PPRuNe Forums - View Single Post - Bank gadgets
Thread: Bank gadgets
View Single Post
Old 6th September 2013 | 10:14
  #2 (permalink)  
mixture
 
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
ExSp33db1rd,

You've correctly assumed the token is not transmitting to the bank.

Bushfiva started along the right lines with his response but it all came out a bit messy, so I'll try to clean it up. He, for example, is completely off-track with talk of random number generators.

Yes, there are broadly speaking two types. Challenge/Response and Event based.

Both have something in common, which is a shared secret or "seed". The bank stores it in its database, your token stores it hardcoded in its hardware.

There other common element is not between the mechanisms but between you and the bank. What that second element is depends on the mechanism used.

Challenge/Response is what Bushfiva said. Site gives you a code, your token derives a response in a cryptographic manner based on the code and the secret. The bank derives what it thinks the response should be. If what you submit what your bank is expecting it to be, then you're in.

Event based comes in two main flavours :

- Counter : i.e. each time you press a button the counter increments by one. Again, your token calculates a value in a cryptographic manner based on the counter and secret. The bank calculates a value based on what it reckons the counter value should be. If the value you submit is the same as what the bank calculates, you're in.

- Time based. Well, its not strictly time based, its moving factor. Your bank decides on two things (a) a time step (e.g. 30 seconds, 60 seconds) (b) How many steps it will verify. Your token contains a timer that increments in seconds (typically seconds since the UNIX epoch or 00:00:00 UTC on 1 January 1970 ... long story ). Every value you derive based upon the timer plus seed is the same within the same time step. Your bank derives a value based on the current time window plus the shared secret... if your value matches you're in. If it doesn't match, your bank might also check a couple of steps either side of the expected epoch depending on what it decided in (b).

In terms of how you get the 8 digits, the process is generally something like the following (this being an example of generating a HOTP style token response, which is counter event based) :

HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
where Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value.
HMAC-SHA-1 being the output of a cryptographic function of the same name.

Basically Truncate() converts something like "11f6ad8ec52a2984abaafd7c3b516503785c2072" (which would be an example output from HMAC-SHA-1(K,C)) into the 6 or 8 digit number you type into the bank's website.

Generating a time based token would be similar, you would typically replace "C" with "T", i.e. the time step value.

I know it all sounds very technical, but its actually a very simple method....
Last edited by mixture; 6th September 2013 at 10:21.
mixture is offline  
Reply
0