ndi
Posts: 2,050 | Thanked: 1,425 times | Joined on Dec 2009 @ Bucharest
#30
Originally Posted by CrashandDie:
No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.
Could be. It has 2 modes:

* Login: I input user name (set) and a password. The password is given by a token, after entering PIN. However, if I generate a password, wait for 60 seconds, then enter the password, it will not work. If I don't use it enough, it desyncs, and I need to call them to allow me one time-ignorant login. Once that happens, it works again. I have no other explanation than the fact that the token has an internal clock it uses.

* Transaction: Site gives me a random number (challenge). I press the signature button on the device, input the number, then it gives me a similar number. I enter that into the site and the transaction goes through. If I delay, it does not go through, and it re-issues me a different challenge. It could be timed, it could be clock based, I can't tell because in order to sign you have to log in, so time is in sync.


Originally Posted by CrashandDie:
If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.
I don't need the info, but as a programmer not only by job but by sheer passion, I'd love the insight.
__________________
N900 dead and Nokia no longer replaces them. Thanks for all the fish.

Keep the forums clean: use "Thanks" button instead of the thank you post.
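
Added example, not part of either poster's message and not the token vendor's algorithm: a sketch of the two modes discussed above, showing why a clock-derived login code expires and drifts while a challenge can be expired by the server alone. The HMAC-SHA1 construction with RFC 4226 truncation, the 30-second step, the drift window, the 60-second challenge lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30           # assumed time-step length, seconds
WINDOW = 1          # assumed: steps of clock drift tolerated at login
CHALLENGE_TTL = 60  # assumed: server-side lifetime of a challenge, seconds


def otp(key: bytes, msg: bytes, digits: int = 8) -> str:
    """HMAC-SHA1 over msg, then RFC 4226 dynamic truncation."""
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_login_code(key: bytes, token_clock: float) -> str:
    """Login mode: the token derives the counter from its own clock."""
    return otp(key, struct.pack(">Q", int(token_clock) // STEP))


def server_check_login(key, code, server_clock, drift=0, window=WINDOW):
    """Return the step offset that matched, or None if outside the window.

    drift is the per-token offset stored after a resync; a large window
    models the help-desk 'time-ignorant' login.
    """
    now = int(server_clock) // STEP + drift
    for off in range(-window, window + 1):
        if hmac.compare_digest(otp(key, struct.pack(">Q", now + off)), code):
            return off
    return None


def token_sign(key: bytes, challenge: str) -> str:
    """Transaction mode: the response depends on key and challenge only."""
    return otp(key, challenge.encode())


def server_check_signature(key, challenge, issued_at, response, server_clock):
    """Expiry is enforced by the server; no token clock is involved."""
    if server_clock - issued_at > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(token_sign(key, challenge), response)
```

Calling `server_check_login` with a wide `window` returns the offset a server could store as `drift`, after which the normal narrow window accepts the token again.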