Comments on: Authenticators! How Do They Work? https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/ (Journeys and Musings of an Ex-Hardcore Raider)

By: flosch, Mon, 02 Jun 2014 20:08:39 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26965

Yeah, that’s what I basically meant. I didn’t mean that there’s a list of possible passcodes from a device; that would indeed be silly. I just meant there is an entry in a list, or a record, for every single device, to allow initial setup.

By: Will, Mon, 02 Jun 2014 20:00:41 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26964

Well, I don’t know if I would call it a master list, but certainly there is an exchange of records between VASCO and our customers. As a point of discussion, it’s generally not a good idea to keep lists around, so generally speaking we don’t keep lists (nor should anyone), and the details should only ever be located in one location, which is usually the company’s security infrastructure. In most cases the serial number is just a unique identifier for a specific record, kinda like a user name. The record itself can then be further modified and stored completely separately. I know people that don’t use the serial number at all and just use the code generated by the device as a mapping identifier.

The codes generated are always random and can be generated more than one time, so keeping a list of passcodes generated doesn’t help. They aren’t like the old scratch lists where you can just scratch them off as you use them (I would consider those lists to have passcodes that are more Event based rather than time based). The probability of how often a passcode comes up is as random as possible given the algorithms used.

By: flosch, Mon, 02 Jun 2014 19:14:31 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26962

Hey Will,

thank you for the detailed feedback!

So the way I understand you, with VASCO, the “master key” is more like a “master list” that the customer (Blizzard or whichever company) gets, that lists for each device the relation between the serial number and the device key? I thought that might be another possibility when I wrote the text, so I just guessed which version I found more likely. It makes sense that way too, though. So it’s a bit like a one-time pad. Though in an abstract way, it’s pretty much the same: the “master key” is not a single key, but a list, but it still gives the company a way to get from S/N to key, and if the key/list is compromised… well, bad things happen.

Though from a theoretical point, a list (which is just like a one-time pad) is of course safer than any key-based cryptography, because if I remember my basic classes right, it’s provably unbreakable… if the list is truly randomly generated, but at that point it gets complicated again, of course. I wouldn’t be surprised if a company like VASCO takes the random-number generation part for those lists very seriously.

I hope you’ll enjoy other posts on this blog too! Though they’re rarely that technical and howto-ish.

By: Will, Mon, 02 Jun 2014 19:01:20 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26961

First off, very nice post and I will now be following 😉

Secondly, let me put the full disclaimer out there. I work for VASCO, I have worked for VASCO for a long time and I’m a technical person; some would even call me an engineer, although today I do a lot less engineering than I previously have. The comments I make here are my own personal views. I cannot comment directly on what any of our customers use or do not use, so I can’t directly comment on the Blizzard devices.

Ok, with those things out of the way, the one big comment I have for you is with regards to the hardware tokens. You mention that the devices use a “master key” and that the serial number is used in combination to generate each device’s unique key. For some token manufacturers this is correct. With VASCO, this is not correct. Instead VASCO programs every single device with its own unique key right from the factory. This has a few advantages. First, there is no master key you can use or you can find to try and reverse the password generation algorithms. Second, if you manage to get the secret key of a single device, it will not work and has no relation to any secrets on any other device. I’m sure you can find other advantages to this method, but just to set the record straight, these are the ones I will toss out there.

I think you have hit the nail on the head with this post. The end result being, convenience versus security. The choice for any person is how much convenience do I need versus how much security do I want, and in the end how much will it cost me to do one thing over another. Hopefully after people read your post they will have more than enough information to make that informed decision.

Thanks for the post and for letting me comment on it.
-Will

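The two provisioning models Will contrasts above, as an added example that is not part of the original post or of any vendor's code: scheme A derives every device key from one master key plus the printed serial number (the HMAC-SHA256 derivation is an assumption chosen for illustration, not a claim about any manufacturer's algorithm), scheme B programs each device with an independent random key and ships the customer a serial-to-key record. The serial numbers are constructed sample values. The two "exposed" functions show the failure mode of each scheme: a leaked master key lets an attacker reproduce every device key from serials alone, while a leaked per-device key affects exactly one device.

```python
import hashlib
import hmac
import secrets

# Constructed sample serial numbers for the demonstration (not real devices).
SERIALS = ["SN-000101", "SN-000102", "SN-000103"]


def derive_device_key(master_key: bytes, serial: str) -> bytes:
    """Scheme A ("master key" vendor): device key = HMAC-SHA256(master_key, serial).

    The derivation function is an assumption for illustration; what matters is
    that the key is a deterministic function of one vendor secret plus the
    serial printed on the back of the token."""
    return hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()


def provision_derived(master_key: bytes, serials) -> dict:
    """Customer-side registry under scheme A: no per-device secret is shipped;
    each key is recomputed from the master key whenever it is needed."""
    return {s: derive_device_key(master_key, s) for s in serials}


def provision_random(serials, rng=secrets.token_bytes) -> dict:
    """Scheme B (per-device keys programmed at the factory): every key is an
    independent random value, and the serial is only a lookup handle into the
    serial -> key record the customer receives. 20-byte keys are an assumption."""
    return {s: rng(20) for s in serials}


def serials_exposed_by_master_leak(master_key: bytes, registry: dict) -> list:
    """Scheme A failure mode: holding the master key, an attacker recomputes the
    key of every device whose serial they know. Returns the serials whose
    registry key the attacker reproduces from the master key alone."""
    return [s for s, k in registry.items()
            if hmac.compare_digest(derive_device_key(master_key, s), k)]


def serials_exposed_by_device_leak(leaked_key: bytes, registry: dict) -> list:
    """Scheme B failure mode: one leaked device key matches exactly one record;
    it says nothing about the key of any other device."""
    return [s for s, k in registry.items() if hmac.compare_digest(leaked_key, k)]


def keys_are_distinct(registry: dict) -> bool:
    """Sanity check on a registry: no two devices share a key."""
    return len(set(registry.values())) == len(registry)


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    reg_a = provision_derived(master, SERIALS)
    reg_b = provision_random(SERIALS)
    print("scheme A, master key leaked:", serials_exposed_by_master_leak(master, reg_a))
    print("scheme B, one device key leaked:",
          serials_exposed_by_device_leak(reg_b[SERIALS[0]], reg_b))
```

The practical consequence for whoever runs the verification servers: under scheme A the master key (or a registry of keys derived from it) must be reachable at verification time, so it becomes the single secret whose compromise breaks every token; under scheme B the serial-to-key record is still sensitive, but a breach is bounded to the records actually taken.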
By: flosch, Wed, 19 Feb 2014 16:20:41 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26897

Thanks! You might be right. My half-assed PS Vita “test” post I wrote in 2011 after I came back from Japan, and which took about half an hour to piece together, is one of my all-time top posts.

I think this one’s a lot better than that one. (Not that it takes much.) Definitely took more time to write!

By: HarbingerZero, Wed, 19 Feb 2014 16:05:01 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26896

Great post. This is one that will generate traffic for you for a long time to come!

By: flosch, Tue, 18 Feb 2014 06:12:42 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26895

Indeed, you need two consecutive codes, and what you say is most probably the reason. I’ll try and see where I can put that into the text. Thanks!

By: Carson, Mon, 17 Feb 2014 22:08:53 +0000, https://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/#comment-26894

One detail that might be worth adding: to remove an authenticator from your account, if I recall correctly, you need to enter TWO codes in a row. So this specifically prevents anyone who taps your internet connection and eavesdrops a code from being able to instantly use it to remove the authenticator from the account.

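Carson's two-consecutive-codes observation above, together with Will's distinction further up the page between time-based codes (which can legitimately recur) and event-based scratch-list codes, as an added example that is not part of the original post, its comments, or any vendor's implementation. It uses the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions as stand-ins for whatever algorithm the real devices run, which the page does not specify; the 30-second step, the six-digit output, the one-step drift window and the "never accept a step already consumed" rule are all assumptions made here. The `Verifier` class is the server side for one enrolled device: a single eavesdropped code is rejected on replay, and removal needs two codes from consecutive steps.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30  # seconds per time step; assumed for illustration (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over a 64-bit counter, dynamically
    truncated to `digits` decimal digits. This is the scratch-list-like case:
    the counter moves forward once per use and a value is never reissued."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = STEP) -> str:
    """Time-based code (RFC 6238): HOTP with the counter set to the current
    time step, so the same six digits can legitimately come up again later."""
    return hotp(key, now // step)


class Verifier:
    """Server-side state for one enrolled device (assumed design, see lead-in)."""

    def __init__(self, device_key: bytes, window: int = 1):
        self.key = device_key
        self.window = window      # time steps of clock drift tolerated each way
        self.last_step = -1       # highest time step already consumed

    def verify_one(self, code: str, now: int) -> bool:
        """Accept a code for a step inside the drift window, but never for a
        step at or below one already used: a code captured off the wire and
        submitted again is rejected."""
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue
            if hmac.compare_digest(totp(self.key, step * STEP), code):
                self.last_step = step
                return True
        return False

    def verify_removal(self, first: str, second: str,
                       now_first: int, now_second: int) -> bool:
        """Removing the authenticator: two valid codes from consecutive time
        steps. An eavesdropper holding one code cannot produce the next one,
        and the first code is consumed even when the second check fails."""
        if not self.verify_one(first, now_first):
            return False
        first_step = self.last_step
        if not self.verify_one(second, now_second):
            return False
        return self.last_step == first_step + 1


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 4226 test key, not a real device secret
    now = int(time.time())
    v = Verifier(key)
    print("login:", v.verify_one(totp(key, now), now))
    print("replay of the same code:", v.verify_one(totp(key, now), now))
```

Two design notes. The drift window is what makes "two codes in a row" meaningful: without the consumed-step rule, a one-step window would let an attacker reuse a captured code for up to three steps, so replay protection and the consecutive-step requirement have to be implemented together. And because the second code is only accepted for `first_step + 1`, the user really has to wait for the device to roll over; that is the deliberate cost of the stronger check.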