From: amp <Alan.Pugh@internetMCI.COM>
Date: Mon, 1 Jan 1996 14:57:23 +0800
To: David Lesher <wb8foz@nrk.com>
Subject: Re: Australian "calculatorcard"
Message-ID: <01HZH81Y0DKI95P3WV@MAIL-CLUSTER.PCY.MCI.NET>
MIME-Version: 1.0
Content-Type: text/plain


-- [ From: amp * EMC.Ver #2.3 ] --

From: David Lesher             \ Internet:    (wb8foz@nrk.com)

To:   amp                      \ Internet:    (alan.pugh@internetmci.com)
cc:   Cees de Groot            \ Internet:    (c.degroot@inter.nl.net)
cc:   cypherpunks              \ Internet:    (cypherpunks@toad.com)

Subject: Re: Australian "calculatorcard"

> sounds like the card i use for remote dialup to certain non-public
> systems i use at work. it has a six digit number on the front that
> changes every 60 seconds. 

DS> Do these card systems use a window to handle clock-slip?

i'm not sure. i would image so.

DS> I'd think you could have the server safely accept # N, N-60 sec, and
DS> N+60 seconds; and adjust the server's idea of your card's clock speed
DS> from that.

DS> What new risk would that create?

i would figure the server would give a minute or so for slippage.
basically the risk is that it would give someone 3 minutes to do a
brute force attack rather than one. if you have decent security on
the server side, i.e., disallow the card for 5 minutes or more after 3
or so failed attempts, brute attacks would be minimized. however, if
the actual window for a single code is 3 minutes, that increases your
chance of hitting it as 3 separate numbers would be valid for a given
card at any given time.


amp
<0003701548@mcimail.com> (since 10/31/88)
<alan.pugh@internetmci.com>
PGP Key = 57957C9D
PGP FP = FA 02 84 7D 82 57 78 E4  E2 1C 7B 88 62 A6 F9 F7 
December 31, 1995   21:59