Now, if the number changes every minute, that's a little over 10,000 samples in a week, certainly enough to determine if they are using weak random number generation.
1) not true. I read an article about a pseudorandom number generator which appeared random to every test they used on it. [...] Lesson: it can be *very* hard to determine randomness.
The experiment I was proposing would possibly answer 'yes' to the question "Is the number generation weak?" It would not say how strong it was, or even if it was strong. It would, however, give some lower bound on its strength or else show that it was in fact not very strong at all.
2) The sequence is not random. It is cryptographically pseudorandom. This is very different.
Since we are talking about a device in which a sequence is duplicated on two ends, I did not feel the need to belabor the difference between pseudorandom and random. The context makes it clear that this can't be a random device based on a physically random process.
3) A friend who has a significant math background in crypto stuff has seen the Security Dynamics algorithms (under non-disclosure), and says that they're credible.
That bit of information may mean that a 10^4 sample test is not worth doing.
That vouches for their theory.
That changes our trust from no trust at all into trust in your friend's ability and your assessment of it. :-)
That they insist on programming the cards and keeping the keys themselves, and that they do not allow you to program the cards yourself, is a major problem, no matter how good their math is.
Granted. Their keeping the keys is worth, say, using a linear congruential generator (or worse) in terms of overall security. I was merely curious as to whether they were fools on all fronts, as opposed just to the secrecy front.

Eric
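To make the two positions in this exchange concrete, here is an added example (not from the thread or from any vendor's code) that runs two cheap statistical tests over 10,000 constructed six-digit tokens: a frequency test and a lag-1 serial correlation test. The generators, their constants and the 10^6 token space are assumptions chosen for illustration; it shows that such a sample can give the lower bound Eric describes (it catches a small-state and an additive generator) while also confirming the first point, since a full-period linear congruential generator with a larger multiplier usually passes both tests despite being entirely predictable from its state.

```python
import secrets
from math import sqrt

# Constructed token space: six-digit codes, like the once-a-minute numbers in the thread.
MOD = 10**6
CHI2_95_9DF = 16.92  # 95% critical value of chi-square with 9 degrees of freedom

def lcg_tokens(n, a, c, m, seed=1):
    """n tokens from x_{k+1} = (a*x_k + c) mod m, folded into the six-digit space."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x % MOD)
    return out

def csprng_tokens(n):
    """n tokens from the OS CSPRNG: the baseline a good device should be indistinguishable from."""
    return [secrets.randbelow(MOD) for _ in range(n)]

def chi_square_bins(tokens, bins=10):
    """Frequency test: chi-square statistic of token values over equal-width bins."""
    counts = [0] * bins
    for t in tokens:
        counts[t * bins // MOD] += 1
    expected = len(tokens) / bins
    return sum((k - expected) ** 2 / expected for k in counts)

def serial_correlation(tokens):
    """Lag-1 correlation between consecutive tokens; for random data it is O(1/sqrt(n))."""
    n = len(tokens)
    mean = sum(tokens) / n
    num = sum((tokens[i] - mean) * (tokens[i + 1] - mean) for i in range(n - 1))
    den = sum((t - mean) ** 2 for t in tokens)
    return num / den

def assess(tokens):
    """Return both statistics and whether either one rejects the 'looks random' hypothesis."""
    chi, r = chi_square_bins(tokens), serial_correlation(tokens)
    weak = chi > CHI2_95_9DF or abs(r) > 3 / sqrt(len(tokens))
    return {"chi_square": round(chi, 2), "serial_corr": round(r, 4), "weak": weak}

if __name__ == "__main__":
    N = 10_000  # roughly a week of one-token-per-minute samples
    print("16-bit state LCG ", assess(lcg_tokens(N, 75, 74, 2**16)))   # caught: all tokens land in the lowest bin
    print("additive (a=1)   ", assess(lcg_tokens(N, 1, 12347, MOD)))   # caught: consecutive tokens strongly correlated
    print("full period a=101", assess(lcg_tokens(N, 101, 12347, MOD))) # typically passes both, yet fully predictable
    print("OS CSPRNG        ", assess(csprng_tokens(N)))
```

A "weak" verdict is reliable evidence of a poor generator; a pass only says these particular tests found nothing, which is exactly the asymmetry the thread is arguing about.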