The Register - UK firm touts alternative to digital certs (fwd)

David Howe DaveHowe at gmx.co.uk
Mon Oct 21 03:42:16 PDT 2002


at Sunday, October 20, 2002 2:22 PM, Jim Choate
<ravage at einstein.ssz.com> was seen to say:
> http://theregister.co.uk/content/6/27659.html
looks like a dumbed-down version of the SecurID system.
Basically, it works like this:

1. user enters five-digit pin code. code is in colours (four choices)
not numbers though. Total pin keylength therefore ten bits.
2. device increments an internal counter, and generates a composite code
comprising user id, current clock time and the internal counter (number
of times card used, basically)
3. device uses single-DES to encrypt that data, and then binhexes it to
give a keycode
4. user types in their username and keycode into website
5. website contacts quizid authentication server and verifies code is
valid (and that account has enough to cover the transaction)
6. website completes transaction and bills quizid company
7. quizid company bills user's credit card.

the plus side here is that the website never knows the user's credit
card details, and is given a oneshot authentication handle that is
useless once verified.
the downside is that the system has no way to verify an amount, and is
only weakly protected (both in pin (weaker than the usual four digit ATM
pin) and in transit (single-des????))
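
The flow in steps 1-5 above, as an added sketch that is not part of the original post and is not Quizid's code. Assumptions: HMAC-SHA256 stands in for the single-DES and hex-encoding step, the clock is quantised into 60-second steps, and `AuthServer`, `keycode`, `pin_keyspace`, the lookahead window, and the sample key, user and timestamp are all hypothetical or constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the clock is quantised into 60 s steps
LOOKAHEAD = 5       # assumption: server tolerates a few unused button presses

def pin_keyspace(symbols: int, length: int) -> int:
    """Step 1: number of possible PINs (four colours, five positions -> 4**5)."""
    return symbols ** length

def keycode(key: bytes, user_id: str, step: int, counter: int) -> str:
    """Steps 2-3: key the composite of user id, clock step and use counter.
    HMAC-SHA256 stands in for the single-DES + hex-encoding step."""
    composite = user_id.encode() + struct.pack(">QI", step, counter)
    return hmac.new(key, composite, hashlib.sha256).hexdigest()[:16]

class AuthServer:
    """Step 5: hypothetical verifier that accepts each keycode at most once."""
    def __init__(self):
        self.accounts = {}  # user_id -> [device key, highest counter accepted]

    def enroll(self, user_id: str, key: bytes) -> None:
        self.accounts[user_id] = [key, 0]

    def verify(self, user_id: str, code: str, now: int) -> bool:
        # Note: no amount parameter. As the post says, the code is not bound
        # to what the website goes on to charge.
        account = self.accounts.get(user_id)
        if account is None:
            return False
        key, last = account
        step = now // STEP_SECONDS
        for counter in range(last + 1, last + 1 + LOOKAHEAD):
            for s in (step - 1, step, step + 1):
                if hmac.compare_digest(keycode(key, user_id, s, counter), code):
                    account[1] = counter  # burn this counter and all below it
                    return True
        return False

def demo():
    key, now = b"constructed-demo-key", 1_035_000_000  # constructed values
    server = AuthServer()
    server.enroll("alice", key)
    code = keycode(key, "alice", now // STEP_SECONDS, 1)
    return server.verify("alice", code, now), server.verify("alice", code, now)

if __name__ == "__main__":
    print(pin_keyspace(4, 5), "PINs vs", pin_keyspace(10, 4), "for a 4-digit ATM PIN")
    print("first use, replay:", demo())
```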




