Could anyone explain to me in simple programmatic terms how these RSA key dongles work? I know Blizzard has them for WoW and paypal as well as some of the trading sites.
Thanks!
3 solutions
#1
The fob has a clock and a serial number that is used as a seed for a PRNG. When you hit the "show me a code" button, the fob displays a number that is the product of that timestamp and the serial number run through the PRNG. The server knows your fob's serial number and time, and does the same operation. If your codes match, you're authenticated.
You can calculate the previous/next N values on the server end to account for clock skew.
#2
Programmatic terms aren't necessary. Just imagine two pieces of hardware (your dongle and something at the company) that generate the same numbers at the same regularly scheduled intervals. It would be virtually impossible to guess what the number is due to some proprietary algorithms, so if the number you type in (or is automatically sent by the dongle) matches the number at the server, your identity is validated.
At least with the dongle I have, you also have to supply a pin known only by you and the server. So, in order to be authenticated you need both something physical and something in your head. That combination is pretty hard to fake. Even if someone gets the dongle, unless they know your pin it's worthless. And if they know your pin, that information is worthless without the dongle.
#3
Security Now! episode 103 talks about how they work. (That link is to the show notes, but there's a link at the top of the page to the audio podcast.)
Basically, the key fob is synchronized with a server and they're both seeded to generate the same sequence of pseudo-random numbers. The server knows it's you if you input the right number at the right time.
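As an added example (not code from any of the answers above, and not RSA's proprietary SecurID algorithm), the following Python sketch implements the mechanism answers #1 and #3 describe, plus the PIN factor from answer #2. It assumes an HMAC-SHA1 based code derivation in the style of RFC 4226/6238 as a stand-in for the fob's PRNG; the seed, PIN, salt and timestamps are constructed for the demo. The server side tries the previous/next N time steps to tolerate clock skew, and refuses to accept a time step it has already accepted so that a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real fob has its own per-device seed and the
# server stores the PIN as a salted hash, never in the clear.
SEED = b"constructed-demo-seed-0123456789"
PIN_SALT = b"constructed-demo-salt"
STEP_SECONDS = 30      # the "regularly scheduled interval" the fob ticks on
DIGITS = 6


def counter_for(timestamp, step=STEP_SECONDS):
    """Map a clock reading to the time-step counter both sides derive codes from."""
    return int(timestamp) // step


def generate_code(seed, counter, digits=DIGITS):
    """What the fob displays for one time step: HMAC over the counter, truncated
    to a fixed number of decimal digits (RFC 4226 dynamic truncation)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def hash_pin(pin):
    """Server-side PIN storage: a salted PBKDF2 digest (constructed salt above)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


def verify_code(seed, submitted, now, window=1, last_accepted=None):
    """Server side: recompute the code for the current step and the N steps
    either side of it (clock skew). Returns (ok, counter_used).
    Steps at or before last_accepted are rejected to block replay."""
    base = counter_for(now)
    for delta in range(-window, window + 1):
        candidate = base + delta
        if last_accepted is not None and candidate <= last_accepted:
            continue
        expected = generate_code(seed, candidate)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True, candidate
    return False, None


def authenticate(seed, stored_pin_hash, pin, code, now, window=1, last_accepted=None):
    """Two factors: the PIN (something you know) and the fob code (something you
    have). Both are evaluated before deciding so a failure reveals which one
    was wrong only through timing differences that compare_digest avoids."""
    pin_ok = hmac.compare_digest(hash_pin(pin), stored_pin_hash)
    code_ok, used = verify_code(seed, code, now, window, last_accepted)
    return (pin_ok and code_ok), used


if __name__ == "__main__":
    now = 1_000_000_000                      # constructed clock reading
    stored = hash_pin("4821")                # enrolled PIN, hashed
    shown = generate_code(SEED, counter_for(now))   # what the fob displays
    print("fob shows:", shown)
    print("login ok :", authenticate(SEED, stored, "4821", shown, now))
```

In use, the server persists the returned counter as `last_accepted` for that fob so the same code is not accepted twice inside the skew window; keeping the window small (one step either side) limits how long a leaked code stays valid.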