On Tue, Sep 7, 2010 at 2:17 PM, <[email protected]> wrote:
> I'm curious how OTP tokens work.

Most of them are HOTP (http://en.wikipedia.org/wiki/HOTP) of one form or another, which is basically an application of HMAC to a secret key and a nonce of some kind. Some implementations derive the nonce from the current time. Some derive it from a counter value. Some do proprietary backflips so as to require you use their server-side software along with the client tokens.

If you assume HMAC is a perfect MAC algorithm, then the security of HOTP follows straight from that assumption. An attacker who can forge a HOTP value must be able to forge a corresponding MAC value. Because we have assumed that our MAC algorithm is perfect, no such attacker can exist.

Thanks,
Lea
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
