Hello All,

> Date: Fri, 01 Feb 2002 15:18:27 -0500
> From: "Jay W." <[EMAIL PROTECTED]>
> To: "e-gold Discussion" <[EMAIL PROTECTED]>
> Subject: [e-gold-list] Re: help with mobile phone acceptance
>
> getting people to do MD5 hashes could be a show stopper...
> with respect to SMS && gold...
One more consideration, with a BSD-style copyright notice just in case someone wants to claim exclusive usage rights on the ideas stated below, which I believe should be available to everyone for unlimited use. A BSD-style copyright ensures that everyone will be able to use these ideas in their products or services, just like the FreeBSD system or Internet standards.

COPYRIGHT (C) 2002 DMITRY SALNIKOV, MINSK, BELARUS, http://dmitry-salnikov.com/index.htm
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS TEXT IS PROVIDED BY DMITRY SALNIKOV ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DMITRY SALNIKOV BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Modern mobile phones are already similar to computers, with their own operating system etc.; even simpler ones are able to load games and other code.
Thus it may be possible to make the whole calculation completely transparent to the end user while providing direct SMS-only access to the e-gold account with all its benefits, like precision in payments, etc.; direct access also eliminates the need to freeze account funds for the purchase of tickets as in the SMSgrams scenario. Everything may be done in cooperation with mobile phone manufacturers: if they are wasting memory on games, ring tones and screen savers, then they may be willing to add e-gold SMS-only access to their devices. It may be a long way to meet everyone's interests, but the first step may be taken from the e-gold side alone, with a protocol specification and an implementation on the e-gold servers, so that all others have something as a foundation. And in any case it is possible to create small devices which will do all the calculations; entering the results of these calculations into the mobile phone will then be as easy as entering SMSgrams tickets. If there is a special passphrase for SMS access, then in the scenario transparent to the user it may be used to encrypt requests to the e-gold system, and every command to the server may be done using a single secure SMS message.

e-gold SMS-only access protocol, for discussion and suggestions for improvements.

1. e-gold SMS-only access passphrase.

There should be a special passphrase which is set using the common SSL access, and its usage is limited to some amount of SMS transactions in any period of time, something like less than 9.9 grams of gold in any one-week period; this may be configurable. This passphrase should be forced to be a complex one in order to prevent brute-force attacks, and cannot be used to change the master passphrase; this may be configurable also.

2. Format of SMS messages.

A:B:C where =A= is the owner's e-gold account number, =B= is the base-10 number of the cipher, like 1 for 3DES or 2 for RC4, and =C= is the part of the message encrypted with the SMS passphrase, in base64 printable encoding like in electronic mail attachments.

3. =2=C= part prior to encryption.

A:B:C:D where =A= is a random sequence of base-10 digits and English characters, which may be derived from keystroke timings, for prevention of known-plaintext and replay attacks; =B= is the base-10 Unix-style number of seconds for command expiration; =C= is the base-10 number of the command, like 1 for payment, 2 for balance or 3 for changing the SMS passphrase; and =D= is the command itself to the e-gold server.

4. =3=D= part, sample payment command.

A:B:C:D where =A= is the payee's e-gold account number, =B= is the payment amount, =C= is the payment units and =D= is the payment metal; the payer's e-gold account number was the first thing in the SMS message and was not encrypted.

There may be enable/disable configuration options for every SMS command in the e-gold account's common online SSL administration. There may also be the possibility of an SMS callback with a random temporary passphrase to a predefined phone number in case the SMS passphrase is forgotten by the user, with a special 0 void cipher number indicating this request; this type of request should be limited to no more than one per week, and the user should use this passphrase in the change-passphrase command in order to confirm it, while any valid message with the old passphrase will deny the change. In addition, if a 0 owner account number, a 0 void cipher number and a plain-text phone number are specified in the message, then the e-gold server can create a new account and send its number and a temporary passphrase to the calling phone, and then the first valid message with the change-passphrase command using these received data will confirm the account creation, with no more than one account per phone number per year created in this way in order to prevent attacks on server resources.

Any comments?

Respectfully yours,
Dmitry Salnikov, http://dmitry-salnikov.com/index.htm
FreeBSD, Linux, C/C++, perl, ...
Web software development services, English / Russian translations.
---
You are currently subscribed to e-gold-list as: [email protected]
To unsubscribe send a blank email to [EMAIL PROTECTED]

Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
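The message framing proposed above (outer A:B:C, inner nonce:expiry:command:body, payment body payee:amount:units:metal), worked through end to end as an added example. This is editor-supplied Python, not code from the post, from e-gold or from any mobile phone vendor. Assumptions not in the post: cipher number 3 is a stand-in encrypt-then-MAC construction built from HMAC-SHA256 in the standard library (the post's 3DES = 1 and RC4 = 2 are not implemented); the encryption and MAC keys are derived from the SMS passphrase with PBKDF2 using the account number as salt; the weekly limit is enforced on the amount field, treated as grams of the named metal; and the account numbers and passphrase in the usage are constructed sample values.

```python
"""Added worked example of the post's SMS-only access framing (not the post's own code).

Framing follows the post: outer A:B:C (account, cipher number, base64 of the encrypted
part); inner A:B:C:D (random nonce, expiry as Unix seconds, command number, command);
payment command payee:amount:units:metal. ASSUMPTIONS: cipher number 3 is a stand-in
(encrypt-then-MAC built from HMAC-SHA256 in the standard library), not the post's
3DES (1) or RC4 (2); keys come from PBKDF2 with the account number as salt; the weekly
limit is checked on the amount field, treated as grams of the named metal.
"""
import base64
import hashlib
import hmac
import secrets
import string
import time

CIPHER_STANDIN = 3                          # assumed cipher number for the stand-in cipher
CMD_PAY, CMD_BALANCE, CMD_CHPASS = 1, 2, 3  # command numbers as listed in the post
NONCE_ALPHABET = string.ascii_letters + string.digits


def derive_keys(passphrase: str, account: str) -> tuple:
    """Separate encryption and MAC keys from the SMS passphrase (assumed KDF)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), account.encode(), 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # MAC covers iv + ciphertext
    return iv + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")  # tampered message or wrong passphrase
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def build_sms(account, passphrase, command, body, ttl=300, now=None):
    """Phone side: produce the A:B:C message for one command."""
    now = time.time() if now is None else now
    nonce = "".join(secrets.choice(NONCE_ALPHABET) for _ in range(16))
    inner = f"{nonce}:{int(now) + ttl}:{command}:{body}"
    enc_key, mac_key = derive_keys(passphrase, account)
    c = base64.b64encode(seal(enc_key, mac_key, inner.encode())).decode()
    return f"{account}:{CIPHER_STANDIN}:{c}"


class Server:
    """Server side: decrypt, check expiry and replay, enforce the weekly SMS limit."""

    def __init__(self, passphrases, weekly_limit_grams=9.9):
        self.passphrases = passphrases      # account -> SMS passphrase
        self.limit = weekly_limit_grams     # post's example: under 9.9 g per week
        self.seen = set()                   # (account, nonce) already accepted
        self.spent = {}                     # account -> [(timestamp, grams)]

    def handle(self, sms, now=None):
        now = time.time() if now is None else now
        try:
            account, cipher, c = sms.split(":", 2)
            if int(cipher) != CIPHER_STANDIN or account not in self.passphrases:
                return ("error", "unsupported cipher or account")
            enc_key, mac_key = derive_keys(self.passphrases[account], account)
            inner = unseal(enc_key, mac_key, base64.b64decode(c)).decode()
            # The command body may itself contain ':' (payee:amount:units:metal),
            # so the inner part is split into at most four fields.
            nonce, expiry, command, body = inner.split(":", 3)
            if now > int(expiry):
                return ("error", "expired")
            if (account, nonce) in self.seen:
                return ("error", "replay")
            self.seen.add((account, nonce))
            if int(command) == CMD_PAY:
                return self._pay(account, body, now)
            if int(command) == CMD_BALANCE:
                return ("balance", account)
            return ("error", "unknown command")
        except ValueError as e:  # bad base64, bad tag, malformed fields
            return ("error", str(e))

    def _pay(self, payer, body, now):
        payee, amount, units, metal = body.split(":")
        grams = float(amount)  # assumption: the amount is in grams of the named metal
        recent = [g for ts, g in self.spent.get(payer, []) if now - ts < 7 * 86400]
        if sum(recent) + grams > self.limit:
            return ("error", "weekly SMS limit exceeded")
        self.spent.setdefault(payer, []).append((now, grams))
        return ("pay", payer, payee, grams, units, metal)
```

Two points a practitioner would check here: the inner part is split with a field limit, because the payment body reuses ':' as its own separator; and the nonce is recorded before the command is acted on, so a second delivery of the same SMS is refused even if the first one failed the weekly limit. The stand-in cipher authenticates the ciphertext, which is what lets the server tell a tampered message from a genuine one; a bare stream cipher such as the post's RC4 option would not give that on its own.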
