How do netbank login dongles work?
This is a question purely to satisfy my own curiosity.
Here in Norway it's common for netbanks to use a calculator-like (physical) dongle that all account holders have. You type your personal PIN into the dongle and it generates an eight-digit code you can use to log in online. The device itself is not connected to the net.
Does anyone know how this system works?
My best guess is that each dongle has a pregenerated sequence of numbers stored. So the login process will fail if you type an already used number or a number that is too far into the future. It probably also relies on an internal clock to generate the numbers. So far none of my programmer peers have been able to answer this question.
[Edit]
In particular I'm curious about how it's done here in Norway.
Take a look here: http://en.wikipedia.org/wiki/Security_token. If you are interested in the algorithms, these might be interesting: http://en.wikipedia.org/wiki/Hash_chain and http://en.wikipedia.org/wiki/HMAC.
Tokens have a very accurate real-time clock, which is synced with the same clock on the auth server. The real time is used as a seed along with your private key, and your unique number is generated and then verified on the server, which has all the required data.
One major one-time password system is Chip and PIN, in which bank cards are inserted into special, standalone card readers that accept a PIN and output another number as you describe. It is widely deployed in the UK.
Each bank card is a smart card. The card's circuitry is what checks the PIN and generates the one-time password. Cryptographic algorithms that such cards can use include DES, 3DES (Triple DES), RSA, and SHA1.
I recently went overseas and used the dongle there with no problems. It is a sealed, battery-powered dongle. One pushes the button and a code number appears. The only way it could work is that it is time-synchronised to the bank. The number that is produced only lasts for a minute, if that. A random number generator is used to create the stream of numbers recorded in the memory of the device. It therefore becomes unique for the user, and only the bank 'knows' what that random number generator produced for that particular user and dongle. So there can only be one next number. If the user makes a mistake, the bank 'knows' they are genuine because the next try is the next sequential number that is in the memory. If the dongle is stolen, the thief also has to have the other login details to reach the account.