Fintech
Artem Sorokin, 2013-04-03 21:24:27

What is the principle of operation of banking (and not only) tokens?

Here, for example, I have a bank token that generates seemingly completely random numbers for authorization in the Internet bank. However, the bank somehow recognizes them and, of course, does not let you in with numbers made up at random.
Tell me (or point me to where I can read about it): what is the principle of operation of these tokens?
PS: I know, in general, how authorization with time-synchronized one-time passwords works (e.g. Google Authenticator). But in my token you can safely pull out the battery, put it back, and everything continues to work, i.e. there is no clock in it. How then do the token and the bank recognize each other?


8 answer(s)
Singerofthefall, 2013-04-03
@Singerofthefall

They work on mathematical functions, and to calculate each key (by key I mean the number that is generated and that you enter for authorization), either a counter or sequential hashing is used.
Roughly speaking, the token contains some one-way function f(x) and some starting number k. The server also knows which function and which number are used in the token linked to your account.
If it is a counter model, then your function calculates f(k) and then k increases by one (or changes in any other way; the main thing is that it changes according to a known algorithm). If it is sequential calculation of the key, then each next key is the result of the function on the previous key, that is, f(k) is calculated, then f(f(k)), f(f(f(k))), and so on.
Accordingly, each time you press the button, the token calculates the next key. When you enter it for authorization, the server calculates the same key and compares the two.

Sergey Galkin, 2013-04-03
@Larrikin

> you can safely pull out the battery, put it back
And if you pull it out, wait a couple of weeks and only then put it back in?

FilimoniC, 2013-04-03
@FilimoniC

en.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0%B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C
habrahabr.ru/post/154229/
There are two principles:
f(T, IV): a code based on the time and an initialization code; the difficulty is in the clock.
f(n, IV): a code based on the attempt number and an initialization code; the difficulty is that the server may not know about an attempt that was made.
And who told you that there is no clock in there? The clock inside the chip can run for years off the charge in a capacitor.
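Both the counter/sequential-hashing description in Singerofthefall's answer and the f(T, IV) / f(n, IV) split in the answer above describe the same family of schemes. The following is an added example, not code from the original thread, that implements all three in Python with only the standard library: an RFC 4226 counter-based code (HOTP), the time-based variant (TOTP) built on top of it, and the forward hash chain exactly as the first answer describes it. The server side keeps a look-ahead window so that a token whose button was pressed a few times without the code being submitted can still be resynchronized; this is the "server may not know about an attempt" difficulty named above. The secrets, window size and class names are constructed for the example.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = DIGITS) -> str:
    """RFC 6238: the f(T, IV) variant is just HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class CounterToken:
    """f(n, IV) token: shared secret plus a counter that advances on every button press."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class CounterServer:
    """Server side of the counter scheme with a look-ahead window for resynchronization."""

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.counter = 0  # next counter value the server expects
        self.window = window

    def verify(self, code: str) -> bool:
        # Try the expected counter and the next `window` values so unsubmitted presses
        # on the token do not lock the user out. Never look backwards: that blocks replay.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync past the accepted value
                return True
        return False


def chain_step(state: bytes) -> bytes:
    """The one-way function f from the first answer; SHA-256 is a constructed choice."""
    return hashlib.sha256(state).digest()


def chain_code(state: bytes, digits: int = DIGITS) -> str:
    # Only a short decimal code leaves the token, so the full chain state stays secret.
    return str(int.from_bytes(state[:4], "big") % 10 ** digits).zfill(digits)


class ChainToken:
    """Sequential hashing: key_i = f(key_{i-1}), starting from the shared seed k."""

    def __init__(self, seed: bytes) -> None:
        self.state = seed

    def press(self) -> str:
        self.state = chain_step(self.state)
        return chain_code(self.state)


class ChainServer:
    """Server walks the same chain forward, again with a bounded look-ahead window."""

    def __init__(self, seed: bytes, window: int = 10) -> None:
        self.state = seed
        self.window = window

    def verify(self, code: str) -> bool:
        state = self.state
        for _ in range(self.window):
            state = chain_step(state)
            if hmac.compare_digest(chain_code(state), code):
                self.state = state
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed input
    token, server = CounterToken(secret), CounterServer(secret)
    for _ in range(3):
        token.press()  # presses whose codes were never entered
    code = token.press()
    print("drifted token accepted:", server.verify(code))
    print("replay of same code accepted:", server.verify(code))
```

The two server classes show the property the question is really about: the bank never needs a clock in the token, only an agreed starting state and a bounded window of how far ahead the token may have run. The time-based `totp` function is the one case where a clock is required, and there the window is measured in time steps rather than presses.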

lubezniy, 2013-04-03
@lubezniy

Alternatively, the bank does not need to know this one-time password at all. It is enough for it to receive a certain document signed with an EDS (electronic digital signature) registered with the bank (certification center) for a specific client. The token has built-in cryptographic means: you submit a document at the input, authorize the signing with the private key using a one-time password (the key is stored in the token, and there is no way to extract it from the token), and at the output you get the EDS of the document, which, together with the document, is transferred to the bank and checked there (the bank, of course, must have the public key corresponding to the private one).

Vladimir Martyanov, 2013-04-04
@vilgeforce

I looked at one of the banking tokens here under Linux. iBank, it seems. lsusb honestly said: a SIM card in a USB reader.

Roman Sopov, 2013-04-04
@sopov

habrahabr.ru/post/105268/

OKComputer, 2013-04-05
@OKComputer

The clock is definitely there, even if you don't believe it. Try entering a code that is outdated by at least a second...

kimssster, 2013-04-11
@kimssster

Another one of the options.
The principle of their operation must be divided into several stages:
1. Preparation: the generation center is deployed in the bank's network infrastructure, its parameters are written into the software that initializes the tokens (the config is burned in and passwords are generated), the firmware number and serial number are read, and the group is updated.
2. Initialization: the tokens go through the initialization procedure (now they know where to dial in), CA certificates can be loaded, the group is allowed on the equipment or the number of tokens permitted access is increased, and a password is generated for the user (usually in pin-conferencing).
