Comments on: Designing a simple token algorithm with PHP http://mediumexposure.com/designing-simple-token-algorithm-php/ by Maxim Chernyak Thu, 15 Jul 2010 14:57:57 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: syscoal http://mediumexposure.com/designing-simple-token-algorithm-php/comment-page-1/#comment-14 syscoal Sat, 26 Apr 2008 14:12:53 +0000 #comment-14 <p>Hello,</p> <p>I finally decided to clean and distribute to the community a <a href="http://syscoal.users.phpclasses.org/browse/package/4518.html">token grid class in PHP</a>. You can have a look on it on the <a href="http://syscoal.users.phpclasses.org/browse/package/4518.html">PHPclasses.org repository</a>, licensed in LGPL.</p> <p>You can produce a credit card sized printed token grid for each customer, and then each time they want to log in, we ask (in addition to the username and the password) the token at a specific position.</p> <p>Each token (by default 10x10 on one card) are calculated using an application id, a user id and the position in the grid. The token generation is based on a md5 of the parameters (you can have a look in the source code)</p> <p>Best regards, have a nice week-end.</p> <p>Any feedback welcome!</p> <p>André</p> Hello,

I finally decided to clean and distribute to the community a token grid class in PHP. You can have a look on it on the PHPclasses.org repository, licensed in LGPL.

You can produce a credit card sized printed token grid for each customer, and then each time they want to log in, we ask (in addition to the username and the password) the token at a specific position.

Each token (by default 10×10 on one card) are calculated using an application id, a user id and the position in the grid. The token generation is based on a md5 of the parameters (you can have a look in the source code)

Best regards, have a nice week-end.

Any feedback welcome!

André

]]> By: mx_ http://mediumexposure.com/designing-simple-token-algorithm-php/comment-page-1/#comment-163 mx_ Thu, 06 Sep 2007 17:21:04 +0000 #comment-163 <p>It's a good catch. Having a secret word stored somewhere brings the cracking complexity to the next level. Relying on hiding a function itself might not be a good idea in terms of high security. Ideally, if we have enough inputs and outputs - we can figure out the algorithm. However, if in a hypothetical case - that one configuration word leaks out, then you'll have to come up with another word, while storing the first one. I avoided the idea of storing an extra seed that has to be maintained - but it can easily be plugged into the above functions at some places where I mentioned that "you can go crazy here". : ) Thanks for the follow up!</p>

It’s a good catch. Having a secret word stored somewhere brings the cracking complexity to the next level. Relying on hiding a function itself might not be a good idea in terms of high security. Ideally, if we have enough inputs and outputs – we can figure out the algorithm. However, if in a hypothetical case – that one configuration word leaks out, then you’ll have to come up with another word, while storing the first one. I avoided the idea of storing an extra seed that has to be maintained – but it can easily be plugged into the above functions at some places where I mentioned that “you can go crazy here”. : ) Thanks for the follow up!

]]> By: Arnold Daniels http://mediumexposure.com/designing-simple-token-algorithm-php/comment-page-1/#comment-20 Arnold Daniels Thu, 06 Sep 2007 15:56:05 +0000 #comment-20 <p>Although this is a way to do this, I wouldn't recommend it. Even if the pattern looks quite complex, a computer will figure out the pattern using a hand full of valid keys. It's very difficult to come up with an algorithm which is difficult to hack.</p> <p>I've written a follow up article, giving an alternative: <a href="http://blog.adaniels.nl/?p=45">http://blog.adaniels.nl/?p=45</a></p> Although this is a way to do this, I wouldn’t recommend it. Even if the pattern looks quite complex, a computer will figure out the pattern using a hand full of valid keys. It’s very difficult to come up with an algorithm which is difficult to hack.

I’ve written a follow up article, giving an alternative: http://blog.adaniels.nl/?p=45

]]>