Free Republic
News/Activism

To: NVDave

I’m not familiar with that... is that like the RSA number generator?

Is that more secure than smart cards with PINs?

But even so, how does it prevent backdoor attacks? Are you saying all data is uniquely encrypted so that only the user who wrote it can read it... even if on a server?


28 posted on 04/19/2010 8:19:02 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)


To: for-q-clinton

You could use an RSA prime generator as the means to a one-time pad.

The idea behind a one-time pad is that you create a cipher key so long that you use pieces of the key XOR’ed with your plaintext, and never, ever use that piece of the key again. The Soviets pioneered use of this in the field with the Venona ciphers, famous during the Cold War for frustrating MI-5 and the NSA for years and years.

The idea behind an OTP password generator card is that the card has a password. You enter that password to activate the card. Once your PW to the card is accepted, you tell it “generate a password string for me.” It does. You enter that password to whatever server or machine you’re logging into. If the algorithm on the server and your OTP card are in agreement as to your sequence of passwords, you’re in.

As soon as you use a password generated by the OTP card (i.e., you use it to log into any server tied into the password generator service), that password is “burned”: it may never be used again. You can set an option on these OTP systems to either lock down the account upon receipt of a burned p/w, or to merely prompt for another one.

If you get out of sync (let’s say you bungle the entry of a password), you merely ask the OTP card to generate a new password again. The server s/w generated ‘n’ passwords ahead of your current OTP card’s sequence. Once it accepts a password in that window of passwords, the password and all passwords prior to the accepted password are ‘burned’ and can never be used again.

The way this prevents attacks is this: OK, you (the hacker) log the keystrokes in a situation like this. That’s nice. You, the hacker, don’t have the OTP card or the algo, so you can’t generate a new password to log in at your own time and choosing. You can hijack a session once the user enters a password, but that means you’re going to be detected, because the user is sitting there, watching his computer be taken over.


41 posted on 04/19/2010 8:35:39 PM PDT by NVDave
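The counter-synchronised token, the server-side look-ahead window, and the burning of every earlier password that NVDave's post describes, as an added worked example that is not part of the original thread and not tied to any particular vendor's product. The post does not name the algorithm the card runs; this example assumes RFC 4226 HOTP (HMAC-SHA1 over a shared secret and an event counter), which is the standard way such a counter-based scheme is built. The `OtpCard`, `OtpServer`, `demo` names, the window size of 5 and the PIN are all illustrative choices; the secret is the published RFC 4226 Appendix D test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpCard:
    """Token side: a PIN-protected secret and a counter that only ever moves forward."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin.encode()
        self._counter = 0  # next unused sequence number

    def generate(self, pin: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("card PIN rejected")
        code = hotp(self._secret, self._counter)
        self._counter += 1  # this code can never be produced by the card again
        return code


class OtpServer:
    """Server side: same secret, a look-ahead window for resync, and burn-on-accept."""

    def __init__(self, secret: bytes, window: int = 5, lock_on_replay: bool = False):
        self._secret = secret
        self._window = window
        self._lock_on_replay = lock_on_replay
        self._next = 0  # lowest counter value that is not yet burned
        self.locked = False

    def verify(self, code: str) -> str:
        if self.locked:
            return "locked"
        # A code matching a recently burned counter is a replay (keylogger, shoulder-surfer).
        for c in range(max(0, self._next - self._window), self._next):
            if hmac.compare_digest(code, hotp(self._secret, c)):
                if self._lock_on_replay:
                    self.locked = True
                    return "locked"
                return "replay"
        # Otherwise search the look-ahead window; accepting counter c burns c and all before it.
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(code, hotp(self._secret, c)):
                self._next = c + 1
                return "accepted"
        return "rejected"


def demo(lock_on_replay: bool) -> list:
    """Walk through the scenarios in the post; returns the server's verdicts in order."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real key
    card = OtpCard(secret, pin="1234")  # constructed PIN
    server = OtpServer(secret, window=5, lock_on_replay=lock_on_replay)
    verdicts = []
    first = card.generate("1234")                          # counter 0 -> "755224"
    verdicts.append(server.verify(first))                  # fresh code: accepted
    verdicts.append(server.verify(first))                  # same code again: it is burned
    skipped = card.generate("1234")                        # counter 1, user bungles the entry
    card.generate("1234")                                  # counter 2, never submitted either
    verdicts.append(server.verify(card.generate("1234")))  # counter 3, inside the window: resync
    verdicts.append(server.verify(skipped))                # counter 1 was burned by the resync
    verdicts.append(server.verify("000000"))               # in no window at all: plain wrong
    return verdicts


if __name__ == "__main__":
    print("prompt mode:", demo(lock_on_replay=False))
    print("lock mode:  ", demo(lock_on_replay=True))
```

Two points the code makes concrete: the server never has to know which counter the user skipped, because it simply tries every counter in its look-ahead window and moves `_next` past whichever one matched; and "burned" means the server remembers only a single high-water mark, not a list of used passwords. With six-digit codes, a replayed or guessed value collides with some other counter in the window with probability on the order of one in a million per comparison, which is why real deployments also throttle failed attempts.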


