top | item 46676705

(no title)

Thinking about it, there are only 10 billion different keys and somewhat fewer sboxes.

So given a single pass code and the login time, you can just compute all possible pass codes. Since more than one key could produce the same pass code, you would need 2 or 3 to narrow it down.

In fact, you don't even need to know the login time really, even just knowing roughly when would only increase the space to search by a bit.

discuss

brna-2|1 month ago

Also @MattPalmer1086 the best solution for this I have now is to have several secret keys and rotate usage. Would be nice to have some additional security boosts.

MattPalmer1086|1 month ago

Key rotation among a set of keys only partially mitigates the issue (have to obtain more samples).

It has it's own synch problems (can you be sure which key to use next and did the server update the same as you, or did the last request not get through?).

This post on security stack exchange seems relevant.

https://security.stackexchange.com/questions/150168/one-time...

brna-2|1 month ago

Yep known issue, was hoping someone could spice the protocol up without making it mentally to heavy, hn is full of smart playful people.