Description
- USB device that looks like a cut-down SD memory card with one push button.
- One-time password generator - useful for authentication only.
- Emulates a USB keyboard - no drivers required.
- No battery.
- Open source and open development community!
- Works with OpenID and other web-service based auth methods.
- Key is write-only.
Authentication mechanism
- 128-bit AES-ECB
- Character set used is 16 symbols (keyboard scan codes). These symbols were selected based on being common to all international keyboards. (Note: 4 bits per symbol.)
- Authentication string is 44 (4-bit) characters:
  - 12-character (48 bits) device id
  - 32-character (128 bits) authentication token (AES encrypted)
- Encoded authentication token string is 16 bytes (128 bits, 32 symbols) (1 AES block):
  - 6 bytes (48 bits) device id
  - 2 bytes (15 bits) session counter - stored in NV memory, incremented each time the unit is powered up. Note: Unit is only good for 32k sessions since passwords would repeat after that.
  - 3 bytes (24 bits) time stamp - based on 8 Hz counter started when the unit is powered up. Note: Maximum is 24 days.
  - 1 byte (8 bits) session counter - incremented each time a password is generated during a session.
  - 2 bytes (16 bits) random data - padding due to ECB mode
  - 2 bytes (16 bits) CRC
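A server-side check over the 16-byte token layout listed above, as an added example that is not part of the original notes or the device's own code: it unpacks one already-decrypted AES block and rejects replays by requiring the (power-up counter, per-session counter) pair to increase. Little-endian byte order and the names parse_block, accept and build_block are assumptions; AES decryption and CRC verification are left out because the notes give neither the key handling nor the CRC polynomial.

```python
import struct
from typing import NamedTuple, Optional, Tuple

LAYOUT = "<6sHHBBHH"  # 6+2+3+1+2+2 = 16 bytes; little-endian is an assumption

class Token(NamedTuple):
    device_id: bytes  # 6 bytes (48 bits)
    session: int      # 15-bit counter, incremented at each power-up
    timestamp: int    # 24-bit count of 8 Hz ticks since power-up
    use: int          # 8-bit counter, incremented per password in a session
    random: int       # 16 bits of padding
    crc: int          # 16-bit CRC (carried through, not verified here)

def parse_block(block: bytes) -> Token:
    """Unpack one decrypted 16-byte AES block into the listed fields."""
    if len(block) != 16:
        raise ValueError("token must be exactly one AES block (16 bytes)")
    dev, session, ts_lo, ts_hi, use, rnd, crc = struct.unpack(LAYOUT, block)
    # Only 15 bits of the 2-byte session field are used; the 3-byte
    # timestamp is rebuilt from its low 16 bits and its high byte.
    return Token(dev, session & 0x7FFF, ts_lo | (ts_hi << 16), use, rnd, crc)

def accept(tok: Token, expected_id: bytes,
           last: Optional[Tuple[int, int]]):
    """Return (ok, state); state is the last accepted (session, use) pair."""
    if tok.device_id != expected_id:
        return False, last            # block decrypted to the wrong device id
    current = (tok.session, tok.use)
    if last is not None and current <= last:
        return False, last            # replayed or older password
    return True, current

def build_block(dev: bytes, session: int, ts: int, use: int,
                rnd: int = 0, crc: int = 0) -> bytes:
    """Build a constructed plaintext block for testing (hypothetical helper)."""
    return struct.pack(LAYOUT, dev, session, ts & 0xFFFF, ts >> 16, use, rnd, crc)

if __name__ == "__main__":
    dev = bytes.fromhex("010203040506")           # constructed device id
    state = None
    for session, use in [(5, 0), (5, 1), (5, 1), (4, 7), (6, 0)]:
        tok = parse_block(build_block(dev, session, 80, use))
        ok, state = accept(tok, dev, state)
        # timestamp / 8 gives seconds since the unit was powered up
        print(session, use, tok.timestamp / 8, "accepted" if ok else "rejected")
```

Because acceptance depends on the stored counter pair only ever moving forward, the 32k-session limit noted above shows up on the server as a hard stop rather than a silent repeat.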
Comments
- No authentication to access device.
- Should use ECC or other asymmetric cipher.
Things to verify
- User can write key? Set key once or multiple times?
- push-button (plus) and non-push-button version? How to operate without button?
- Soft token possible?