[Cryptography] So please tell me. Why is my solution wrong?

John Levine johnl at iecc.com
Thu Feb 16 10:41:08 EST 2017


In article <58A5BCCB.9080101 at connotech.com> you write:
>> They are available right now.  I know this because I am holding two of
>> them in my hand.  One is a U2F key by Yubico, the other is a Plug-Up
>> security key.  They both implement an open spec from the FIDO
>> alliance.
>
>I wonder to which extent the "open" qualification actually applies (IPR 
>encumbrance, completeness of the specification, mandatory consortium 
>membership fees, ...).

For anyone who wondered enough to do 10 seconds of googling,
the spec is here:

https://fidoalliance.org/download/

It looks to me like if you want to build hardware, you need to join
Fido to get the IPR don't-sue-us.  If you just want to implement
the software side, you can.  They've sent a proposed API spec to the
W3C.

>> Then there's Google Authenticator, an app that runs on your phone and
>> generates those six-digit codes.  It's also an open spec, anyone can
>> use it and many do.
>
>Is "open spec" meaning no-fee download from Google-controlled appstore? 

Of course not.

>All these services are controlled by remote entities.

No.  It's an implementation of RFC 6328.  You set it up with an 80 bit
shared secret, typically sent as a QR code, and then the app generates
time based OTPs.  If you don't like Google's app, there are several
open source implementations.  The apps run entirely on the phone, and
just use the shared secret and the time to generate the OTP.

Ten more seconds of googling finds a very informative Wikipedia page:

https://en.wikipedia.org/wiki/Google_Authenticator

R's,
John