Electronic: Ezio Time-based 6-Digit Token for use with Amazon Web Services


asin B002CRN5X8

Think about how this device might work. A high security implementation might work like this:

  • It has a private key burned into its firmware.
  • It encrypts the current time (rounded to the nearest 30 seconds) with the private key.
  • Amazon has on file a copy of the corresponding non-secret public key.
  • Amazon then takes the encrypted time, decrypts it with your public key and sees if it matches the current time.

The advantages include:

  • If someone snoops on your conversation, the password that they steal will not be of any use in future.
  • If someone breaks into Amazon, all they can steal is your public key, which is not even a secret. It is useless for impersonating you.
  • If someone breaks into your computer, your private key is not there in any form. It lives only inside the token and cannot be retrieved.

A low security implementation might work like this:

  • To get it started, Amazon sends it a random number (the seed) over an https: link.
  • The fob encrypts the current time (rounded to the nearest 30 seconds) with that seed.
  • Amazon has on file a copy of the corresponding seed.
  • Amazon then takes the current time on its server and encrypts it with the seed to see if it matches the value just sent from the fob.

The weakness of this system is that if hackers steal the seeds, the whole system is compromised. The other weakness is that every website you use this device on has to know its secret seed. That increases the odds of the hackers getting access to everything.

Specs.

Manufacturers are notoriously close-lipped about just how their devices work. They don’t want you to crack them or be aware of their vulnerabilities to help protect yourself. However, they say they implement OATH standards, so that may contain a clue.
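As an added example (not code from this page or from the token's manufacturer): assuming the token follows OATH TOTP (RFC 6238), the shared-seed scheme above is an HMAC-SHA1 over the 30-second time counter rather than an encryption, and the server recomputes the same value from its copy of the seed. The names `verify`, `last_counter` and `drift` are hypothetical, and the seed is the published RFC 6238 test key, not a real device secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time window, as described on the page
DIGITS = 6   # code length, as in the product name

# Published RFC 6238 test key, used here only as sample data.
RFC_TEST_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int) -> str:
    """Code the fob displays: HMAC-SHA1 of the time-step counter,
    reduced to DIGITS decimal digits (RFC 4226 dynamic truncation)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(seed: bytes, submitted: str, server_time: int,
           last_counter: int, drift: int = 1):
    """Server-side check (assumed design). Returns the matched time-step
    counter, or None. The caller stores the returned counter as the new
    last_counter so a snooped code cannot be replayed in the same window."""
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    now = server_time // STEP
    # Accept +/- drift windows to tolerate a fob clock that runs fast or slow.
    for counter in range(now - drift, now + drift + 1):
        if counter <= last_counter:
            continue  # window already used, or older than the last login
        expected = totp(seed, counter * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_SEED, 59)
    print("fob shows:", code)
    print("first use :", verify(RFC_TEST_SEED, code, 59, last_counter=0))
    print("replay    :", verify(RFC_TEST_SEED, code, 59, last_counter=1))
```

Both sides call the same `totp` with the same seed, which is why a stolen copy of the server's seed file is enough to generate valid codes, the weakness described above.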

It is too bad that you cannot use this wonderful device on websites other than Amazon AWS, such as your bank.

A similar device could be invented that did not require you to key in the generated password. You would insert it into a USB port. It would not even need a clock. Amazon could send a random string to encrypt. However, that hypothetical certificate-based device would need a special browser adaptation.


This page is posted on the web at: http://mindprod.com/electronic/B002CRN5X8.html

Contact Roedy. Please feel free to link to this page without explicit permission.