How RSA token synchronization works

Reposted from: http://www.ikrady.com/?p=1398

Today at lunch a group of us were discussing how the token works. Someone said it transmits a radio signal every time the code changes (once a minute); someone else immediately objected that it could not possibly be transmitting: first, there is the power drain, second, there are signal problems, and transmission has latency as well. Transmitting on every code change is unrealistic. The approach most of us agreed on was that the server and the token can compute the code for the current minute from a unique shared secret and the current time, and that this code is unique. The code is based on the PIN and the time, and hardware clocks certainly have some error, so keeping the time synchronized is important; after all, even a phone costing tens of thousands drifts. My guess at the time was that a radio signal is still used to correct this error, the way today's radio-controlled watches do, correcting the clock offset every so often (once a day, say).

Searching when I got back, I found that the token algorithm is really clever:

  • Time is based on UTC.
  • A token window handles clock drift: when a verification request (a token code) arrives, the server does not check against just one code but also against the codes for one minute on either side. If the current code does not match but one of the other two does, that shows there is a time offset between the token and the server; the request is accepted and the server records the drift, and on later checks it uses the current time adjusted by that drift as the baseline for computing the expected code.
  • The three-minute window suits tokens that are used often, where the error is usually small. A token that has not been used for a long time may have drifted too far from the server; for that case the window is widened (10 minutes) and a second code is requested to confirm.
  • In other words, for every token the server stores its seed, the time of the last verification and the time offset. All of the time synchronization is done by the server; the token itself is not involved.
A more detailed explanation in English, reposted from
http://blog.sina.com.cn/s/blog_67b556ca0100sawy.html
Repost: How does my RSA security token (Secure ID) card work?

The 6 digit code that you see on the token is generated using an algorithm that exists in all tokens. The token also contains a clock and has a unique seed number. The current time and the unique seed are processed using the algorithm and produce the token code you see on the token. This is normally done once per minute. In this way a unique code is generated that appears to be random.

The server (Ace server), which is online and connected to whatever system you are logging on to, also knows the time and it also knows the unique seed number of your token. So it uses the same algorithm to calculate the code that you should see on your token. If they match then you are authenticated.

What happens if the time is wrong on the token (or the server)? 

The server normally allows a 3 minute window. So it will calculate and accept passcodes based on the current time and a minute either way. If the code is more than 2 minutes out and less than 10 then the server will recognize this code also but will ask for the next code as well to confirm you really have the token and didn't just read it by chance on someone else's token. If the time is slightly wrong then the server sets a time offset for the token and remembers that it is x minutes out. It then knows to expect this and has effectively synchronized the token.

(Sources: RSA Security)
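As an added worked example (not code from either of the reposted sources, and not RSA's proprietary SecurID algorithm): the server-side windowing and drift bookkeeping described in the bullet list and in the English explanation above, in Python. The code generator `code_at` is a stand-in (HMAC-SHA1 with RFC 4226 dynamic truncation) so that the example runs with the standard library; the class names, the `NEXT_CODE_REQUIRED` status, the seed bytes and the timestamps are all assumptions made for this example. One addition beyond what the post describes: a code that has already been accepted is rejected if it is presented again, which an authentication server must do regardless of how wide its window is.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

STEP = 60      # the post describes one new code per minute
NARROW = 1     # accept the current minute and one either way (the "3 minute window")
WIDE = 10      # up to 10 minutes out: accept, but demand the next code as well


def code_at(seed: bytes, minute: int, digits: int = 6) -> str:
    """Code shown for a given minute counter.

    Stand-in generator (HMAC-SHA1 + RFC 4226 truncation). This is NOT RSA's
    proprietary SecurID algorithm; only the server-side windowing and drift
    handling below are what the example is about.
    """
    mac = hmac.new(seed, struct.pack(">Q", minute), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    value %= 10 ** digits
    return f"{value:0{digits}d}"


@dataclass
class Token:
    """The hardware token: a seed plus a clock that may run fast or slow."""
    seed: bytes
    skew_seconds: int = 0      # how far the token's clock is from true UTC

    def display(self, now: int) -> str:
        return code_at(self.seed, (now + self.skew_seconds) // STEP)


@dataclass
class TokenRecord:
    """What the server keeps per token: seed, learned drift, last minute used."""
    seed: bytes
    drift_minutes: int = 0     # token minute = server minute + drift
    last_minute: int = -1      # highest minute already accepted (replay rejection; addition)


class AceServer:
    """Server side: same seed, same algorithm, plus the per-token drift record."""

    def __init__(self) -> None:
        self.records: Dict[str, TokenRecord] = {}

    def register(self, serial: str, seed: bytes) -> None:
        self.records[serial] = TokenRecord(seed)

    def verify(self, serial: str, code: str, now: int,
               next_code: Optional[str] = None) -> str:
        """Returns "OK", "NEXT_CODE_REQUIRED" or "FAIL"."""
        rec = self.records[serial]
        base = now // STEP + rec.drift_minutes     # apply the drift learned so far

        def matches(minute: int, candidate: str) -> bool:
            return hmac.compare_digest(code_at(rec.seed, minute), candidate)

        # Narrow window: the expected minute and one minute either way.
        for d in range(-NARROW, NARROW + 1):
            minute = base + d
            if minute <= rec.last_minute:
                continue                            # that minute's code was already used
            if matches(minute, code):
                rec.drift_minutes += d              # remember the small offset
                rec.last_minute = minute
                return "OK"

        # Wide window: a token left unused may have drifted further. Accept only
        # if the user can also present the code for the following minute.
        for d in range(-WIDE, WIDE + 1):
            if abs(d) <= NARROW:
                continue                            # already tried above
            minute = base + d
            if minute <= rec.last_minute or not matches(minute, code):
                continue
            if next_code is None:
                return "NEXT_CODE_REQUIRED"         # caller must prompt for the next code
            if matches(minute + 1, next_code):
                rec.drift_minutes += d              # resynchronize on the larger offset
                rec.last_minute = minute + 1
                return "OK"
            return "FAIL"
        return "FAIL"
```

In use, the caller treats `NEXT_CODE_REQUIRED` as a prompt to wait for the token to roll over and submit both codes together; nothing about the record is changed until the pair has been checked. Note that the drift is re-learned on every successful login, so a token that drifts slowly stays inside the narrow window indefinitely.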
