How to create a simulation of a login token in .NET

I have a hardware token for remote login to a Citrix environment. When I click the button on the device, I get an identifier and I can use it to enter the Citrix farm. I can press the button as much as I like, and every time a new code is generated, and they all work.

Now I also want to protect my private website, not with a hardware token but with a “token application” on my phone. So I launch the application on my phone, create a key and use it for (partial) authentication on the server.

But here's the point: I don't know how it works! How can I generate 1, 2 or 100 keys at a time, which I can see (on the server) are all valid, but without any contact between the server and the phone (the hardware token is also a "stand-alone" solution)?

Can you help me with a hint on how to do this?

This is what I was thinking so far: the phone app and the server app know (hard-coded) the same encryption key. The phone application encrypts the current time. The server application decrypts the string to the current time, and if the difference between this time and the actual server time is less than 10 minutes, this is normal. It’s hard for other users to fake the key, but encryption gives such nasty lines for input, and the hardware token gives me such nice things like “H554TU8”. This is probably not how the real token works, because the server and the phone application must “know” the same encryption key.

Michelle

+3
1 answer

This link may be useful: One-time password

+1
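
The shared-key-plus-current-time idea from the question is standardized as TOTP (RFC 6238, built on HOTP from RFC 4226): instead of encrypting the time, both sides compute an HMAC over the current 30-second step and truncate it to a short code. The following is an added example, not code from the question or the answer; the class and method names are illustrative and the secret is the published RFC test value, not something to deploy.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class TotpDemo
{
    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncated to decimal digits.
    static string Hotp(byte[] secret, long counter, int digits = 6)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        using var hmac = new HMACSHA1(secret);
        byte[] h = hmac.ComputeHash(msg);
        int o = h[h.Length - 1] & 0x0F;   // dynamic truncation offset
        int bin = ((h[o] & 0x7F) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
        int mod = 1;
        for (int i = 0; i < digits; i++) mod *= 10;
        return (bin % mod).ToString().PadLeft(digits, '0');
    }

    // TOTP counter: number of 30-second steps since the Unix epoch; each side computes it locally.
    static long Step(DateTimeOffset t, int seconds = 30) => t.ToUnixTimeSeconds() / seconds;

    // Server side: accept the current step +/- window (clock drift), refuse steps already used (replay).
    static bool Verify(byte[] secret, string code, DateTimeOffset now, ref long lastUsedStep, int window = 1)
    {
        long current = Step(now), matched = -1;
        for (long s = current - window; s <= current + window; s++)
        {
            bool eq = CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(Hotp(secret, s)), Encoding.ASCII.GetBytes(code));
            if (eq && s > lastUsedStep) matched = s;
        }
        if (matched < 0) return false;
        lastUsedStep = matched;
        return true;
    }

    static void Main()
    {
        // Constructed sample: RFC 6238 test secret; a real secret is random and unique per user.
        byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890");
        var phoneClock = DateTimeOffset.UtcNow;
        var serverClock = phoneClock.AddSeconds(20);   // assumed clock drift between devices
        string code = Hotp(secret, Step(phoneClock));  // what the phone app would display
        long lastUsed = -1;                            // per-user state kept by the server
        Console.WriteLine($"code: {code}");
        Console.WriteLine($"first use accepted: {Verify(secret, code, serverClock, ref lastUsed)}");
        Console.WriteLine($"replay accepted: {Verify(secret, code, serverClock, ref lastUsed)}");
    }
}
```

The server has to store the secret in recoverable form to recompute the codes, so protect it like a password database and treat the code as a second factor alongside a password rather than as the only credential.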

Source: https://habr.com/ru/post/1736074/

