Re: Re: Digipass Go3 Token Dumper (at least for 2006)
Thanks Hugo!
http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an
insecure-encryption vulnerability because the device uses an insecure
single-key encryption algorithm (...)"
That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!
Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry
seriously about.
I'm glad we have VASCO's clarification. And it seems to me that now the
community is really free to analyze the truncation/decimalization side of
Digipass.
Is it secure? Is it the best VASCO could've come with? And the key derivation
process?...
Best regards,
Felipe Collyer
(a.k.a. faypou)