[e-gold-list] AxiomaticTokenizer - Increased payment security with one time tokens

George Hara georgegabrielhara at fastmail.fm
Tue Oct 30 23:54:31 MST 2007


(This is an interesting idea which could be used by service providers,
if only just as a starting point. No special hardware required.)

Increased payment security with one time tokens

Let's say you have an account with an online payment service. The
classical way for you to make a payment is to log into your account
using an account name and a password; note that the password is always
the same, unless you change it.

If there are malicious applications in the computer which you use to log
into your account, they can intercept your login information and they
can later steal all your money from that account. This can happen
because your password is always the same.

One time tokens change exactly this. Such tokens are different every
time you make a payment. If the tokens are generated on a computer which
is not connected to any communication network, the passphrase you have to
use to generate them cannot be intercepted by malicious applications.

In order to send a token to the service to make a payment, you can
simply copy it from the display of the computer which generated it to
the computer which is connected to the Internet, or you can use a memory
card to transfer it between the two computers.

However, in order for the service to be able to know that a token it
receives was indeed generated by you, both you and it need to know a
secret, called a shared secret. You can generate a token in order to send
your shared secret to the service, but this time it's in the clear, so
anyone who can intercept it can steal all your money.

To protect yourself against such possible events, you always have to
send your shared secret from a computer which is free of malicious
applications. Since you can never be sure of this, it's possible to
split the shared secret in two parts and send each part, to the service,
from a different computer. As long as the two parts are not intercepted
by a thief and linked together, your money is safe.

If your online payment service accepts one time tokens, you can use a
small application, AxiomaticTokenizer, to generate your tokens. This is
written in HTML and JavaScript. Download it on your computer by
right-clicking here (
http://www.gardenerofthoughts.org/ideas/emoney/axiomatictokenizer.htm )
and choosing "Save link as". Then just click on that file to open it in
your web-browser and use it.

The user interface of AxiomaticTokenizer is small because it was
specifically designed to run on mobile devices. Unfortunately, not all
mobile web-browsers support all the necessary JavaScript.

Detailed protocol at
http://www.gardenerofthoughts.org/ideas/emoney/tokens.htm

