  1. #41
    Quote Originally Posted by aceindahole View Post
    Thanks for being on topic haha but the Algorithms discussion is actually on topic, as I have been trying to manually figure out the formula myself!
    // calculate current interval number
    long intervalNumber = (CLIENT_TIME_IN_MILLISECONDS + TIME_DIFFERENCE_TO_SERVER) / 30000

    // calculate HMAC-SHA1 from secret key and interval number
    byte[20] mac = HMAC-SHA1(SECRET_KEY, intervalNumber)

    // determine which 4 bytes of the MAC are taken as the current code
    // the last 4 bits of the MAC point to the starting byte
    int startPos = mac[19] & 0x0F

    // select the byte at starting position and the following 3 bytes
    int selectedInt = mac[startPos .. startPos + 3]

    // use the lowest 8 decimal digits from the selected integer as the
    // current authenticator code
    return selectedInt % 100000000
    Atoms are liars, they make up everything!
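
Added example, not part of post #41 and not Blizzard's or any vendor's code: the formula posted above written as runnable Python, together with the server-side check it implies. The 8-byte big-endian encoding of the interval number and the cleared sign bit are assumptions taken from RFC 4226/RFC 6238, since the post does not specify them; the key is the RFC 6238 test key and `verify` with its `window` parameter is a hypothetical helper.

```python
import hashlib
import hmac
import struct

INTERVAL_MS = 30_000        # interval length from the post: 30 seconds
CODE_MODULUS = 100_000_000  # keep the lowest 8 decimal digits


def interval_number(time_ms, time_difference_to_server_ms=0):
    """Current interval number, after correcting the clock by the stored offset."""
    return (time_ms + time_difference_to_server_ms) // INTERVAL_MS


def code_for_interval(secret_key, interval):
    # Assumption (RFC 4226): the interval is MACed as an 8-byte big-endian integer.
    mac = hmac.new(secret_key, struct.pack(">Q", interval), hashlib.sha1).digest()
    start_pos = mac[19] & 0x0F  # low 4 bits of the last byte pick the offset
    selected = struct.unpack(">I", mac[start_pos:start_pos + 4])[0]
    # Assumption (RFC 4226): clear the sign bit so the value is never negative.
    selected &= 0x7FFFFFFF
    return f"{selected % CODE_MODULUS:08d}"  # zero-padded to 8 digits


def authenticator_code(secret_key, client_time_ms, time_difference_to_server_ms=0):
    return code_for_interval(
        secret_key, interval_number(client_time_ms, time_difference_to_server_ms))


def verify(secret_key, submitted, server_time_ms, window=1):
    """Server-side check: accept codes from the current interval +/- window."""
    current = interval_number(server_time_ms)
    ok = False
    for interval in range(max(0, current - window), current + window + 1):
        expected = code_for_interval(secret_key, interval)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    print(authenticator_code(key, 59_000))          # client clock correct
    print(authenticator_code(key, 29_000, 30_000))  # client 30 s behind, offset applied
    print(verify(key, "94287082", 89_000))          # one interval late, still accepted
```

The code depends only on the secret key and the interval number, so a code captured and replayed within the accepted window is indistinguishable from a legitimate one.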

  2. #42
    Mechagnome Aisriyth's Avatar
    10+ Year Old Account
    Join Date
    Oct 2009
    Location
    Connecticut
    Posts
    650
    I don't do well with numbers. That being said I also use the phone version which is 8 digits instead.

    I still say witchcraft is involved either way.

  3. #43
    Quote Originally Posted by Aisriyth View Post
    I don't do well with numbers. That being said I also use the phone version which is 8 digits instead.

    I still say witchcraft is involved either way.


    The phone version is less secure. Much less. A phone can be hacked, which makes it more vulnerable. That is not true of a true authenticator.

    Also, the code mentioned is not confirmed as the code Blizz uses. It is only possible code. There are many public algorithms out there which are more secure and which Blizzard could be using. Many hacker fanboys say it is Vasco, but there is no proof. They only say Vasco because many DPG6 use Vasco. More likely they use another, stronger code. Vasco is still hard to reverse engineer. Not talking about hackers. It needs a cryptologist.

  4. #44
    Sounds like a lot of you guys need to go on meds for OCD...google it
    Quote Originally Posted by Ershiin View Post
    Oh.. My.. God..
    This is petty beyond belief.

    Why don't we start complaining about how M&Ms should be color coded while we're at it?
    Or how it should be called a Burger with Cheese because Cheeseburger is misleading?

  5. #45
    Quote Originally Posted by Aerai View Post
    Look up the Diffie-Hellman exchange, operates on a very similar principle.

    http://en.wikipedia.org/wiki/Diffie-Helmann

    Basically both source and client generate/exchange enough information that both parties can calculate the required key without having anybody on the outside watching capable of deciphering what key was used.

    This would explain why the only known 'breaks' of the Authenticator were done using a MITM attack which the Diffie-Hellman exchange is vulnerable to.
    Strictly speaking it is nothing like that at all. They do not share a key publicly. It is purely private key. Diffie-Hellman is for when establishing new connections. An authenticator only uses a secret key. There's no exchange at all. That's how it is secure. A man in the middle attack sits in the middle of the communication and pretends to be side B to side A and side A to side B. The authenticator hack is not technically a man in the middle attack.

    The authenticator attack is just a keylogger with the ability to send fake codes to blizzard, and send the key in realtime to a hacker. That's it. It's still a keylogger. It's not a man in the middle. It isn't intercepting any public (or private) keys.

    TLDR: The authenticator does not use something like Diffie-Hellman from a technical perspective. Its weakness is not a MITM attack.

  6. #46
    Mechagnome Aisriyth's Avatar
    10+ Year Old Account
    Join Date
    Oct 2009
    Location
    Connecticut
    Posts
    650
    Quote Originally Posted by _leander View Post
    The phone version is less secure. Much less. A phone can be hacked, which makes it more vulnerable. That is not true of a true authenticator.

    Also, the code mentioned is not confirmed as the code Blizz uses. It is only possible code. There are many public algorithms out there which are more secure and which Blizzard could be using. Many hacker fanboys say it is Vasco, but there is no proof. They only say Vasco because many DPG6 use Vasco. More likely they use another, stronger code. Vasco is still hard to reverse engineer. Not talking about hackers. It needs a cryptologist.
    Anything can be hacked. So w/e doesn't matter to me. Core hound pup ftw.

  7. #47
    Epic! ScorchHellfire's Avatar
    10+ Year Old Account
    Join Date
    Oct 2009
    Location
    The Slaughtered Lamb, Stormwind City
    Posts
    1,683
    Pretty sure the numbers are based on some formula having to do with the current time... same as random number generators on computers...

  8. #48
    Quote Originally Posted by scudmuffin View Post
    I believe anything 7 numbers or less is optimal for human memory, hence why phone numbers are 7 digits long.
    Rofl! That depends where the hell in the world you live! In Denmark we got 8 digits..

  9. #49
    Weird, I just look at my iphone and mash the numbers in a second or so and tend to give no thought to it, unless it stands out like has 666 or something which supposedly has some significance like that
    Computer: Intel I7-3770k @ 4.5GHz | 16GB 1600MHz DDR3 RAM | AMD 7970 GHz @ 1200/1600 | ASUS Z77-V PRO Mobo|

  10. #50

  11. #51
    Quote Originally Posted by Squirreludecker View Post
    i believe numbers in the UK are 8 numbers long. instead of 3-4 they do 2-2-4. if i remember right.
    6 numbers for the UK

  12. #52
    Mechagnome private420's Avatar
    10+ Year Old Account
    Join Date
    Feb 2010
    Location
    Having a Tea Party with C'thun
    Posts
    714
    should be a poll my money is on wizard

  13. #53
    Warchief Sarcasm's Avatar
    10+ Year Old Account
    Join Date
    Aug 2009
    Location
    New Zealand
    Posts
    2,052
    Quote Originally Posted by scudmuffin View Post
    I believe anything 7 numbers or less is optimal for human memory, hence why phone numbers are 7 digits long.
    This.
    Quote Originally Posted by BattlemasterSkarab View Post
    GOD's ARMAGEDDON and DOOM'S DAY!!!!!!.... Imagine that...
    4 apocalyptic horsemen
    Sky turned red
    Sun turned black
    All WoW servers down

  14. #54
    Quote Originally Posted by Lafarce View Post
    They're 8?
    Phone numbers, as far as I know, in North America, are 7 digits long (excluding area codes).

    also @ the guy saying he can remember 8 things or whatever, this is on average, there are people that can remember everything they see throughout the day, this is called photographic, or eidetic memory. There are people who remember the first months of their lives in great detail, who can name their street address from when they were 6 months old from seeing it through a car window while passing by. 7 digit phone numbers are optimal for memorization because the average person can store 7 digits in their short term memory, as you increase the number of digits, the amount of people that can store them in their short term decreases drastically.

    http://en.wikipedia.org/wiki/The_Mag...s_or_Minus_Two
    Last edited by scudmuffin; 2010-09-25 at 04:40 AM.

  15. #55
    My pocket wizard will sometimes talk to me..Not too often and he's usually fairly grumpy from being stuck in such a little device. It also doesn't have good air flow in there.

    One time he told me he used to fight ogres with both his arms tied behind his back..And then got horribly beaten down because he needs his hands to cast spells. He's a pretty weird guy, he probably drinks in there.
    Pata pata pata pon. Pata pata pata pon. pon pon pata DIE*stabstabstab*

  16. #56
    Quote Originally Posted by scudmuffin View Post
    I believe anything 7 numbers or less is optimal for human memory, hence why phone numbers are 7 digits long.
    Humans remember 5-7 things well on average in short term memory. One trick to memorizing numbers is break them into groups. Like has been said with phone numbers. XXX-XXX-XXXX is 3 "things"

  17. #57
    Quote Originally Posted by ScorchHellfire View Post
    Pretty sure the numbers are based on some formula having to do with the current time... same as random number generators on computers...
    I already posted how it works + the formula.
    Atoms are liars, they make up everything!
