Re: Re: Digipass Go3 Token Dumper (at least for 2006)

[fcollyer () gmail com]

Thanks Hugo!

http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an insecure-encryption vulnerability 
because the device uses an insecure single-key encryption algorithm (...)"

That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!

Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry seriously about.

I'm glad we have VASCO's clarification. And it seems to me that now the community is really free to analyze the 
truncation/decimalization side of Digipass.

Is it secure? Is it the best VASCO could've come with? And the key derivation process?...

Best regards,

Felipe Collyer
(a.k.a. faypou)