Hi,

I am wondering if it is possible to generate a "key" that is valid for a period of (approximately) three months?

For example, let's say (hypothetically) that I generate a key like this (pseudocode):

Key = HASH ( MachineID, Salt );

And the way I verify a key is valid is to check like this:

isValid(Key)
{
   return Key == HASH ( MachineID, Salt )
}

How would you extend this to generate a key like this:

Key = HASH ( MachineID, Salt, LastMonth, ThisMonth, NextMonth );

But still have your isValid work correctly?

One way I can see is:

isValid(Key)
{
   return Key == HASH ( MachineID, Salt, (LastMonth), (ThisMonth), (NextMonth) )
   || Key == HASH ( MachineID, Salt, (LastMonth-1), (LastMonth), (ThisMonth) )
   || Key == HASH ( MachineID, Salt, (ThisMonth), (ThisMonth+1), (ThisMonth+2) )
}

But I would like to know if any better ideas come to mind.

+7  A: 

A typical way of doing this is to compose a cleartext message explaining what is needed to reach the key, which is then followed by the secure digest. You would thus return something like

function Key(password, expiry) {
    return "Expires: " + dateformat(expiry) +
           HASH(salt + expiry + password)
}

Note that the returned key contains the expiration date in clear text, but also includes it in the digest so that it cannot be tampered with. As always, it's not necessary to decode the digest, only verify that the same inputs produced the same digest.

TokenMacGuy
Thanks, but this requires the end application to know the expiry date. Is there any way for the end application to do a "here is today's date" is that valid for this key? Edit: Having reviewed, I see the solution is to make sure the user types in the expiry as well. It's a solution but I'm still curious if there's a better way.
Graphain
@Graphain: Well, the idea is to encode the expiry date into the "key" - you can always encode the expiry date as a couple of bytes (two bytes is enough for 180 years worth of days!), so the "key" is just lengthened by two bytes and the user has no idea that part of it is a date.
caf
@caf, yes but when decoding I do not know the expiry date, just the current date and I was hoping there was a method that the key could only be decrypted if the current date is less than the expiry date.
Graphain
@Graphain: When decoding you extract the expiry date from the composite key.
caf
@caf - Yeah I get that and it's probably the best way.
Graphain