the limits of crypto and authentication

Nick Owen nowen at wikidsystems.com
Sat Jul 9 12:29:16 EDT 2005


To validate the transaction, a receipt could be sent to the user
encrypted by the server's public key.  If the receipt is correct, the
user enters their PIN to 'sign' the transaction.

I'm assuming an asymmetric authentication system here outside the
browser. The attacker would have to steal the user's private key, their
PIN and the server's private key, correct?

I know that if the PC is compromised anything is possible, but I think
this raises the bar significantly - perhaps to an unprofitable level.

Steven M. Bellovin wrote:
> In message <42CFEE6E.1080607 at wikidsystems.com>, Nick Owen writes:
> 
>>It would seem simple to thwart such a trojan with strong authentication
>>simply by requiring a second one-time passcode to validate the
>>transaction itself in addition to the session.
>>
> 
> 
> How does the user know which transaction is really being authenticated?
> (I alluded to this in a 1997 panel session talk; see
> http://www.cs.columbia.edu/~smb/talks/ncsc-97/index.htm )
> 
> 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> 
> 
> 

-- 

Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
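The exchange discussed above, worked through as an added example that is not part of the original message or of WiKID's product: a browser (possibly trojaned) submits a transaction, the server returns a receipt stating the transaction as it actually received it, the user's token outside the browser checks the receipt and shows it to the user, and only a PIN-confirmed user signature over exactly those bytes lets the server execute. The example has the server sign the receipt with its private key so the token can verify it with the server's public key; that is a design choice made here, as are the Ed25519 keys, the server-chosen nonce that makes a confirmation single-use, and all names, payees and amounts, which are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the user intends to authorise. Nonce is chosen by the
// server so a signed confirmation cannot be replayed for a second payment.
type Transaction struct {
	Payee  string
	Amount uint64 // constructed example: cents
	Nonce  uint64
}

// Encode is a canonical serialisation; both sides must sign identical bytes.
func (t Transaction) Encode() []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[0:8], t.Amount)
	binary.BigEndian.PutUint64(buf[8:16], t.Nonce)
	return append(buf, t.Payee...)
}

// Receipt is what the server sends to the token: the transaction as the
// server received it, signed with the server's private key (assumption here).
type Receipt struct {
	Tx  Transaction
	Sig []byte
}

type Server struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	userPub ed25519.PublicKey
	pending map[uint64]Transaction
	next    uint64
}

func NewServer(userPub ed25519.PublicKey) *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{priv: priv, Pub: pub, userPub: userPub, pending: map[uint64]Transaction{}}
}

// IssueReceipt records the submitted transaction under a fresh nonce and signs it.
func (s *Server) IssueReceipt(tx Transaction) Receipt {
	s.next++
	tx.Nonce = s.next
	s.pending[tx.Nonce] = tx
	return Receipt{Tx: tx, Sig: ed25519.Sign(s.priv, tx.Encode())}
}

// Execute accepts the user's signature only over the exact bytes it issued,
// and only once per nonce.
func (s *Server) Execute(nonce uint64, userSig []byte) error {
	tx, ok := s.pending[nonce]
	if !ok {
		return errors.New("server: unknown or already used nonce")
	}
	if !ed25519.Verify(s.userPub, tx.Encode(), userSig) {
		return errors.New("server: user signature invalid")
	}
	delete(s.pending, nonce)
	return nil
}

// Token models the user's device outside the browser: it holds the user's
// private key, verifies the server's signature on the receipt, and releases
// a signature only after the displayed receipt is confirmed with the PIN.
type Token struct {
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
	ServerPub ed25519.PublicKey
	pin       string
}

func NewToken(pin string) *Token {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv, Pub: pub, pin: pin}
}

// Confirm is the user's check: intended is what the user meant to send; the
// receipt's payee and amount must match it (the nonce is server-chosen).
func (t *Token) Confirm(r Receipt, intended Transaction, pin string) ([]byte, error) {
	if !ed25519.Verify(t.ServerPub, r.Tx.Encode(), r.Sig) {
		return nil, errors.New("token: receipt not signed by server")
	}
	if r.Tx.Payee != intended.Payee || r.Tx.Amount != intended.Amount {
		return nil, fmt.Errorf("token: receipt %q/%d does not match intended %q/%d",
			r.Tx.Payee, r.Tx.Amount, intended.Payee, intended.Amount)
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		return nil, errors.New("token: wrong PIN")
	}
	return ed25519.Sign(t.priv, r.Tx.Encode()), nil
}

// Scenario runs the exchange once; tamper, if non-nil, is a browser trojan
// altering the transaction between the user and the server.
func Scenario(tamper func(Transaction) Transaction) error {
	token := NewToken("4711")
	server := NewServer(token.Pub)
	token.ServerPub = server.Pub
	intended := Transaction{Payee: "ACME Utilities", Amount: 1250}
	submitted := intended
	if tamper != nil {
		submitted = tamper(submitted)
	}
	receipt := server.IssueReceipt(submitted)
	sig, err := token.Confirm(receipt, intended, "4711")
	if err != nil {
		return err
	}
	return server.Execute(receipt.Tx.Nonce, sig)
}

func main() {
	fmt.Println("honest:", Scenario(nil))
	fmt.Println("trojan:", Scenario(func(tx Transaction) Transaction {
		tx.Payee, tx.Amount = "Mule Account", 999900
		return tx
	}))
}
```

The point of the construction is that the server signs what it will execute and the token signs what the user saw, over the same bytes, so a trojan that edits the browser's submission changes the receipt the user is shown and the confirmation is withheld. What it does not cover is a compromise of the token itself, or a user who confirms without reading; those remain the limits the thread is about.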
