the limits of crypto and authentication

Perry E. Metzger perry at piermont.com
Sun Jul 10 11:48:51 EDT 2005


Florian Weimer <fw at deneb.enyo.de> writes:
> * Perry E. Metzger:
>> Nick Owen <nowen at wikidsystems.com> writes:
>>> It would seem simple to thwart such a trojan with strong authentication
>>> simply by requiring a second one-time passcode to validate the
>>> transaction itself in addition to the session.
>>
>> Far better would be to have a token with a display attached to the
>> PC. The token will display a requested transaction to the user and
>> only sign it if the user agrees. Because the token is a trusted piece
>> of hardware that the user cannot install software on, it provides a
>> trusted communications path to the user that the PC itself cannot.
>
> On the surface, we already have such technology in Germany (it's
> optional for bank customers), but there's a drawback: The external
> device doesn't know anything about the structure of banking
> transactions, so it relies on the (potentially compromised) host
> system to send the correct message to display before generating the
> signature.  Ouch.

That could be fixed. I think the right design for such a device has it
only respond to signed and encrypted requests from the issuing bank
directed at the specific device, and only make signed and encrypted
replies directed only at the specific issuing bank. If anything in
between can tamper with the communications channel you don't have the
properties you want out of this.

Given such a structure, however, you can know when the device displays
"Pay 53.22 euros to amazon.fr for book X" that this is precisely the
transaction you are authorizing, and that the communication will
not authorize any other transaction, its interception will not permit
the authorization of any other transaction, and no replay of the
transaction is possible.

However, you need both the end to end communication and the hardware
token with built in display and keyboard.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list