the limits of crypto and authentication

Jaap-Henk Hoepman jhh at cs.ru.nl
Tue Jul 19 08:37:14 EDT 2005


Actually, Dutch banks already give users the option to receive one-time
pass-codes by SMS to authenticate internet banking transactions (instead of
sending a list of those codes on paper by ordinary mail in advance). So it's
less unrealistic than you think.

Jaap-Henk

On Sat, 09 Jul 2005 20:38:38 +0200 Florian Weimer <fw at deneb.enyo.de> writes:
> You send the pass code in an SMS to the user's mobile phone, together
> with some information on the transaction.  (If the SMS delay is a
> problem, use a computer-generated phone call.)  The pass code is then
> entered by the user to authorize the transaction.
>
> This will eventually break down, once PCs and mobile phones are
> integrated tightly, but in the meantime, it's reasonably secure even
> if the client PC is compromised.
>
> I'm not sure if users will accept it, though.  What's worse, the costs
> for sending the SMS message (or making the phone call) are so
> significant that it's unrealistic we'll see widespread use of such
> technologies.
>
> (Manually transferring cryptographic tokens which depend on the
> transaction contents seems to be infeasible, given the number of bits
> which must be copied.)
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
>

-- 
Jaap-Henk Hoepman           |  I've got sunshine in my pockets
Dept. of Computer Science   |  Brought it back to spray the day
Radboud University Nijmegen |        Gry "Rocket"
(w) www.cs.ru.nl/~jhh       |  (m) jhh at cs.ru.nl
(t) +31 24 36 52710/53132   |  (f) +31 24 3653137
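
Added example, not part of the original thread: a sketch of the bank-side logic for the scheme Florian Weimer describes above, where the pass code is issued for one transaction and the SMS carries that transaction's details. The class, method and parameter names, the 6-digit code length and the 5-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6   # assumed pass code length
CODE_TTL = 300    # assumed validity window, in seconds


class SmsTransactionAuth:
    """Bank-side bookkeeping: one random pass code per pending transaction."""

    def __init__(self):
        self._pending = {}  # txn_id -> (code, payee, amount_cents, expires_at)

    def start(self, txn_id, payee, amount_cents, now=None):
        """Register a transaction; return (code, SMS text) for the phone channel."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[txn_id] = (code, payee, amount_cents, now + CODE_TTL)
        # The SMS repeats the transaction details so the user can compare them
        # with what was intended, independently of what the PC displays.
        sms = f"Code {code} authorizes {amount_cents / 100:.2f} EUR to {payee}"
        return code, sms

    def confirm(self, txn_id, payee, amount_cents, code, now=None):
        """Accept only the exact transaction the code was issued for."""
        now = time.time() if now is None else now
        # pop(): a code is spent on the first attempt, right or wrong, so a
        # short code cannot be guessed by retrying and cannot be replayed.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        want_code, want_payee, want_amount, expires_at = entry
        code_ok = hmac.compare_digest(want_code.encode(), str(code).encode())
        same_txn = (payee, amount_cents) == (want_payee, want_amount)
        return code_ok and same_txn and now <= expires_at
```

A transaction whose payee or amount was altered on the client after the code was issued fails `confirm`, which is the property that keeps the scheme useful when the PC is compromised.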
