the limits of crypto and authentication
Jaap-Henk Hoepman
jhh at cs.ru.nl
Tue Jul 19 08:37:14 EDT 2005
Actually, Dutch banks already give users the option to receive one-time
pass-codes by SMS to authenticate internet banking transactions (instead of
sending a list of those codes on paper by ordinary mail in advance). So it's
less unrealistic than you think.
Jaap-Henk
On Sat, 09 Jul 2005 20:38:38 +0200 Florian Weimer <fw at deneb.enyo.de> writes:
> You send the pass code in an SMS to the user's mobile phone, together
> with some information on the transaction. (If the SMS delay is a
> problem, use a computer-generated phone call.) The pass code is then
> entered by the user to authorize the transaction.
>
> This will eventually break down, once PCs and mobile phones are
> integrated tightly, but in the meantime, it's reasonably secure even
> if the client PC is compromised.
>
> I'm not sure if users will accept it, though. What's worse, the costs
> for sending the SMS message (or making the phone call) are so
> significant that it's unrealistic we'll see widespread use of such
> technologies.
>
> (Manually transferring cryptographic tokens which depend on the
> transaction contents seems to be infeasible, given the number of bits
> which must be copied.)
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
--
Jaap-Henk Hoepman | I've got sunshine in my pockets
Dept. of Computer Science | Brought it back to spray the day
Radboud University Nijmegen | Gry "Rocket"
(w) www.cs.ru.nl/~jhh | (m) jhh at cs.ru.nl
(t) +31 24 36 52710/53132 | (f) +31 24 3653137
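
Added example (not from the original messages or from any bank's system): bank-side handling of the scheme discussed in this thread, with the one-time code bound to the transaction details repeated in the SMS, so a code issued for one transfer cannot authorize an altered one. The class name, code length, lifetime, retry limit and account strings are assumptions constructed for illustration.

```python
import hmac
import secrets

CODE_DIGITS = 6    # assumed code length
CODE_TTL = 300     # assumed lifetime in seconds
MAX_ATTEMPTS = 3   # assumed retry limit


class TransactionAuthorizer:
    """Bank-side store of pending one-time codes, one per transaction."""

    def __init__(self):
        self._pending = {}  # tx_id -> [code, bound details, expiry, attempts left]

    @staticmethod
    def _details(account, amount_cents):
        return f"{account}|{amount_cents}"

    def issue(self, tx_id, account, amount_cents, now):
        """Create a code for this transaction and return the SMS text."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[tx_id] = [code, self._details(account, amount_cents),
                                now + CODE_TTL, MAX_ATTEMPTS]
        euros = f"{amount_cents // 100}.{amount_cents % 100:02d}"
        # The SMS repeats the details so the user can compare them with
        # what was intended, independently of the (possibly compromised) PC.
        return f"Code {code} authorizes EUR {euros} to {account}"

    def confirm(self, tx_id, account, amount_cents, code, now):
        """Accept only the right code for exactly the details that were sent."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return False
        stored, details, expiry, attempts = entry
        if now > expiry:
            del self._pending[tx_id]
            return False
        ok = (details == self._details(account, amount_cents)
              and hmac.compare_digest(stored.encode(), code.encode()))
        if ok or attempts <= 1:
            del self._pending[tx_id]   # one-time use, or retries exhausted
        else:
            entry[3] = attempts - 1
        return ok
```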