massive data theft at MasterCard processor

James A. Donald jamesd at echeque.com
Thu Jun 23 22:58:41 EDT 2005


    --
On 22 Jun 2005 at 8:39, Anne & Lynn Wheeler wrote:
> the dual-use attack ... is possibly a person-centric
> digitally signing token (in contrast to
> institutional-centric token where each institution
> might issue a unique token for every use) ... that can
> be registered for use in multiple places and
> applications.
>
> one of the digital signing scenarios is pure
> authentication where the server sends out some random
> data which the end-user signs (effectively a variation
> on challenge/response as countermeasure against replay
> attacks).

Rather the server should send out some encrypted random
data which the end user decrypts.  End user should then
prove knowledge of that encrypted data. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     mvLPUs8OZQJeGGYzUgIlJCvGBKsPF9FUruhnF3tE
     4Krdy9r1LLw/aZSGjrIDNHXOcHkloS7F9MGLCTB6o
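The two protocol shapes discussed above, as an added illustration that is not code from the original post or from either author. It uses a deliberately tiny textbook RSA (fixed small primes, no padding, so the private operation is literally the same for decrypting and signing) to make the control flow visible; the key values, the nonce range and the sample document are all constructed for the example. Variant 1 is the "server sends random data, user signs it" authentication Wheeler describes; variant 2 is Donald's "server sends encrypted data, user decrypts and proves knowledge". The last function shows why the wording "prove knowledge" matters: a client that simply hands back the decrypted value is again a signing oracle for whatever the server chose to send.

```python
"""Sign-the-challenge versus decrypt-an-encrypted-nonce-and-prove-knowledge.
Added illustration, not code from the original post.  The RSA here is a
deliberately tiny textbook version (fixed small primes, no padding,
private op == signing op) so that the control flow is visible; every name
and value below is constructed for the example."""
import hashlib
import secrets

# --- toy RSA keypair (assumption: small fixed primes, illustration only) ---
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # Python 3.8+ modular inverse
NBYTES = (N.bit_length() + 7) // 8

def public_op(x: int) -> int:         # encrypt, or verify a signature
    return pow(x, E, N)

def private_op(x: int) -> int:        # decrypt, or sign: one and the same operation
    return pow(x, D, N)

def _h(x: int) -> bytes:              # commit to an integer without revealing it
    return hashlib.sha256(x.to_bytes(NBYTES, "big")).digest()

# --- variant 1 (Wheeler's "pure authentication"): client signs what the server sends ---
def client_sign_challenge(challenge: int) -> int:
    return private_op(challenge)

def server_verify_signature(challenge: int, sig: int) -> bool:
    return public_op(sig) == challenge

# --- variant 2 (Donald's proposal): server encrypts a nonce, client decrypts it
# --- and proves it knows the plaintext without handing the plaintext back ---
def server_make_encrypted_nonce():
    nonce = secrets.randbelow(N - 2) + 2          # constructed nonce in [2, N-1]
    return nonce, public_op(nonce)

def client_prove_knowledge(ciphertext: int) -> bytes:
    return _h(private_op(ciphertext))

def server_check_proof(nonce: int, proof: bytes) -> bool:
    return secrets.compare_digest(_h(nonce), proof)

def honest_run_variant2() -> bool:
    nonce, ct = server_make_encrypted_nonce()
    return server_check_proof(nonce, client_prove_knowledge(ct))

# --- the dual-use problem: a dishonest server sends H(document) as the "challenge" ---
def doc_hash(doc: bytes) -> int:
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N

def dishonest_server_obtains_signature(doc: bytes, variant: str) -> bool:
    """True if the server ends up holding a value that verifies as the client's
    signature over `doc`.  Variant 1 always yields one.  In variant 2 the client
    applied the very same private operation, but released only a hash of the
    result, so nothing the server holds verifies."""
    h = doc_hash(doc)
    if variant == "sign":
        return server_verify_signature(h, client_sign_challenge(h))
    if variant == "decrypt-prove":
        proof = client_prove_knowledge(h)
        return public_op(int.from_bytes(proof, "big") % N) == h
    if variant == "decrypt-reveal":
        # Naive version of variant 2 that returns the plaintext itself: the
        # decryption oracle is a signing oracle again, which is why the reply
        # says "prove knowledge" rather than "send the data back".
        return server_verify_signature(h, private_op(h))
    raise ValueError(variant)

if __name__ == "__main__":
    print("honest variant 2:", honest_run_variant2())
    for v in ("sign", "decrypt-prove", "decrypt-reveal"):
        got = dishonest_server_obtains_signature(b"I owe you 1000", v)
        print(f"{v}: server obtains signature over document -> {got}")
```

Running the block prints True for the honest variant-2 exchange, then True / False / True for the three dishonest-server cases. The hash in `client_prove_knowledge` is what keeps a key that is registered with many relying parties from being turned into a document-signing oracle by any one of them; a real deployment would additionally use padded RSA (or a non-RSA scheme) and separate keys for signing and decryption, so that the two operations are not interchangeable in the first place.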



---------------------------------------------------------------------
The Cryptography Mailing List