two-factor authentication problems
Ed Gerck
egerck at nma.com
Mon Mar 7 15:39:57 EST 2005
Matt Crawford wrote:
>
> On Mar 5, 2005, at 11:32, Ed Gerck wrote:
>
>> The worse part, however, is that the server side can always fake your
>> authentication using a third-party because the server side can
>> always calculate ahead and generate "your next number" for that
>> third-party to enter -- the same number that you would get from your
>> token. So, if someone breaks into your file using "your" number --
>> who is responsible? The server side can always deny foul play.
>
>
> Huh? The server can always say "response was good" when it wasn't
> good. Unless someone reclaims the server from the corrupt operator and
> analyzes it, the results are the same.
This is a different attack. If you have someone outside auditing, they will
notice what you said but not what I said. A simple log verification will
show the response was NOT good in your case. What I said passes 100% all
auditing -- and the operator does not have to be corrupt.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list