HTTPS mutual authentication alpha release - please test

Nick Owen nowen at wikidsystems.com
Thu Nov 3 13:06:22 EST 2005


cyphrpunk wrote:
> On 10/31/05, Nick Owen <nowen at wikidsystems.com> wrote:
> 
>>The system works this way: Each WiKID domain now can include a
>>'registered URL' field and a hash that website's SSL certificate.  When
>>a user wants to log onto a secure web site, they start the WiKID token
>>and enter their PIN. The PIN is encrypted and sent to the WiKID server
>>along with a one-time use AES key and the registered URL.  The server
>>responds with a hash of the website's SSL certificate.  The token client
>>fetches the SSL certificate of the website and compares it the hash.  If
>>the hashes don't match, the user gets an error.  If they match, the user
>>is presented with registered URL and the passcode.  On supported
>>systems, the token client will launch the default browser to the
>>registered URL.
> 
> 
> What threat is this supposed to defend against? Is it phishing? I
> don't see how it will help, if the bogus site has a valid certificate.

Yes, phishing.  The token client isn't checking to see if the cert is
valid, it's only checking to see if it's the same as the one that is on
the WiKID authentication server.  The cert doesn't have to be valid or
have the root CA in the browser.

> 
> 
>>Most one-time-password systems suffer from man-in-the-middle attacks
>>primarily due to difficulties users have with validating SSL
>>certificates. The goal of this release is to validate certificates for
>>the end user, providing an SSH-esque security for web-enabled
>>applications such as online banking.
> 
> 
> What does it mean to "validate a certificate"? Aren't certs
> self-validating, based on the key of the issuer? Again, what is this
> protecting against?

Bad choice of words on my part - validate is a loaded word vis-a-vis
certs.  The token client pulls down a hash of the certificate from the
WiKID server. It pulls the certificate from the website and performs a
hash on it.  It compares the two hashes and if they match, presents the
user with the OTP and the message:
"This URL has been validated. It is now safe to proceed."

Does that clarify?

> 
> CP
> 

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list