once more, with feeling.
James A. Donald
jamesd at echeque.com
Tue Sep 23 02:59:25 EDT 2008
Leichter, Jerry wrote:
> The problem is what that "something else" should be. Keyfobs with
> one-time passwords are a good solution from the pure security point
> of view, but (a) people find them annoying; (b) when used with
> existing input mechanisms, as they pretty much universally are, are
> subject to MITM attacks. The equivalent technology on a USB plugin
> is much easier on the user in some circumstances, but is subject to
> some bad semantic attacks, as discussed here previously. Also, it's
> not a great solution for mobile devices.
>
> DoD/government uses smartcards, but that's probably not acceptable to
> the broad population. There's been some playing around with cellphones
> playing the role of smartcard, but cellphones are not inherently secure
> either.
Cellphones are not inherently secure, but *could* be inherently secure.
Each cellphone sim card has a unique identity. It is possible to
guarantee that a message goes to or from a cellphone containing a
particular sim card - but present phone software provides no means to do
this.
If a cellphones has nfc communications capable of talking to a pc, then
the whole interaction could be made painlessly automatic - touch your
cellphone to the pc nfc sensor to login to the website, touch it to the
security door to unlock the security door, touch it to the cash
register, observe the indicated payment on the cellphone screen, and
press OK, touch it to the screenless, keyboardless atm, and the
interaction comes up on your phone screen instead of the ATM screen,
touch cellphones to pay money from one individual to another.
The major obstacle is that the government would want a strong binding
between sim cards and true names, which is no more practical than a
strong binding between physical keys and true names.
Absent useful cellphone software, passwords must suffice. With a limit
on the number of guesses before people get locked out, passwords *do*
suffice - but then we need a means to unlock the account, and a means of
password recovery.
Although cellphones and email are insecure, a use once short lived
password emailed or instant messaged to the user is secure enough.
Trouble is, what happens if the user's email account is stolen?
I had this problem. I was using my hotmail account as the password
recovery account for various high value domain names. Someone called up
hotmail's password recovery, and human engineered a password reset out
of the hotmail staff, and then used email based password recovery to
seize my domain names. I eventually got them back, using reset
passwords snail mailed to my physical post office box, and now the
email account associated with my domain names is at a service that
provides no password recovery mechanism - and therefore provides an
attacker with a very large number of opportunities to guess, requiring
an insanely strong password.
Snail mail to a post office box is a secure password reset mechanism,
short of a well timed physical attack on the post office.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list