[Cryptography] What do we mean by ... ???
Jerry Leichter
leichter at lrw.com
Tue Feb 17 17:38:05 EST 2015
On Feb 17, 2015, at 4:10 PM, Natanael <natanael.l at gmail.com> wrote:
> This setup means that Achmed's sister can not see that you're reusing
> the same dongle for logging in to her site even if she could see his
> database. It means that Achmed can't reuse your reply for his server
> to get access to accounts that you have on his sister's service. It
> means somebody who pretends to be Achmed either won't get a response
> at all (wrong or bad certificate) or will get a response they can't
> reuse against Achmed's service (because your device did not attempt to
> authenticate *to Achmed*, but to a completely different service that
> just have a similar name). And it means a MITM can not tamper with the
> authentication, they can only act as a transparent proxy with access
> to nothing but ciphertext or break the connection....
A tangent, and just a matter of satisfying my curiosity: Can Achmed forge a session from me *to himself*? It sounds odd, but if he can, he can create a fake order apparently from me and insist I pay for it. Sure, I can add a separate signature to every order - but if it could someone come out of this protocol, so much the better.
-- Jerry
More information about the cryptography
mailing list