[Cryptography] Phishing Attacks - Alice, HAL and Bob

Joseph Kilcullen kilcullenj at gmail.com
Fri Aug 19 12:12:46 EDT 2016


So if you're all out there, reading these posts, can you look at my 
original posts that started this thread i.e.

June (4 posts)  First = 
http://www.metzdowd.com/pipermail/cryptography/2016-June/029544.html
July (2 posts) First = 
http://www.metzdowd.com/pipermail/cryptography/2016-July/029695.html

I'm arguing that a remote website (Mallory/a phishing website) cannot 
counterfeit a secret shared between me and my web browser. At least not 
without hacking into my PC first. And that's hacking, not phishing!

Another example, connected with the second paper, is the Kellogg's ‘Free 
Spoon’ offer i.e. a one-time password inside the cereal box is entered 
into a website to get your free spoon. If the code works then you know 
your box of cereal is not counterfeit. The thing is, someone needs to 
tell the pharmaceutical industry (and cigarette industry) so that they 
can use this solution on their products. Like the coin solution this is 
cryptography/authentication; it just doesn’t look like it because there 
is no maths involved.

P.S. Cool responses, very helpful, I love the nuclear energy connection. 
So thank you Jerry, Dirk-Willem, Philip and Thierry. Some of my original 
work did involve laminating glitter to create random patterns. And 
assessing daft ideas like printing digital signatures onto sheets that 
would be inside your box of drugs. (That’s a telephone directory sized 
book inside your box of toothpaste. After scanning it in (OCR) you 
verify the digital signature, then compare a picture inside the digital 
signature to a piece of glass with glitter inside it. Also inside the 
box with your toothpaste. I guess you might have issues if you do this 
rather than brush your teeth with the fake toothpaste.)

Ok. Joking aside, real world example: You’re about to hop into bed with 
a woman and you are wondering if the condoms you have are genuine or 
fake? You open the tamper-proof packaging (a one-way function) and retrieve 
a one-time password from inside the packaging. Now you enter that code 
into a website. If the genuine manufacturer confirms the code, then the 
condoms are genuine, otherwise they are fake.

About 11 years ago there was a small baby boom in Ireland after a batch 
of condoms was found to be faulty. The media did not report them as 
counterfeit, just faulty. Legal issues I guess.

This is cryptography/authentication, confirmation of a shared secret, 
one-time functions etc. etc.

Also, the two papers are connected: one is about the counterfeiting of 
websites (phishing), the other the counterfeiting of pharmaceutical drugs. In 
both cases the solution is classic cryptography.
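The manufacturer-side check described in the post (issue one unguessable code per package, accept it exactly once, report a replayed or never-issued code) as an added illustration in Python; this is example code, not anything from the original post, and the pepper, alphabet and code length are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet: no 0/O/1/I so codes printed on packaging are not misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class CodeIssuer:
    """Manufacturer-side store of one-time authenticity codes.

    Only a keyed hash (HMAC with a server-side pepper) of each code is kept,
    so a leaked table gives a counterfeiter neither the codes nor an offline
    brute-force target. The pepper here is a constructed example value.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._codes = {}  # keyed hash -> True once the code has been redeemed

    def _tag(self, code: str) -> str:
        return hmac.new(self._pepper, code.upper().encode(), hashlib.sha256).hexdigest()

    def issue(self, length: int = 16) -> str:
        """Generate a code for one package (32^16 ~ 2^80 space, so guessing is hopeless)."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._codes[self._tag(code)] = False
        return code

    def redeem(self, code: str) -> str:
        """'genuine' on first valid use; 'already used' when the same code comes
        back again (copied from a real package); 'unknown' when it was never issued."""
        tag = self._tag(code)
        if tag not in self._codes:
            return "unknown"
        if self._codes[tag]:
            return "already used"
        self._codes[tag] = True
        return "genuine"


def demo() -> list:
    """Walk one code through the three outcomes a verifier should distinguish."""
    issuer = CodeIssuer(pepper=b"constructed-example-pepper")
    code = issuer.issue()
    return [issuer.redeem(code), issuer.redeem(code), issuer.redeem("NOTISSUEDCODE123")]
```

A second "genuine" answer for one code should never happen; a burst of "already used" responses is the signal that codes are being copied from real packages.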