[Cryptography] Phishing Attacks - Alice, HAL and Bob

Maxime MEYER maxime.meyer at huawei.com
Mon Aug 22 04:56:04 EDT 2016


"You’re about to hop into bed with
a woman and you are wondering if the condoms you have are genuine or
fake? You open the tamper proof packaging (a one-way function) retrieve
a one-time password from inside the packaging. Now you enter that code
into a website. If the genuine manufacturer confirms the code, then the
condoms are genuine, otherwise they are fake."

I think that the problem would still apply here.
What if the package is intercepted?
Then the attacker could reproduce the same package with a valid one-time password
in a new packaging, sealing this new one and selling it as a genuine one.

However, for the package seal, I have seen one company that is making sealing RFID tags working with PUF technology for authentication of the product, Verayo Inc (http://www.verayo.com/)
________________________________________
From: cryptography [cryptography-bounces+maxime.meyer=huawei.com at metzdowd.com] on behalf of Joseph Kilcullen [kilcullenj at gmail.com]
Sent: Friday, August 19, 2016 6:12 PM
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Phishing Attacks - Alice, HAL and Bob

So if you're all out there, reading these posts, can you look at my
original posts that started this thread i.e.

June (4 posts)  First =
http://www.metzdowd.com/pipermail/cryptography/2016-June/029544.html
July (2 posts) First =
http://www.metzdowd.com/pipermail/cryptography/2016-July/029695.html

I'm arguing that a remote website (Mallory/a phishing website) cannot
counterfeit a secret shared between me and my web browser. At least not
without hacking into my PC first. And that's hacking, not phishing!

Another example, connected with the second paper, is the Kellogg's ‘Free
Spoon’ offer i.e. a one-time password inside the cereal box is entered
into a website to get your free spoon. If the code works then you know
your box of cereal is not counterfeit. The thing is, someone needs to
tell the pharmaceutical industry (and cigarettes industry) so that they
can use this solution on their products. Like the coin solution this is
cryptography/authentication, it just doesn’t look like it because there
is no maths involved.

P.S. Cool responses, very helpful, I love the nuclear energy connection.
So thank you Jerry, Dirk-Willem, Philip and Thierry. Some of my original
work did involve laminating glitter to create random patterns. And
assessing daft ideas like printing digital signatures onto sheets that
would be inside your box of drugs. (That’s a telephone directory sized
book inside your box of toothpaste. After scanning it in (OCR) you
verify the digital signature, then compare a picture inside the digital
signature to a piece of glass with glitter inside it. Also inside the
box with your toothpaste. I guess you might have issues if you do this
rather than brush your teeth with the fake toothpaste.)

Ok. Joking aside, real world example: You’re about to hop into bed with
a woman and you are wondering if the condoms you have are genuine or
fake? You open the tamper proof packaging (a one-way function) retrieve
a one-time password from inside the packaging. Now you enter that code
into a website. If the genuine manufacturer confirms the code, then the
condoms are genuine, otherwise they are fake.

About 11 years ago there was a small baby boom in Ireland after a batch
of condoms was found to be faulty. The media did not report them as
counterfeit, just faulty. Legal issues I guess.

This is cryptography/authentication, confirmation of a shared secret,
one-time functions etc. etc.

Also, the two papers are connected: one is about the counterfeiting of
websites (phishing), the other the counterfeiting of pharmaceutical drugs. In
both cases the solution is classic cryptography.
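The interception case raised in the reply above (a valid code copied into a new, resealed package) is exactly what a product-verification service must account for. The following is an added example, not code from either poster: a hypothetical issuer stores only a keyed hash of each printed one-time code, burns a code on the first successful check, and counts repeat presentations as a cloning signal. It cannot tell the honest buyer from the clone buyer when both check, but it turns an invisible replay into a measurable one.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class CodeRecord:
    used: bool = False   # burned on the first "genuine" answer
    checks: int = 0      # how many times anyone presented this code


class OneTimeCodeService:
    """Hypothetical verification backend for codes printed inside packaging."""

    def __init__(self, server_secret: bytes):
        # Keyed hashing means a leaked code table does not yield printable codes.
        self._secret = server_secret
        self._codes: dict[str, CodeRecord] = {}

    def _digest(self, code: str) -> str:
        normalized = code.strip().lower()
        return hmac.new(self._secret, normalized.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        # 64-bit random code: too large to guess, small enough to print.
        code = secrets.token_hex(8)
        self._codes[self._digest(code)] = CodeRecord()
        return code

    def verify(self, code: str) -> str:
        rec = self._codes.get(self._digest(code))
        if rec is None:
            return "unknown"          # never issued: counterfeit or typo
        rec.checks += 1
        if rec.used:
            return "already_used"     # replay: genuine code seen a second time
        rec.used = True
        return "genuine"

    def cloned_codes(self) -> int:
        # Codes presented more than once: the interception/resealing signal.
        return sum(1 for rec in self._codes.values() if rec.checks > 1)


if __name__ == "__main__":
    svc = OneTimeCodeService(b"constructed-demo-secret")
    printed = svc.issue()
    print(svc.verify(printed), svc.verify(printed), svc.cloned_codes())
```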



_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


More information about the cryptography mailing list