[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 11:23:09 EST 2017


On 08-Feb-17 3:40 PM, Theodore Ts'o wrote:
>
> My bank is doing that already, and has been doing it for, oh, two or
> three years?  So it's hardly a new or novel technique.
>
>        - Ted

Nope, they haven't. It's not SiteKey. This is different.


A phisher cannot counterfeit fig 1 without hacking into people's home 
computers. Remote websites cannot access your hard disk. However, 
installed software, like your web browser, can. Hence a browser which 
displays information which remote websites cannot display is 
demonstrating that Fig 1 has been created by your web browser, not by a 
remote phishing website.


This solution is not SiteKey. It's getting your browser to force you to 
use TLS and all the cool identity authentication stuff already there, 
like certificate authorities etc.


See fig 9 on page 9 of the paper. Your web browser is an actor in the 
cryptography protocol! Hence your web browser must authenticate itself!

After the browser verifies the TLS's digital signature, the browser 
presents fig 1. The human looks at fig 1 and implicitly authenticates 
BOTH 'her browser' and the TLS identity, by entering her login 
credentials. The picture is stored locally.


