[Cryptography] So please tell me. Why is my solution wrong?

Tom Mitchell mitch at niftyegg.com
Fri Feb 10 16:07:13 EST 2017 

On Tue, Feb 7, 2017 at 10:20 AM, Joseph Kilcullen <kilcullenj at gmail.com>
wrote:

> This is a link to my original post back in June 2016. You people never
> told me why my solution is wrong.
>
> So please tell me. Why is my solution wrong?
>

I suspect you would have done better to include the abstract.
The limited context is an interesting focused and bounded problem.
Yes limited in ways that make it easy to dismiss.
The first line of the abstract got my attention:
   "I researched the ability of browsers to counterfeit the behaviour of
installed software."
   ....See below for full abstract....
Comment:
Browser based interfaces are getting common enough that understanding the
details of this limited
case has value.  One is understand what and how to constrain the feature
set of browsers.
There are sites and users that work exclusively in a single application and
they are easy to attack this way.
The application is loaded and the user logs in and out of the application
not the system.
Should an attacker know a lot about a specific application (insider) and
the site itself an agent could do stuff to steal credentials.   Some
applications
have credential based privileges and a user at a low level could leave a
live
imposter screen in an attempt to grab the password of a higher level.
A frustrated user attempting to log in might hit reset or never blink twice
at a blue
screen of death.  A binary could do more ...

----
Abstract. I researched the ability of browsers to counterfeit the behaviour
of installed software. In full screen mode browsers can counterfeit almost
anything, including BSOD, formatting the hard drive and fake login screens.
I found one category of behaviour which could not be counterfeited by a
remote website. On examination every solution in that category was a secret
known by the computer user and her browser. That is, remote websites cannot
counterfeit what they do not know. Neither Bob nor Mallory know secrets
shared between the computer user and her computer. This transformed game
theory research into cryptography research. On successful verification of a
TLS certificate’s digital signature the browser should present the
’user-browser’ shared secret together with the TLS certificate’s identity
credentials. This allows the user to authenticate both her browser and the
identity specified in the TLS certificate. Following these conclusions, an
authentication mechanism for manufactured goods is presented.

Here's a link to the latest version of the paper:
> https://arxiv.org/abs/1511.03894





-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170210/d6159e1f/attachment.html>

More information about the cryptography mailing list