[Cryptography] So please tell me. Why is my solution wrong?

Thierry Moreau thierry.moreau at connotech.com
Thu Feb 16 09:52:59 EST 2017


On 15/02/17 10:24 PM, John Levine wrote:
> In article <CACQRC431R7+vcZ9e7Cyyfc1riq9kKuPYy=9hCxwypZ_VcaRj0A at mail.gmail.com> you write:
>> Having dongles where you just press a button would be much
>> better, so don't tell me that they are available right now.
>
> They are available right now.  I know this because I am holding two of
> them in my hand.  One is a U2F key by Yubico, the other is a Plug-Up
> security key.  They both implement an open spec from the FIDO
> alliance.

I wonder to what extent the "open" qualification actually applies (IPR 
encumbrance, completeness of the specification, mandatory consortium 
membership fees, ...).

> Physically, they're USB dongles that pretend to be keyboards and send
> a text string, when you push a button on the Yubico, or when you plug
> it in with the Plug-up.  They are about the size of a house key and
> have a hole so you can put them on a keychain.
>
> I use one of them to secure my Google account.  They work pretty well
> if you're using a computer with a USB port, not at all from a phone
> since there's no place to plug them in, and even with a USB to micro
> USB adapter, phone apps tend not to expect input from a physical
> keyboard.
>
> Then there's Google Validator, an app that runs on your phone and
> generates those six-digit codes.  It's also an open spec, anyone can
> use it and many do.

Does "open spec" mean a no-fee download from a Google-controlled app store? 
(I am not knowledgeable about the mobile app development environment, but the 
last time I checked, the basic required hardware was hard to procure 
without developer licenses with too much -- seemingly -- innocuous 
legalese.)

> My Validator app generates codes for my Amazon
> account, my Hurricane Electric tunnelbroker account, my Tucows
> registrar account, my Bitstamp account, my Synology disk server, and
> also my Google account.
>
> None of this is obscure.

All these services are controlled by remote entities. To some readers of 
this list, those remain difficult to trust, and perhaps plainly obscure.

>  It's all easy to find if you look for it.

Maybe it's available with some leap of faith in security techniques 
implemented by those remote entities. However, trust backed by a 
reasonable security review appears totally out of reach.

Regards,

- Thierry
