[17036] in cryptography@c2.net mail archive


Re: two-factor authentication problems

daemon@ATHENA.MIT.EDU (Ed Gerck)
Sun Mar 13 14:14:50 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 07 Mar 2005 12:39:57 -0800
From: Ed Gerck <egerck@nma.com>
To: Matt Crawford <crawdad@fnal.gov>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <f041ebdf457acb1964be50a0a2aeda74@fnal.gov>



Matt Crawford wrote:
> 
> On Mar 5, 2005, at 11:32, Ed Gerck wrote:
> 
>> The worse part, however, is that the server side can always fake your
>> authentication using a third-party because the server side can
>> always calculate ahead and generate "your next number" for that
>> third-party to enter -- the same number that you would get from your
>> token. So, if someone breaks into your file using "your" number --
>> who is responsible? The server side can always deny foul play.
> 
> 
> Huh?  The server can always say "response was good" when it wasn't 
> good.  Unless someone reclaims the server from the corrupt operator and 
> analyzes it, the results are the same.

This is a different attack. If you have someone outside auditing, they will
notice what you said but not what I said. A simple log verification will
show the response was NOT good in your case. What I said passes 100% all
auditing -- and the operator does not have to be corrupt.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
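
The distinction drawn in this reply, as an added example that is not part of the original message: it assumes an HOTP-style token (RFC 4226; the thread names no token or algorithm) whose seed is also held by the server, and replays a constructed log the way an outside auditor would. The wrong response recorded as accepted is flagged, while the code computed from the server's copy of the seed is indistinguishable from the token holder's.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def audit(seed: bytes, log: list[dict]) -> list[dict]:
    """Auditor's replay: recompute each logged code and compare with the verdict."""
    findings = []
    for entry in log:
        expected = hotp(seed, entry["counter"])
        code_ok = hmac.compare_digest(expected, entry["code"])
        if code_ok != entry["accepted"]:
            findings.append(entry)
    return findings

# Constructed sample data: the RFC 4226 test seed and hypothetical log entries.
# "who" is a label for the reader only; the audit never sees who typed a code.
SEED = b"12345678901234567890"
LOG = [
    # Code typed by the real token holder.
    {"who": "token holder", "counter": 0, "code": hotp(SEED, 0), "accepted": True},
    # Crawford's case: a response that was not good, logged as accepted.
    {"who": "bad verdict", "counter": 1, "code": "000000", "accepted": True},
    # Gerck's case: "your next number", computed from the server's seed copy.
    {"who": "server-derived", "counter": 2, "code": hotp(SEED, 2), "accepted": True},
]

def flagged() -> list[str]:
    """Labels of the log entries the auditor's replay rejects."""
    return [entry["who"] for entry in audit(SEED, LOG)]

if __name__ == "__main__":
    print(flagged())
```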
