[17027] in cryptography@c2.net mail archive


Re: two-factor authentication problems

daemon@ATHENA.MIT.EDU (Matt Crawford)
Sun Mar 6 22:37:57 2005

X-Original-To: cryptography@metzdowd.com
Date: Sun, 06 Mar 2005 20:37:56 -0600
From: Matt Crawford <crawdad@fnal.gov>
In-reply-to: <4229ED41.2030602@nma.com>
To: Ed Gerck <egerck@nma.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>


On Mar 5, 2005, at 11:32, Ed Gerck wrote:

> The worse part, however, is that the server side can always fake your
> authentication using a third-party because the server side can
> always calculate ahead and generate "your next number" for that
> third-party to enter -- the same number that you would get from your
> token. So, if someone breaks into your file using "your" number --
> who is responsible? The server side can always deny foul play.

Huh?  The server can always say "response was good" when it wasn't 
good.  Unless someone reclaims the server from the corrupt operator and 
analyzes it, the results are the same.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
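
Added example, not part of the original messages: a sketch of a counter-based one-time-password token, assuming HOTP (RFC 4226) because the thread does not name the token algorithm. It shows that the verifier holds the same secret as the token and therefore derives the identical "next number", so a code alone cannot show which side produced it. The class names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """The user's device: holds the shared secret and an event counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """The verifier: holds the same secret, so it can compute whatever the token can."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok

    def upcoming_codes(self, n: int) -> list:
        # Verification needs only the secret and counter, and so does generation.
        return [hotp(self.secret, self.counter + i) for i in range(n)]


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    token, server = Token(secret), Server(secret)
    print("server derives:", server.upcoming_codes(3))
    print("token displays:", [token.next_code() for _ in range(3)])
```

Because both parties share one symmetric secret, a record of an accepted code carries no evidence about its origin; attributing it to the user would need a credential the server cannot reproduce, such as a signature made with a key that never leaves the token.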
