[17551] in cryptography@c2.net mail archive
Re: massive data theft at MasterCard processor
daemon@ATHENA.MIT.EDU (James A. Donald)
Thu Jun 23 23:48:16 2005
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
Date: Thu, 23 Jun 2005 19:58:41 -0700
In-reply-to: <42B97806.3000301@garlic.com>
--
On 22 Jun 2005 at 8:39, Anne & Lynn Wheeler wrote:
> the dual-use attack ... is possibly a person-centric
> digitally signing token (in contrast to
> institutional-centric token where each institution
> might issue a unique token for every use) ... that can
> be registered for use in multiple places and
> applications.
>
> one of the digital signing scenarios is pure
> authentication where the server sends out some random
> data which the end-user signs (effectively a variation
> on challenge/response as countermeasure against replay
> attacks).
Rather the server should send out some encrypted random
data which the end user decrypts. End user should then
prove knowledge of that encrypted data.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
mvLPUs8OZQJeGGYzUgIlJCvGBKsPF9FUruhnF3tE
4Krdy9r1LLw/aZSGjrIDNHXOcHkloS7F9MGLCTB6o
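Added example, not part of the original message and not either author's code: a toy comparison of the two challenge styles discussed above. It assumes the dual-use risk is that a value signed as a "random" challenge can also verify as a signature on a document; the textbook RSA key (no padding, built from two small Mersenne primes) and all function names are illustrative assumptions.

```python
import hashlib, hmac, secrets

# Constructed toy key: textbook RSA, no padding, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest_int(data: bytes) -> int:
    """Document digest as an integer below N (truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def verify_document(doc: bytes, sig: int) -> bool:
    """What a relying party checks for a signed document."""
    return pow(sig, E, N) == digest_int(doc)

# Style 1 (quoted text): token signs whatever "random data" the server sends.
def token_sign_challenge(challenge: int) -> int:
    return pow(challenge, D, N)

# Style 2 (the reply): server encrypts a nonce, token proves it could decrypt.
def server_make_challenge():
    nonce = secrets.randbelow(N - 2) + 2
    return nonce, pow(nonce, E, N)          # (kept by server, sent to token)

def proof_of(nonce: int) -> bytes:
    return hashlib.sha256(b"auth-proof" + nonce.to_bytes(32, "big")).digest()

def token_respond(ciphertext: int) -> bytes:
    # Only a hash of the plaintext leaves the token, never the plaintext itself.
    return proof_of(pow(ciphertext, D, N))

def server_check(nonce: int, response: bytes) -> bool:
    return hmac.compare_digest(response, proof_of(nonce))

def dual_use_outcome(doc: bytes):
    """Send a document digest in place of the random value, in both styles."""
    disguised = digest_int(doc)
    sig = token_sign_challenge(disguised)
    resp = int.from_bytes(token_respond(disguised), "big") % N
    return verify_document(doc, sig), verify_document(doc, resp)

if __name__ == "__main__":
    nonce, ct = server_make_challenge()
    print("honest decrypt-style login ok:", server_check(nonce, token_respond(ct)))
    print("(sign-style, decrypt-style) yields document signature:",
          dual_use_outcome(b"constructed sample document"))
```

With raw RSA the decrypt operation is the same exponentiation as signing, so the decrypt style only avoids the problem because the token returns a hash of the plaintext rather than the plaintext.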