[17735] in cryptography@c2.net mail archive


Re: the limits of crypto and authentication

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jul 9 13:28:21 2005

X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Nick Owen <nowen@wikidsystems.com>
Cc: cryptography@metzdowd.com
In-Reply-To: Your message of "Sat, 09 Jul 2005 11:34:06 EDT."
             <42CFEE6E.1080607@wikidsystems.com> 
Date: Sat, 09 Jul 2005 11:45:35 -0400

In message <42CFEE6E.1080607@wikidsystems.com>, Nick Owen writes:
>It would seem simple to thwart such a trojan with strong authentication
>simply by requiring a second one-time passcode to validate the
>transaction itself in addition to the session.
>

How does the user know which transaction is really being authenticated?
(I alluded to this in a 1997 panel session talk; see
http://www.cs.columbia.edu/~smb/talks/ncsc-97/index.htm )

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
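The exchange above, as an added simulation that is not part of the original post or of any product of the participants: a bank issues a challenge bound to a pending transaction, the user keys the challenge into a one-time-passcode token, and a browser trojan submits a different transaction than the one it describes on screen. Two token designs are compared, one that signs whatever is keyed in and one that decodes the challenge and shows payee and amount on its own display before signing. The shared seed, transactions, field names and challenge encoding are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed token seed shared by the user's token and the bank.
SHARED_KEY = b"token-seed-0123456789abcdef"
NONCE_LEN = 4


def canonical(txn):
    """Fixed-order encoding so token and bank MAC identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def otp_for(challenge_bytes):
    """Transaction OTP: truncated HMAC over nonce || transaction bytes."""
    return hmac.new(SHARED_KEY, challenge_bytes, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self):
        self.counter = 0
        self.pending = {}      # nonce (hex) -> transaction awaiting its OTP
        self.executed = []

    def begin(self, txn):
        """Register txn and return the challenge the user keys into the token."""
        self.counter += 1
        nonce = self.counter.to_bytes(NONCE_LEN, "big")
        self.pending[nonce.hex()] = txn
        return (nonce + canonical(txn)).hex()

    def confirm(self, challenge_hex, otp):
        """Execute the pending transaction only if the OTP binds to it."""
        raw = bytes.fromhex(challenge_hex)
        txn = self.pending.pop(raw[:NONCE_LEN].hex(), None)
        if txn is None or canonical(txn) != raw[NONCE_LEN:]:
            return False
        if not hmac.compare_digest(otp_for(raw), otp):
            return False
        self.executed.append(txn)
        return True


class OpaqueToken:
    """Signs whatever challenge is keyed in. Its display shows nothing about
    the transaction, so the PC screen is the user's only description of it."""

    def respond(self, challenge_hex, user_intends):
        return otp_for(bytes.fromhex(challenge_hex))


class DisplayingToken:
    """Decodes the challenge and shows payee/amount on its own display;
    signs only if that matches what the user meant to do."""

    def respond(self, challenge_hex, user_intends):
        raw = bytes.fromhex(challenge_hex)
        shown = json.loads(raw[NONCE_LEN:])
        if shown != user_intends:
            return None          # the user sees the mismatch and refuses
        return otp_for(raw)


def honest_session(token, txn):
    """No malware: the transaction shown on screen is the one submitted."""
    bank = Bank()
    challenge = bank.begin(txn)
    return bank.confirm(challenge, token.respond(challenge, txn))


def trojan_session(token, user_intends, attacker_txn):
    """Browser trojan: submits the attacker's transaction to the bank, but the
    screen says the challenge confirms the payment the user intended.
    Returns the transaction the bank executed, or None if nothing ran."""
    bank = Bank()
    challenge = bank.begin(attacker_txn)
    # The trojan-controlled screen: "Confirm payment to <user_intends payee>,
    # enter this code into your token: <challenge>". The user obeys.
    otp = token.respond(challenge, user_intends)
    if otp is None:
        return None
    bank.confirm(challenge, otp)
    return bank.executed[0] if bank.executed else None


if __name__ == "__main__":
    intended = {"payee": "alice", "amount": 50}
    rogue = {"payee": "mallory", "amount": 5000}
    print("opaque token, trojan present:", trojan_session(OpaqueToken(), intended, rogue))
    print("display token, trojan present:", trojan_session(DisplayingToken(), intended, rogue))
```

With the opaque token the bank's check passes and the attacker's transaction executes, even though the OTP was "for the transaction": the passcode is bound to whatever the bank registered, and the user had no trustworthy way to learn what that was. The displaying token closes that gap only because its display is outside the trojan's reach; if the transaction description reaches the user solely through the compromised machine, the second passcode proves nothing about which transaction is being authenticated.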



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
