[17750] in cryptography@c2.net mail archive
Re: the limits of crypto and authentication
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Sat Jul 9 23:34:52 2005
X-Original-To: cryptography@metzdowd.com
To: Nick Owen <nowen@wikidsystems.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Sat, 09 Jul 2005 17:42:37 -0400
In-Reply-To: <42CFEE6E.1080607@wikidsystems.com> (Nick Owen's message of "Sat, 09 Jul 2005 11:34:06 -0400")
Nick Owen <nowen@wikidsystems.com> writes:
> It would seem simple to thwart such a trojan with strong authentication
> simply by requiring a second one-time passcode to validate the
> transaction itself in addition to the session.
Far better would be to have a token with a display attached to the
PC. The token will display a requested transaction to the user and
only sign it if the user agrees. Because the token is a trusted piece
of hardware that the user cannot install software on, it provides a
trusted communications path to the user that the PC itself cannot.
Perry
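The contrast between the two proposals in this exchange, as an added example that is not part of the list post: a second passcode that the bank can only check against a counter (the first suggestion) beside a token that shows the transaction on its own display and returns a MAC over exactly what was shown (Perry's). The shared secret, the transaction encoding, the display format and the counter-based passcode are constructed assumptions, not any real product's design.

```python
import hmac
import hashlib

# Constructed shared secret between token and bank; the PC never holds it.
TOKEN_SECRET = b"constructed-shared-secret-for-illustration"

def encode(tx):
    """Canonical bytes of a transaction, so token and bank MAC the same thing."""
    return f"{tx['to']}|{tx['amount']}|{tx['nonce']}".encode()

def render(tx):
    """What the token's own display shows before it will sign."""
    return f"PAY {tx['amount']} TO {tx['to']} (ref {tx['nonce']})"

def mac(data):
    return hmac.new(TOKEN_SECRET, data, hashlib.sha256).hexdigest()

# Second-passcode scheme: the token emits a passcode from a counter, the user types
# it into the PC, and the bank can only check the passcode itself.
def otp_passcode(counter):
    return mac(b"otp:%d" % counter)

def otp_bank_accepts(submitted_tx, passcode, counter):
    """Nothing in the passcode binds it to submitted_tx, so a PC that alters the
    transaction and relays the user's passcode is still accepted."""
    return hmac.compare_digest(otp_passcode(counter), passcode)

# Display-token scheme: the PC hands the token a transaction, the token shows it
# on its own display, and signs only what the user approved.
def token_sign(requested_tx, user_approves):
    """user_approves stands in for the user reading the display and pressing OK."""
    if not user_approves(render(requested_tx)):
        return None
    return mac(encode(requested_tx))

def signed_bank_accepts(submitted_tx, signature):
    """The bank recomputes the MAC over the transaction it actually received."""
    if signature is None:
        return False
    return hmac.compare_digest(mac(encode(submitted_tx)), signature)

def run_display_token(intended, requested_by_pc, submitted_by_pc):
    """A user who approves only when the display matches the payment they meant to make.
    The PC may request a signature on one transaction and submit another."""
    approve = lambda shown: shown == render(intended)
    return signed_bank_accepts(submitted_by_pc, token_sign(requested_by_pc, approve))
```

With the display token, a compromised PC can neither substitute the payee after signing (the bank's MAC check fails) nor get the altered transaction signed (the user sees the wrong payee on the display and declines).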
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com