[Beowulf] One time password generators...
James Cownie
jcownie at cantab.net
Thu Mar 26 12:23:36 PDT 2009
On 26 Mar 2009, at 13:57, Leif Nixon wrote:
>
> Well, some banks over here have an authentication system that uses a
> hardware crypto token with a keypad. You use it for a challenge-response
> procedure to log in to the Internet banking site - nothing new so far -
> but you also use it to sign (using challenge-response) each bunch of
> transactions you perform on the banking site. And - this is the key
> point - to sign the transactions you actually enter certain parts of the
> transaction data (like the total amount to transfer) into the crypto
> token.
>
> Even with total control over the client PC, it's real hard for an
> attacker to do anything really evil in that setting.
>
But check this analysis of the UK version, which seems to be almost
exactly as described...
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
--
-- Jim
--
James Cownie <jcownie at cantab.net>
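
The property described in the quoted message, as an added example that is not part of the original thread or of any bank's implementation: a token response computed over the challenge plus the amount typed on the keypad stops verifying once a compromised PC submits a different amount, while a challenge-only response does not. The HMAC-SHA256 construction, the 8-digit truncation, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real token would hold a per-customer secret in hardware.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def token_response(key: bytes, challenge: str, *fields: str) -> str:
    """Code shown by the keypad token for the values the user typed in.

    Assumption: HMAC-SHA256 truncated to 8 decimal digits. Each field is
    length-prefixed so ("12", "3") and ("1", "23") cannot collide.
    """
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (challenge, *fields)
    )
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def bank_verify(key: bytes, challenge: str, response: str, *fields: str) -> bool:
    """Bank recomputes the code over the transaction data it actually received."""
    expected = token_response(key, challenge, *fields)
    return hmac.compare_digest(expected, response)


def simulate(bind_amount: bool, tampered: bool) -> bool:
    """Return True if the bank accepts the batch.

    The user intends to transfer 100.00. With tampered=True the client PC
    submits 9500.00 to the bank while still displaying 100.00 to the user.
    """
    challenge = f"{secrets.randbelow(10**8):08d}"  # issued by the bank
    intended = "100.00"
    submitted = "9500.00" if tampered else intended
    # The user types the challenge and, if bound, the amount they intend.
    typed = (intended,) if bind_amount else ()
    response = token_response(TOKEN_KEY, challenge, *typed)
    checked = (submitted,) if bind_amount else ()
    return bank_verify(TOKEN_KEY, challenge, response, *checked)


if __name__ == "__main__":
    for bind in (False, True):
        for tamper in (False, True):
            print(f"bind_amount={bind} tampered={tamper} "
                  f"accepted={simulate(bind, tamper)}")
```
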