[Beowulf] One time password generators...

James Cownie jcownie at cantab.net
Thu Mar 26 12:23:36 PDT 2009


On 26 Mar 2009, at 13:57, Leif Nixon wrote:

>
> Well, some banks over here have an authentication system that uses a
> hardware crypto token with a keypad. You use it for a challenge-response
> procedure to log in to the Internet banking site - nothing new so far -
> but you also use it to sign (using challenge-response) each bunch of
> transactions you perform on the banking site. And - this is the key
> point - to sign the transactions you actually enter certain parts of the
> transaction data (like the total amount to transfer) into the crypto token.
>
> Even with total control over the client PC, it's real hard for an
> attacker to do anything really evil in that setting.
>

But check this analysis of the UK version, which seems to be almost  
exactly as described...

http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

--
-- Jim
--
James Cownie <jcownie at cantab.net>
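
The transaction-signing idea from the quoted message, as an added example that is not part of the original thread: the response is bound to both the bank's challenge and the amount typed into the token, so a response for one amount does not verify for another. The HMAC-SHA256 construction, the 8-digit truncation and the names `token_response` and `Bank` are assumptions for illustration, not the algorithm any real bank token uses.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the code shown on the token display (assumed)

def token_response(key: bytes, challenge: str, amount: str) -> str:
    """What the token computes from the values typed on its keypad."""
    msg = f"{challenge}|{amount}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Bank:
    """Server side: shares the token key and remembers what it was asked to do."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge -> amount the bank would execute

    def start(self, amount: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[challenge] = amount
        return challenge

    def confirm(self, challenge: str, response: str) -> bool:
        amount = self.pending.pop(challenge, None)  # each challenge is single use
        if amount is None:
            return False
        expected = token_response(self.key, challenge, amount)
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)  # constructed sample key shared by token and bank
    bank = Bank(key)

    # Honest path: the amount the bank received equals the amount typed into the token.
    c1 = bank.start("150.00")
    r1 = token_response(key, c1, "150.00")
    ok = bank.confirm(c1, r1)

    # The PC altered the request to 9150.00, but the user typed the 150.00 they intended.
    c2 = bank.start("9150.00")
    tampered = bank.confirm(c2, token_response(key, c2, "150.00"))

    # Re-submitting the earlier valid response fails: its challenge is already used.
    replay = bank.confirm(c1, r1)
    return ok, tampered, replay

if __name__ == "__main__":
    print(demo())
```

The check only protects the fields that are actually typed into the token; anything else in the transaction is outside the signed data in this sketch.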

