Hi,

> > The second possibility has been realized by some European banks now, based
> > on SMS and mobile phones, which sends the important transaction details
> > together with a random authorisation code, that is bound to the
> > transaction in the bank's database. The user can then verify the
> > transaction, and then has to enter the authorisation code on the
> > web interface.
>
> How large is this code?

5 characters, including numbers and letters. I think you have something like 4 tries to enter a code correctly.
(rough estimation: 5^30 = 931322574615478515625 / 4 = 232830643653869628906, so you have a chance of 1:232830643653869628906 per transaction if you try it 4 times)

> The security of this system would seem to rest on the security of mobile
> phones against cloning. How were mobile phones protected against cloning?

Well, the security depends on an attacker not being able to infect a specific user's computer with a MitB and knowing and being able to clone this specific user's mobile phone at the same time.

Peter Gutmann wrote:
> The external device emulates a standard USB memory key, to send data to it
> you write a file, to get data back you read a file (think "/dev"). There's
> no device driver to install, and no particularly tricky programming on the
> PC either.

Neat idea! It only has the problem that I know several companies already where you have to register your USB stick, and only registered USB sticks are allowed on the network ..., but it's a neat workaround, yes.
I think SecurityLayer should be easily adaptable to that concept.
Do you already have a demo implementation of that external device, Peter?

Best regards,
Philipp Gühring
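
The SMS scheme described in this message (transaction details plus a random code, the code bound to the transaction in the bank's database, a limited number of tries), sketched as an added example that is not part of the original thread or any bank's implementation. The class and method names, the 36-symbol alphabet, and cancelling the transaction once the tries run out are assumptions.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_uppercase + string.digits  # assumption: 36 symbols
CODE_LEN = 5    # "5 characters, including numbers and letters"
MAX_TRIES = 4   # "something like 4 tries"

@dataclass
class Pending:
    details: tuple            # (recipient, amount) exactly as sent in the SMS
    code: str
    tries_left: int = MAX_TRIES

class AuthCodeStore:
    """Hypothetical stand-in for the bank's table of pending transactions."""

    def __init__(self):
        self._pending = {}

    def issue(self, tx_id, recipient, amount):
        """Bind a fresh random code to one transaction; return (code, sms_text)."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[tx_id] = Pending((recipient, amount), code)
        return code, f"Transfer {amount} to {recipient}. Code: {code}"

    def confirm(self, tx_id, entered):
        """Return the stored details to execute, or None if not authorised.

        Only the details stored at issue time are returned, so a browser
        cannot swap in different details at confirmation time.
        """
        p = self._pending.get(tx_id)
        if p is None:
            return None
        p.tries_left -= 1
        ok = hmac.compare_digest(entered.upper().encode(), p.code.encode())
        if ok or p.tries_left == 0:
            del self._pending[tx_id]  # single use; cancelled when tries run out
        return p.details if ok else None

if __name__ == "__main__":
    store = AuthCodeStore()
    # Constructed sample values, not real account data.
    code, sms = store.issue("tx-1", "ACCOUNT-0001", "250.00 EUR")
    print(sms)                           # what the user reads on the phone
    print(store.confirm("tx-1", code))   # stored details are executed
    print(store.confirm("tx-1", code))   # None: the code cannot be replayed
```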