Rick Smith at Secure Computing [EMAIL PROTECTED] writes:
At 06:48 PM 11/5/2001, David Jablon wrote:
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password
Nobody is gonna indemnify the world against infringement, but I thought
Stanford's SRP protocol comes as close as realistically possible to what
you're asking for.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
but in the financial case ... you don't have to identify them (aka their
DNA) ... you just match them and the account. absolutely no identity
needed. If I deposit a large sum of money and want to be the only person
authorized to transact on the account ... there is no need to present
identity
Authentication of people is an especially subtle engineering problem.
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password schemes, your average
At 06:48 PM 11/5/2001, David Jablon wrote:
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password schemes, your average one-in-a-thousand
or one-in-a-million
not completely. except for some of the know your customer rules a
financial institution doesn't have to identify you ... they only have to
authenticate that you are the person authorized to transact with the
account; aka 1) I come in and open a brand-new account and deposit a whole
lot of
: when a fraud is a sale,
Re: Rubber hose attack
In a message dated 11/5/01 9:41:44 AM, [EMAIL PROTECTED]
writes:
On one hand I'm tempted to read
In a message dated 11/5/01 10:55:39 AM, [EMAIL PROTECTED] writes:
in the account-based financial transaction ... the requestor is the
card-holder/consumer and the authorization or service entity is the
card-holder's financial institution.
I think you have nailed it on the head. When
In a message dated 11/5/01 11:28:57 AM, [EMAIL PROTECTED] writes:
then
you can only 'authenticate' between entities that share some
fairly complex secret information. Anything else can be spoofed
pretty easily.
The information does not have to be secret at all. It can be open, but not