At 07:25 PM 12/11/2003 -0500, Paul A.S. Ward wrote:
>I'm not sure why no one has considered the PC banking problem to be a
>justification for secure computing.  Specifically, how does a user know
>their computer has not been tampered with when they wish to use it for
>banking access.

actually the EU FINREAD (financial reader) standard is quite directed at this area. basically a secure entry/display\token-interface device. part of the issue is not skimming any pin-entry that may be assumed as possible with just about all keyboard-based entry (aka tamper evident device .... supposedly somewhat consumer equivalent of the TSM ... trusted security module and tamper evident guidelines for point-of-sale terminals). In effect, finread is isolating some set of secure components into a tamper evident housing that has something akin to a trusted security module.

the other aspect somewhat shows up in the digital signature area. fundamentally a digital signature may be used for authenticating (and message integrity) ... but not, by itself as to "agreement" in the legal signature sense. the issue is how to create an environment/infrastructure for supporting both straight-forward authentication as well as intention/agreement

in theory finread has the ability to securely display the value of a transaction (and possibly other necessary details) and then requires a PIN entry after the display as evidence of

1) something you know authentication
2) being able to infer agreement with the transaction.

pretty much assumed is that finread implies some sort of token acceptor device ... which in turn implies a "something you have" token authentication.

so finread is attempting to both address two-factor authentication (and possibly three if biometric is also supported) as well as establish some environment related for inferring agreement/intention/etc as required per legal signature.

possibly overlooked in the base eu finread work is being able to prove that the transaction actually took place with a real finread device as opposed to some other kind of environment. In the (financial standard) X9A10 working group on the X9.59 financial standard for all electronic retail payments we spent some amount of time on not precluding that the signing environment could also sign the transaction i.e.

1) amount displayed on secure secure display,
2) pin/biometric securely entered (after display occurs)
3) token digitally signs (after pin/biometric entered)
4) finread terminal digital signs

the 2nd & 3rd items (alone) are two (or three) factor authentication. however, in conjunction with the first and fourth items some level of assurance that the person agrees with the transaction.

lots of past finread references: 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure Authentication white paper FINREAD was. Authentication white paper FINREAD ... and as an aside FINREAD was. Authentication white paper Welome to the Internet, here's your private key AW: Digital signatures as proof Meaning of Non-repudiation Meaning of Non-repudiation Proxy PKI. Was: IBM alternative to PKI? Interests of online banks and their users [was Re: Cryptogram: Palladium Only for DRM] The real problem that https has conspicuously failed to fix FAQ: e-Signatures and Payments Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern" Q: Internet banking PKI/Digital signature doesn't work PKI/Digital signature doesn't work PKI/Digital signature doesn't work PKI/Digital signature doesn't work Net banking, is it safe??? No Trusted Viewer possible? Are client certificates really secure? Smart Card vs. Magnetic Strip Market Smart Card vs. Magnetic Strip Market Opinion on smartcard security requested Opinion on smartcard security requested Security Issues of using Internet Banking Security Issues of using Internet Banking Digital signature Convenient and secure eCommerce using POWF Help! Good protocol for national ID card? Help! Good protocol for national ID card? smartcard+fingerprint HELP, Vulnerability in Debit PIN Encryption security, possibly application of unique signature
Anne & Lynn Wheeler
Internet trivia 20th anv

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to