Matt Crawford wrote:
> On Mar 5, 2005, at 11:32, Ed Gerck wrote:
>> The worse part, however, is that the server side can always fake your authentication using a third-party because the server side can always calculate ahead and generate "your next number" for that third-party to enter -- the same number that you would get from your token. So, if someone breaks into your file using "your" number -- who is responsible? The server side can always deny foul play.
>
> Huh? The server can always say "response was good" when it wasn't good. Unless someone reclaims the server from the corrupt operator and analyzes it, the results are the same.

This is a different attack. If you have someone outside auditing, they will notice what you said but not what I said. A simple log verification will show the response was NOT good in your case. What I said passes 100% all auditing -- and the operator does not have to be corrupt.
---------------------------------------------------------------------
The Cryptography Mailing List
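
The distinction drawn in the thread, as an added example that is not part of the original messages: an auditor who recomputes logged responses catches a bad response recorded as "good", but cannot tell a code read off the token from one computed ahead on the server side with the same shared secret. It assumes an HOTP-style token (RFC 4226) as a stand-in, since the thread does not name the token algorithm; the log format, `audit` and `build_log` are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. The token and the server both run this on the same secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def audit(log, secret):
    """Outside auditor: recompute each accepted response, return those that fail."""
    return [
        entry for entry in log
        if entry["accepted"]
        and not hmac.compare_digest(hotp(secret, entry["counter"]), entry["code"])
    ]


# Constructed sample data: the RFC 4226 test secret and made-up log entries.
SECRET = b"12345678901234567890"


def build_log():
    return [
        # 1. Genuine login: the user types the number shown on the token.
        {"id": 1, "counter": 0, "code": hotp(SECRET, 0), "accepted": True},
        # 2. A wrong response that the server nevertheless recorded as good.
        {"id": 2, "counter": 1, "code": "000000", "accepted": True},
        # 3. "Your next number" calculated ahead from the server's copy of the
        #    secret and entered by a third party.
        {"id": 3, "counter": 2, "code": hotp(SECRET, 2), "accepted": True},
    ]


def flagged_ids():
    """IDs of log entries the auditor can show were not valid responses."""
    return [entry["id"] for entry in audit(build_log(), SECRET)]


if __name__ == "__main__":
    print("entries failing log verification:", flagged_ids())
```

Only entry 2 is flagged; entries 1 and 3 are byte-for-byte equivalent from the auditor's point of view, because verification proves knowledge of the shared secret and the server holds that secret too.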