To validate the transaction, a receipt could be sent to the user
encrypted by the server's public key.  If the receipt is correct, the
user enters their PIN to 'sign' the transaction.

I'm assuming an asymmetric authentication system here outside the
browser. The attacker would have to steal the user's private key, their
PIN and the server's private key, correct?

I know that if the PC is compromised anything is possible, but I think
this raises the bar significantly - perhaps to an unprofitable level.

Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Nick Owen writes:
>>It would seem simple to thwart such a trojan with strong authentication
>>simply by requiring a second one-time passcode to validate the
>>transaction itself in addition to the session.
> How does the user know which transaction is really being authenticated?
> (I alluded to this in a 1997 panel session talk; see
> )
>               --Steven M. Bellovin,


Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
At last, two-factor authentication, without the hassle factor

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
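An added sketch of the receipt-then-sign exchange discussed above, written for this reply and not code from the thread. It assumes the receipt is signed with the server's private key (so the client can check it), that both sides hash a canonical encoding of the transaction fields, and it uses a deliberately tiny textbook RSA key as a stand-in for a real signature library. The point it shows is the one Bellovin raises: the user's signature must bind the exact transaction the user saw, so a transaction substituted afterwards fails verification.

```python
import hashlib
import json

# Toy textbook RSA (assumption: illustrative only, far too small to be
# secure; a deployed system would use a real signature library).
def toy_rsa_keypair(p=61, q=53, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def canonical(tx):
    # Deterministic encoding so client and server hash identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def server_issue_receipt(server_priv, tx):
    receipt = canonical(tx)
    return receipt, sign(server_priv, receipt)

def user_approve(server_pub, user_priv, receipt, receipt_sig, tx_seen):
    # Client checks the receipt is the server's and matches what the user
    # is shown; only then does the user's key (unlocked by PIN) sign it.
    if not verify(server_pub, receipt, receipt_sig):
        return None
    if receipt != canonical(tx_seen):
        return None
    return sign(user_priv, receipt)

def server_accept(user_pub, tx_to_execute, user_sig):
    # Verified against the transaction the server is about to execute,
    # so a substituted transaction does not match the signed receipt.
    return verify(user_pub, canonical(tx_to_execute), user_sig)

def demo():
    server_pub, server_priv = toy_rsa_keypair()
    user_pub, user_priv = toy_rsa_keypair(p=67, q=71, e=13)
    tx = {"to": "ACME Corp", "amount": "100.00", "nonce": 1}  # constructed
    receipt, rsig = server_issue_receipt(server_priv, tx)
    usig = user_approve(server_pub, user_priv, receipt, rsig, tx)
    honest = server_accept(user_pub, tx, usig)
    swapped = dict(tx, to="someone else")  # constructed: altered after approval
    return honest, server_accept(user_pub, swapped, usig)
```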
