there are a couple of issues:

1) using any widely known information for authentication.

2) standard security kindergarten 101 requires that every unique
security domain have a unique shared secret (if a shared secret is
used for authentication)

3) any information that is used for authentication should be dedicated
to authentication and not widely used in a large number of other business
processes (like account numbers)

4) static data authentication (whether unique or not) is subject to
skimming for various kinds of replay and impersonation attacks.


the issue with digital signatures and private keys ... is that the
digital signature can be unique per transaction ... and that the
mechanism which is used to originate the transaction (private key) is
never divulged ... countermeasure against the skimming attacks on
transaction origin.

note that there have been some poorly designed digital signature schemes
that separate the authentication from the transaction ... such that they
are subject to MITM attacks.
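Worked example, added here and not part of the original post or any scheme it refers to. It plays the cases the post describes against a toy verifier: a skimmed static credential (an account number) that keeps working on replay, a per-transaction signature whose private key never leaves the client and which rejects both replay and alteration in transit, and the poorly designed variant where the signature covers only the authentication challenge, so the transaction sent beside it can be swapped by an intermediary. The Bank and Transaction types, the nonce handling and the account names alice, bob and mallory are assumptions made for the example; Ed25519 from Go's standard library stands in for whatever signature primitive a real system would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// Transaction is what the bank acts on; Nonce is issued by the bank and bound into what gets signed.
type Transaction struct {
	FromAccount, ToAccount string
	Amount                 uint64
	Nonce                  [16]byte
}

// encode serializes the transaction unambiguously (length-prefixed strings).
func (t Transaction) encode() []byte {
	var b bytes.Buffer
	for _, s := range []string{t.FromAccount, t.ToAccount} {
		binary.Write(&b, binary.BigEndian, uint32(len(s)))
		b.WriteString(s)
	}
	binary.Write(&b, binary.BigEndian, t.Amount)
	b.Write(t.Nonce[:])
	return b.Bytes()
}

// Bank (assumed toy model) holds only public keys and outstanding nonces; it
// never sees a private key, which is the property the post relies on.
type Bank struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[[16]byte]bool
}

func NewBank() *Bank { return &Bank{map[string]ed25519.PublicKey{}, map[[16]byte]bool{}} }
func (b *Bank) Register(acct string, pk ed25519.PublicKey) { b.pubKeys[acct] = pk }

// IssueNonce hands the client a fresh challenge for its next transaction.
func (b *Bank) IssueNonce() [16]byte {
	var n [16]byte
	rand.Read(n[:])
	b.nonces[n] = true
	return n
}

// check requires a registered key, an outstanding nonce and a valid signature
// over msg, then retires the nonce so the same signature cannot be replayed.
func (b *Bank) check(t Transaction, msg, sig []byte) bool {
	pk, ok := b.pubKeys[t.FromAccount]
	if !ok || !b.nonces[t.Nonce] || !ed25519.Verify(pk, msg, sig) {
		return false
	}
	delete(b.nonces, t.Nonce)
	return true
}

// StaticAuth models point 4: the account number itself is the credential, so anyone who skimmed it can use it.
func (b *Bank) StaticAuth(t Transaction, presented string) bool {
	_, known := b.pubKeys[t.FromAccount]
	return known && presented == t.FromAccount
}

// VerifySigned covers the whole transaction, nonce included. VerifyDetached is
// the poorly designed variant: the signature covers just the nonce, so it
// proves key possession but says nothing about the unsigned transaction beside it.
func (b *Bank) VerifySigned(t Transaction, sig []byte) bool   { return b.check(t, t.encode(), sig) }
func (b *Bank) VerifyDetached(t Transaction, sig []byte) bool { return b.check(t, t.Nonce[:], sig) }

// Outcome records which submission the bank accepted in each scenario.
type Outcome struct {
	StaticSkimAccepted, SignedFirstAccepted, SignedReplayAccepted bool
	SignedTamperAccepted, DetachedTamperAccepted                  bool
}

func RunScenarios() Outcome {
	bank := NewBank()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank.Register("alice", pub)
	var o Outcome
	// Static data: the skimmer presents the account number it observed.
	t := Transaction{"alice", "mallory", 100, bank.IssueNonce()}
	o.StaticSkimAccepted = bank.StaticAuth(t, "alice")
	// Genuine signed transaction, then the same bytes submitted again.
	t = Transaction{"alice", "bob", 100, bank.IssueNonce()}
	sig := ed25519.Sign(priv, t.encode())
	o.SignedFirstAccepted = bank.VerifySigned(t, sig)
	o.SignedReplayAccepted = bank.VerifySigned(t, sig)
	// Signed transaction with the payee altered in transit.
	t = Transaction{"alice", "bob", 100, bank.IssueNonce()}
	sig = ed25519.Sign(priv, t.encode())
	t.ToAccount = "mallory"
	o.SignedTamperAccepted = bank.VerifySigned(t, sig)
	// Authentication separated from the transaction, payee altered in transit.
	t = Transaction{"alice", "bob", 100, bank.IssueNonce()}
	sig = ed25519.Sign(priv, t.Nonce[:])
	t.ToAccount = "mallory"
	o.DetachedTamperAccepted = bank.VerifyDetached(t, sig)
	return o
}
```

RunScenarios returns, for each case, whether the bank accepted the submission: the static credential and the detached-signature substitution go through, while the signed transaction is accepted exactly once and rejected on replay or alteration. Two details carry the weight: the nonce store, which makes each signature single-use, and the unambiguous encoding, which ties the signature to every field of the transaction rather than to a separate "I am alice" step.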

The Cryptography Mailing List