On Sun, 21 Sep 2008, Eric Rescorla wrote: | > > - Use TLS-PSK, which performs mutual auth of client and server | > > without ever communicating the password.... | > Once upon a time, this would have been possible, I think. Today, | > though, the problem is the user entering their key in a box that is | > (a) not remotely forgeable by a web site that isn't using the | > browser's TLS-PSK mechanism; and (b) will *always* be recognized by | > users, even dumb ones. Today, sites want *pretty* login screens, | > with *friendly* ways to recover your (or Palin's) password, and not | > just generic grey boxes. Then imagine the phishing page that | > displays an artistic but purely imaginary "login" screen, with a | > message about "NEW! Better naviation on our login page!" | | This is precisely the issue. | | There are any number of cryptographic techniques that would allow | clients and servers to authenticate to each other in a phishing | resistant fashion, but they all depend on ensuring that the | *client* has access to the password and that the attacker can't | convince the user to type their password into some dialog | that the attacker controls. That's the challenging technical | issue, but it's UI, not cryptographic. The sitation today is (a) the decreasing usefulness of passwords - those anyone has a chance of remembering are just to guessable in the face of the kinds of massive intelligent brute force that's possible today and (b) the inherently insecure password entry mechanisms that we've trained people to use. Perhaps the only solution is to attack both problems at the same time: Replace passwords with something else, and use a different, more secure input mechanism at the same time.
The problem is what that "something else" should be. Keyfobs with one-time passwords are a good solution from the pure security point of view, but (a) people find them annoying; (b) when used with existing input mechanisms, as they pretty much universally are, are subject to MITM attacks. The equivalent technology on a USB plugin is much easier on the user in some circumstances, but is subject to some bad semantic attacks, as discussed here previously. Also, it's not a great solution for mobile devices. DoD/government uses smartcards, but that's probably not acceptable to the broad population. There's been some playing around with cellphones playing the role of smartcard, but cellphones are not inherently secure either. There's also the related problem of scalability to multiple providers: I only need one DoD card, which might be acceptable, but if every secure web site wants to give me their own, I have a problem. Of course, various federated identity standards are already battling it out, but uptake seems limited. Besides, that can only be one element of the solution - if I use a traditional password to get to my federated identity token, I've made the old problem much worse, not better. Some laptops and keyboards and even encrypted USB memory sticks are getting fingerprint scanners as standard hardware. *If* these actually work as advertised - not a good bet, based on history so far - these could be an interesting input mechanism. Since there are no expectations today that the fingerprint data will be available to any web site that asks, one could perhaps establish a standard for controlling this in an appropriate way, with a built-in, unforgeable display. With microphones and, increasingly, cameras as widely-available components, one might define a similar special input mode around them and look to voice or face recognition. Or maybe we could even leverage the increasing interest in special outside-the-main-OS basic displays one sees on laptops. (I'm sure it just thrills Microsoft to see Dell putting a tiny Linux implementation in each laptop....) These are all just possibilities, and whether any of them (or some other approach) actually gains broad acceptance is, of course, totally up in the air. Right now, while in the aggregate the problems with ID theft are bad and getting worse, relatively few individuals feel the pain, nor is there much in the way to offer them. Until one or the other of these changes - and most likely, both - the old "password in some window or another" model will likely stick around. -- Jerry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]