On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck <edge...@nma.com> wrote:
> Thanks for the comment. The BofA SiteKey attack you mention does not work
> for the web access scheme I mentioned because the usercode is private and
> random with a very large search space, and is always sent after SSL starts
> (hence, remains private).

This is meaningless. What attack is the 'usercode' trying to prevent?
You said it's trying to authorise the site to the user. It doesn't do
this, because a 3rd party site can take the usercode and send it to
the 'real' site.

> I'm referring to SMTP authentication with implicit SSL. The same
> usercode|password combination is used here as well, but the usercode is
> prepended to the password while the username is the email address. In this
> case, there is no anti-phishing needed.

Eh? This still doesn't make any particular amount of sense.

> This case has the  same BofA SiteKey vulnerability. However, if that is
> bothersome, the scheme can also send a timed nonce to a cell phone, which is
> unknown to the attacker. This is explained elsewhere in
> http://nma.com/papers/zsentryid-web.pdf

Anything you do can be simulated by an evil site. Sending a key to a
phone is a good idea, but still, in the end, useless, because the evil
site can simulate it by passing whatever requested the user did to
that site.

> If the threat model is that you can "learn or know the RNG a given site is
> using" then the answer is to use a hardware RNG.

No, it isn't.

> The point is that two passwords would still not have an entropy value that
> you can trust, as it all would depend on user input.

*shrug* make one of them autogenerated. Doesn't matter. You're just
adding complexity for no real benefit.

> That data is just a key that is the same for /all/ users. It is not
> user-specific. its knowledge does not provide information to attack any
> account.

Well I'm sorry but you don't understand your own system then.
Obviously it must have information to 'attack' a given account,
because you used it to generate something. The function you used did
something, so you can repeat it if you have all the inputs.

> Sorry if it wasn't clear. Please have a second reading.


> Cheers,
> Ed Gerck

noon silky

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to