>you enter a usercode in the first screen, you are presented with a
>second screen to enter your password. The usercode is a mnemonic
>6-character code such as HB75RC (randomly generated, you receive from
>the server upon registration). Your password is freely chosen by you
>upon registration. That second screen also has something that you and
>the correct server know but that you did not disclose in the first
>screen --

This scheme is quite popular with banks. I have at least three accounts where I enter my user name in one screen, then on a second password entry screen it shows me a picture chosen when I set up the account along with a caption I wrote. They have a large library of pictures of cute animals, household appliances, and so forth.

Clever though this scheme is, man-in-the-middle attacks make it no better than a plain SSL login screen. Since the bad guy knows what site you're trying to reach, he can use your usercode to fetch the shared secret from the real site and present it to you on his fake site. It's true, the fake site won't have the same URL as the real site, but if the security of this scheme still depends on people scrutinizing the browser's address bar to be sure they're visiting the site they think they are, how is this any better than an ordinary kitten-free SSL login screen?

Another bank sent me a dongle that generates a timestamped six-digit number that I use as part of the login. Even with the dongle, MITM attacks are still effective. The bad guy can only steal one session rather than a user's permanent credentials, but that's still plenty to, e.g., wire money out of the country.

The only thing I've been able to come up with that seems even somewhat secure is a USB dongle that plugs into your computer and can set up an end-to-end encrypted channel with the bank, and that has a screen big enough that once you've set up your transaction in your browser, the bank then sends a description to the dongle to display on its screen, and YES and NO buttons on the dongle itself. Unless the screen and the buttons are physically part of the dongle, you're still subject to MITM attacks. But a dongle with a screen big enough for my 87-year-old father to read, and buttons big enough for him to push reliably would be unlikely to fit on his keychain.

It's a very hard problem.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

---------------------------------------------------------------------
The Cryptography Mailing List
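
The dongle-with-a-screen idea in the message above, sketched as an added example that is not part of the original post. It assumes a key shared between bank and dongle and uses an HMAC over the transaction text in place of the encrypted channel the post mentions; the `Bank` and `Dongle` classes and the sample transactions are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key, label, nonce, desc):
    # label (4 bytes) and nonce (16 bytes) are fixed-size, so the fields cannot be confused
    return hmac.new(key, label + nonce + desc.encode(), hashlib.sha256).digest()

class Bank:
    def __init__(self, key):
        self.key, self.pending = key, {}

    def request_confirmation(self, desc):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = desc            # what the bank will actually execute
        return nonce, desc, mac(self.key, b"SHOW", nonce, desc)

    def execute(self, nonce, approval):
        desc = self.pending.pop(nonce, None)  # each nonce is usable once
        if desc is None or approval is None:
            return None
        ok = hmac.compare_digest(approval, mac(self.key, b"YES:", nonce, desc))
        return desc if ok else None

class Dongle:
    def __init__(self, key):
        self.key = key

    def confirm(self, nonce, desc, tag, user_presses_yes):
        if not hmac.compare_digest(tag, mac(self.key, b"SHOW", nonce, desc)):
            return None                       # text did not come from the bank: show nothing
        if not user_presses_yes(desc):        # desc is what appears on the dongle's screen
            return None
        return mac(self.key, b"YES:", nonce, desc)

def demo():
    key = secrets.token_bytes(32)             # constructed shared key, provisioned out of band
    bank, dongle = Bank(key), Dongle(key)
    intended = "Pay 50.00 to ACME Utilities"  # constructed sample transaction
    altered = "Pay 9000.00 to Unknown Account"
    user = lambda shown: shown == intended    # user approves only what they meant to do
    out = {}
    n, d, t = bank.request_confirmation(intended)
    out["honest"] = bank.execute(n, dongle.confirm(n, d, t, user))
    n, d, t = bank.request_confirmation(altered)   # changed between browser and bank
    out["altered"] = bank.execute(n, dongle.confirm(n, d, t, user))
    n, d, t = bank.request_confirmation(altered)   # same, plus on-the-wire text swapped
    out["disguised"] = bank.execute(n, dongle.confirm(n, intended, t, user))
    return out
```

Unlike the picture or the six-digit code, the approval here is bound to one transaction text, so relaying it authorizes nothing other than what the dongle's screen showed.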