>you enter a usercode in the first screen, you are presented with a
>second screen to enter your password. The usercode is a mnemonic
>6-character code such as HB75RC (randomly generated, you receive from
>the server upon registration). Your password is freely choosen by you
>upon registration.That second screen also has something that you and
>the correct server know but that you did not disclose in the first
>screen --

This scheme is quite popular with banks.  I have at least three
accounts where I enter my user name in one screen, then on a second
password entry screen it shows me a picture chosen when I set up the
account along with a caption I wrote.  They have a large library of
pictures of cute animals, household appliances, and so forth.

Clever though this scheme is, man-in-the middle attacks make it no
better than a plain SSL login screen.  Since the bad guy knows what
site you're trying to reach, he can use your usercode to fetch the
shared secret from the real site and present it to you on his fake
site.  It's true, the fake site won't have the same URL as the real
site, but if the security of this scheme still depends on people
scrutinizing the browser's address bar to be sure they're visiting the
site they think they are, how is this any better than an ordinary
kitten-free SSL login screen?

Another bank sent me a dongle that generates a timestamped six-digit
number that I use as part of the login.  Even with the dongle, MITM
attacks are still effective.  The bad guy can only steal one session
rather than a user's permanent credentials, but that's still plenty
to, e.g., wire money out of the country.

The only thing I've been able to come up with that seems even somewhat
secure is a USB dongle that plugs into your computer and can set up an
end-to-end encrypted channel with the bank, and that has a screen big
enough that once you've set up your transaction in your browser, the
bank then sends a description to the dongle to display on its screen,
and YES and NO buttons on the dongle itself.

Unless the screen and the buttons are physically part of the dongle,
you're still subject to MITM attacks.  But a dongle with a screen big
enough for my 87 year old father to read, and buttons big enough for
him to push reliably would be unlikely to fit on his keychain.  It's a
very hard problem.

John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to