John Ioannidis wrote:
Just don't do it. If you are going to spend your energy on anything, it should be to work against such a plan.
I would agree, but I fear that a "this is never going to work, drop it" will be less heard than any effort in at least trying to raise the bar for an attack. The previous proposed solution at the work group was that the service provider 'configured' the device with an authentication 'word' upon activation an made sure that that 'word' was always present on each message to authenticate it. The only benefit I can see in it (that could very likely been accepted if no one objected) is that is so simple that all bugs are obvious...

But I accept that the false sense of security of a complex scheme that is broken somewhere _maybe_ worse than an obviously wrong solution...


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to