I provided this with my original post: http://timur.mobi/anymime-ksp/
Can you please phrase your concern relative to the fingerprint verification example?

On 30.09.2011 15:50, Ted Smith wrote:
> So, how can a user verify that the key material comes from the expected
> peer? I know nothing of bluetooth and NFC, so instead of describing
> low-level protocols (which in most cases are NOT implemented using free
> software and CANNOT be naively trusted), please describe what I'd see
> using your app.
>
> On Fri, 2011-09-30 at 13:46 +0200, Timur Mehrvarz wrote:
>> DKG, your impression that there is no security in place when using
>> Bluetooth and NFC is not true. Anymime uses encrypted and
>> authenticated communications only. And NFC does not just make the
>> procedure much more usable, it also removes the weakest spot with
>> "long range" Bluetooth: device discovery. What is needed now is that
>> people play with it and try to break it. And more devices with NFC
>> chips must become available.
>>
>> I will prepare another reply with more info, just need a bit more
>> time. My impression is, that those who specify and implement the lower
>> layers are honest about security. Also keep in mind that payment is
>> one important use case here. Why not benefit from the effort?
>>
>> I'm following this list long enough to be aware of the QR discussion.
>> I think both technologies need to be implemented for key exchange. If
>> someone comes to you with QR code printed on a business card, your NFC
>> chip won't help much.
>>
>> Thank you Stefano + Michael for your encouraging words.
>> Timur
>>
>> On 29.09.2011 17:45, Daniel Kahn Gillmor wrote:
>>> i'm concerned that bluetooth and NFC don't provide much protection
>>> against spoofing. that is, can the operator of a device using
>>> these technologies verify that the communication comes from the
>>> expected peer? or is it possible for a nearby attacker with
>>> control over the RF spectrum to inject messages into the
>>> communication?
>>>
>>> The advantage of the optical approach (QR codes and webcams)
>>> discussed some months ago on this list (see posts about
>>> "monkeysign" and "manus vexo") is that a (sighted) human user can
>>> observe the communication between devices directly and ensure that
>>> there is no tampering.
>>>
>>> Is there some mechanism with bluetooth or NFC that offers
>>> equivalent protection from network interference?
>>>
>>> --dkg
>>>
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
