On Thu, Dec 06, 2007 at 09:38:00AM -0800, SJS wrote:
> Easy approach would be to send an ssh public key, and then ssh in to the other's machine.
You need to have the recipient out-of-band verify the public key, otherwise the attacker can do a man-in-the-middle attack (although one with complicated timing). A voice channel to verify the key helps a lot.
> Otherwise, this is just screaming out for a Diffie-Hellman key exchange.
You still have to authenticate the other party in a DH key exchange, otherwise a man-in-the-middle attack is very easy. There's quite a bit of difference between a key-fob and an email message. A key fob is designed to be difficult/expensive to compromise, whereas an email is pretty close to a public channel.

Dave
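The following is an added example, not part of the original message: it shows why an unauthenticated Diffie-Hellman exchange needs the out-of-band check discussed above, by comparing a short fingerprint of the exchanged public values that each side could read aloud over a voice channel. The group parameters, function names and fingerprint format are assumptions made for the illustration; the toy group is not safe for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this demonstration only (not a safe group).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive a session key from our private exponent and the value we received."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def fingerprint(my_pub, peer_pub):
    """Short string over both public values, order-independent, for reading aloud."""
    lo, hi = sorted((my_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).hexdigest()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))

def exchange(intercepted):
    """Run one exchange over a public channel and report what each side ends up with."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # An in-path party replaces the public value in both directions.
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return {
        # Neither side can observe this comparison on its own.
        "keys_match": shared_key(a_priv, a_sees) == shared_key(b_priv, b_sees),
        # This is what the voice call compares.
        "fingerprints_match": fingerprint(a_pub, a_sees) == fingerprint(b_pub, b_sees),
    }

if __name__ == "__main__":
    print("clean channel:      ", exchange(intercepted=False))
    print("substituted values: ", exchange(intercepted=True))
```

On the clean channel both fingerprints agree; when the public values have been replaced in transit, each side computes a different fingerprint, so the mismatch is caught before the session key is trusted.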
