Re: Conspicuously absent: social engineering and cross-domain problems

From: James A. Donald <jamesd@echeque.com>
Date: Wed, 14 Jun 2006 11:34:48 +1000
Message-ID: <448F67B8.7030805@echeque.com>
To: Amir Herzberg <herzbea@macs.biu.ac.il>
CC: public-usable-authentication@w3.org

James A. Donald:
 > > Oops, we are on a new computer?  Random number [from
 > > which passwords are constructed] is not there?  Then
 > > do an SRP login to the server of the company issuing
 > > the login program, and get a copy of the large
 > > random number.  This means that the company issuing
 > > the login program can launch a dictionary attack on
 > > your master password, as can anyone who has access
 > > to one of your logins and access to a computer on
 > > which you used the login program, but no one else
 > > can launch a dictionary attack.

Amir Herzberg wrote:
 > Do you mean to authenticate to the `login helper
 > trusted party (LHTP)` using as a shared key the hash
 > of your master password, and they'll send the user's
 > `random number` ? That does seem a reasonable
 > solution.

Yes, that is what I had in mind.  People could set up
their own LHTP, and should, though I suspect that in 99%
of cases they would not.

          James A. Donald
Received on Wednesday, 14 June 2006 01:34:42 UTC
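An added illustration of the scheme the two posters converge on (example code written for this archive page, not from either poster): per-site passwords derived from a large random number plus the master password, with the random number held by the LHTP and recovered on a new computer by proving knowledge of the master-password hash. SRP is replaced here by a simpler HMAC challenge-response, which is an assumed simplification; the names `LoginHelper`, `master_key`, `site_password` and `recover_random_number` are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the scheme in the thread: per-site passwords come from
# a large random number plus the master password; the random number is kept by
# the "login helper trusted party" (LHTP) and fetched using the hash of the
# master password as the shared key. SRP is replaced by an HMAC challenge-response
# (a simplification): unlike SRP, a transcript of this exchange lets an
# eavesdropper test master-password guesses offline, which is why the thread prefers SRP.

def master_key(master_password, user):
    """Slow hash of the master password; the LHTP stores this as the verifier."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), user.encode(), 100_000)

def site_password(random_number, master_password, site):
    """Per-site password: reproducible only with both the random number and the master password."""
    msg = master_password.encode() + b"\x00" + site.encode()
    return hmac.new(random_number, msg, hashlib.sha256).hexdigest()[:24]

class LoginHelper:
    """LHTP: holds (verifier, 32-byte random number) per user; never sees the password."""
    def __init__(self):
        self._users, self._pending = {}, {}
    def enroll(self, user, verifier, random_number):
        self._users[user] = (verifier, random_number)
    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce
    def recover(self, user, proof):
        verifier, random_number = self._users[user]
        nonce = self._pending.pop(user)  # single use, so a captured proof cannot be replayed
        expected = hmac.new(verifier, b"proof" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        pad = hmac.new(verifier, b"wrap" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(random_number, pad))

def recover_random_number(helper, user, master_password):
    """Client on a new computer: prove the master password, then unwrap the random number."""
    verifier = master_key(master_password, user)
    nonce = helper.challenge(user)
    proof = hmac.new(verifier, b"proof" + nonce, hashlib.sha256).digest()
    wrapped = helper.recover(user, proof)
    if wrapped is None:
        return None
    pad = hmac.new(verifier, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))
```

Note that the LHTP holds both the verifier and the random number, so it is exactly the party the first post says can run a dictionary attack on the master password; anyone else needs a site login plus the random number from a used computer.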
