Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served.
Please take a look at:
http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf
and http://nma.com/zsentry/

Microsoft's move is good, RSA gets a good ride too, and the door may open for a standards-based two-channel authentication method.

Cheers,
Ed Gerck

"Roy M.Silvernail" wrote:

> On Tuesday 08 October 2002 10:11 pm, it was said:
>
> > Microsoft marries RSA Security to Windows
> > http://www.theregister.co.uk/content/55/27499.html
> > [...]
> >
> > The first initiatives will centre on Microsoft's licensing of RSA SecurID
> > two-factor authentication software and RSA Security's development of an RSA
> > SecurID Software Token for Pocket PC.
>
> And here, I thought that a portion of the security embodied in a SecurID
> token was the fact that it was a tamper-resistant, independent piece of
> hardware. Now M$ wants to put the PRNG out in plain view, along with its
> seed value. This cherry is just begging to be picked by some blackhat,
> probably exploiting a hole in Pocket Outlook.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]