"James A. Donald" <[EMAIL PROTECTED]> writes:
>Peter Gutmann wrote:
>>All they're doing is reading a URL off a USB dongle
>>(technically a 256-byte I2C memory card plugged into a
>>reader, but in effect the combination is a USB dongle).
>>That's a no-brainer, I can do that with two wires taped to
>>the card contacts and poked into the PC's parallel port, and
>>around 50 bytes of code on the PC.
>
>If all they were doing is reading the URL, presumably you can already get to
>the site without owning the smartcard.

Yup, but that wouldn't be Cool(tm) any more.

>I believe the card cryptographically proves its presence to the site to show
>that the user is authorized to hit the site.

That would be a considerable feat for a 256-byte dumb memory card.  At most,
it'll contain a name+password for HTTP basic-auth (and to identify users to
the site so they can be connected with the info they supplied at purchase
time).  You've spent too long in the crypto world.

Peter.
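
Added example, not part of either poster's message: a sketch of why a memory card that only stores a name+password cannot prove its presence, next to a keyed challenge-response for contrast. The card layout, URL, credentials and all function names are constructed assumptions; nothing here describes the actual product.

```python
import base64, hashlib, hmac, os

CARD_SIZE = 256  # capacity of the memory card described in the thread

def make_card(url, user, password):
    """Constructed layout (assumption): three NUL-terminated fields, zero-padded."""
    blob = b"\0".join(s.encode() for s in (url, user, password)) + b"\0"
    if len(blob) > CARD_SIZE:
        raise ValueError("fields do not fit in 256 bytes")
    return blob.ljust(CARD_SIZE, b"\0")

def basic_auth_header(card):
    """What a reader can derive from stored bytes: a fixed Authorization value."""
    _url, user, password = card.split(b"\0")[:3]
    return "Basic " + base64.b64encode(user + b":" + password).decode()

def card_response(key, challenge):
    """Contrast case: a card that holds a key and computes over a fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def server_verify(key, challenge, response):
    """Server side of the contrast case, using a constant-time comparison."""
    return hmac.compare_digest(card_response(key, challenge), response)

def demo():
    # Static card: a byte-for-byte copy yields the same header, so the site
    # sees identical requests from the original and from any copy.
    original = make_card("https://example.invalid/members", "user1", "constructed-pw")
    copy = bytes(original)
    static_indistinguishable = basic_auth_header(original) == basic_auth_header(copy)

    # Keyed card: a response recorded for one challenge fails for the next one.
    key = os.urandom(32)
    first, second = os.urandom(16), os.urandom(16)
    recorded = card_response(key, first)
    replay_accepted = server_verify(key, second, recorded)
    fresh_accepted = server_verify(key, second, card_response(key, second))
    return static_indistinguishable, replay_accepted, fresh_accepted

if __name__ == "__main__":
    print(demo())
```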