[11752] in cryptography@c2.net mail archive


Re: unforgeable optical tokens?

daemon@ATHENA.MIT.EDU (David Wagner)
Tue Sep 24 21:36:00 2002

X-Envelope-To: cryptography@wasabisystems.com
To: cryptography@wasabisystems.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 25 Sep 2002 00:04:49 GMT
X-Complaints-To: news@abraham.cs.berkeley.edu

Bill Frantz wrote:
>If the challenger selects several of his stored challenges, and asks the
>token reader to return a secure hash of the answers (in order), no
>information will be leaked about the response to any individual challenge.
>This procedure will allow the challenger to perform a large number of
>verifications with a relatively small number of stored challenge-response
>pairs.

I don't think this works.  A malicious reader could remember all the
challenges it gets and record all the responses it measures (before
hashing).  If the number of possible challenges is small, the malicious
reader might learn the entire challenge-response dictionary after only
a few interactions.  From that point on, the malicious reader would be
able to spoof the presence of the token.

(Of course, if malicious readers aren't a threat, then you don't
need fancy uncloneable tokens.  A simple cryptographic key written
on a piece of paper suffices.)

So I think you really do need to use a different challenge every time.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
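
The following simulation is an added example, not part of the message above. It models the quoted scheme with a small pool of stored challenges and a reader that records each raw response before hashing, then compares a reused challenge set with a fresh challenge once the token is gone. The HMAC stand-in for the optical token, the class and function names, and the pool sizes are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

def token_response(secret: bytes, challenge: int) -> bytes:
    # Assumption: HMAC stands in for the physical token's measured response.
    return hmac.new(secret, challenge.to_bytes(4, "big"), hashlib.sha256).digest()

def hash_answers(responses) -> bytes:
    # What the reader returns in the quoted scheme: one hash over the answers, in order.
    return hashlib.sha256(b"".join(responses)).digest()

class RecordingReader:
    """Hypothetical malicious reader: keeps each raw response before hashing it."""
    def __init__(self, secret: bytes):
        self._secret = secret   # models having the token in the reader
        self.learned = {}       # challenge -> raw response

    def answer_with_token(self, challenges) -> bytes:
        raw = [token_response(self._secret, c) for c in challenges]
        self.learned.update(zip(challenges, raw))
        return hash_answers(raw)

    def answer_without_token(self, challenges):
        if any(c not in self.learned for c in challenges):
            return None         # never measured: nothing to replay
        return hash_answers([self.learned[c] for c in challenges])

def simulate(pool_size: int, per_check: int, seed: int = 1):
    rng = random.Random(seed)   # constructed sample data, deterministic
    secret = bytes(rng.getrandbits(8) for _ in range(16))
    stored = {c: token_response(secret, c) for c in range(pool_size)}
    expected = lambda cs: hash_answers([stored[c] for c in cs])
    reader, rounds = RecordingReader(secret), 0
    while len(reader.learned) < pool_size:      # honest-looking verifications
        picked = rng.sample(range(pool_size), per_check)
        assert reader.answer_with_token(picked) == expected(picked)
        rounds += 1
    picked = rng.sample(range(pool_size), per_check)    # token now absent
    reused_ok = reader.answer_without_token(picked) == expected(picked)
    fresh_ok = reader.answer_without_token([pool_size]) is not None
    return rounds, reused_ok, fresh_ok

if __name__ == "__main__":
    print(simulate(pool_size=20, per_check=5))
```

The returned tuple is (verifications observed before the whole pool was recorded, whether a reused challenge set verifies without the token, whether a never-issued challenge can be answered without the token).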
