[11867] in cryptography@c2.net mail archive


Re: QuizID?

daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu Oct 17 14:51:30 2002

Date: Thu, 17 Oct 2002 14:48:46 -0400
From: Adam Shostack <adam@homeport.org>
To: Rich Salz <rsalz@datapower.com>
Cc: Marc Branchaud <marcnarc@rsasecurity.com>,
	cryptography@wasabisystems.com, cypherpunks <cypherpunks@lne.com>
In-Reply-To: <3DAF03FB.6080003@datapower.com>

On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote:
| Marc Branchaud wrote:
| >Any thoughts on this device?  At first glance, it doesn't seem
| >particularly impressive...
| >
| >http://www.quizid.com/
| 
| Looks like hardware S/Key, doesn't it?
| 
| If I could fool the user into entering a quizcode, then it seems like I 
| could get the device and the admin database out of sync and lock the 
| user out of the system.

Aww, Rich, that trick never works!

More seriously, most of the vendors will search forwards and back
through the expected codes to make the attack less likely to work.
(If authentication is centralized, searching backwards may not be a
security risk.)

I think the most interesting part of this is that the unit looks cool, and
it's spun slightly differently than other tokens have been.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
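The forward-search resync Adam describes, as an added example that is not part of this thread or of any QuizID code: an S/Key-style hash-chain token next to a verifier whose lookahead window absorbs codes the user burned, so a tricked user is not locked out. Using SHA-256 as the chain function, a chain length of 100 and a window of 5 skipped codes are assumptions for the demo.

```python
import hashlib

def chain(seed: bytes, n: int) -> bytes:
    """H^n(seed): apply SHA-256 n times (stands in for the token's one-way function)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class Token:
    """Client side of an S/Key-style chain: emits H^(N-1), H^(N-2), ... on each press."""
    def __init__(self, seed: bytes, chain_len: int):
        self.seed, self.remaining = seed, chain_len

    def next_code(self) -> bytes:
        self.remaining -= 1
        return chain(self.seed, self.remaining)

class Verifier:
    """Server side: keeps only the last accepted value (initially H^N) and a window size."""
    def __init__(self, anchor: bytes, window: int):
        self.anchor, self.window = anchor, window  # window = skipped codes tolerated

    def verify(self, code: bytes) -> bool:
        candidate = code
        # Forward search: hash the submitted code up to window+1 times looking for the
        # anchor, so codes the user burned (e.g. on a fake login page) do not lock them out.
        for _ in range(self.window + 1):
            candidate = hashlib.sha256(candidate).digest()
            if candidate == self.anchor:
                self.anchor = code  # resync: every skipped code now sits above the anchor
                return True
        # No backward search here: with one central verifier, everything above the anchor
        # in the chain is a code it already accepted, so a match there would be a replay.
        return False

def scenario(burned: int, window: int = 5) -> tuple:
    """Returns (legit_login_ok, burned_code_still_ok) after `burned` codes were wasted."""
    seed = b"constructed demo seed, not a real token secret"  # constructed sample value
    token = Token(seed, chain_len=100)
    verifier = Verifier(anchor=chain(seed, 100), window=window)
    assert verifier.verify(token.next_code())            # normal first login
    stolen = [token.next_code() for _ in range(burned)]  # codes entered into a fake page
    legit_ok = verifier.verify(token.next_code())        # next real login after the gap
    # Caveat: a burned code is a valid one-time code until a later code is accepted.
    burned_ok = verifier.verify(stolen[0]) if stolen else False
    return legit_ok, burned_ok

if __name__ == "__main__":
    print(scenario(1), scenario(6))  # inside the window vs. beyond it
```

Inside the window the legitimate user gets in and the burned code is dead; beyond the window the user is locked out and the burned code is still usable, which is why the window must be bounded rather than unlimited.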



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
