Kevin Vance - I was poking at various perl things to move kvance.com away from…

Entries | Archive | Friends | Friends' Friends | User Info

03:30 am

Friday, April 28th, 2006
Previous Entry Share Next Entry
I was poking at various perl things to move kvance.com away from static html pages, and I thought of a crazy authentication scheme:

You have an account with your mobile number and public key.
You go to the login page and request a one-time password.
You then whip out your mobile phone and start the password receiving program.
The server sends you the password as a text message encrypted to your public key.
Your private key with password on the phone decrypts the one-time password for the website.
Enter that password into the login page. It can't be used again.

So keyloggers and network sniffers are foiled, and if the badguy steals your private key (how?) and password, he also has to steal your phone to get the text message! Huh? Crazy? I am up much later than usual tonight :P
Link )Reply )

Comments
[User Picture]From: teferi
2006-04-28 07:43 am (UTC)
Doooo it! That would be rad.
(Reply) (Thread)
[User Picture]From: wikle
2006-04-28 05:57 pm (UTC)
They could intercept both the encrypted password and then the decrypted one, if everyone has the same decryption program (which they must) they should have everything they need to break your private key.

If however the server knows your private key and also creates some sort of randomized element into the decoding, so the decoding takes place in two parts, the first one based on your private key that will then reveal the second randomized part which will then be used to create your one time password, then the hacker couldn't get access to your private key without hacking the server itself to get the randomized part sent to you.

So the server sends one piece of data which contains two individual items 1) the information that can be decoded with your private key, and 2) the randomized item.

1 is used to get access to 2. 1 and 2 together then create 3

3 = one time password.

Or so says my non comp sci mind.

If it all works patent it in a hurry then market it to all those companies who want to sell stuff wirelessly, basically itunes and like music services as well as cell phone companies. You would make MeeeeEEEellions.
(Reply) (Thread)
[User Picture]From: kvance
2006-04-28 06:22 pm (UTC)
You raise a good point. Retransmitting the plaintext in the clear should have raised some flags. I think popular systems like PGP are resistant to this attack because they add random junk to the message and use a different session key each time. I'm definitely suspicious now though. I should ask a cryptographer.

And it's pointless for me to patent this because I don't have the thousands of dollars required to sue companies that use it.

Or so says my non IP law mind XD
(Reply) (Parent) (Thread)
[User Picture]From: wikle
2006-04-29 12:00 am (UTC)
Well actually, if you did patent it and someone did violate it, then depending on who violated it (as in whether the have money), you should be able to get your case picked up on contingency fee. This means the lawyer gets paid when you do and not before. If you really have a case then the vast majority of the time it gets settled outside of court anyway.

Or such is how I understand it without actually taking any IP classes yet heh.
(Reply) (Parent) (Thread)
[User Picture]From: duinlas
2006-04-30 01:54 pm (UTC)
He also doesn't have the thousands of dollars needed to file the patent in the first place.
(Reply) (Parent) (Thread)
From: (Anonymous)
2006-05-01 04:22 am (UTC)
It's not that expensive. My brother's doing it.

On the other hand, he posted it to a public domain bulletin board.
(Reply) (Parent) (Thread)