Comments on: Strong Authentication for the Masses? http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/ "Coffee should be black as hell, strong as death, and sweet as love." - Turkish Proverb Thu, 22 Jul 2010 00:39:42 +0000 hourly 1 http://wordpress.org/?v=3.0 By: strerror http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/comment-page-1/#comment-8549 strerror Sun, 22 Jan 2006 13:35:00 +0000 http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/#comment-8549 I noticed that you were using Gentoo for your tests. I'm considering putting wikid into portage and would like to know your experiences with doing so in Gentoo. In particular any documentation you have would be great. Please contact me. I noticed that you were using Gentoo for your tests. I’m considering putting wikid into portage and would like to know your experiences with doing so in Gentoo. In particular any documentation you have would be great. Please contact me.

]]> By: Roy Verrips http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/comment-page-1/#comment-6215 Roy Verrips Thu, 13 Oct 2005 14:36:41 +0000 http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/#comment-6215 Hi I had a look at WIKID for my home personal use, being especially interested in the fact that it's open source and can use my mobile phone to generate the Key - However, what I didn't like was that the client device needs to authenicate back to the server everytime - It would be nicer if, like with the RSA SecureID system, the mobile phone can be setup like a "token" that only reads the encryption algorythm once and then is able to generate a new code every 45 seconds (like RSA SecurID) And of course, if this was open source I'd be even happier 'cause I simply can't afford RSA for my home use Hi
I had a look at WIKID for my home personal use, being especially interested in the fact that it’s open source and can use my mobile phone to generate the Key – However, what I didn’t like was that the client device needs to authenicate back to the server everytime – It would be nicer if, like with the RSA SecureID system, the mobile phone can be setup like a “token” that only reads the encryption algorythm once and then is able to generate a new code every 45 seconds (like RSA SecurID)
And of course, if this was open source I’d be even happier ’cause I simply can’t afford RSA for my home use

]]> By: Mike http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/comment-page-1/#comment-5858 Mike Tue, 13 Sep 2005 16:15:02 +0000 http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/#comment-5858 Michael - Good points; see my comments at the WiKID blog. You see the replay attack that I mentioned earlier. However, a replay attack assumes you can capture the traffic between the device client and the wikid server - it's doable, but it's harder than brute forcing a password. It's a matter of reducing risk somewhat (by using something stronger than basic authentication) then accepting the residual risk (that the replay attack might happen). Michael – Good points; see my comments at the WiKID blog. You see the replay attack that I mentioned earlier. However, a replay attack assumes you can capture the traffic between the device client and the wikid server – it’s doable, but it’s harder than brute forcing a password.

It’s a matter of reducing risk somewhat (by using something stronger than basic authentication) then accepting the residual risk (that the replay attack might happen).

]]> By: Michael Peters http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/comment-page-1/#comment-5851 Michael Peters Mon, 12 Sep 2005 23:01:24 +0000 http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/#comment-5851 I don't think WikiD is very secure at all. It is subject to a simple replay attack. Their description of the token is that it " ... is is encrypted with the WiKID Server's public key - assuring that only that server can decrypt it with its private key." This is subject to several attacks. On its face, it means anyone can copy this encoded message and replay it in an attack. In a more sophisticated version of this attack, the super secure encoded message is intercepted in a MIDM. The authenticated message is forwarded to the server, which sends the bad guys a OTP. I don’t think WikiD is very secure at all. It is subject to a simple replay attack.

Their description of the token is that it ” … is is encrypted with the WiKID Server’s public key – assuring that only that server can decrypt it with its private key.” This is subject to several attacks. On its face, it means anyone can copy this encoded message and replay it in an attack.

In a more sophisticated version of this attack, the super secure encoded message is intercepted in a MIDM. The authenticated message is forwarded to the server, which sends the bad guys a OTP.

]]> By: Thinking WiKID Thoughts http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/comment-page-1/#comment-5844 Thinking WiKID Thoughts Mon, 12 Sep 2005 14:17:36 +0000 http://www.coffeecorner.org/2005/09/11/strong-authentication-for-the-masses/#comment-5844 <strong>"Strong Authentication for the masses"</strong> WiKID got a nice review over at the Coffee Corner. I hope they do test the WiKID server on your home network. That is exactly the scenario we envisioned when we released the open source version. No reason why home users shouldn't be able to have strow... “Strong Authentication for the masses”

WiKID got a nice review over at the Coffee Corner. I hope they do test the WiKID server on your
home network. That is exactly the scenario we envisioned when we released the open source
version. No reason why home users shouldn’t be able to have strow…

]]>