Transec, a Secure Authentication Tag Library
Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
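The server-side mechanism described above, modelled as an added example (this is not Transec's own code, which is a Java JSP tag library): a session keeps the digit layout on the server, resolves each click's coordinates to a digit, and reshuffles before issuing the next image. The 5x2 grid, the `KeypadSession` class and the `digits_from_coordinates` observer are constructed for this example; the observer shows the point raised in the comments about a missing random assignment, namely that with a static layout the coordinate stream is as revealing as keystrokes.

```python
import hmac
import secrets

COLS, ROWS, CELL = 5, 2, 40    # constructed keypad: 5x2 grid of 40-pixel cells
IDENTITY = list("0123456789")  # unshuffled layout, models a demo with no entropy


def shuffled_layout():
    """Fresh random assignment of digits to cells (cell i = row i//5, col i%5)."""
    layout = IDENTITY[:]
    secrets.SystemRandom().shuffle(layout)
    return layout


class KeypadSession:
    """Server-side state for one PIN entry: the browser only sees the rendered
    layout (an image) and returns click coordinates; digits stay on the server."""

    def __init__(self, expected_pin, fixed_layout=None):
        self.expected = expected_pin
        self.fixed_layout = fixed_layout          # None = reshuffle after each click
        self.layout = fixed_layout or shuffled_layout()
        self.entered = ""

    def click(self, x, y):
        """Map pixel coordinates on the current image to a digit and append it.
        Returns None for a click outside the keypad."""
        col, row = x // CELL, y // CELL
        if not (0 <= col < COLS and 0 <= row < ROWS):
            return None
        digit = self.layout[row * COLS + col]
        self.entered += digit
        if self.fixed_layout is None:
            self.layout = shuffled_layout()       # the next image differs
        return digit

    def verify(self):
        return hmac.compare_digest(self.entered, self.expected)


def digits_from_coordinates(clicks, layout):
    """What an observer of the coordinate stream learns when the layout is
    static and known: the PIN itself, i.e. the scheme degrades to keylogging."""
    out = ""
    for x, y in clicks:
        col, row = x // CELL, y // CELL
        if 0 <= col < COLS and 0 <= row < ROWS:
            out += layout[row * COLS + col]
    return out
```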
If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.
This could very easily be replicated in practically any web scripting language of your choice.
Exactly. It doesn't require any client-side processing. That's the beauty of it. This means you can TURN OFF javascript and it will still work.
As for the innovation- it allows a user to enter their pin while reducing the chance that it's snooped by malware, which is a Good Thing. It also makes it a lot harder for said malware to replicate the response compared to keyboard entry- because in addition to protecting your code, it also acts as a (primitive) captcha, making reasonably sure that whoever is entering the code is human.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
I'd imagine this would be most useful to run in my home server, so I could contact it from anywhere without having to trust the computer I'm using. And yeah, I'd rather inconvenience myself with this password entry method than with cleaning up the mess when someone hijacks the server.
Funny you should mention "terrorists" in your subject and then say this. After all, the War on Terror has been completely unsuccessful in eliminating them. I think that it's been adequately proven that you can't eliminate baddies, you just have to design systems that can withstand badness.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.
You are right to some degree, but also wrong.
Their idea seems to be that the computer might be compromised, but the server is secure - so if the server creates the images, you can at least be secure against automated attacks - i.e. without human intervention. (because the attacker does not have access to the algorithm that created the images) This can work for as long as there are some tasks that humans can do and computers not.
If the computer is the last step in the authentication, then you are right. If you have a small little device that tells you "in this step use a->1, d->2, f->3 etc." then the transaction can be secure even through a compromised computer.
Are supposed to log in how?
First, I know what one time pads are, and I have read a lot of material on old cryptography techniques, but you still missed the very point! Suppose you have a one time pad and an attacker manages to get a keylogger onto your computer (this is the situation we are talking about; ING Direct is an online bank, end of story, if you didn't know that then you really should not have hit the reply button because it's off topic). So you carefully type in your one time pad into the computer. Guess what, since the attacker has all your keystrokes, he can easily put himself in the middle and take the pad you so carefully entered and give them to the bank himself and boom, he has access with minimal effort. By using one time pads you just ensure that everyone has to be very annoyed when they log in, people can lose their account in a fire, and that the bank has more expenses in trying to keep everyone's pad available and secure (much more work and effort compared to a SHA-1 of the password maybe with a little salt). That means more expenses for the bank, which get passed on to the customer. Brilliant!
I know one time pads are cryptographically secure, but they are not magic bullets. If you think they are, you are free to implement your own bank that uses them. If you fail, you fail, but the number of banks and customers that want to use one time pads is pretty small.
At the risk of starting another flame war about why we should care about the blind... This system is unusable by the blind using a screen reader. You are unable to detect the location of the "buttons". I tested it with both the MacOS built-in screen reader (VoiceOver) and a Windows add-on (JAWS) screen reader.
So, in the U.S., unless you're looking to have the National Federation of the Blind, American Council of the Blind or the Justice Department come after you in court, you would be well advised not to implement it in a commercial setting unless you have an alternate means of providing services.
And no, providing a physical store thirty miles down the road is not an alternate means; the blind don't drive, remember?