Slashdot Mirror


Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
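To make the server-side design in the summary concrete, here is an added illustration (hypothetical code, not Transec's own): the server draws the digits into a freshly shuffled keypad image per login, the browser returns only click coordinates, and the digit behind each cell is resolved on the server. The cell size, grid shape and function names are assumptions.

```python
import hmac
import secrets

DIGITS = "0123456789"
CELL = 40          # constructed: each key occupies a 40x40 pixel cell of the image
COLS, ROWS = 5, 2  # constructed: keypad drawn as 2 rows of 5 keys

class KeypadSession:
    """Server-side state for one image-keypad login (hypothetical design).
    The browser only receives the rendered image and sends back click
    coordinates; the digit drawn in each cell exists only on the server."""

    def __init__(self, layout=None):
        if layout is None:
            layout = list(DIGITS)
            secrets.SystemRandom().shuffle(layout)  # fresh layout for every image
        if sorted(layout) != list(DIGITS):
            raise ValueError("layout must be a permutation of the ten digits")
        self.layout = layout      # cell index (row * COLS + col) -> digit drawn there
        self.entered = []

    def click(self, x, y):
        """Map a click at pixel (x, y) to the digit drawn in that cell;
        None for clicks outside the keypad."""
        col, row = x // CELL, y // CELL
        if not (0 <= col < COLS and 0 <= row < ROWS):
            return None
        digit = self.layout[row * COLS + col]
        self.entered.append(digit)
        return digit

    def cell_centre(self, digit):
        """Where a user who can see the image would click for `digit`
        (used only to simulate the user in this example)."""
        idx = self.layout.index(digit)
        return (idx % COLS) * CELL + CELL // 2, (idx // COLS) * CELL + CELL // 2

    def verify(self, pin):
        """Constant-time comparison of the clicked digits against the stored PIN."""
        return hmac.compare_digest("".join(self.entered), pin)

def replay(coords, layout=None):
    """Feed a captured coordinate stream into a new session (new image).
    Coordinates alone, without the image they were clicked on, map to
    different digits; a logger that also captures the screen around each
    click would recover the PIN, which is the caveat the comments raise."""
    s = KeypadSession(layout)
    return "".join(d for d in (s.click(x, y) for x, y in coords) if d)
```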

8 of 125 comments

  1. I'm skeptic by cucucu · · Score: 2, Interesting

    This is assumed to counter keyloggers.
    But if the bad guys have enough control of the machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk?

    This "new" product does not work around the principle that software cannot secure a computer to which your adversary has physical access.

  2. OPIE by sonicattack · · Score: 4, Interesting

    Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.

    I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder as much as they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.

    OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.

    Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.
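OPIE is built on an S/KEY-style hash chain, and the added example below (not OPIE's own code; it uses plain SHA-256 and skips OPIE's hash folding and six-word encoding) shows why a logged password is useless afterwards: the server stores only the top of the chain and walks it down one step per accepted login, so a replayed or out-of-order value fails.

```python
import hashlib
import hmac

def step(x: bytes) -> bytes:
    """One link of the chain (SHA-256 is an assumption made for this example)."""
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """chain[i] = H^i(seed). The client keeps the seed; the server is
    initialised with chain[n] and never learns the seed."""
    chain = [seed]
    for _ in range(n):
        chain.append(step(chain[-1]))
    return chain

class OtpServer:
    """Server side of the scheme: holds the last accepted value and how many
    one-time passwords remain before the chain must be re-initialised."""

    def __init__(self, top: bytes, count: int):
        self.last = top      # initially H^n(seed)
        self.count = count

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if H(otp) equals the last accepted value, then move
        the stored value one step down the chain so otp cannot be replayed.
        The client's next password is the preimage of the one just used."""
        if self.count == 0 or not hmac.compare_digest(step(otp), self.last):
            return False
        self.last, self.count = otp, self.count - 1
        return True
```

The initial synchronisation the comment mentions is the `chain[n]` handed to the server at setup; everything the attacker can log afterwards is a value whose preimage they do not have.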

  3. Re:Screen Capture by ultranova · · Score: 3, Interesting

    Why can't we have a TCB that is really Trusted? A secure operating system is all it takes to divert these attacks (granted it's easier said than done).

    How do you know the operating system in a particular machine is actually the Trusted version, and not a hacked version that's masquerading as the trusted one?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  4. Good luck. No chance in hell. by Opportunist · · Score: 4, Interesting

    You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former Eastern Bloc east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.

    Those law enforcement organisations there have real problems to deal with; they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.

    --

    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. One time pads. The only solution. by plierhead · · Score: 3, Interesting

    When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, i.e. a bunch of images. They will also randomly assign letters to each number (different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

    The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.

    Sometimes I would swear my brain explodes at our slowness to learn.

    The only true solution is one time pads. They are unhackable, and only a minor inconvenience.

    I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.

    --

    [x] auto-moderate all posts by this user as insightful

  6. Re:And the blind... by pacinpm · · Score: 2, Interesting

    Provide them randomly generated hash table: 1234567890 JBFAHECGID Then ask them to enter letters instead of numbers (J instead of 1, B instead of 2 and so on). Should work OK on Braille screens. PS. I think I need to patent this.

  7. Re:a bit futile isn't it? by enbody · · Score: 2, Interesting

    so the chances of the man in the middle intercepting a code he can re-use are extremely slim.

    That is a correct statement, but misses the point. It would be nice for a man-in-the-middle to get a reusable value, but it isn't necessary for a successful attack. The man-in-the-middle can clean out your account during the session you have successfully set up. I saw a demo of this with a person setting up a man-in-the-middle attack on his own brokerage account using a device which generated one-time passwords for the account. He bought a share of one stock, but the man-in-the-middle did a completely different transaction (bought a share of a competitor's stock).

  8. Re:Heh... by Lev_Arris · · Score: 2, Interesting

    So basically, we should eliminate the mouse clicks altogether. People who know dontclick.it know what I mean: You could just 'touch' the numbers with the mouse cursor for them to register. That way, the screen logger would have to record an entire video to get the password.

    Of course, implementing such a thing without Flash and the likes will be a little more tricky.