Slashdot Mirror


Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
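The click-and-reshuffle exchange the submission describes, modelled as an added Python example (this is not Transec's code; the 4x3 keypad geometry, the text stand-in for the rendered image, and the `PinSession`/`verify_pin` functions are all assumptions made for the demo). The point it shows is that the only thing the browser ever sends is a pair of pixel coordinates, and that the server reshuffles the keypad after every click, so the same coordinate means a different digit next time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical geometry of the keypad image: ROWS x COLS keys, each CELL x CELL pixels.
ROWS, COLS, CELL = 4, 3, 40

_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle; the layout must be unpredictable


def _shuffled_layout():
    """Ten digits plus two blank keys in a fresh random order (one layout per image)."""
    keys = list("0123456789") + [None, None]
    _rng.shuffle(keys)
    return keys


@dataclass
class PinSession:
    """All state lives on the server; the browser only ever sees the rendered image."""
    layout: list = field(default_factory=_shuffled_layout)
    entered: str = ""
    rounds: int = 0

    def render(self):
        """Stand-in for the image the server sends: one text row per keypad row.
        A real deployment would rasterise this; text keeps the demo offline."""
        rows = []
        for r in range(ROWS):
            cells = self.layout[r * COLS:(r + 1) * COLS]
            rows.append(" ".join("[%s]" % (c if c else " ") for c in cells))
        return "\n".join(rows)

    def click(self, x, y):
        """Browser -> server message: only the pixel coordinates of one click.
        Returns the next image (freshly shuffled) or None if the click was off the map."""
        if not (0 <= x < COLS * CELL and 0 <= y < ROWS * CELL):
            return None  # outside the imagemap: ignore, keep the current layout
        key = self.layout[(y // CELL) * COLS + (x // CELL)]
        if key is not None:  # blank keys are no-ops
            self.entered += key
        self.layout = _shuffled_layout()  # same coordinate maps to a different digit next round
        self.rounds += 1
        return self.render()


def verify_pin(session, pin_hash, salt):
    """Server-side comparison against the stored salted hash; the entry buffer is cleared either way."""
    candidate = hashlib.pbkdf2_hmac("sha256", session.entered.encode(), salt, 50_000)
    session.entered = ""
    return hmac.compare_digest(candidate, pin_hash)


def coords_of(session, digit):
    """What the human does: read the image and aim at the key showing `digit`.
    This helper stands in for the user's eyes; software reading the request stream
    sees only the coordinates, never this layout."""
    idx = session.layout.index(digit)
    r, c = divmod(idx, COLS)
    return c * CELL + CELL // 2, r * CELL + CELL // 2


def demo(pin="4711", typed=None):
    """Enrol `pin`, then have a user click `typed` (defaults to `pin`) on the keypad.
    Returns (verified, browser_messages); the messages are all that crossed the wire."""
    typed = pin if typed is None else typed
    salt = b"constructed-demo-salt"  # constructed value for the demo
    stored = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)
    session = PinSession()
    messages = []
    for d in typed:
        x, y = coords_of(session, d)
        messages.append((x, y))
        session.click(x, y)
    return verify_pin(session, stored, salt), messages


if __name__ == "__main__":
    ok, msgs = demo()
    print("verified:", ok)
    print("browser sent only:", msgs)
```

Note what the model does and does not cover: keystroke capture and request-stream inspection get nothing but coordinates and a per-round layout that the server never transmits as data, but a capture of the rendered image around the cursor at click time would still show the key under it, which is exactly the question the summary ends on.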

1 of 125 comments

  1. Re:One time pads. The only solution. by Anonymous Coward · Score: -1, Offtopic
    I think you're confusing one-time pads with one-time passwords.

    A one-time pad is a randomly-generated sequence of numbers shared by the sender and receiver which is added to the plain-text message. Since no character in the ciphertext depends on any other character in the ciphertext, the resulting code is unbreakable. One-time pads are almost never used in practice because the key must be the same length as the message, which creates a serious key-distribution problem. How do you communicate the pads securely? Also, the pads can only be used once. Two messages encrypted with the same pad can be differentially analyzed and the plain-text decrypted with comparative ease.

    A one-time password is a password which is constantly altered, making it more difficult to gain unauthorized access to a computer system. There are several flavors of one-time passwords, but they are all based on some sort of synchronization between a client system (OTP software, secure token, etc.) and the server system. The one-time password is more secure than a static password, because a compromised password will only allow unauthorized access to the system for a short time interval.

    -Sean
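Both halves of the distinction Sean draws, as an added Python example that is not part of the comment: a one-time pad (XOR with a key as long as the message, used once) alongside one standard flavor of one-time password, HOTP from RFC 4226, which the comment does not name and which is assumed here as the concrete "synchronization between client and server". The `pad_reuse_leak` function only shows why the pad must never be reused: XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the plaintexts. The `HotpServer` class is a hypothetical server side that accepts a code from a small look-ahead window and then advances its counter, so a code that has already been used is refused.

```python
import hashlib
import hmac
import os
import struct


# ---- One-time pad: key exactly as long as the message, used exactly once -------------

def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad; with a fresh random pad this leaks nothing."""
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_reuse_leak(c1, c2):
    """Why a pad is one-time: if both ciphertexts used the same pad, the pad cancels and
    c1 XOR c2 == p1 XOR p2, so the relationship between the two plaintexts is exposed
    without the key ever being seen. This just computes that cancellation."""
    return xor_bytes(c1, c2)


# ---- One-time password: HOTP (RFC 4226), a shared secret plus a synchronised counter -----

def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class HotpServer:
    """Hypothetical verifier: stores the shared secret and the next counter it expects.
    A code is accepted only if it matches one of the next `window` counters (the client
    may have generated codes that never reached the server); the counter is then moved
    past the matched value, so an intercepted code is worthless once it has been used."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise; older codes are now dead
                return True
        return False


if __name__ == "__main__":
    p1, p2 = b"attack at dawn", b"defend at noon"  # constructed sample messages
    pad = os.urandom(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)
    print("round trip ok:", otp_decrypt(c1, pad) == p1)
    print("pad reused, c1^c2 == p1^p2:", pad_reuse_leak(c1, c2) == xor_bytes(p1, p2))
    secret = b"12345678901234567890"  # the RFC 4226 test-vector secret
    server = HotpServer(secret)
    code = hotp(secret, 0)
    print("first use accepted:", server.verify(code), "replay accepted:", server.verify(code))
```

The two constructions answer different threats: the pad protects a message in transit against anyone who lacks the key, while the one-time password limits what a captured credential is worth to the short window before the counter moves past it.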