Thermal, Near X-Ray, Radiological, RF Detection, Camera Detection/Jamming and the list goes on. The only reason to use glasses would be to conceal yourself in public. Got $20,000 to make one?
I'll believe it when I try it... Have seen similar promises before...
>In the flash animation above the video (on the passwindow site), there are clearly more than 5 digits. I can see 16 places a digit can be (counting the _ sections of the digit, the uprights overlap).
Good observation!
>If I was able to have multiple attempts, I can break any password
Say you were given 10 chances to guess a password, could you guess it? My point is that you could potentially enumerate any valid passwindow key with very few guesses. PassWindow key enumeration?
Never trust users!! Issuing tried and true SSL VPN tokens would be a strong solution. Would have an increased capital cost per user though...
Not rude at all to ask and is actually quite a reasonable question to pose. That is your assumption to say and only you can conclude for yourself.
Ask yourself this. If your presumption were true then how does it disprove my comments in retrospect?
I do believe the concept to be novel. It just needs some help from people who test application security as a profession...
A quick and simple solution would be to use out of bounds transmission of the challenge string (ex. SMS or EMail). An attacker cannot access the challenge string and cannot enumerate possible codes. Fixed!
That is refreshing to hear. I would be sure that you will still agree that the system still does not provide effective protection.
This type of cipher (using loosely) reminds me of a Caesar cipher. Frequency analysis, or what I'm more adept to call analytical differentiation, can still break it. The frequency analysis technique is over 1000 years old and Analytical Differentiation is over 60 years old.
Side note, after looking at the product's site it shows that the card can be flipped in 4 different orientations. This reminds me of the Enigma tumblers having 6 possible positions.
Professional opinion is that financial institutions need not apply (as of now).
If he implements the recommendations (increase key space, use A-Z as well as 0-9 and ensure that the number of unknowns is random and not 14 per 14).
There is a reason why VPN tokens use LCD screens. The attacker has no data to correlate an effective attack.
Back to the drawing board for this guy.
Let's analyze....
5 character code - 0-99999 = 100,000 possible codes.
5 characters with 7 lines each = 35 possible "line" locations. The card in the video has 14 lines. The challenge code on the computer "ALSO" has 14 lines.
This solution simply has the appearance of security. There are MAJOR design flaws.
If one were to analyze the incomplete code from the video you begin to notice that there is an enumeration flaw.
The first character is blank, 0-9. The second character can either be a 0, 6 or 8. The third character can either be a 0, 5 or 8. The fourth character can only be a 0, 2, 3, 8 or 0. The fifth character can only be a 0 or 8.
This only leaves 900 possibilities. Much easier than 100,000 possibilities.
If I calculated each of these 900 possible codes I could then determine which of these 900 codes utilize 14 characters! This would allow me to determine all possible "card codes" with 99% accuracy. If I was able to receive multiple challenges from the server, I would repeat the process and cross-compare results. This would allow me to determine the key on the card with almost 100% accuracy.
Increasing the keyspace, utilizing [A-Z0-9] and randomizing the number of challenge characters would limit my ability to enumerate as easily.
This solution currently provides no security against a motivated attacker.
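The keyspace-reduction argument in the comment above, as an added example that is not code from the commenters or from PassWindow: a small model of 5-digit 7-segment codes in which a challenge leaks some lit strokes at each position, used to measure how far the space an attacker would otherwise have to guess shrinks. The leak pattern `OBSERVED` and the "superset of lit strokes" consistency rule are constructed assumptions, not the product's actual mechanism.

```python
# Added example (not from the thread): measure how much a challenge that
# exposes some of a digit's 7-segment strokes shrinks the response keyspace.
from itertools import product
from math import log2

# Standard 7-segment encoding (strokes a..g) for the digits 0-9.
SEGMENTS = {
    "0": "abcdef", "1": "bc", "2": "abdeg", "3": "abcdg", "4": "bcfg",
    "5": "acdfg", "6": "acdefg", "7": "abc", "8": "abcdefg", "9": "abcdfg",
}
CODE_LENGTH = 5
FULL_KEYSPACE = 10 ** CODE_LENGTH  # 0-99999, as the thread states


def consistent_digits(revealed):
    """Digits whose stroke set contains every stroke already known to be lit.

    Assumption (constructed model): what the challenge leaks about a position
    is a subset of that digit's lit strokes, so a digit remains a candidate
    only if it lights all of the leaked strokes.
    """
    lit = set(revealed)
    return [d for d in sorted(SEGMENTS) if lit <= set(SEGMENTS[d])]


def candidate_codes(revealed_per_position):
    """Every full code consistent with the leaked strokes at each position."""
    digit_sets = [consistent_digits(r) for r in revealed_per_position]
    return ["".join(p) for p in product(*digit_sets)]


def effective_keyspace(revealed_per_position):
    """Number of codes the leak leaves in play (full space is 10**5)."""
    return len(candidate_codes(revealed_per_position))


def entropy_bits(n):
    """Guessing work in bits for a uniformly distributed space of n codes."""
    return log2(n)


# Constructed leak pattern: nothing leaks at position 1, partial digits after.
OBSERVED = ["", "acdef", "acdf", "abd", "abcdef"]

if __name__ == "__main__":
    for pos, revealed in enumerate(OBSERVED, 1):
        print(f"position {pos}: lit {revealed or '-':8} -> {consistent_digits(revealed)}")
    remaining = effective_keyspace(OBSERVED)
    print(f"full keyspace: {FULL_KEYSPACE} ({entropy_bits(FULL_KEYSPACE):.1f} bits)")
    print(f"after the leak: {remaining} ({entropy_bits(remaining):.1f} bits)")
```

Leaking more strokes per position collapses the candidate list further (all seven strokes leave only "8"), which is the reduction the thread's recommendations of a larger alphabet and a random number of unknowns are meant to blunt.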