On Sat, Sep 21, 2002 at 06:10:22AM +0000, David Wagner wrote:
> Barney Wolff wrote:
> >Actually, it can. The server can store challenge-responses in pairs,
> >then send N as the challenge and use the N+1 response (not returned)
> >as the key.
>
> But why bother? What does this add over just using crypto
> without their fancy physical token? The uncloneability of
> their token is irrelevant to this purpose. You might as well
> just carry around a piece of paper, or a floppy disk, with a
> list of keys on it.

In a logical sense, perhaps nothing. But in a practical sense, two methods of key agreement that produce equal-entropy keys may differ in computational cost or latency. I don't pretend to know how this would compare with other key derivations on those axes.

The advantage over paper or floppy is as stated - temporary possession of the token does not allow the attacker to see or spoof future traffic. However, it would make prior traffic vulnerable, so I must agree that simpleminded token-based key derivation does not appear to be prudent.

-- 
Barney Wolff
I'm available by contract or FT: http://www.databus.com/bwresume.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
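The asymmetry discussed in this thread (past traffic exposed, future traffic not) can be simulated; this is an added example, not part of the original messages. It assumes an HMAC under a hidden secret as a stand-in for the physical token, and a hypothetical `paired()` rule that derives the "N+1" challenge from challenge N; all class and function names are illustrative.

```python
import hashlib, hmac, secrets

class Token:
    """Stand-in for the physical token (assumption): answering needs the object."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def paired(challenge: bytes) -> bytes:
    """Assumed pairing rule: the 'N+1' challenge is derived from challenge N."""
    return hashlib.sha256(b"pair" + challenge).digest()

class Server:
    """Enrols while holding the token: stores (challenge N, response N, response N+1)."""
    def __init__(self, token: Token, sessions: int):
        self.table = []
        for _ in range(sessions):
            c = secrets.token_bytes(16)
            self.table.append((c, token.respond(c), token.respond(paired(c))))
    def next_session(self):
        return self.table.pop(0)  # each stored pair is used once

def simulate() -> dict:
    token = Token()
    server = Server(token, sessions=4)
    wire, past_keys = [], []
    for _ in range(2):  # two sessions happen before the token is borrowed
        c, expected, key = server.next_session()
        returned = token.respond(c)            # response N goes back on the wire
        client_key = token.respond(paired(c))  # response N+1 is never sent
        assert hmac.compare_digest(returned, expected) and client_key == key
        wire.append(c)                         # eavesdropper records the challenge
        past_keys.append(key)
    # Temporary possession: the holder can replay every recorded challenge...
    recovered = [token.respond(paired(c)) for c in wire]
    # ...but can only guess at challenges the server has not sent yet.
    guesses = {token.respond(paired(secrets.token_bytes(16))) for _ in range(1000)}
    # Token is returned; the remaining enrolled pairs key the future sessions.
    future_keys = [server.next_session()[2] for _ in range(2)]
    return {"past_recovered": recovered == past_keys,
            "future_recovered": any(k in guesses for k in future_keys)}

if __name__ == "__main__":
    print(simulate())
```
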
