Bugtraq mailing list archives

Re: otp - the next generation


From: Szilveszter Adam <sziszi () PETRA HOS U-SZEGED HU>
Date: Fri, 23 Mar 2001 00:35:44 +0100

Hello,

Although the system you present is interesting and promising (and I have
not heard of any such systems for Linux yet, although commercial solutions
of this kind already exist), I would like to focus everybody's attention
on two minor things.

1) AFAIK mobile communications are *not* encrypted. This means that... yes,
you guessed it. It is more difficult than the average wire-sniff attack but
only because there are fewer tools out there from the likes of tcpdump(1).

2) Also, all SMS-es go through the mobile service provider's SMS center or
whatever it is called in English. If the phone you are authenticating to
belongs to a different provider, then even two such centers are used. Of
course, manipulating messages (or even just reading them) there would
require access to the GSM provider's infrastructure, but it is another facet
you shouldn't neglect.

This, of course, is nothing new :-) But in this wireless age when mobile
communications is becoming more and more important I guess we'll need a new
approach to security and soon such statements will be as routine as "telnet
transmits passwds in the clear" is now. But until then it never hurts to
repeat them :-)

Good luck with your studies & work in the USA, Lukasz!

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

