On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said:

> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.

Forget it. You can't do it without going to two-factor authentication, *and* make sure that the second factor is *not* subvertible by the compromised system (for instance, even a SecureID won't totally work, because the keystroke logger can snarf what the user entered, use that to formulate a bogus request, and then issue the user's actual request, which should get rejected as a replay attack).

Using crypto all the way from the web server to a smart-card (so all the compromised system can see is encrypted data it can't get the key for) can help here.
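A model of the replay argument above and of the smart-card alternative, added here as an example that is not part of the original post. Seeds, keys, nonces and the two request names are constructed, and the card path is simplified to an HMAC the card computes over a server nonce and the exact action (rather than full encryption between server and card) so the compromised host only relays values it cannot forge.

```python
import hmac
import os

def mac(key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over the joined parts (stands in for the token/card function)."""
    return hmac.new(key, b"|".join(parts), "sha256").hexdigest()

class OtpServer:
    """Keyboard-entered one-time code: server knows the seed and accepts each code once."""
    def __init__(self, seed: bytes):
        self.seed, self.used = seed, set()
    def handle(self, action: bytes, counter: int, code: str) -> bool:
        if code in self.used or not hmac.compare_digest(code, mac(self.seed, str(counter).encode())):
            return False
        self.used.add(code)
        return True

def otp_scenario():
    seed = b"constructed-otp-seed"  # constructed shared secret
    server, counter = OtpServer(seed), 7
    code = mac(seed, str(counter).encode())  # what the user reads off the token and types
    # Keylogger on the host sees the typed code; a bogus request using it goes in first,
    # so the user's genuine request, carrying the same code, is refused as a replay.
    attacker_ok = server.handle(b"transfer-to-attacker", counter, code)
    user_ok = server.handle(b"pay-electric-bill", counter, code)
    return attacker_ok, user_ok  # (True, False)

class CardServer:
    """Challenge-response: the card MACs a server nonce plus the exact action under a key that never leaves the card."""
    def __init__(self, card_key: bytes):
        self.card_key, self.pending = card_key, set()
    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce
    def handle(self, action: bytes, nonce: bytes, proof: str) -> bool:
        # Reject a spent/unknown nonce (replay) or a proof that does not cover this exact action.
        if nonce not in self.pending or not hmac.compare_digest(proof, mac(self.card_key, nonce, action)):
            return False
        self.pending.discard(nonce)  # nonce is single-use
        return True

def card_scenario():
    key = b"constructed-card-key"  # constructed; in reality never leaves the card
    server = CardServer(key)
    nonce = server.challenge()
    proof = mac(key, nonce, b"pay-electric-bill")  # computed inside the card
    attacker_ok = server.handle(b"transfer-to-attacker", nonce, proof)  # swapped action
    user_ok = server.handle(b"pay-electric-bill", nonce, proof)
    replay_ok = server.handle(b"pay-electric-bill", nonce, proof)  # nonce already spent
    return attacker_ok, user_ok, replay_ok  # (False, True, False)
```

The card path only holds if the action the card authorises is shown to the user and cannot be altered by the host on its way to the card; otherwise the host simply feeds the card a different action.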
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/