[Noisebridge-discuss] Two factor auth, not SecureID
Moxie Marlinspike
moxie at thoughtcrime.org
Fri Oct 16 04:06:19 UTC 2009
Jacob Appelbaum wrote:
> Ah! I think you should ask Moxie or the other developer to put up the
> .apk outside of the Market. That's totally reasonable and probably
> worthwhile.

Sure, we can do that.

>> Can you explain the differences in approach of Barada, OPIE, and
>> SRP?

Yes, OPIE is a pain. SRP is basically a little more than we want here.
Even in its most straightforward form, it requires a few round-trips to
complete the authentication process, and so isn't really the best thing
to drop into an existing password-based system, or for a setup where the
computation is happening on an external device not connected to the network.

>> Is SHA1-HMAC affected by any of the cryptanalytic problems with SHA-1?

In the common case of how people (and Barada) tend to use MACs, no. In
our case, collision resistance isn't even an important property.

- moxie
--
Thoughtcrime: http://www.thoughtcrime.org
Blue Anarchy: http://www.blueanarchy.org
Audio Anarchy: http://www.audioanarchy.org