Encryption and risk
David Kramer
david-8uUts6sDVDvs2Lz0fTdYFQ at public.gmane.org
Tue Oct 6 11:13:17 EDT 2009
Richard Pieri wrote:
> On Oct 6, 2009, at 10:27 AM, Dan Ritter wrote:
>> Everyone seems to be ignoring the real brute force attack:
>> rubber-hose cryptanalysis.
>
> I did not ignore it; I simply chose not to address it. But since you
> asked... :)
>
> Obviously, no algorithm can be proof against a rubber hose attack.
> Securing against rubber hoses is a matter of implementation. One
> possible mechanism is something similar to standard code signing
> practice with multi-factor authentication. The user has a pass phrase
> (virtual key). The site has a hard token of some sort. That token is
> stored in a secured area (physical key).
In military circles, they use the phrase "Something you have, and
something you know". Fortunately the only secure application I
developed went on SIPRNET, so once I talked to their single-sign-on, I
didn't have to worry about security much (other than the usual
roles/groups authorization).
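The "something you have, something you know" mechanism Richard describes (a pass phrase plus a hard token) can be made concrete as two-factor key wrapping: the data key is encrypted under a key that depends on both factors, so neither the pass phrase alone nor the token alone recovers it. The following is an added illustration written for this thread, not code from either poster; the salt, nonce, token secret and data key are constructed demo values, and the HMAC-counter keystream stands in for the AEAD a real deployment would use.

```python
"""Two-factor key wrapping: the data key is recoverable only with BOTH
a pass phrase (something you know) and a secret read from a hard token
(something you have). Added example code; all values are constructed."""
import hashlib
import hmac

KDF_ITERATIONS = 100_000   # PBKDF2 work factor (assumed; tune per platform)
KEY_LEN = 32


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the pass phrase with PBKDF2-HMAC-SHA256 so guessing is slow."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_LEN)


def key_encryption_key(passphrase: str, salt: bytes, token_secret: bytes) -> bytes:
    """Mix both factors: HMAC keyed by the token secret over the stretched
    pass phrase. The stretched pass phrase is useless without the token
    secret, and the token secret is useless without the pass phrase."""
    return hmac.new(token_secret, passphrase_key(passphrase, salt),
                    hashlib.sha256).digest()


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Illustrative only; a real
    deployment would use an AEAD such as AES-GCM from a crypto library."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(kek, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_data_key(data_key: bytes, passphrase: str, salt: bytes,
                  token_secret: bytes, nonce: bytes) -> dict:
    """Encrypt the data key under the two-factor KEK and tag it (encrypt-then-MAC)."""
    kek = key_encryption_key(passphrase, salt, token_secret)
    ks = _keystream(kek, nonce, len(data_key))
    ciphertext = bytes(a ^ b for a, b in zip(data_key, ks))
    tag = hmac.new(kek, b"wrap" + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_data_key(blob: dict, passphrase: str, token_secret: bytes):
    """Return the data key, or None if either factor is wrong."""
    kek = key_encryption_key(passphrase, blob["salt"], token_secret)
    expected = hmac.new(kek, b"wrap" + blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    # Constant-time tag check: refuse rather than hand back garbage bytes.
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(kek, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


# Constructed demo values (NOT real secrets).
DEMO_DATA_KEY = bytes(range(32))
DEMO_SALT = b"constructed-salt"
DEMO_NONCE = b"constructed-nonce"
DEMO_TOKEN_SECRET = b"\x11" * 32
DEMO_PASSPHRASE = "correct horse battery staple"


def demo() -> dict:
    """Wrap once, then try unwrapping with both factors, a bad pass phrase,
    and a bad token."""
    blob = wrap_data_key(DEMO_DATA_KEY, DEMO_PASSPHRASE, DEMO_SALT,
                         DEMO_TOKEN_SECRET, DEMO_NONCE)
    return {
        "both_factors": unwrap_data_key(blob, DEMO_PASSPHRASE, DEMO_TOKEN_SECRET),
        "wrong_passphrase": unwrap_data_key(blob, "wrong passphrase", DEMO_TOKEN_SECRET),
        "wrong_token": unwrap_data_key(blob, DEMO_PASSPHRASE, b"\x22" * 32),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'recovered' if result == DEMO_DATA_KEY else 'refused'}")
```

Only the "both_factors" case recovers the data key; the other two fail the tag check and return None. This is still no defence against the rubber hose itself, but it does mean that a captured pass phrase is worthless without physical access to the token, which is the split Richard's physical-key/virtual-key scheme relies on.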