Security experts explore wireless frontier

< Prev | 1 | 2

MSN Tech and Gadgets

Most overrated and underrated tech

10 hot Web redesigns of 2008

From Paper to PDA: Organize your life

Most popular

• Most viewed

• Top rated

• Most e-mailed

Mystery S. Africa disease may be rodent borne

Issue of race creeps into presidential campaign

Fla. mailman bitten by snake during his rounds

Economic woes could curtail action on warming

States warned about impending mortgage crisis

Most viewed on msnbc.com

RSS feeds on msnbc.com

Add these headlines to your news reader

Security

Learn more about RSS

Alan Boyle

Science editor

• Profile

• E-mail

Even as they're identifying the threats posed by stealth attacks, researchers are devising methods to head them off.

Perrig and his colleagues have been working on a routing protocol called Ariadne (PDF file), while Jakobsson and his colleague at Indiana University, Steve Myers, are close to releasing the beta code for a sign-in protocol called "Delayed Password Disclosure."

If computers could talk, here's how a transaction using Delayed Password Disclosure might unfold:

Story continues below ↓

Customer: Hello bank. I know my banking password. If you really are my bank, then you already know my password. I don't trust you and you don't trust me. I'm not going to tell you my password. We're going to use this authentication protocol called "Delayed Password Disclosure." It allows us to both be sure the other one is not lying about our identity, but without giving out any sensitive information in the process.
Bank: Proceed.
Customer: Bank, I will send you some information that is encrypted. You can only decrypt it if you know my password. If you don't know the password, you could of course try all possible passwords (although that is a lot of work!), but you would never know from my message if you picked the right one. Once you have decrypted the message, I want you to send it to me. If it is correctly decrypted, I will know that you know my password already. Once I know that you know my password, I will send it to you so that you can verify that I also know it. Of course, if I am lying about my identity and don't know the password in the first place, then I will not learn anything about the password from your message, so it is safe in both directions.

Jakobsson said the protocol could fight identity theft on wired as well as wireless networks. "It applies to any situation where you've got two people who have a secret that they wish to compare, without revealing it to the other," he said.

Wetzel said that new remedies for wireless vulnerabilities should start appearing within a year or two. But she and the other experts agreed that final victory in the computer security war was not yet in sight.

"There is always a cat-and-mouse game, in which somebody thinks of a worse attack that applies to a slightly different scenario," Jakobsson said. "So you can secure one particular setup, for example, but to say that this is a totally secure network — I wouldn't dare to say that's a year or two away. It's a very difficult technical problem."

< Prev | 1 | 2