[e-gold-list] Execution proofs in AxiomaticTokenizer

George Hara georgegabrielhara at fastmail.fm
Sun Feb 3 08:36:17 MST 2008


Execution proofs make digital signatures irrelevant.

If, say, a user has a malicious application on his computer which is
connected to the Internet, the application can intercept and modify the
webpages seen by the user in the web browser.

This would make it possible for the application to tell the user that
when he makes a payment, the payment was successfully executed, even
though the malicious application intercepted and stopped the payment
from reaching the payment service.

One way to protect against this kind of attack is for the service to
sign the response sent to the user and then have the user check the
signature. But this is no good for AxiomaticTokenizer because that
would be too complex.

This problem can be solved, but only for encrypted payments / tokens.
Both AxiomaticTokenizer and the service compute and display to the user
some texts called "execution success / error proofs". If the proof
displayed in the user's web browser is the same as the proof displayed by
AxiomaticTokenizer, and since nobody but the service can decrypt the
encrypted token (and compute the proofs), the user can be sure that the
service is reporting either success or error.

The proofs are computed in a unique way, so they are not reusable by the
attacker.


http://www.gardenerofthoughts.org/ideas/axiomatictokenizer/integrators/index.htm#Execution_proof
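
One possible construction of such proofs, as an added example that is not code from this post or from AxiomaticTokenizer: the client and the service derive the success and error texts from a secret only the two of them know, so a page altered on the user's machine cannot show a matching proof. Assumptions: a random per-payment secret and id (`token_secret`, `payment_id`, hypothetical names) travel inside the encrypted token, HMAC-SHA256 is the derivation, and the encryption step itself is left out.

```python
import hashlib
import hmac
import secrets


def new_payment():
    """Client side: fresh secret and id per payment (assumed to sit inside the encrypted token)."""
    return secrets.token_bytes(32), secrets.token_bytes(16)


def derive_proofs(token_secret, payment_id):
    """Derive the success and error proofs for one payment from the token secret."""
    def proof(label):
        mac = hmac.new(token_secret, label + b"|" + payment_id, hashlib.sha256)
        return mac.hexdigest()[:16]  # shortened so a person can compare it by eye
    return {"success": proof(b"success"), "error": proof(b"error")}


def service_response(token_secret, payment_id, executed):
    """Service side: after decrypting the token, show the proof matching the outcome."""
    proofs = derive_proofs(token_secret, payment_id)
    return proofs["success"] if executed else proofs["error"]


def user_check(local_proofs, shown_in_browser):
    """Compare the text shown in the browser with the proofs the client tool displayed."""
    for outcome, value in local_proofs.items():
        if hmac.compare_digest(value, shown_in_browser):
            return outcome
    return "unverified"  # the text did not come from the service for this payment


if __name__ == "__main__":
    secret, pid = new_payment()
    local = derive_proofs(secret, pid)

    # Genuine service answer: matches the locally displayed success proof.
    print(user_check(local, service_response(secret, pid, True)))

    # Altered page claiming success without knowing the token secret.
    print(user_check(local, "payment successful"))

    # Proof captured from an earlier payment does not match this one.
    old_secret, old_pid = new_payment()
    print(user_check(local, service_response(old_secret, old_pid, True)))
```
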

