Tuesday, October 02, 2007


From Simon Willison, Cronto.

Cronto’s technology uses a unique authorisation code for each separate transaction, based on a challenge-response mechanism.

While the idea is cool, Cronto's technology is neither standardized nor novel.

1 comment:

Anonymous said...

Indeed, many researchers have previously suggested the use of a visual channel for various authentication purposes; have a look at Seeing is Believing, for example. However, as you correctly pointed out, and as Bruce Schneier explained in a few of his posts, the Man-in-the-Middle attack still presents a problem, which Cronto's solution does in fact address. This is to do with the fact that transaction details are included as part of the challenge, and thus transaction authentication is enabled.

The security protocol behind the solution requires a relatively large amount of data to be transmitted, and in an attempt to make the solution simple and intuitive for end users, 2D barcodes are introduced. Most of the "standardized" 2D barcodes, however, are black and white, and a significant proportion of camera phones outside Japan have rather inexpensive camera optics, limited processing power and no built-in QR code reader "to leverage on." Nevertheless, they all take images in colour... So why use the standard black and white visual code when we know we could do better in terms of reliability, robustness and performance?
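To make the point in the post and the comment concrete, here is an added example (not Cronto's protocol or code) of a per-transaction challenge-response in which the transaction details are embedded in the challenge, so a response computed by the user's device only verifies for the transaction the user actually saw. The shared key, the nonce length, the JSON field layout and the 8-digit truncation are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Shared secret between the bank and the user's device (constructed sample key).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_LEN = 8  # fixed length so the challenge needs no separator byte


def make_challenge(transaction: dict, nonce: Optional[bytes] = None) -> bytes:
    """Bank side: build a challenge that carries the transaction details.
    Canonical JSON so both sides serialise identically; the nonce makes it unique."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    body = json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()
    return nonce + body


def decode_challenge(challenge: bytes) -> tuple:
    """Device side: split the challenge so the details can be shown to the user."""
    return challenge[:NONCE_LEN], json.loads(challenge[NONCE_LEN:])


def compute_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """Device side: short numeric code derived from the whole challenge."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def verify(key: bytes, transaction: dict, nonce: bytes, response: str) -> bool:
    """Bank side: recompute over the transaction the bank is about to execute."""
    expected = compute_response(key, make_challenge(transaction, nonce))
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Honest flow verifies; a response for the shown transaction fails for a tampered one."""
    original = {"payee": "GB00 1234 5678", "amount": "25.00"}   # constructed sample
    tampered = {"payee": "GB99 6666 6666", "amount": "2500.00"}  # constructed sample
    nonce = bytes.fromhex("0102030405060708")
    challenge = make_challenge(original, nonce)
    _, shown = decode_challenge(challenge)  # the details the user inspects before approving
    assert shown == original
    response = compute_response(DEVICE_KEY, challenge)
    return verify(DEVICE_KEY, original, nonce, response), verify(DEVICE_KEY, tampered, nonce, response)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A relay attacker who alters the payee or amount after the user approved cannot reuse the code, because the bank recomputes it over the details it is about to execute.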