Re: Telephonic Credentials
Roedy Green wrote:
I think it would be nice if I could prove to someone on the other end
of the phone I am me, and demand they prove they are who they claim to
be.
It could be done by letting a modem kick in for a second to exchange
challenge phrases to be encrypted by identification certificate that
might include name, address, phone number, expiry date, company.
Then if some charity I donate to phone me, I can be sure it is them.
There are so many scams out there.
It might also be done by each of us contacting an Internet server.
Has anyone heard of such projects?
I don't know about phone based security, but I know that the concept is
used in PGP and GPG.
Basically, you can ask the person to cryptographically sign something.
For instance, if they have a private key, and you have a public key
(which you know is theirs), ask them to encrypt a simple,
random-each-time value. Then verify that the trusted public key can
decrypt that value. This verifies that the caller has access to the
private key that matches the public key you tested.
Of course, you still have to be sure that the public key is the public
key of the entity you believe it is.
Actually, you can do the other way around too. Encrypt something with
the public key, ask them to decrypt it and tell you want it was.
--
Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>