by tialaramex
2892 days ago
I goofed by using the word "secret" in the ratchet description after earlier choosing "secret" to mean the TOTP Shared Secret. In the situation we care about (which you think hardly matters, but I believe evidence shows to be extremely common) bad guys do NOT have the TOTP Shared Secret; it's in your 1Password Vault and the bad guys can't access that. What they do have is a code, a One Time Password, typically six digits long. Because TOTP produces a _One Time_ Password, if I use that code, or any subsequent code, the one the bad guys have is now useless even if it has not yet expired. This forms a ratchet. Ratchets aren't about detecting cloning; they're about what happens if bad guys temporarily get access. Can we recover? In many systems we're permanently screwed; if there's a ratchet we may be able to recover. For example, this is essential to the design of OTR and the Signal Protocol.