|
|
 |
|
|
|
register |
bbs |
search |
rss |
faq |
about
|
|
|
meet up |
add to del.icio.us |
digg it
|
|
|
|
Info on Dynamic Password Cards (Smartcards)
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
From Firewalls-Owner Fri Feb 5 20:27:30 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA18315; Fri, 5 Feb 93 20:27:30 GMT
Received: from siemens.siemens.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA18308; Fri, 5 Feb 93 12:27:24 PST
Received: from yogi.siemens.com by siemens.siemens.com with smtp
(Smail3.1.28.1 #11) id m0nHGKl-0019LQC; Wed, 27 Jan 93 12:13 EST
Received: by yogi.siemens.com (4.1/RTL-CLIENT-SUBSIDIARY)
id AA02270; Wed, 27 Jan 93 12:13:43 EST
Date: Wed, 27 Jan 93 12:13:43 EST
From: [email protected] (Michael Platoff)
Message-Id: <[email protected]>
To: firewalls@GreatCircle.COM
Subject: Dynamic password cards
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
I'm interested acquiring some sort of dynamic password cards for
users who want to enter our computers from the Internet or
dial-ups. I've been in contact with Security Dynamics, but I'd
like to know what other companies provide dynamic password
devices. If anyone has pointers to other products I should
investigate, I'd greatly appreciate it.
Thanks in advance.
Michael Platoff email: [email protected]
Siemens Corporate Research phone: (609) 734-3354
755 College Road East
Princeton, NJ 08540-6668
From Firewalls-Owner Mon Feb 8 21:07:26 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA23288; Mon, 8 Feb 93 21:07:26 GMT
Received: from siemens.siemens.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA23281; Mon, 8 Feb 93 13:07:12 PST
Received: from yogi.siemens.com by siemens.siemens.com with smtp
(Smail3.1.28.1 #11) id m0nLfi7-00199bC; Mon, 8 Feb 93 16:08 EST
Received: by yogi.siemens.com (4.1/SMI-4.1)
id AA10812; Mon, 8 Feb 93 16:07:41 EST
Date: Mon, 8 Feb 93 16:07:41 EST
From: [email protected] (Michael Platoff)
Message-Id: <[email protected]>
To: firewalls@GreatCircle.COM
Subject: Dynamic password cards
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
Many people have contacted me about the results of my query for
vendors who sell dynamic password cards. I've attached the most
informative message I received about these devices. There were
some other replies about software-only solutions, but I'm looking
for a device that a user can carry around with them to use from a
terminal or arbitrary node on the Internet.
Michael Platoff email: [email protected]
Siemens Corporate Research phone: (609) 734-3354
755 College Road East
Princeton, NJ 08540-6668
------- Start of forwarded message -------
X-VM-Attributes: [nil nil nil nil nil]
Status: RO
Return-Path: <[email protected]>
Received: from siemens.siemens.com by yogi.siemens.com (4.1/SMI-4.1)
id AA09080; Fri, 5 Feb 93 16:35:38 EST
Received: from teal.csn.org by siemens.siemens.com with smtp
(Smail3.1.28.1 #11) id m0nKaiG-00197rC; Fri, 5 Feb 93 16:35 EST
Received: by teal.csn.org id AA02925
(5.65c/IDA-1.4.4 for [email protected]); Fri, 5 Feb 1993 14:34:08 -0700
Message-Id: <[email protected]>
From: Nathan Estey <[email protected]>
To: [email protected]
Subject: Re: Dynamic password cards
Date: Fri, 5 Feb 1993 14:34:08 -0700
>From csn!magnus.acs.ohio-state.edu!zaphod.mps.ohio-state.edu!malgudi.oar.net!caen!spool.mu.edu!newsd.edu!mentor.cc.purdue.edu!noose.ecn.purdue.edu!samsung!transfer!ellisun.sw.stratus.com!cme Tue Oct 19:02:00 MDT 1992
Article: 5962 of sci.crypt
Path: csn!magnus.acs.ohio-state.edu!zaphod.mps.ohio-state.edu!malgudi.oar.net!caen!spool.mu.edu!newsd.edu!mentor.cc.purdue.edu!noose.ecn.purdue.edu!samsung!transfer!ellisun.sw.stratus.com!cme
From: [email protected] (Carl Ellison)
Newsgroups: sci.crypt
Subject: RESULTS: challenge login devices
Message-ID: <[email protected]>
Date: 6 Oct 92 16:26:17 GMT
Sender: [email protected]
Organization: Stratus Computer, Software Engineering
Lines: 126
A while back, I wrote:
>I have heard descriptions of small devices (eg., pocket calculator size)
>which apply a secret DES key to a challenge (random) number to produce a
>response for use in login (instead of a password). Does anyone out there
>know manufacturers for such devices so that I can get technical and
>price information?
Thanks to everyone who responded.
I have learned that the manufacturers all call these devices "tokens" or
"password tokens".
The following manufacturers have been brought to my attention:
Company Product Name(s)
------- ---------------
Racal-Guardata WatchWord
480 Spring Park Place
Herndon, VA 22070
(703) 471-0892
Enigma Logic, Inc. SafeWord (4 versions):
2151 Salvio #301 Gold Card, Silver Card,
Concord, CA 94520 AccessCard, MultiSync
(510) 827-5707
Digital Pathways, Inc. SecureNet
201 Ravendale Drive
Mountain View, CA 94043
(415) 964-0707
Hughes LAN Systems ??? (they didn't seem to
Hughes Aircraft Company know what I was talking
1225 Charleston Road about when I called them)
Mountain View, CA 94043
(415) 966-7400
Security Dynamics, SecureID
2067 Massachusetts Avenue,
Cambridge, MA 02140
(617) 547-7820
>From what I've been able to learn so far:
=====
Racal-Guardata makes a full line of H/W -- modems, key management boxes,
... -- and supports not just the WatchWord but also smartcards. For
example, they have a product which is a modem into which you plug your
smartcard, enter a PIN (using keys and an LCD on the modem itself) and from
then on, you are not only authenticated but your line is continuously
encrypted.
WatchWord is used by the NCSC's dockmaster system and at least one user out
there thinks it's the best of the lot. I was impressed with their
provision for multiple (2) keys and PINs -- the use of the PIN directly to
the token (never transmitted). The WatchWord costs about $90 (quantity 1)
- -- but is a 4 function calculator as well, with memory (yup -- probably a
$5 value :-).
WatchWord operates by being challenged with a 7 digit (decimal) number (in
phone number format). You enter your PIN and that number, then the
calculator gives you a 7-digit response which you type in response to the
login. It's about 4.125" x 2.25" x 0.375".
====
Enigma Logic makes S/W to do the login authentication using almost all the
other tokens, not just their own. The impression I got was that they
really wanted to sell S/W -- and sold H/W just because it was necessary.
SafeWord DES Gold: synchronous -- you enter your PIN and a host number, it
gives you the next password in your sequence. There's no challenge -- you
have to keep in sync. [as one person pointed out, you have to make sure
there's no kid in the house to fiddle with it and start generating
passwords you don't use.] There are up to 8 different hosts provided for.
SafeWord DES Silver: synchronous -- press "on" and get the next password.
(no PIN, no multiple hosts)
SafeWord AccessCard: public key (allegedly), 7-digit challenge and
response. Details on the algorithm aren't given in the data sheet I
received from them, so I don't know anything about their algorithm or how
they do key negotiation -- and I especially don't know how secure it is.
The brief sketch of how to initialize it doesn't say anything about having
to type hundreds of digits to and from the host to do key management -- so
it doesn't sound like DH exponential key exchange.
SafeWord MultiSync: up to four hosts, any of 4 modes: async (chal/resp);
1-button synchronous; PIN-async (PIN and challenge); PIN-sync (PIN => next
password).
All of these cards are bulky credit card size (3.4" x 2.2" x 0.2")
=====
SecureNet: two modes: async (chal/resp); sync (enter PIN and digit
selecting 1 of 6 hosts -- get next password in sequence). Size: 52 x 89 x
9.8 mm (info from Enigma Logic data sheet).
Price about $60, (quantity 2).
=====
SecureID: time-synchronous: displays a new password continuously, changed
every minute or so. The host keeps not only your key (for generating the
same sequence) but a synchronized clock. My detailed info from them is
about to arrive. This info is from sci.crypt readers.
SecureID does not use DES but rather a proprietary PRNG algorithm which was
reviewed and blessed by Ron Rivest. This card is used by Cray users
worldwide (or so it seems from the responses I got). It is credit-card
sized and if I remember correctly, in the $60 range (but that's not a real
price quote -- just (possibly flaky) memory).
=====
[email protected] sent mail describing some S/W solution their company
sells, but that's not what I was asking for so I didn't follow up.
=====
- --Carl
>From csn!magnus.acs.ohio-state.edu!zaphod.mps.ohio-state.edu!darwin.sura.net!haven.umd.edu!uunet!do!csrc.ncsl.nist.gov!clancy Tue Oct 6 19:02:31 MDT 1992
Article: 5966 of sci.crypt
Path: csn!magnus.acs.ohio-state.edu!zaphod.mps.ohio-state.edu!darwin.sura.net!haven.umd.edu!uunet!do!csrc.ncsl.nist.gov!clancy
From: [email protected] (Kim Clancy)
Newsgroups: sci.crypt
Subject: Re: RESULTS: challenge login devices
Message-ID: <5975@dove.nist.gov>
Date: 6 Oct 92 18:38:09 GMT
References: <[email protected]>
Sender: news@dove.nist.gov
Organization: National Institute of Standards & Technology
Lines: 4
I use Enigma Logics Multisycn card. NIST sent it to me since I dial into
------- End of forwarded message -------
From Firewalls-Owner Tue Mar 2 17:34:25 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA26204; Tue, 2 Mar 93 17:34:25 GMT
Received: from cray.com (timbuk.cray.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA26197; Tue, 2 Mar 93 09:34:17 PST
Received: from matrix.cray.com by cray.com (4.1/CRI-MX 2.13)
id AA12500; Tue, 2 Mar 93 11:34:52 CST
Received: by matrix.cray.com
id AA24319; 4.1/CRI-5.6a; Tue, 2 Mar 93 11:34:51 CST
From: [email protected] (Bryan Koch)
Message-Id: <[email protected]>
Subject: Re: Appletalk through firewalls.
To: [email protected] (Leland K. Neely)
Date: Tue, 2 Mar 93 11:34:48 CST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <[email protected]>; from "Leland K. Neely" at Mar 2, 93 9:25 am
X-Mailer: ELM [version 2.3 PL0]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
>
> Bryan Koch writes:
> >
> > ARA, the Gatorlink, and Security Dynamics' ACE/Server team up to collectively
> > prompt for and validate a login ID, a PIN (a password by another name), and
> > the SecurID PRN (pseudo-random number). To generate the PRN in software
> > would require knowledge of the seed value programmed into the card, the
> > algorithm, and the time. Of these only the third is generally available.
> >
> Huh? This makes sense-----
>
> BUT I am confused. When Caymon showed the secure id stuff to me, they did NOT
> enter a username or password, ONLY a secure id. (Hence my concern)
> I can take 2 of my three requirements, but not one of 3.
There are two versions of the SecurID card. The less expensive one
simply displays numbers. PINs (passwords) are sent along with the
displayed information to authenticate the user. The more expensive
cards have a 10-digit "pin pad" on them. The user enters their
PIN on the card, and the card then displays a numerically-integrated
PIN/PRN value. The advantage of the later of these is that the user's
PIN (password) is never sent on the network in clear form. It is, however,
still a part of the authentication process.
> As ARA is SO SIMPLE to configure on ANY mac, I want to be able to provide a
> secure centralized access point, so the users DON'T setup their OWN access
> points..... (a political {or people} battle at times :-)
I agree. One of the shortcomings of the current ARA offerings is that they
all support a small number of lines (the Gatorlink supports only three).
Centralized security, via SecurID or some other query protocol, greatly
simplifies security setup.
Bryan
From Firewalls-Owner Fri Mar 5 07:38:34 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA07562; Fri, 5 Mar 93 07:38:34 GMT
Received: from uu.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA07555; Thu, 4 Mar 93 23:38:22 PST
Received: by uu.psi.com (5.65b/4.1.031792-PSI/PSINet) via UUCP;
id AA05090 for ; Thu, 4 Mar 93 07:47:58 -0500
Received: from silver_screen.sbcoc.com (silver_screen-gate) by il.us.swissbank.com (4.1/SMI-4.1)
id AA16537; Wed, 3 Mar 93 12:08:23 CST
Received: from localhost by silver_screen.sbcoc.com (4.1/SMI-4.1)
id AA00601; Wed, 3 Mar 93 12:08:21 CST
Message-Id: <9303031808.AA00601@silver_screen.sbcoc.com>
To: Leland K. Neely <[email protected]>
Cc: firewalls@GreatCircle.COM
Subject: Re: Appletalk through firewalls.
In-Reply-To: Your message of "Tue, 02 Mar 93 09:25:24 PST."
<[email protected].COM>
X-Organization: Capital Markets and Treasury Division, Swiss Bank Corporation
Date: Wed, 03 Mar 93 12:08:20 CST
From: "Gordon C. Galligher" <[email protected]>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
In message <[email protected].COM>
Leland K. Neely <[email protected]> writes:
`
` Huh? This makes sense-----
`
` BUT I am confused. When Caymon showed the secure id stuff to me, they did
` NOT
` enter a username or password, ONLY a secure id. (Hence my concern)
` I can take 2 of my three requirements, but not one of 3.
BUT, the SecureID thing that the person entered was the random number
generated by the SecureID card (the physical requirement of having the
card) AND the PIN number of the PERSON owning the card (this validates
that the user currently holding the card is the person that is supposed
to hold the card. This is better than just login/password because with
that there is no physical requirement.
The problem with the SecureID card is that the last four digits of the
"password" that you enter IS your PIN number! As this is in
plain-text, this is not the best solution. SecureID has fixed this
with a more expensive card (surprise, grr) which has a keypad on it.
You enter your PIN number into the card, it cons's up a totally new
number based on an internal algorithm including your PIN number and
then you enter that number to your system. This protects against a
"snoop" attack -- they can see the number that you enter but it does
NOT contain your PIN in the clear so the number is useless to them.
Does this help?
-- Gordon.
--
Gordon C. Galligher [email protected] [email protected]
"You can have war between races, war between cultures, war between planets;
but once you have war between the sexes, you eventually run out of people."
-- Kerr Avon.
From Firewalls-Owner Fri Mar 5 16:17:22 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09018; Fri, 5 Mar 93 16:17:22 GMT
Received: from uu.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09007; Fri, 5 Mar 93 08:17:13 PST
Received: from commpost.UUCP by uu.psi.com (5.65b/4.1.031792-PSI/PSINet) via UUCP;
id AA15260 for ; Fri, 5 Mar 93 10:49:54 -0500
Received: by ml.com (/\==/\ Smail3.1.24.1 #24.2)
id <[email protected]>; Fri, 5 Mar 93 10:27 EST
Received: by pilot.dmg.ml.com (/\==/\ Smail3.1.24.1 #24.3)
id <[email protected]>; Fri, 5 Mar 93 10:26 EST
Message-Id: <[email protected]>
Received: by thor.sysdev.dmg.ml.com
(16.8/16.2) id AA27487; Fri, 5 Mar 93 10:28:56 -0500
Date: Fri, 5 Mar 93 10:28:56 -0500
From: "Jon S. Stumpf" <[email protected]>
To: firewalls@GreatCircle.COM
Subject: SecureID PIN (Was Re: Appletalk through firewalls.)
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
> To: Leland K. Neely <[email protected]>
> Subject: Re: Appletalk through firewalls.
> Date: Wed, 03 Mar 93 12:08:20 CST
> From: "Gordon C. Galligher" <[email protected]>
> The problem with the SecureID card is that the last four digits of the
> "password" that you enter IS your PIN number! As this is in
> plain-text, this is not the best solution. SecureID has fixed this
> with a more expensive card (surprise, grr) which has a keypad on it.
Now, couldn't what you know be, instead of a fixed number of some length,
a simple transform such as "swap the second and fourth digits" of the
random number generated? This would not involve a new card (with a keypad)
since you are doing the transform (albeit, a simple one) instead of the card.
Therefore, no extra cost for a new card and a simple software change on the
central device.
Since the transform needs to be something simple to remember without writing
down (e.g., add 25 or mutate the string), this will work only if the original
number is not public (i.e., the card owner makes sure noone sees the display
and the transform together).
- jss
PS: Or am I just missing something?
--------------------------------------------------------------------------
Jon S. Stumpf [email protected] Merrill Lynch
World Financial Center
(212) 449-0498 Phone North Tower
(212) 449-0912 Fax New York, N.Y. 10281-1315
--------------------------------------------------------------------------
From Firewalls-Owner Fri Mar 5 18:33:45 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09638; Fri, 5 Mar 93 18:33:45 GMT
Received: from ctt.ctt.bellcore.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09631; Fri, 5 Mar 93 10:33:36 PST
Received: from shadow.secure.bellcore.com by ctt.ctt.bellcore.com (4.1/1.34)
id AA24073; Fri, 5 Mar 93 13:34:03 EST
Received: by shadow.secure.bellcore.com (4.1/SMI-4.1)
id AA21213; Fri, 5 Mar 93 13:22:22 EST
Date: Fri, 5 Mar 93 13:22:22 EST
From: R.F. Graveman <[email protected].com>
Message-Id: <[email protected].bellcore.com>
To: [email protected]
Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.)
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
Jon
What yor're missing is that the pin is assigned to be unique
per ogganization and used as an index into a table of seeds
(i.e., keys) used to run the same algorithm and check the
number on the display.
Rich Graveman, Bellcore
From Firewalls-Owner Fri Mar 5 22:06:23 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA10217; Fri, 5 Mar 93 22:06:23 GMT
Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA10210; Fri, 5 Mar 93 14:05:44 PST
Received: from yeager.corp.sgi.com by sgigate.sgi.com via SMTP (920330.SGI/920502.SGI)
for [email protected] id AA00578; Fri, 5 Mar 93 11:36:23 -0800
Received: by yeager.corp.sgi.com (921113.SGI/911001.SGI)
for lear id AA06224; Fri, 5 Mar 93 10:57:39 -0800
Date: Fri, 5 Mar 93 10:57:38 PST
From: Eliot Lear <[email protected]>
To: R.F. Graveman <[email protected].com>
Cc: [email protected], firewalls@GreatCircle.COM
Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.)
In-Reply-To: Your message of Fri, 5 Mar 93 13:22:22 EST
Message-Id: <[email protected]>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
> What yor're missing is that the pin is assigned to be unique
> per ogganization and used as an index into a table of seeds
> (i.e., keys) used to run the same algorithm and check the
> number on the display.
The way all these systems work is that the cards are indexed in some
out of band manner. Sometimes this means that they are programmed and
the serial number of the card is used as the index. Sometimes the
programming occurs at the time of assignment, and thus the only index
is user supplied, such as login name.
Eliot Lear
[[email protected]]
From Firewalls-Owner Fri Mar 5 19:19:10 1993
Return-Path: Firewalls-Owner
Return-Path: <Firewalls-Owner>
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09878; Fri, 5 Mar 93 19:19:10 GMT
Received: from cray.com (timbuk.cray.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015)
id AA09871; Fri, 5 Mar 93 11:18:46 PST
Received: from matrix.cray.com by cray.com (4.1/CRI-MX 2.13)
id AA17880; Fri, 5 Mar 93 13:19:11 CST
Received: by matrix.cray.com
id AA06107; 4.1/CRI-5.6a; Fri, 5 Mar 93 13:19:09 CST
From: [email protected] (Bryan Koch)
Message-Id: <[email protected]>
Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.)
To: [email protected].com (R.F. Graveman)
Date: Fri, 5 Mar 93 13:19:07 CST
Cc: [email protected], firewalls@GreatCircle.COM
In-Reply-To: <[email protected].bellcore.com>; from "R.F. Graveman" at Mar 5, 93 1:22m
X-Mailer: ELM [version 2.3 PL0]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
> What yor're missing is that the pin is assigned to be unique
> per ogganization and used as an index into a table of seeds
> (i.e., keys) used to run the same algorithm and check the
> number on the display.
At least for non-PIN-pad cards, the PIN is indeed a password. For Security
Dynamics' software products (ACM-4100/7100/ACE-Server et al), each user has
a PIN. The administrators can either force PINs to be set for each
user, in which case they may well be globally unique (within an
organization), or to allow users to select their own PINs. In
the later situation, it can be the case that a single PIN is assigned
to more than one user.
Bryan Koch, Cray Research
|
|
|
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.
totse.com certificate signatures
|
|
|
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
|
|
|
|
|
|
