-----Original Message-----
From:   Vin McLellan [SMTP:[EMAIL PROTECTED]]
Sent:   April 23, 1999 4:17 PM
To:     Laris Benkis; '[EMAIL PROTECTED]'
Subject:        Re: Looking for an authentication appliance

At 09:09 AM 4/23/99 -0400, Laris Benkis wrote:

>The device I am looking for is the equivalent of the Security Dynamics
>ACM100 but I want challenge response, not time synch with cards that
>eventually die.

        Just curiosity, but is it that you don't like time-synch
authentication for some practical or philosophical reason?  Great and
rewarding experiences managing a site which uses one of the C/R calculators?

        Bad experiences with an ACM100?
[Laris Benkis]  In a previous life I worked at a site which had the device I
described.  It was called the SCS2 and was made by a company called Optimum
Electronics which unfortunately is no longer in business.  After those devices were
deployed they were used for years without having to make any changes.  The calculators
were very robust and we never had any problems; if their battery died you just
replaced it.  What I've seen of the SecurID cards has not given me any confidence that
they can perform the same way.  Their limited lifespan means that periodically I would
have to dial into every ACM100 on the network and reseed them with new cards.  I've
seen enough of these cards to know that many of them don't even come near to meeting
their advertised lifespan.  This place I used to work went to the ACM100, by the way,
and this is a big headache for them; they indicated that if I find an equivalent to
the SCS2 they would be very interested in hearing about it.
 
         Do you expect your authentication needs to remain unchanged 4-5
years from now?  
[Laris Benkis]  This is an application where the needs are very static.  Support for a 
simple VT100 session is all that is required.  However fast the industry is moving, 
console access requirements have not changed at all and I don't expect they will.
        On what do you base your expectations that your tokens will
continue to be dependable 4-5 years hence?  (Nothing on my desk lasts five
years.  Not even the desk.  OTOH, there are gentlemen like Padgett Peterson
who probably still has a kilobyte or two of An Wang's hand-wound core memory
on his home LAN.)

        No Single Sign-on concerns?  (No network?)  No concern about network
or session encryption to secure your dial-up session against active network
attacks and session hijacking?
[Laris Benkis]  I'm not worried about passive line monitoring - if someone sees how 
the router is configured I'm not that concerned, as long as they can't change it 
themselves.  For this application I think the risk of that is low enough that I can 
live with the threat of an active hijack on the phone line.

        (I'm a consultant to SDTI, and less than wholly objective, but I
always thought those ACM hardware boxes were the world's most
heavily-tested and widely-installed strong authentication appliance for a
reason.  Virtually every US (and Canadian;-) telephone company surveyed the
alternatives and installed dozens or hundreds of these boxes to secure
remote telco switching stations, for remote management and maintenance.  I
think SDTI's ACMs are a mainstay of the telco infrastructure throughout
North America, maybe in other countries too.)
  
        The finite lifespan of SecurIDs, btw, is not based on battery
life -- although the SecurID is "sealed" and the battery is not accessible or
replaceable by the token-holder.  SDTI, as I recall, found that the failure
rate among five-year-old SecurID cards was markedly worse than among the
same tokens when they were only four years old.  There seemed to be a
rapid drop in dependability after a relatively constant level of
dependability up until then.

        Nothing particularly surprising, just wear and tear on a given token
design.  I expect that SDTI will offer longer-lived key-fobs when they get
real-world stats from their installed base, but I'd be surprised if the
SecurID cards are ever sold for longer than 5 years without some (heavily
studied) tweak in the design for the token casing.

        I always wondered if C/R tokens -- which, after all, have to have
mechanical keypads, which most SecurIDs do not need -- are _really_ immune
to such predictable changes in dependability when a token is carried around
by a user, and is in heavy daily use over several years.

>Does anyone know of a device that will do this?

        Toronto-based Cryptocard <http://www.cryptocard.com> has, among
other products, a Win95/NT-based RADIUS authentication manager that might
fit your needs.  DES-based C/R tokens.  Good little company.
[Laris Benkis]  I've talked to Cryptocard.  They don't have anything which meets my
requirements.

Don't get me wrong, SecurID is great in an environment where you have a centralized
auth server.  I've used it in remote access and DISA applications and it worked great.
If a card dies you only have to make changes on the server to get a new card working.
In a distributed environment like this they are just too much of a headache.


 
        Suerte,
                        _Vin
--------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 *     Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

[Laris Benkis]  Laris
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]