In order to combat the problems of passwords being shared or eavesdropped
upon, one can employ a method known as "one-time" passwords.
The idea here is that each time a user authenticates themselves to the
system, they supply a different password. This new password generally
needs to be computed for them by software or hardware that they carry
with them.
There are a variety of methods for doing so, including various
software and/or hardware tokens. They generally fall into
two categories: a challenge/response system or a time-based
algorithm. In the challenge/response system, a challenge is issued by
the system, which is then used to compute the appropriate response.
The response can be computed via a token, an automatic program, or a
piece of user software. The only time-based algorithm that I am aware
of is called SecurID, and is marketed by Security Dynamics. In such a
system, the user carries a special token that displays the correct
response of the moment. There are several such tokens sold, and one of
them requires a PIN to be entered into the device before it displays the
correct response.
The time-based system carries the advantage that
the user is not required to handle a challenge, but carries the
disadvantage that it may be vulnerable to replay attacks for a short
time period unless properly implemented. It is also a proprietary
technology that limits the interoperability, choice of tokens, and
administrative tools.
Kevin S. McCurley
Sat Mar 11 16:00:15 MST 1995