Information about one-time passwords for Sun systems

Post by Ivan Ang » Wed, 23 Nov 1994 15:02:59

We have recently become interested in evaluating one-time, non-reusable
password technology which we can integrate with our (primarily) Sun systems
running SunOS and Solaris. (No prizes for guessing why).

Can anyone give me any information on products available in Australia ?

The kinds of things I'm thinking of are those credit-card sized gadgets
that everyone talks about which generate non-reusable passwords for you.

An important caveat is that we need to convert the system to non-reusable
passwords for system administrators only, not for all users.

Any information would be appreciated.  I have obtained a copy of Skey
but I haven't given it a try yet.  We are interested in something which
will allow us to log in to our systems from a hostile system/network on
a regular basis, and my understanding is that skey doesn't fit that bill.

On the subject of Skey, does anyone know where I can get a version that will
compile under Solaris 2.4 ?

--
-------------------------------------------------------------------

Faculties Computer Unit                 There :       (06) 249 3261
Australian National University          Everywhere : +61 6 249 3261


Post by Vin McLellan » Mon, 28 Nov 1994 04:04:05

> We have recently become interested in evaluating one-time, non-reusable
> password technology which we can integrate with our (primarily) Sun systems
> running SunOS and Solaris. (No prizes for guessing why).

> Can anyone give me any information on products available in Australia ?

> The kinds of things I'm thinking of are those credit-card sized gadgets
> that everyone talks about which generate non-reusable passwords for you.

Security Dynamics, Inc. (a sometime client of mine) markets
its SecurID cards and ACE server software in Australia. I think SDI has the
only "credit-card sized gadgets" on the market -- and they'll be
delighted to know that everyone is talking about them in Australia.


for their distributors Down Under.  

> An important caveat is that we need to convert the system to non-reusable
> passwords for system administrators only, not for all users.

> Any information would be appreciated.  I have obtained a copy of Skey
> but I haven't given it a try yet.  We are interested in something which
> will allow us to log in to our systems from a hostile system/network on
> a regular basis, and my understanding is that skey doesn't fit that bill.

> On the subject of Skey, does anyone know where I can get a version that will
> compile under Solaris 2.4 ?

The primary repository on s/key is still Bellcore:
anonymous ftp from thumper.bellcore.com in /pub/skey.

Regards,

_Vin McLellan, The Privacy Guild


Post by Charles Hedri » Tue, 29 Nov 1994 05:02:52

>Security Dynamics, Inc. (a sometime client of mine) markets
>its SecurID cards and ACE server software in Australia. I think SDI has the
>only "credit-card sized gadgets" on the market -- and they'll be
>delighted to know that everyone is talking about them in Australia.

There are a number of similar devices.  I don't have my list on hand,
but a few I recall are Security Dynamics, Enigma Logic, Racal
DataGuard (I could have that wrong), and Digital Pathways.

There are a number of different flavors, including challenge-response
sequences, cards that give a different number each time you ask, and
cards that give a number that changes every minute.  Security
Dynamics' patent appears to cover the time-based cards, so they're the
only ones that do that, but by no means the only cards.

There are advantages and disadvantages to that technique compared to
the others.  For example: on the academic side we use Enigma Logic DES
Gold cards (which, by the way, I should warn you tend to be slightly
fragile.  Enigma's software is fine, but you might check some of the
other vendors whose hardware they support to see if there are sturdier
cards available.  This problem is not unique to their cards.  We've
had trouble with the Security Dynamics cards too, though I think their
cards are a bit sturdier.  Basically the conclusion is that for any of
these cards if you don't put them in something like a purse -- a
wallet definitely is *NOT* good -- you want something like a metal
calling card holder.  The test for an acceptable card is to put it in
your back pocket and sit on it -- your users are certainly going to do
this.)  They issue a new number each time you ask them.  The server
knows what the next number will be.  (Actually it will accept the next
several, since sometimes you end up generating a number and not using
it, because of a typo or some other goof.)  So if someone at a vendor
needs to FTP me a file, I can generate a number and give it to them
over the phone.  If I don't see them FTP in immediately, I just log in
with that number or one later, and that will invalidate it.

That's an advantage for us, but in some environments, the ability to
give someone else your number is a security risk.  For example, if
someone leaves their card out on their desk, you could ask it for a
number, and then go off somewhere else and log in with it.  With the
Security Dynamics cards (which we use on the administrative side) the
number changes every minute, so this is not as much of a risk (or
advantage, depending on how you view it).  Consider also our system
staff.  When they log in, typically their .xinitrc starts up windows
on a zillion different machines.  With a card that only gives you a
new number once a minute, startups could take a long time.  (You can't
reuse a number, even within the same minute, in order to prevent
replay attacks if someone is watching the network.)

Then there's the question of whether to get cards with a PIN on them
or not.  A number of vendors (including Security Dynamics and Enigma)
sell cards both with and without.  With a PIN, you have to type a PIN
to the card before it will give you a number.  (Typically if you
mistype the PIN it gives you a number, but it's wrong.  Makes guessing
PIN's harder.)  Normally you want logins to depend upon something a
user knows plus something a user has.  I.e.  a PIN (which he knows)
and the one-time password (which is based on something he has).  The
one-time password protects against replay attack if someone is
watching the network, looking over his shoulder or whatever.  The PIN
protects against his losing the card or leaving it his desk.  But this
becomes a security/convenience tradeoff.  People may not be happy to
have to type a PIN to their card, then read a number and type that
into the computer.  I think the PIN is essential if you're using the
card as the only authentication.  If you're also asking for a
conventional password, your users probably won't put up with a PIN
also.  (However the PIN is more secure than the conventional password,
because it is typed to the card.  Thus it never goes over the
network.)
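Added example, written for this page and not code from the post or from any of the vendors named in it: a small Python model of the behaviours Charles Hedrick describes above. It covers a sequence card whose server knows the next number but forgives a few unused presses and burns everything up to the one used, a PIN typed to the card (never sent to the host) that silently produces a wrong number when mistyped, and a time-based card whose current number is accepted at most once even within the same minute. The class names, the HMAC-SHA256 derivation, the 6-digit output, the window of 5 and the 60-second step are assumptions chosen for illustration, not how any particular product works.

```python
"""Sequence-based and time-based one-time password cards with a verifying
server.  Added illustration; key derivation, digit count, window size and
time step are assumptions, not any vendor's algorithm."""
import hashlib
import hmac

DIGITS = 6
WINDOW = 5   # unused presses the server forgives (assumption)
STEP = 60    # seconds per time-based number (assumption)


def card_key(seed: bytes, pin: str) -> bytes:
    """Effective key = card seed mixed with the PIN.  A wrong PIN yields a
    different key, so the card still shows a plausible number, but one the
    host rejects.  The PIN itself never leaves the card."""
    return hashlib.sha256(seed + pin.encode()).digest()


def code(key: bytes, counter: int) -> str:
    """Derive a DIGITS-long decimal number for one press count or time slot."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


class SequenceCard:
    """Gives a new number each time it is asked."""
    def __init__(self, seed: bytes):
        self.seed, self.presses = seed, 0

    def press(self, pin: str) -> str:
        self.presses += 1
        return code(card_key(self.seed, pin), self.presses)


class SequenceServer:
    """Knows the next press count; accepts any of the next WINDOW numbers."""
    def __init__(self, seed: bytes, pin: str):
        self.key = card_key(seed, pin)   # enrolled once with the correct PIN
        self.expected = 1                # press count the host expects next

    def login(self, number: str) -> bool:
        for c in range(self.expected, self.expected + WINDOW):
            if hmac.compare_digest(code(self.key, c), number):
                self.expected = c + 1    # burns this number and every earlier one
                return True
        return False


class TimeCard:
    """Shows a number that changes every STEP seconds."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def display(self, pin: str, now: int) -> str:
        return code(card_key(self.seed, pin), now // STEP)


class TimeServer:
    """Accepts the current or previous slot, each at most once."""
    def __init__(self, seed: bytes, pin: str):
        self.key = card_key(seed, pin)
        self.last_slot = -1              # slot of the last accepted number

    def login(self, number: str, now: int) -> bool:
        slot = now // STEP
        for s in (slot, slot - 1):       # one step of clock drift (assumption)
            if s > self.last_slot and hmac.compare_digest(code(self.key, s), number):
                self.last_slot = s       # same slot cannot be reused: no replay
                return True
        return False
```

The sequence server's window is what lets a number be generated, read to someone over the phone, and later invalidated by logging in with a later one, exactly the convenience and the risk the post describes; the time server's `last_slot` check is the "can't reuse a number even within the same minute" rule.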


Post by Ran Atkins » Tue, 29 Nov 1994 07:04:55

>An important caveat is that we need to convert the system to non-reusable
>passwords for system administrators only, not for all users.

S/Key will support that.

>Any information would be appreciated.  I have obtained a copy of Skey
>but I haven't given it a try yet.  We are interested in something which
>will allow us to log in to our systems from a hostile system/network on
>a regular basis, and my understanding is that skey doesn't fit that bill.

Hmmm.  If you mean that the console you are _normally_ typing from is
compromised or hostile, then you have MUCH more serious problems than
one-time passwords can solve.

  When we occasionally run into the situation where we are using a
console whose security is questionable (most usually this is at a
conference such as Interop or an Internet Engineering Task Force
meeting), we use one of two approaches:

        1) carry around some preprinted keys on a slip of paper
           (do not put your name, account, email, or system name on
            that paper in order to minimise risk if you lose it)
        2) use our own notebook computer (e.g. PowerBook, ThinkPad)
           to generate keys as needed.

  I suspect that if someone were to manufacture credit-card sized
MD4/MD5 key generators for S/Key compatible systems (with user
replaceable batteries !) at a reasonable cost, they would probably
sell at some modest rate to various folks on the net.

>On the subject of Skey, does anyone know where I can get a version that will
>compile under Solaris 2.4 ?

  We are porting NRL OPIE to Solaris 2.4 and other systems but the
port is not yet finished.  When it is ready, it will probably be
announced in the usual places and probably appear online in source
form.

Ran
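Added example, not Bellcore's S/Key or NRL's OPIE code: a Python sketch of the S/Key-style hash chain behind what Ran Atkinson describes above, including the "preprinted slip of keys" approach (the equivalent of asking the key calculator for the next few passwords) and the exact-next verification the host does. It follows the S/Key construction (a one-way hash iterated over seed plus pass phrase, the 128-bit digest folded to 64 bits by XORing its halves, the host keeping only the last accepted value) but with two simplifications that are mine: MD5 in place of MD4, since MD4 is often unavailable in modern hashlib, and hexadecimal output in place of the six-word encoding. The secret, seed and sequence numbers are constructed.

```python
"""S/Key-style one-time passwords: hash chain, preprinted list, host check.
Added illustration; MD5 and hex output are simplifications of the real
scheme, and the pass phrase/seed values are made up."""
import hashlib


def fold64(digest: bytes) -> bytes:
    """Fold a 128-bit digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(x: bytes) -> bytes:
    """One link of the chain: hash and fold."""
    return fold64(hashlib.md5(x).digest())


def otp_n(secret: str, seed: str, n: int) -> bytes:
    """Password number n: the chain start hashed n further times.  Knowing
    password n tells you nothing about n-1, which is the whole point."""
    x = step((seed + secret).encode())
    for _ in range(n):
        x = step(x)
    return x


def preprinted_list(secret: str, seed: str, start: int, count: int):
    """The next `count` passwords, highest sequence first, for a slip of
    paper.  Per the post, keep account and host names off that slip."""
    return [(n, otp_n(secret, seed, n).hex())
            for n in range(start, start - count, -1)]


class SkeyServer:
    """Holds only the seed, the current sequence number and the last accepted
    password; the pass phrase never reaches the host."""
    def __init__(self, seed: str, n: int, initial_hex: str):
        # initial_hex comes from the user's keyinit: otp_n(secret, seed, n)
        self.seed, self.n, self.stored = seed, n, bytes.fromhex(initial_hex)

    def challenge(self) -> str:
        """What the login prompt shows so the user can compute the answer."""
        return f"s/key {self.n - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept only password n-1: hashing it once must give the stored
        value.  On success it becomes the new stored value, so a sniffed
        response is useless afterwards."""
        resp = bytes.fromhex(response_hex.strip())
        if step(resp) == self.stored:
            self.stored, self.n = resp, self.n - 1
            return True
        return False
```

A host compromised enough to run a trojaned login still sees the response the user types, but since the chain only runs one way the attacker cannot derive the next password from it, which is why this works from a questionable terminal in a way a reusable password does not.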


Post by Vin McLellan » Tue, 29 Nov 1994 04:37:52

> We have recently become interested in evaluating one-time, non-reusable
> password technology which we can integrate with our (primarily) Sun systems
> running SunOS and Solaris. (No prizes for guessing why).

Attached is the appendix on vendors that was published with the Internet
CERT (Computer Emergency Response Team) Report on Network Monitoring
Attacks last February.

Suerte,

_Vin McLellan
The Privacy Guild

///////////////// CERT Text Follows ////////////

ONE-TIME PASSWORDS

Given today's networked environments, CERT recommends that sites
concerned about the security and integrity of their systems and
networks consider moving away from standard, reusable passwords. CERT
has seen many incidents involving Trojan network programs (e.g., telnet
and rlogin) and network packet sniffing programs.  These programs
capture clear-text hostname, account name, password triplets. Intruders
can use the captured information for subsequent access to those hosts
and accounts.  This is possible because 1) the password is used over
and over (hence the term "reusable"), and 2) the password passes across
the network in clear text.

Several authentication techniques have been developed that address this
problem. Among these techniques are challenge-response technologies
that provide passwords that are only used once (commonly called
one-time passwords). This document provides a list of sources for
products that provide this capability. The decision to use a product is
the responsibility of each organization, and each organization should
perform its own evaluation and selection.

I.  Public Domain packages

S/KEY(TM) The S/KEY package is publicly available (no fee) via
anonymous FTP from:

thumper.bellcore.com            /pub/nmh directory

There are three subdirectories:

skey            UNIX code and documents on S/KEY. Includes the change
needed to login, and stand-alone commands (such as "key"), that
computes the one-time password for the user, given the secret password
and the S/KEY command.

dos             DOS or DOS/WINDOWS S/KEY programs.  Includes DOS
version of "key" and "termkey" which is a TSR program.

mac             One-time password calculation utility for the Mac.

II.  Commercial Products

Secure Net Key (SNK)                            (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountain View, CA 94043-5216 USA
Phone: 415-964-0707   Fax: (415) 961-7487

Products: handheld authentication calculators (SNK004)
          serial line auth interruptors (guardian)

Note: Secure Net Key (SNK) is DES-based, and therefore restricted from
US export.

Secure ID                                       (complete turnkey systems)
Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312 USA
Phone: 617-547-7820   Fax: (617) 354-8836

Products: SecurID changing number authentication card
          ACE server software

SecurID is time-synchronized using a 'proprietary' number generation
algorithm.

WatchWord and WatchWord II
Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892   1-800-521-6261 ext 217

Products: WatchWord authentication calculator
          Encrypting modems

Alpha-numeric keypad, digital signature capability.

SafeWord
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707   Fax: (510) 827-2593

Products: DES Silver card authentication calculator
          SafeWord Multisync card authentication calculator

Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as other
OS versions.  Supports one-time passwords and super smartcards from
several vendors.


Post by Adam Shosta » Wed, 30 Nov 1994 04:14:43

>> On the subject of Skey, does anyone know where I can get a version that will
>> compile under Solaris 2.4 ?
>The primary repository on s/key is still Bellcore:
>anonymous ftp from thumper.bellcore.com in /pub/skey.

ftp.win.tue.nl is where logdaemon is from.  Claims to build under
solaris.  The logdaemon S/key is what I'm using, it seems to be the
most solid code.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


Post by johnk.. » Mon, 05 Dec 1994 22:08:26

>  When we occasionally run into the situation where we are using a
>console whose security is questionable (most usually this is at a
>conference such as Interop or an Internet Engineering Task Force
>meeting), we use one of two approaches:

Let me start by saying ... my opinions are my own.....

I have worked Interop and Network/Interop USA shows 2 years now. I can attest
to the amount of security we place on the system to protect us and the
remote terminal clusters in the hotels. We have caught our share of hackers
and wanna-bes as well. Our system security center is tracking 24 hrs a day
the whole time the connection to the real world is up. We can and have had NOC
team members arrive on the floor within 2 min of a system reboot. We have
expelled a few attendees and reported them to authorities as well.
The NOC team is comprised of some of the best security talent I have ever
seen. The security is not questioned; it is really open and beyond the
staff's control once it hits the public feed (internet). But we take
great measures to protect what is within our control. Oh, by the way,
95% of the NOC team members are volunteers.

John Kida
Specials/wireless/application clusters.


Post by Nathan Lawson » Tue, 06 Dec 1994 17:39:57

>I have worked Interop and Network/Interop USA shows 2 years now. I can attest
>to the amount of security we place on the system to protect us and the
>remote terminal clusters in the hotels. We have caught our share of hackers
>and wanna-bes as well.

You mean you don't appreciate everyone stopping by to hit "CTRL-ALT-DEL"?

>Our system security center is tracking 24 hrs a day
>the whole time the connection to the real world is up. We can and have had NOC
>team members arrive on the floor within 2 min of a system reboot.

Ever worked as a lab monitor in a public access school lab?  Except you
can't threaten to prosecute any dweeb that reboots his machine.

>We have expelled a few attendees and reported them to authorities as well.

Isn't that a bit harsh?  You've never played around on a computer in a
store?  I think that if it's out on the public floor, and someone does
something destructive, that would be appropriate, but say someone puts a
password on your screen saver or something?  You are going to be that rude
about it?

>The NOC team is comprised of some of the best security talent I have ever
>seen.

Yeah, it's tough to tell whether a machine has been rebooted or not.

>The security is not questioned; it is really open and beyond the
>staff's control once it hits the public feed (internet)

Translation: once the HaQeR gets to the Information Super Highway, our best
security talent is left scrambling for the Prodigy manuals.

>.. But we take great measures to protect what is within our control.
>Oh, by the way, 95% of the NOC team members are volunteers.

Actually, I think that is commendable.  Crowd control is one of the more
unpleasant activities.

Ciao,
Nate
--
Nathan Lawson |  "Friendship," said Christopher Robin, "is a very comforting
  SysAdmin    |   thing to have."
______________/                    -- A. A. Milne