At 09:09 AM 4/23/99 -0400, Laris Benkis wrote:

>The device I am looking for is the equivalent of the Security Dynamics
>ACM100 but I want challenge response, not time synch with cards that
>eventually die.

        Just curiosity, but is it that you don't like time-synch
authentication for some practical or philosophical reason?  Great and
rewarding experiences managing a site which uses one of the C/R calculators?  

        Bad experiences with an ACM100?  

         Do you expect your authentication needs to remain unchanged 4-5
years from now?  

        On what do you base your expectations that your tokens will
continue to be dependable 4-5 years hence?  (Nothing on my desk lasts five
years.  Not even the desk.  OTOH, there are gentlemen like Padgett Peterson
who probably still has a kilobyte or two of An Wang's hand-wound core memory
on his home LAN.)

        No Single Sign-on concerns?  (No network?)  No concern about network
or session encryption to secure your dial-up session against active network
attacks and session hijacking?

         (I'm a consultant to SDTI, and less than wholly objective, but I
always thought those ACM hardware boxes were the world's most
heavily-tested and widely-installed strong authentication appliance for a
reason.  Virtually every US (and Canadian;-) telephone company surveyed the
alternatives and installed dozens or hundreds of these boxes to secure
remote telco switching stations, for remote management and maintenance.  I
think SDTI's ACMs are a mainstay of the telco infrastructure throughout
North America, maybe in other countries too.)
  
        The finite lifespan of SecurIDs, btw, is not based on battery
life -- although the SecurID is "sealed" and the battery is not accessible or
replaceable by the token-holder.  SDTI, as I recall, found that the failure
rate among five year-old SecurID cards was markedly worse than among those
with the same tokens which were only four years old.   There seemed to be a
rapid drop in dependability after a relatively constant level of
dependability up until then.

        Nothing particularly surprising, just wear and tear on a given token
design.   I expect that SDTI will offer longer-lifed key-fobs when they get
real-world stats from their installed base,  but I'd be surprised if the
SecurID cards are ever sold for longer than 5 years without some (heavily
studied)  tweak in the design for the token casing.

        I always wondered if C/R tokens -- which, after all, have to have
mechanical keypads, which most SecurIDs do not need -- are _really_ immune
to such predictable changes in dependability when a token is carried around
by a user, and is in heavy daily use over several years.

>Does anyone know of a device that will do this?

        Toronto-based Cryptocard  <http://www.cryptocard.com>  has, among
other products, a Win95/NT-based RADIUS authentication manager that might
fit your needs.  DES-based C/R tokens.  Good little company.

        Suerte,
                        _Vin
--------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 *     Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
