This article is from the Sniffer FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.
S/Key and other one-time password technologies make sniffed account
information almost useless. The S/Key concept is that your remote host
already knows a password that is not going to go over insecure channels, and
when you connect, you get a challenge. You plug the challenge information
and the password into an algorithm that generates the response, which
should give the same answer if the password is the same on both sides.
Therefore the password never goes over the network, nor is the same
challenge used twice. Unlike SecurID or SNK, with S/Key you do not share a
secret with the host. S/Key is available at
ftp:thumper.bellcore.com:/pub/nmh/skey
OPIE is the successor to S/Key and is available at
ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/
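
The challenge/response exchange described above, as an added Python example (not code from the FAQ or from the S/Key distribution). It assumes SHA-256 cut to 64 bits in place of S/Key's MD4-based function; the names step, otp, Host, enroll and demo, and the sample seed and passphrase, are made up for illustration.

```python
import hashlib
import hmac

def step(data: bytes) -> bytes:
    # One hash step. Assumption: SHA-256 cut to 64 bits stands in for
    # the MD4-based 64-bit function of the original S/Key.
    return hashlib.sha256(data).digest()[:8]

def otp(password: str, seed: str, n: int) -> bytes:
    # Hash seed+password once, then apply the step n more times.
    value = step((seed + password).encode())
    for _ in range(n):
        value = step(value)
    return value

class Host:
    """Host-side record: seed, counter and the last accepted response."""
    def __init__(self, seed: str, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        if self.count == 0:
            raise RuntimeError("chain used up; user must re-initialise")
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # Hashing a valid response once must give the stored value.
        if self.count == 0 or not hmac.compare_digest(step(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True

def enroll(password: str, seed: str, count: int) -> Host:
    # Done once, outside the sniffed channel; the host keeps only otp(..., count).
    return Host(seed, count, otp(password, seed, count))

def demo():
    password = "constructed example passphrase"   # constructed sample value
    host = enroll(password, "ke1234", 5)           # constructed seed
    n, seed = host.challenge()                     # sent in the clear
    response = otp(password, seed, n)              # sent in the clear
    accepted = host.verify(response)
    replayed = host.verify(response)               # sniffed copy sent again
    next_n, _ = host.challenge()
    return accepted, replayed, n, next_n

if __name__ == "__main__":
    print(demo())
```

A response captured on the wire fails on replay because the host now expects the value one step earlier in the chain, which cannot be derived from the captured one without inverting the hash.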
Another one-time password technology is the card system, in which each user
gets a card that generates numbers that allow access to their account.
Without the card, the numbers are improbable to guess.
The following are companies that offer solutions that provide better
password authentication (i.e., handheld password devices):
Secure Net Key (SNK)
Digital Pathways, Inc.
201 Ravendale Dr. Mountainview, Ca.
97703-5216 USA
Phone: 415-964-0707 Fax: (415) 961-7487
SecurID
Security Dynamics,
One Alewife Center
Cambridge, MA 02140-2312
USA Phone: 617-547-7820
Fax: (617) 354-8836
SecurID uses time slots for authentication rather than challenge/response.
ArKey and OneTime Pass
Management Analytics
PO Box 1480
Hudson, OH 44236
Email: fc@all.net
Tel:US+216-686-0090 Fax: US+216-686-0092
OneTime Pass (OTP):
This program provides unrestricted one-time pass codes on a user by user
basis without any need for cryptographic protocols or hardware devices. The
user takes a list of usable pass codes and scratches out each one as it is
used. The system tracks usage, removing each passcode from the available
list when it is used. Comes with a very small and fast password tester and
password and pass phrase generation systems.
ArKey:
This is the original Argued Key system that mutually authenticates users and
systems to each other based on their common knowledge. No hardware
necessary. Comes with a very small and fast password tester and password and
pass phrase generation systems.
WatchWord and WatchWord II
Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892
1-800-521-6261 ext 217
CRYPTOCard
Arnold Consulting, Inc.
2530 Targhee Street, Madison, Wisconsin
53711-5491 U.S.A.
Phone : 608-278-7700 Fax: 608-278-7701
Email: Stephen.L.Arnold@Arnold.Com
CRYPTOCard is a modern, SecurID-sized, SNK-compatible device.
SafeWord
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707 Fax: (510)827-2593
For information about Enigma, ftp to ftp.netcom.com, directory
/pub/sa/safeword
Secure Computing Corporation:
2675 Long Lake Road
Roseville, MN 55113
Tel: (612) 628-2700
Fax: (612) 628-2701
debernar@sctc.com
 