Passwords

Jeremy Gaffney cs132041 at cs.brown.edu
Mon Apr 22 08:10:08 AEST 1991


In article <1071 at seeker.MYSTIC.COM>, chip at seeker.MYSTIC.COM (David "Chip" Reynolds) writes:
|> 
[Deleted text]
|> If I do something on the system, there is NO WAY that a systems admin. can hold
|> me accountable.  "Someone stole my password!  They must have hacked it! KGB
|> spies are clearly responsible!  The dog ate it!" take your pick.
|> 
|> The only reasonable way to implement this is with a one-time password.
|> 
|> Password Books, with one-use passwords can be stolen, photocopied, lost, etc.
|> We use a different approach.  It's called a "super-smart card."
|>
[More deleted]
|> system clock.) the card gives you back a response that you then re-enter.
|> Using multiple DES keys, no two challenges are ever repeated (the card has a 23
|> digit cipher key, after the challenge-responses have been used, you change the
|> key) and the odds of guessing are in the area of 1 in 70 quadrillion. (assuming
|> full installation.)
|>

What prevents this card from being stolen in the same fashion as a password book?
If the user simply gives back what the card tells him/her, what prevents the card
from being used by J. Q. Cracker who stole the card?  Perhaps a pre-memorized function
(albeit simple, by necessity) could be applied by the user, but at this point, the 
procedure is too complicated for any but the by necessity most secure system.  Just
far too complicated...

-jg  (cs132041 at brownvm.brown.edu)



|> -*- DCKR -*-   David Reynolds
|> Blessed Be!
|> 
|> 
|> chip at seeker.UUCP
|> decwrl!prememos!chip at seeker.MYSTIC.com
|> 
|> root at diana.UUCP
|> 
|> David Reynolds
|> Programmer, Product Manager UnixSafe/GatewaySafe
|> Enigma Logic Inc.
|> 2151 Salvio St. Suite 301
|> Concord Ca. 94520
|> (415) 827-5797
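
The question raised in the reply, as an added example that is not part of either post and is not Enigma Logic's code: a challenge-response check where the card alone is enough, beside one that also needs a secret the user memorizes. Assumptions: HMAC-SHA256 stands in for the card's DES-based function (the post does not specify it), and the names card_response, Host and demo, the PIN and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


# Assumption: HMAC-SHA256 replaces the card's unspecified DES-based function.
def card_response(card_key: bytes, challenge: str, pin: str = "") -> str:
    """Response the card displays. The PIN is supplied by the user, not stored on the card."""
    msg = challenge.encode() + b"|" + pin.encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits that the user re-enters by hand.
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class Host:
    def __init__(self, card_key: bytes, pin: str = ""):
        self.card_key, self.pin = card_key, pin
        self.outstanding = set()  # challenges issued and not yet answered

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already-answered challenge: replay rejected
        self.outstanding.discard(challenge)
        expected = card_response(self.card_key, challenge, self.pin)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = bytes(range(16))  # constructed sample card key
    results = {}
    # Card only: whoever holds the card answers correctly.
    host = Host(key)
    c = host.new_challenge()
    results["card_only_holder"] = host.verify(c, card_response(key, c))
    # Card plus memorized PIN: the card without the PIN is not enough.
    host = Host(key, pin="4071")
    c = host.new_challenge()
    results["card_without_pin"] = host.verify(c, card_response(key, c))
    c = host.new_challenge()
    r = card_response(key, c, pin="4071")
    results["card_with_pin"] = host.verify(c, r)
    results["replayed_response"] = host.verify(c, r)  # same pair sent again
    return results
```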



More information about the Comp.unix.wizards mailing list