Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!ceres.physics.uiowa.edu!news.iastate.edu!cs352a41
Newsgroups: comp.dcom.modems
Subject: Re: What do you think about security functions in modems?
Message-ID: <cs352a41.671557694@zippy>
From: cs352a41@cs.iastate.edu (Adam Goldberg)
Date: 13 Apr 91 15:48:14 GMT
Sender: news@news.iastate.edu (USENET News System)
References: <1991Apr4.144615.22814@dce.ie> <1991Apr6.152822.4628@dramba.neis.oz> <37@mgsscsg.UUCP> <59727@aurs01.UUCP>
Organization: Iowa State University, Ames IA
Lines: 40

whitcomb@aurs01.UUCP (Jonathan Whitcomb) writes:

>In article <37@mgsscsg.UUCP> zuck@mgsscsg.UUCP (Zuck Zuckerbrot) writes:
>-just to throw my $.02 in, we here at motorola use a security system
>-between our modems and the systems.  every user has a credit card sized
>-device with an lcd display with a six digit number that changes randomly (?)
>-once a minute.  to use it one dials in, connects with a modem, enters
>-a four digit PIN followed by the number currently in the window.
>-once validated, it allows you to pass through to the hosts.
>- 
>-it's made by security dynamics in boston and is called the "ace system"

>Recently I was helping a friend (a modem and computer novice) learn to
>use a telecommunications package and modem to log into the computer
>where she works (Glaxo, in RTP, NC).  They use the number
>generating cards that Zuck mentioned.  I am very curious how these
>work.  Do all of the cards display the same number at the same
>time, or does the computer have a quick way to compute what number
>will be on the specific caller's card (based on the PIN)?  If either
>of these schemes are valid, those cards have to be _very_ accurate.

>Can anyone fill us in on how this works?

I once did some consulting work for a client whose friend used the above
system.  The client wanted me to find out whether it would make sense for
him to use something like it.  The client's answer was no, but in the mean
time I talked to the guy who used the card--it seems that the number displayed
is verifiable by the host computer (ie, not just random), and that only
certain numbers are possible.  It may be (I don't know) that each card has
its own set of numbers, ie the host can tell not only if the number is valid,
but if it is valid who is calling in.

Seems like this system is for the very paranoid or very secure, depending on 
your point of view.

--
+-----------------------------------------------------------------------------+
! Adam Goldberg           !       *         ! "It's simple! Even a PASCAL     !
! cs352a41@cs.iastate.edu !       *         !  programmer could do it!"       !
+-----------------------------------------------------------------------------+