Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!ut-emx!mojo.ots.utexas.edu!jah
From: jah@mojo.ots.utexas.edu (Jeff Hayward)
Newsgroups: comp.dcom.modems
Subject: Re: What do you think about security functions in modems?
Message-ID: <47191@ut-emx.uucp>
Date: 15 Apr 91 04:29:22 GMT
References: <1991Apr6.152822.4628@dramba.neis.oz> <37@mgsscsg.UUCP> <59727@aurs01.UUCP>
Sender: news@ut-emx.uucp
Organization: The University of Texas
Lines: 30

In article <59727@aurs01.UUCP> whitcomb@aurs01.UUCP (Jonathan Whitcomb) writes:
>Recently I was helping a friend (a modem and computer novice) learn to
>use a telecommunications package and modem to log into the computer
>where she works (Glaxo, in RTP, NC). They use the number
>generating cards that Zuck mentioned. I am very curious how these
>work. Do all of the cards display the same number at the same
>time, or does the computer have a quick way to compute what number
>will be on the specific caller's card (based on the PIN)? If either
>of these schemes are valid, those cards have to be _very_ accurate.
>
>Can anyone fill us in on how this works?

All of these "smart tokens" work on a challenge-response principle,
in which the host's challenge, possibly with a user PIN, is input to
the token which yields a response by performing some cryptographic
operation on the challenge using a key specific to the individual.
The host computer has the means to determine what the proper response
should be for the given challenge and individual.

In the case of the Security Dynamics device, I believe they use a
stable clock as an implicit challenge, so they can be used in place
of a password without modifying host user/password mechanisms much.

The main advantage of these devices is that the response generated
is only valid for the given challenge, thus they are relatively free
from playback-type attacks.

-- 
Jeff Hayward            The University of Texas System
+1 512 471 2444         Office of Telecommunication Services
jeff@nic.the.net
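
The challenge-response scheme described in the post above, sketched as an added example that is not part of the original post and not any vendor's code. HMAC-SHA256, the 6-digit truncation, the 60-second time slot, the drift window, and the names `Host`, `token_response` and `verify_clock` are assumptions chosen for illustration; the post does not say which cryptographic operation the tokens use.

```python
import hashlib
import hmac
import secrets

STEP = 60  # seconds per time slot (assumed value)


def token_response(key: bytes, challenge: bytes, pin: str = "") -> str:
    """What the token computes: a keyed MAC over challenge + PIN, cut to 6 digits."""
    mac = hmac.new(key, challenge + pin.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Host:
    def __init__(self):
        self.keys = {}       # user -> per-user secret key
        self.pending = {}    # user -> outstanding explicit challenge
        self.last_slot = {}  # user -> newest time slot already accepted

    def enroll(self, user: str) -> bytes:
        self.keys[user] = secrets.token_bytes(20)
        return self.keys[user]  # the same key is loaded into the user's token

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(8)
        return self.pending[user]

    def verify(self, user: str, response: str, pin: str = "") -> bool:
        # Each challenge is single-use: pop it whether or not the answer is right.
        ch = self.pending.pop(user, None)
        if ch is None or user not in self.keys:
            return False
        return hmac.compare_digest(token_response(self.keys[user], ch, pin), response)

    def verify_clock(self, user: str, response: str, now: float, drift: int = 1) -> bool:
        # Implicit challenge: the current time slot. Accept +/- drift slots of
        # clock skew, but never a slot at or before one already used (replay).
        key = self.keys.get(user)
        if key is None:
            return False
        slot = int(now // STEP)
        for s in range(slot - drift, slot + drift + 1):
            if s <= self.last_slot.get(user, -1):
                continue
            if hmac.compare_digest(token_response(key, s.to_bytes(8, "big")), response):
                self.last_slot[user] = s
                return True
        return False
```
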