Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!uunet!brunix!cs.brown.edu!cs132041
From: cs132041@cs.brown.edu (Jeremy Gaffney)
Newsgroups: comp.unix.wizards
Subject: Re: Passwords
Message-ID: <72985@brunix.UUCP>
Date: 21 Apr 91 22:10:08 GMT
References: <1991Apr12.120209.21241@mp.cs.niu.edu> <17401: Apr1307:58:0691@kramden.acf.nyu.edu> <1071@seeker.MYSTIC.COM>
Sender: news@brunix.UUCP
Organization: Brown Computer Science Dept.
Lines: 46

In article <1071@seeker.MYSTIC.COM>, chip@seeker.MYSTIC.COM (David "Chip" Reynolds) writes:
|> [Deleted text]
|> If I do something on the system, there is NO WAY that a systems admin. can hold
|> me accountable. "Someone stole my password! They must have hacked it! KGB
|> spies are clearly responsible! The dog ate it!" take your pick.
|>
|> The only reasonable way to implement this is with a one-time password.
|>
|> Password Books, with one-use passwords can be stolen, photocopied, lost, etc.
|> We use a different approach. It's called a "super-smart card."
| [More deleted]
|> system clock.) the card gives you back a response that you then re-enter.
|> Using multiple DES keys, no two challenges are ever repeated (the card has a 23
|> digit cipher key, after the challenge-responses have been used, you change the
|> key) and the odds of guessing are in the area of 1 in 70 quadrillion. (assuming
|> full installation.)
|>

What prevents this card from being stolen in the same fashion as a
password book? If the user simply gives back what the card tells him/her,
what prevents the card from being used by J. Q. Cracker who stole the card?

Perhaps a pre-memorized function (albeit simple, by necessity) could be
applied by the user, but at this point, the procedure is too complicated
for any but the by necessity most secure system. Just far too complicated...

-jg (cs132041@brownvm.brown.edu)

|> -*- DCKR -*- David Reynolds
|> Blessed Be!
|>
|>
|> chip@seeker.UUCP
|> decwrl!prememos!chip@seeker.MYSTIC.com
|>
|> root@diana.UUCP
|>
|> David Reynolds
|> Programmer, Product Manager UnixSafe/GatewaySafe
|> Enigma Logic Inc.
|> 2151 Salvio St. Suite 301
|> Concord Ca. 94520
|> (415) 827-5797