Path: utzoo!attcan!uunet!munnari!mulga!charlie!kokab!jgm
From: jgm@kokab.cc.deakin.OZ (John Moorfoot)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: passwords
Message-ID: <7178@charlie.OZ>
Date: 16 Nov 88 02:53:30 GMT
References: <8811090956.AA07706@LANAI.MCL.UNISYS.COM> <26010@bu-cs.BU.EDU>
Sender: root@charlie.OZ
Reply-To: jgm@charlie.oz.au (John Moorfoot)
Organization: Deakin University, Computing Services
Lines: 40

In article <26010@bu-cs.BU.EDU> kwe@bu-it.bu.edu (Kent England) writes:
>In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>>
> When I was at InterOp I stopped by the Sytek booth to look at
>their telnet server. I was not impressed, except by a neat little
>gizmo they had for their terminal server administrators. It looked
>like a calculator. To use it you enter a PIN, like at your favorite
>ATM machine. Then when you log onto a secure port to administer your
>Sytek terminal server, the login program gives you a sequence of
>numbers. You enter the numbers into the little gizmo and it gives you
>a bunch of numbers back. You enter these into the login program and
>you are in. Anyone catching this sequence over the net cannot
>duplicate it, they don't have the little calculator gizmo and your
>PIN.
> There must be a name for this kind of security system. Anyone
>know?
> Is this kind of system available elsewhere? How secure is
>this concept? I thought it sounded like it might be useful for system
>administrators.

This sounds like PFX from Sytek. The s/w runs on a PC attached to a
secure port on the host, and each user has a calculator which generates
a response from a prompt issued from the server. It is as secure as the
port to which the PC is attached.

A host program asks the PC for a challenge for a user, and the PC
returns the challenge and two possible responses. The calculator can be
programmed to accept two separate PINs, and will give a response to the
challenge dependent on the PIN entered. This provides an additional
degree of security, as the second PIN can be used (for instance) if the
user is under duress.

The PC can be connected to a printer to provide an audit trail of
operations on the PC database, and it can also provide a facility for
disabling a user for authentication without deleting the user's record.

John Moorfoot
ARPA: jgm%charlie.oz.au@uunet.uu.net
UUCP: ...!uunet!munnari!charlie.oz!jgm
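
Added example, not part of the original post and not Sytek's code: a sketch of the exchange described above, with the host asking the PC for a challenge plus two expected responses, a second (duress) PIN, an audit trail, and disabling a user without deleting the record. The post does not give the PFX algorithm, so HMAC-SHA256, the 8-digit length and every name below are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of the numbers shown and typed


def token_response(device_key: bytes, pin: str, challenge: str) -> str:
    """The calculator's job: a keyed function of the entered PIN and the challenge."""
    mac = hmac.new(device_key, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class AuthServer:
    """Stands in for the PC on the secure port (hypothetical data layout)."""

    def __init__(self):
        self.users = {}  # name -> key, both PINs, enabled flag
        self.audit = []  # stands in for the attached printer

    def enroll(self, name, device_key, pin, duress_pin):
        self.users[name] = {"key": device_key, "pin": pin, "duress": duress_pin, "enabled": True}

    def set_enabled(self, name, enabled):
        self.users[name]["enabled"] = enabled  # record is kept, not deleted
        self.audit.append((name, "enabled" if enabled else "disabled"))

    def issue(self, name):
        """Return (challenge, normal_response, duress_response), or None if refused."""
        rec = self.users.get(name)
        if rec is None or not rec["enabled"]:
            return None
        challenge = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        return (challenge, token_response(rec["key"], rec["pin"], challenge),
                token_response(rec["key"], rec["duress"], challenge))


def host_login(server, name, ask_user):
    """Host side: fetch the challenge, prompt the user, compare with both responses."""
    issued = server.issue(name)
    result = "denied"
    if issued is not None:
        challenge, normal, duress = issued
        typed = ask_user(challenge)
        if hmac.compare_digest(typed, normal):
            result = "ok"
        elif hmac.compare_digest(typed, duress):
            result = "duress"  # admit, but the audit trail shows the alarm
    server.audit.append((name, result))
    return result
```

Because issue() hands the expected responses to the host, the link between host and PC carries everything needed to answer that challenge, which is why the scheme is only as secure as that port.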