Path: utzoo!utgpu!watmath!clyde!att!pacbell!pbhya!whh
From: whh@pbhya.PacBell.COM (Wilson Heydt)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Keywords: passwords, security
Message-ID: <22768@pbhya.PacBell.COM>
Date: 9 Jan 89 16:24:35 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <4537@xenna.Encore.COM> <900@eta.unix.ETA.COM>
Organization: Pacific * Bell, Oakland, CA
Lines: 45

In article <900@eta.unix.ETA.COM>, bstrand@woods.unix.eta.com (Brad Strand) writes:
> The recent discussions regarding Unix password security (and the lack
> thereof) got me wondering about other authentication schemes. One
> such scheme that I haven't seen mentioned here is replacing the password
> with a 'pass-function'. By that I mean that instead of having a
> password such as "xyzzy", each user would have his/her own personal
> function F, perhaps like
>
> F(C) = 4C + 3
>
> The idea would be for the system to replace the "password:" prompt
> with a prompt more like, "How about C?", where C is some reasonably
> small (maybe 16-bit) random "Challenge" number generated by the system.
> The user must then apply his/her pass-function to this particular C,
> and enter the resulting F(C). Example:
>
> login:
> How about 1204? <4819>
> Welcome, Brad! ... etc.

I've seen two implementations of this sort of scheme. They both use a
physical device to do the function--thus avoiding the problem of users
picking simple functions. (And also permitting turning access off easily
at need.)

The first one is called "Gordian Key" and the token is a gray block of
plastic about 1-1/2 by 2-1/2 by 3/8 inches. It has 4 photodiodes on one
end and a 6-character LCD in the top. The system generates the challenge
code and displays it on the terminal both as text and as a pattern of @s
to be read by the photodiodes. There is an auxiliary device available
that has a keypad and a set of LEDs so the user can key the challenge and
it generates the scan pattern for the key, instead of holding the key to
the terminal screen.

The other device is called "SecurId" and looks rather like a credit-card
sized calculator. The passcode is continuously displayed.

In both these systems the challenge and passcode change every 30 seconds
and the key function is specific to the user.

It is *supposed* to be impossible to take either of them apart without
destroying critical parts of the circuitry.

--Hal

=========================================================================
Hal Heydt                  | "Hafnium plus Holmium is
Analyst, Pacific*Bell      |  one-point-five, I think."
415-645-7708               |     --Dr. Jane Robinson
{att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh
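The challenge-response exchange discussed above, as an added example that is not part of either poster's text: the server issues a 16-bit challenge, the "token" answers with a per-user keyed function truncated to a 6-digit code, and the server verifies it. The HMAC-SHA256 construction, the user name and the secret are assumptions for illustration (the post does not say what function the Gordian Key or SecurId devices compute); the last function shows why a human-chosen affine F(C) = aC + b is weak, which is the reason Hal gives for moving the function into a device.

```python
import hashlib
import hmac
import secrets

# Constructed per-user secret standing in for the personal pass-function.
# In the device-based systems the post describes, this lives inside the token.
USER_SECRETS = {"brad": b"constructed-secret-for-brad"}


def issue_challenge() -> int:
    """Server side: a fresh 16-bit random challenge, as in the quoted proposal."""
    return secrets.randbelow(1 << 16)


def token_response(secret: bytes, challenge: int) -> str:
    """Token side: keyed PRF over the challenge, truncated to 6 decimal digits
    (the width of the Gordian Key LCD). HMAC-SHA256 is an assumed choice."""
    mac = hmac.new(secret, challenge.to_bytes(2, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify(user: str, challenge: int, response: str) -> bool:
    """Server side: recompute with the stored secret and compare in constant time."""
    secret = USER_SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(token_response(secret, challenge), response)


def solve_affine(pairs):
    """Why a user-picked F(C) = aC + b does not hold up: two observed
    (challenge, response) pairs pin down a and b exactly."""
    (c1, r1), (c2, r2) = pairs
    a = (r2 - r1) // (c2 - c1)
    return a, r1 - a * c1


if __name__ == "__main__":
    c = issue_challenge()
    r = token_response(USER_SECRETS["brad"], c)
    print(f"How about {c}? <{r}>", "accepted" if verify("brad", c, r) else "rejected")
    # The quoted example (1204 -> 4819) plus one more exchange recovers F = 4C + 3.
    print("recovered (a, b) from two exchanges:", solve_affine([(1204, 4819), (10, 43)]))
```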