Another mechanism for secure authentication without passwords is zero-knowledge proofs.

Networks that use this system have a client and a server that share what is in essence a very long sequence of digits. When the client connects to the server, the server queries the client about the digits at a small set of positions in the sequence. Because the sequence is very long, knowledge of a few digits by a sniffer is not sufficient. The server queries a different set of positions each time the client connects.
This type of authentication is growing in popularity. The digit sequence held by the client can be stored on a credit-card-sized device or even in a ring worn by the user. A mobile user of this technique need not carry a computer, only a few kilobytes of data storage.
RFC 1704 and RFC 1750 provide a good background in the principles of authentication and the current state of encryption technology for the Internet.
DESlogin 1.3 uses a challenge / response technique in conjunction with DES encryption for authentication. The latest version is available via anonymous FTP from ftp.uu.net/pub/security/des.
S/Key from Bellcore uses the challenge / response technique as well. S/Key is available via anonymous FTP from thumper.bellcore.com in the /pub/nmh directory. S/Key has support for a variety of platforms, including Unix, Macintosh, and Windows, to generate the one-time password used as a response to a challenge. It also includes a replacement for /bin/login and the FTP daemon on the Unix host. RFC 1760 describes the system in technical detail.
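The one-time password chain behind S/Key, as an added example that is not the page's or Bellcore's code: the client hashes seed+secret N times and hands the server only the N-th value; each later response is the previous link in the chain, which the server checks by hashing it once more. It uses the MD5 fold from RFC 2289 in place of the MD4 of RFC 1760, since MD4 is usually absent from modern hashlib builds; the seed, secret and sequence number are constructed values.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two 64-bit halves of the digest down to 8 bytes."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(secret: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: fold(seed+secret), then fold n more times (Lamport chain)."""
    h = fold_md5((seed.lower() + secret).encode())
    for _ in range(n):
        h = fold_md5(h)
    return h


class OtpServer:
    """Stores only the sequence number and the last accepted OTP, never the secret."""

    def __init__(self, seed: str, n: int, last_otp: bytes):
        self.seed, self.n, self.last = seed, n, last_otp

    def challenge(self) -> str:
        # The challenge tells the client which link of the chain to compute next.
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.n <= 0:
            return False  # chain exhausted; client must re-initialise
        # Hashing the response once must reproduce the previously accepted value.
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        self.last, self.n = response, self.n - 1  # a replayed response now fails
        return True


def run_demo() -> list:
    secret, seed = "correct horse", "ke1234"  # constructed sample values
    srv = OtpServer(seed, 100, otp(secret, seed, 100))  # client registers OTP #100
    first = otp(secret, seed, 99)
    return [srv.verify(first), srv.verify(first),            # accept, then reject replay
            srv.verify(otp(secret, seed, 98)),               # next link accepted
            srv.verify(otp("wrong secret", seed, 97))]       # wrong secret rejected
```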