hardware preauthentication in krb5-1.3-beta4
Peter Iannarelli
peteri at cryptocard.com
Tue Jul 15 07:14:28 EDT 2003

The use of the CRYPTOCard key does not sit well with me. Up north here we believe the key should be protected at all costs and should never be transmitted (clear or encrypted).

Having said that, we have some newer tokens which can increase entropy significantly.

Currently we have a high security mode for the classic tokens, which uses two CC responses, thus doubling the number of bits in the response (64 bits, more entropy). Additionally we have new tokens which require 64, 128, 512 and 1024 byte responses. These types of tokens are embedded in smartcards (Java and CAC, machine to machine interface only). The user activates the token with their PIN.

Just a thought, perhaps the challenge should be used as a source of entropy. The user consumable portion of the challenge can be augmented with additional randomly generated bytes. This approach permits the continued use of a classic hardware token and provides a semi user centric experience.

Ken Hornstein wrote:
>>I Ken, I do think your draft should regain the ability to just use the
>>crypto card key, not for crypto card, but for stronger tokens.
>>
>>
>
>Oh, it definitely does.
>
>--Ken