hardware preauthentication in krb5-1.3-beta4

Peter Iannarelli peteri at cryptocard.com
Tue Jul 15 07:14:28 EDT 2003

The use of the CRYPTOCard key does not sit well with me. Up north here 
we believe the
key should be protected at all costs and should never be transmitted 
(clear or encrypted).
Having said that, we have some newer tokens which can increase entropy 
Currently we have a high security mode for the classic tokens, which 
uses two CC responses
thus doubling the number of bits in the response ( 64 bits, more 
entropy). Additionally we have new tokens
which require 64, 128, 512 and 1024 byte responses. These types of 
tokens are embedded in
smartcards ( java and CAC, machine to machine interface only). The user 
activates the token
with their PIN.

Just a thought, perhaps the challenge should be used as a source of 
entropy. The user consumable
portion of the challenge can be augmented with additional randomly 
generated bytes. This
approach permits the continued use of a classic hardware token and 
provides a semi user
centric experience.

Ken Hornstein wrote:

>>I Ken, I do think your draft should regain the ability to just use the
>>crypto card key, not for crypto card, but for stronger tokens.
>Oh, it definately does.

More information about the krbdev mailing list