OTP Support in MIT Kerberos
Frank Cusack
fcusack at fcusack.com
Mon Jul 31 11:38:05 EDT 2006
On July 28, 2006 7:04:25 PM -0400 Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> Henry B. Hotz wrote:
>
>> "Soft" tokens are preferred to "hard" tokens, if tokens are needed,
>> though undetected theft becomes an issue. It might be possible to
>> make my internet kiosk example work with a java applet, but I'm not
>> sure I know all the concerns to address there.
>
> The java applet has a bootstrap problem. Applets such as Citicorp's
> Credit Card Number generator require a username and password to be
> used over TLS in order to access the account so that the necessary data
> can be obtained to produce and register the new numbers. I suspect
> you will have the same issues by trying to use an applet to generate
> a one time password.
>
> The primary benefit to using the concatenated PIN + OTP as a password
> is that it is theoretically possible to use existing clients such as
> Windows 2000/XP or web based authentication without requiring changes
> in the protocols or user interfaces. However, this requires that the
> OTP sequence for the user be made available to the authentication
> service so that the appropriately derived keys can be produced.
>
> If you are aware of an OTP vendor who is willing to make OTP sequences
> available, please let us know.
We do. tri-dsystems.com. But as Douglas points out, this is not enough,
even if krb5 is your only means of authentication.
-frank
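The scheme discussed above (an unmodified client sends PIN + OTP as its "password", so the authentication service must hold the token's OTP sequence to derive the same key) as an added illustration, not code from this thread or from MIT Kerberos. It assumes an HOTP (RFC 4226) token whose seed the vendor exports, a simplified PBKDF2 string-to-key in the spirit of RFC 3962 (the real enctype adds a DK() step), and a constructed PIN, salt and window size.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo values; the seed is the RFC 4226 test-vector secret.
PIN = "1234"
TOKEN_SEED = b"12345678901234567890"  # what the OTP vendor must hand over
REALM_SALT = b"EXAMPLE.COMalice"      # Kerberos-style salt: realm + principal
OTP_WINDOW = 5                         # sequence positions the service will try

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): the OTP at position 'counter' of this token's sequence."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def string_to_key(password: str, salt: bytes) -> bytes:
    """Simplified string-to-key: PBKDF2-HMAC-SHA1, 4096 iterations, 16-byte key
    (assumption: the real AES enctypes apply a further DK() step)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)

def client_key(pin: str, otp: str) -> bytes:
    """An unmodified client only ever sees a 'password' of PIN concatenated
    with the current OTP, and derives its key from that string."""
    return string_to_key(pin + otp, REALM_SALT)

def service_verify(presented_key: bytes, pin: str, seed: bytes,
                   counter: int) -> Optional[int]:
    """Authentication service side: without the token seed it cannot know the
    OTP, so it derives a key for each candidate OTP in the window and compares
    in constant time. Returns the matching counter (to advance the token's
    state) or None when nothing in the window matches."""
    for c in range(counter, counter + OTP_WINDOW):
        candidate = string_to_key(pin + hotp(seed, c), REALM_SALT)
        if hmac.compare_digest(candidate, presented_key):
            return c
    return None
```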