One Time Identification, a request for comments/testing.

Douglas E. Engert deengert at
Thu Feb 1 12:11:22 EST 2007

I was trying to get the authors of the note to say this, as
it appears that their approach is equivalent to soft tokens
but may have some advantages with regard to password policies.

Nicolas Williams wrote:
> On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
>> What are the security implications if the identity token is
>> stolen?
>> How does this compare to using cert and key on the USB
>> device with PKINIT rather than your identity token?
>> How does this compare to using a smart card or USB equivalent
>> of a smartcard with PKINIT? To the user they still have to insert
>> the card or USB device, and have to enter a pin or password?
> You're correct -- softtokens aren't a replacement for real smartcards.
> That doesn't stop a softtoken from being useful though.
> Compare softtokens to passphrase-protected ssh private key files in
> users' home directories :)

These suffer from policy control of the passphrase used to encrypt the
key. The user can change the passphrase, or remove it altogether!
This is a problem for organizations that need to enforce password
quality rules. It also allows for offline guessing attacks.
(A smart card at least enforces some rules on the PIN, and
defeats the guessing attack by turning off the card after some small
number of guesses.)

It sounded like the identity token approach required the use of a
password as well, so it might get around some of the password policy
issues, as the KDC gets to enforce the policies. I would like the authors
to comment more on this.

> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

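The contrast drawn in the message above, between a passphrase-protected key file that can be guessed offline without limit and a smart card whose PIN retry counter locks after a few wrong tries, as an added example that is not part of the original post. The "key file" format here is a deliberately simplified stand-in (PBKDF2 key-encryption key, XOR keystream, HMAC check value), not the real OpenSSH or PKCS#8 format, and the card is a simulated retry counter; the key bytes, passphrases and wordlists are constructed for the demo.

```python
"""Offline guessing against a passphrase-protected key file versus
online guessing against a PIN-protected card (added example, not code
from the krbdev thread; formats and data are simplified/constructed)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

KDF_ROUNDS = 2_000  # kept low so the demo runs fast; real tools use far more


def _keystream(kek: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from the key-encryption key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(kek + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect_key(private_key: bytes, passphrase: str) -> dict:
    """Wrap a key under a passphrase. Note that the empty string is accepted:
    nothing in the file format stops a user from stripping the passphrase."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(kek, len(private_key))))
    tag = hmac.new(kek, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unprotect_key(blob: dict, passphrase: str) -> Optional[bytes]:
    """Return the key if the passphrase is right, else None. The check value
    is all an attacker needs to test candidates against a stolen copy."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob["salt"], KDF_ROUNDS)
    expected = hmac.new(kek, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, len(blob["ct"]))))


def offline_guess(blob: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker holds a copy of the file: only the KDF cost limits the rate,
    and nothing limits the number of tries."""
    n = 0
    for cand in wordlist:
        n += 1
        if unprotect_key(blob, cand) is not None:
            return cand, n
    return None, n


class SimulatedCard:
    """Stand-in for a smart card: the PIN is checked inside the card and a
    retry counter locks it after MAX_TRIES consecutive wrong PINs."""
    MAX_TRIES = 3

    def __init__(self, pin: str, private_key: bytes):
        self._pin = pin.encode()
        self._key = private_key
        self.tries_left = self.MAX_TRIES
        self.locked = False

    def sign(self, pin: str, data: bytes) -> bytes:
        if self.locked:
            raise PermissionError("card locked: PIN retry counter exhausted")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left -= 1
            if self.tries_left == 0:
                self.locked = True
            raise ValueError("wrong PIN")
        self.tries_left = self.MAX_TRIES  # correct PIN resets the counter
        return hmac.new(self._key, data, hashlib.sha256).digest()


def online_guess(card: SimulatedCard, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker holds the card itself: every wrong guess burns a retry."""
    attempts = 0
    for cand in candidates:
        if card.locked:
            break
        attempts += 1
        try:
            card.sign(cand, b"probe")
            return cand, attempts
        except ValueError:
            continue
    return None, attempts


if __name__ == "__main__":
    key = bytes(range(32))  # constructed stand-in for a private key
    blob = protect_key(key, "letmein")
    print("offline:", offline_guess(blob, ["password", "123456", "letmein", "qwerty"]))
    card = SimulatedCard("4321", key)
    print("online :", online_guess(card, ["0000", "1234", "1111", "4321"]), "locked:", card.locked)
```

The offline attacker recovers the weak passphrase on the third try and could have kept going through a million-word list; the online attacker against the card gets three tries and then a locked card, which is the property the message credits to smart cards and asks the identity-token authors to address.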