One Time Identification, a request for comments/testing.
peteri at cryptocard.com
Fri Feb 2 17:46:55 EST 2007
Good day everyone:
I am thoroughly enjoying this thread.
Mr. Wettstein, your reference to the manner in which people ensure
they do not forget their tokens is, to say the least, appropriate,
but please keep in mind that our tokens come in many form factors.
- Calculator style (RB)
- Dongle style (KT)
- Class 8 mass storage device (iPod, thumbdrive, mp3 player, etc...)
- USB (UB)
- SmartCard (SC)
- Hard Disk (ST)
- BlackBerry (BB)
- CellPhone (MT)
- SMS (WT)
I don't believe I've seen anyone with a token strapped to their
notebook and their PIN etched on the case. Still, though, I like
the manner in which you justify software token use.
The reality is different. Software tokens require an M2M or
machine-to-machine interface (software). Deploying this software
on 100 workstations is problematic. Multiply that by 1000, within
a heterogeneous environment, and it's an administrative nightmare.
Hardware tokens are the most portable and most secure. Hardware
tokens outsell software tokens by a factor of approx. 100 to 1.
Additionally, one can't use a public station because the software
to access or drive that token on the device in question isn't available.
If I can be of any assistance in getting 2FA into Kerberos, simply
ask. If I remember correctly I submitted a proposal to kerbdev,
Sam Hartman and Ken Hornstein some years back. Perhaps that document
is still around some place in the archives. It presented an open
framework for any type of 2FA.
Again, if anyone would like input or assistance from CRYPTOCard,
just let me know.
Vice President, Research & Development
g.w at hurderos.org wrote:
> On Feb 1, 5:15pm, Jeffrey Hutzelman wrote:
> } Subject: Re: One Time Identification, a request for comments/testing.
> Good day to everyone.
>> On Thursday, February 01, 2007 03:06:21 PM -0600 g.w at hurderos.org wrote:
>>>> What keeps a user from copying the identity token from the USB
>>>> device to a local or shared file system to avoid having to insert
>>>> the USB device all the time?
>>> We were considering public flogging but were unsure if we could get it
>>> into an IETF draft.
>> <wg chair hat on>
>> Anyone can submit an internet-draft; just write up your proposal
>> according to <http://www.ietf.org/ietf/1id-guidelines.html> and send
>> it off to internet-drafts at ietf.org.
>> You should then bring up your proposal on the Kerberos Working Group
>> mailing list, ietf-krb-wg at anl.gov. We're beginning to move into the
>> area of preauthentication and improving the initial authentication
>> exchange, and while I can't guarantee that your proposal will be
>> well-received, it will certainly receive the same consideration as a
>> number of others that have recently been raised.
> I do appreciate the offer and will review the proposal guidelines.
> That being said, I'm certainly no IETF politician. I also don't have
> any agenda, corporate or otherwise, with any of this. I believe there
> needs to be people doing interesting stuff in this field and I enjoy
> the challenge of innovation. It's not sexy, nor fun, like building a
> new desktop environment, so there is a paucity of Open-Source interest
> in the arena.
> OTI ultimately comes from our work and interest in how to define
> identity. As such it's a paradigm shift, which is always a difficult
> But we would certainly entertain a discussion if anyone was interested
> in any type of collaboration on this.
>>> Security starts with user training and making it unnecessary for them
>>> to want to do things like that.
>> In this case, I think that is unrealistic. The thing users want to
>> avoid is "Oh, damn, I have to dig out this stupid USB thing and plug
>> it in before I can use my computer, what a pain." They'll do that
>> by copying the file off, especially after the first few instances of
>> "Oh, damn, I have to dig out this stupid USB thing and plug it in to
>> use my laptop, and I can't because I'm in Europe and the USB thingy
>> is in Pittsburgh".
> Luckily there is a sure and certain solution to the problem. Spend
> money implementing CryptoCard or any one of a number of other
> solutions which people will gladly sell you.
> The only organizational challenge is dealing with the user who forgot
> their CryptoCard the last time they flew to Europe and now have it
> securely duct taped to the back of their laptop, with the pin number
> written in magic marker on the duct tape so they don't forget it.
> Jeff, you and I have been doing this stuff for a long time. I think
> we both agree it's not possible to technically eradicate stupidity.
> There is an understandable fixation about copying off the identity
> token. I think the reason for it is the issue of paradigm shift which
> I discussed above. Physical protection of a two factor token arises
> from a paradigm where the token is capable of independently
> implementing the user's identity.
> That's why RSA private keys get stuffed inside a self-destructing card
> or device, to force direct physical possession of the identity
> implementation. There is still a secret which ties implementation of
> the identity to a user, only we call it a PIN number rather than a
> In OTI the paradigm shifts: the implementation of the identity
> involves a direct interaction between the token and the user's secret
> (key). Obviously one prefers not to have tokens go wandering about;
> that is a standard security predicate of attacker knowledge
> deprivation. But, and it's an important but, the token is not
> independently capable of implementing the user's identity.
> So Jeff, your IDtoken is free to go to Europe inside your laptop.
> Interestingly, it avoids a Denial of Service (DOS) attack from the
> person whose draft you frowned on, who decided to punch 0-0-0-0 into
> your CryptoCard four times to make your life miserable in Europe.
> I'm assuming, of course, standard security policy which requires a
> trip to the HelpDesk with a picture ID in the event of a need to
> re-establish authentication for someone... :-)
>> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> --..., ...--
> Best wishes for a pleasant weekend.
> }-- End of excerpt from Jeffrey Hutzelman
> As always,
> Greg Wettstein
> The Hurderos Project
> Open Identity, Service and Authorization Management
> "Everything should be made as simple as possible, but not simpler."
> -- Albert Einstein
> krbdev mailing list krbdev at mit.edu
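The split-identity idea Greg describes above, where the token "is not independently capable of implementing the user's identity" because the identity only exists when the token's material meets the user's secret, is illustrated below in a constructed example. This is added code, not code from the Hurderos/OTI project or from CRYPTOCard, and it does not claim to reproduce how OTI actually combines the two factors: the choice of PBKDF2-HMAC-SHA256 for the combination, HMAC-SHA256 for challenge/response, the iteration count, and all function names and sample values are assumptions made for the illustration. It also shows the caveat a practitioner would raise against the "the IDtoken is free to go to Europe inside your laptop" argument: once the token file is copied and one exchange has been observed, the user's secret can be guessed offline, so the combination has to be slow and the user secret has to carry real entropy.

```python
"""Constructed illustration of a token that is not, by itself, the identity.

Added example; not code from the Hurderos/OTI project.  Algorithm choices
(PBKDF2-HMAC-SHA256, HMAC-SHA256, 100k iterations) are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

KDF_ITERATIONS = 100_000  # assumption: makes each secret guess cost real CPU time


def derive_identity_key(token_blob: bytes, user_secret: str) -> bytes:
    """Combine copyable token material with a secret that lives only in the user's head.

    Neither input alone yields the key: a copied token file without the user
    secret produces a different (useless) key, and the user secret without
    the token material does likewise.
    """
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode("utf-8"),
                               token_blob, KDF_ITERATIONS, dklen=32)


def enroll(token_blob: bytes, user_secret: str) -> bytes:
    """Verifier-side enrollment: the verifier keeps only the derived key."""
    return derive_identity_key(token_blob, user_secret)


def make_response(token_blob: bytes, user_secret: str, challenge: bytes) -> bytes:
    """Client side: prove possession of both factors for one challenge."""
    key = derive_identity_key(token_blob, user_secret)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(enrolled_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: constant-time comparison against the enrolled key."""
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def offline_guess(token_blob: bytes, challenge: bytes, observed: bytes,
                  candidates: Iterable[str]) -> Optional[str]:
    """The caveat: a copied token plus one observed challenge/response lets an
    attacker test user-secret guesses with no lockout counter in the way.
    Only the KDF cost and the entropy of the user secret slow this down."""
    for guess in candidates:
        if hmac.compare_digest(make_response(token_blob, guess, challenge), observed):
            return guess
    return None


def demo() -> dict:
    """Run the legitimate exchange and a copied-token-only attempt."""
    token_blob = secrets.token_bytes(32)          # constructed: what sits on the USB device
    enrolled = enroll(token_blob, "correct horse")  # constructed user secret
    challenge = secrets.token_bytes(16)
    good = make_response(token_blob, "correct horse", challenge)
    copied_only = make_response(token_blob, "", challenge)  # file copied, secret unknown
    return {
        "legit_accepted": verify(enrolled, challenge, good),
        "copied_token_rejected": not verify(enrolled, challenge, copied_only),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that there is no PIN counter on the token, so the lockout denial-of-service described in the thread cannot be inflicted on a copied or borrowed token; the price is that guessing moves offline, which is why `offline_guess` is shown alongside the honest path.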