  1. #1
    In the P800 white paper, it mentions "Password Generators from RSA
    Security and Secure Computing" under the Security section. What are
    they, and what (and how) are they used for?



  2. #2
    Vin McLellan

    Re: P800 RSA Password Generator

    "Viv" <[email protected]> queried the Group:

    > In the P800 white paper, it mentions "Password Generators from RSA
    > Security and Secure Computing" under the Security section. What are
    > they, and what (and how) are they used for?

    Hi Viv:

    RSA Security, Inc., and Secure Computing, Inc., are two American companies
    which are leading vendors of hand-held devices that are used to generate
    so-called "one-time passwords."

    These one-time passwords or passcodes allow a website or remote server to
    validate or authenticate -- to a high degree of certainty -- that a person
    attempting to access a restricted site is indeed the same person that was
    previously registered as an authorized user with legit access to that
    website (or to some guarded resource on a particular network or machine
    accessible though that website).

    These devices offer what is called "two-factor authentication," and for
    thirty years two-factor token-based "strong authentication" has been widely
    recognized by security mavens to be a safer and far more secure alternative
    to simple user-memorized passwords.

    [InfoSec 101: An individual can only identify himself to a remote computer
    by one of three methods: something known (e.g. a password), something held
    (e.g. a hardware token or device), or something one is (a biometric, e.g.,
    fingerprint, voice sample, etc.)

    [Two or three-factor authentication enhances online user identification
    because the process relies on additional identifiers -- which in turn
    require input from off-line devices, electromechanical or fleshy, believed
    to be in the possession of an individual previously registered on the system
    by some competent authority.

    [As the name implies, a one-time password or passcode is a pseudo-random
    number that can only be used once -- replays will not be accepted -- and
    typically must be used very quickly after it is issued.]

    For decades, RSA's SecurID and Secure Computing's Safeword -- tokens which
    use similar but different technologies for their authentication process --
    have been widely used around the world to enable restricted access to
    protected online resources.

    There are millions of these tokens in use, in thousands of corporations and
    many government agencies. In the US, for example, most White House staffers,
    all US Senators, and many other top government officials have for years
    carried a SecurID -- either a credit-card size device or a small key fob.
    The SecurID has a little window that continuously displays a 6-8 digit
    "passcode" that changes every 60 seconds.

    Neat, and handy enough to be popular -- but for many of us any
    authentication token is still just one more gadget we have to carry.

    Last year, the big token vendors apparently decided that the SMS networks
    were reliable and quick enough to allow them to offer two-factor
    authentication systems that leverage an individual's possession of the one
    gadget that no one can do without:-)

    RSA introduced "RSA Mobile," and Secure Computing offered "MobilePass."

    These systems allow a user, with a SSL-secured browser connection, to log on
    to a website, enter an ID (or an ID and a memorized password) -- and then
    have the site's authentication server send an SMS message or e-mail
    containing a fresh "one-time passcode" to the user's mobile phone (or
    wireless PDA, or Blackberry, or some other SMS-capable pager).

    The user then types the SMS-transmitted "passcode" (or the "passcode" and a
    memorized password) into the log-on form offered by the website to gain
    access to the site or to some protected resource on the website.

    In some sequence, the remote site always gets two factors -- both a
    user-memorized password, and a passcode that could only have been generated
    or (in this case) received by a specific physical device, which is assigned
    to a specific user, and habitually carried by him or her.

    RSA Mobile, with which I am more familiar, issues a "one-time passcode" that
    is only viable for a very brief period. In transmission, of course, my RSA
    passcode is first encrypted with A5, the light-weight GSM voice encryption,
    and then protected by SSL as it is sent back to the authentication server.
    RSA Mobile also requires that a specific one-time passcode be submitted to
    the secured site from the same device, in the same browser session, as the
    original log-on -- something I assume they enforce with a short-term cookie
    that drops down to the browser with the initial connection.

    I won't bother you with details of the authentication servers which support
    these systems. Suffice to say both vendors make their money selling DB-based
    servers that allow an organization to safely handle the authentication
    process, user registration and provisioning, the assignment of limited
    rights and privileges to registered users, and sundry other aspects of
    identity and access management (IAM).

    Hope this answers your questions, Viv. I beg the indulgence of the newsgroup
    for the off-hand tutorial. I may come back with some questions of my own.
    I'm about to trade in my trusty T28 for a P-800.



    Vin McLellan
    The Privacy Guild
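The log-on sequence Vin describes above (memorized password first, then a short-lived passcode that must come back in the same browser session and is rejected on replay), as an added Python sketch of the server side; this is not code from the original post or from either vendor, and the 60-second window, six-digit passcode and in-memory stores are assumptions:

```python
import hashlib
import hmac
import secrets

# Assumed parameters (constructed for this sketch, not vendor values):
# a 60-second validity window and a six-digit passcode.
OTP_TTL_SECONDS = 60
OTP_DIGITS = 6


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the first factor is never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OtpServer:
    def __init__(self):
        self.users = {}    # user_id -> (salt, password_hash, phone)
        self.pending = {}  # session_id -> (user_id, passcode, expires_at)

    def register(self, user_id, password, phone):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _hash_password(password, salt), phone)

    def begin_login(self, user_id, password, now):
        """First factor: verify the memorized password, then issue a fresh
        passcode bound to a new browser session. Returns (session_id, phone,
        passcode); a real deployment would send the passcode by SMS to the
        phone and hand only session_id (as a cookie) to the browser."""
        rec = self.users.get(user_id)
        if rec is None:
            return None
        salt, pw_hash, phone = rec
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        session_id = secrets.token_urlsafe(16)
        passcode = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[session_id] = (user_id, passcode, now + OTP_TTL_SECONDS)
        return session_id, phone, passcode

    def complete_login(self, session_id, passcode, now):
        """Second factor: the passcode must arrive in the session that started
        the log-on, before it expires. The pending entry is consumed on the
        first attempt, pass or fail, so replays and repeated guesses fail."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return None
        user_id, expected, expires_at = entry
        if now > expires_at or not hmac.compare_digest(expected, passcode):
            return None
        return user_id
```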
