P800 RSA Password Generator

In the P800 white paper, it mentions "Password Generators from RSA
Security an Secure Computing" under the Security section. What are
they, and what (and how) are they used for?

TIA!
Viv

---

› See More: P800 RSA Password Generator

"Viv" <[email protected]> queried the Group:

> In the P800 white paper, it mentions "Password Generators from RSA
> Security an Secure Computing" under the Security section. What are
> they, and what (and how) are they used for?

Hi Viv:

RSA Security, Inc., and Secure Computing. Inc., are two American companies
which are leading vendors of hand-held devices that are used to generate
so-called "one-time passwords."

These one-time passwords or passcodes allow a website or remote server to
validate or authenticate -- to a high degree of certainty -- that a person
attempting to access a restricted site is indeed the same person that was
previously registered as an authorized user with legit access to that
website (or to some guarded resource on a particular network or machine
accessible though that website).

These devices offer what is called "two-factor authentication," and for
thirty years two-factor token-based "strong authentication" has been widely
recognized by security mavens to be a safer and far more secure alternative
to simple user-memorized passwords.

[InfoSec 101: An individual can only identify himself to a remote computer
by one of three methods: something known (eg. a password), something held
(e.g. a hardware token or device), or something one is (a biometric, e.g.,
fingerprint, voice sample, etc.)

[Two or three-factor authentication enhances online user identification
because the process relies on additional identifiers -- which in turn
require input from off-line devices, electromechanical or fleshy, believed
to be in the possession of an individual previously registered on the system
by some competent authority.

[As the name implies, a one-time password or passcode is a pseudo-random
number that can only be used once -- replays will not be accepted -- and
typically must be used very quickly after it is issued.]

For decades, RSA's SecurID and Secure Computing's Safeword -- tokens which
use similar but different technologies for their authentication process --
have been widely used around the world enable restricted access to protected
online resources.

There are millions of these tokens in use, in thousands of corporations and
many government agencies. In the US, for example, most White House staffers,
all US Senators, and many other top government officials have for years
carried a SecurID -- either a credit-card size device or a small key fob.
The SecurID has a little window that continuously displays a 6-8 digit
"passcode" that changes every 60 seconds.

Neat, and handy enough to be popular -- but for many of us any
authentication token is still just one more gadget we have to carry.

Last year, the big token vendors apparently decided that the SMS networks
were reliable and quick enough to allow them to offer two-factor
authentication systems that leverage an individual's possession of the one
gadget that no one can do without:-)

RSA www.rsasecurity.com introduced "RSA Mobile," and Secure Computing
<www.securecomputing.com> offered "MobilePass."

These systems allow a user, with a SSL-secured browser connection, to log on
to a website, enter an ID (or an ID and a memorized password) -- and then
have the site's authentication server send an SMS message or e-mail
containing a fresh "one-time passcode" to the user's mobile phone (or
wireless PDA, or Blackberry, or some other SMS-capable pager).

The user then types the SMS-transmitted "passcode" (or the "passcode" and a
memorized password) into the log-on form offered by the website to gain
access to the site or to some protected resource on the website.

In some sequence, the remote site always gets two factors -- both a
user-memorized password, and a passcode that could only have been generated
or (in this case) received by a specific physical device, which is assigned
to a specific user, and habitually carried by him or her.

RSA Mobile, with which I am more familar, issues a "one-time passcode" that
is only viable for a very brief period. In transmission, of course, my RSA
passcode is first encrypted with A5, the light-weight GSM voice encryption,
and then protected by SSL as it is sent back to the authentication server.
RSA Mobile also requires that a specific one-time passcode be submitted to
the secured site from the same device, in the same browser session, as the
original log-on -- something I assume they enforce with a short-term cookie
that drops down to the browser with the initial connection.

I won't bother you with details of the authentication servers which support
these systems. Surfice to say both vendors make their money selling Db-based
servers that allow an organization to safely handle the authentication
process, user registration and provisioning, the assignment of limited
rights and privileges to registered users, and sundry other aspects of
indentity and access management (IAM).

Hope this answers your questions, Viv. I beg the indulgence of the newgroup
for the off-hand tutorial. I may come back with some questions of my own.
I'm about to trade in my trusty T28 for a P-800.

Suerte,

_Vin

Vin McLellan
The Privacy Guild