>Looking for sources/vendors who provide "smart cards" products to secure
>logging onto a bastion host (Harris CyberGuard) over a serial connection
>(modem or direct connect). Looking for vendor/source names, phone numbers,
>www page, etc..
Well, there are a number of vendors (Enigma-Logic, National Semiconductor,
ACE Security Dynamics, Racal) but basically just four types of "smart
card" that I know of. With the exception of the last, all depend on software
running on the host-side equipment.
1) Time-synchronous: These are the cards with a display that changes
periodically. Very easy to use but rely on an accurate clock on the
host side to stay reasonably synchronous with the card. As a consequence
PC-based hosts do not always work well.
2) Challenge-response: A bit more difficult to use since the user (or software)
must read the challenge sent by the host, enter this into the device, and
respond to the host with a series calculated by the device. Since there
is no reliance on an external clock, these can be used on any platform
and can be handled entirely by software on both ends.
3) Series: The devices are pre-seeded with a value. Each subsequent use
causes a computation of the next sequential "password". Some use a
One-Time-Pad type implementation.
4) Autoigniting: This was the promise of Capstone/Tessera/Fortezza. Each
use will exchange a secure authentication mechanism developed on-the-fly.
Opinion: All have merit but the first three require coordination of the units
and provide only authentication of the channel. The last provides no
direct authentication (could but doesn't) rather is intended to secure
the channel. All could (and will eventually) provide both authentication
and channel encryption (have been waiting four years for that now, expect
within two). Have not (yet) seen any device that gives everything I
need.
Two encrypting/handshaking modems I saw at the CSI show come close, one
was from IRE in Baltimore, the other was from Parallon in Bellevue
Washington. Both provide session encryption and host-recognition based
authentication. Parallon was interesting in that it had the potential
for disk encryption as well but had not addressed the issue as yet. Do
not have any to play with (hint 8*).
Believe that the future is in a PCMCIA (guess the new term is "PC Card")
device that can provide authentication, auto-ignition session encryption,
full disk encryption, duress response, and have a jack for modem and
Ethernet. Have most of them now but in a herd of devices, not one.
(National Semi "Persona" is possibly the closest but is still "under
construction". Fortezza could do it also as soon as the gov decides to
either drop the LEAF - they do not need it - or allow designated escrow
holders - Lockheed-Martin comes readily to mind for some obscure reason 8*).
Just as error correcting modems (V-42, MNP-various) made secured
communications easy, the speed/size of the PCMCIA card makes all
else possible. Just a matter of time now but I am getting impatient.
Warmly,
Padgett
ps still need a copy of the tech manual for a "Lightweight Computer Unit
V2 LC" AN/GYC-37. Is "TM 11-7021-217-12 & P". Have gotten everything
but the display working & have plans for a portable FireWall. So far
have not been permitted to buy/beg/borrow the manual (tried both SAIC
and the GPO).
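The first three token types in the reply above (time-synchronous, challenge-response and series) are all things the host can verify in software, so here is an added example, not part of Padgett's post or any vendor's product, that models each of them side by side. It assumes HMAC-SHA256 as the keyed function (the 1990s devices used proprietary algorithms), a 60-second window with one step of tolerance for the time-synchronous case to illustrate the clock-drift problem the post mentions, and an S/KEY-style hash chain for the "series" type where the host only ever stores the previous password's hash. All keys, seeds and timestamps below are constructed for the example.

```python
"""Toy host-side verifiers for three one-time-password token types.

Added illustration, not code from the original post. Assumptions:
HMAC-SHA256 as the keyed function, 6-digit codes, 60 s time windows.
"""
import hashlib
import hmac
import secrets
import struct


def _prf(key: bytes, msg: bytes) -> bytes:
    """Keyed pseudo-random function shared by the time-sync and C/R schemes."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# 1) Time-synchronous: code depends on the shared key and the current window.
def time_sync_code(key: bytes, now: int, step: int = 60) -> int:
    window = now // step
    digest = _prf(key, struct.pack(">Q", window))
    return int.from_bytes(digest[:4], "big") % 1_000_000


def verify_time_sync(key: bytes, code: int, host_now: int,
                     step: int = 60, skew: int = 1) -> bool:
    """Accept the code from the host's window or `skew` windows either side.

    The skew is what keeps a slightly drifted host clock working; a host
    that is more than `skew` windows off rejects every valid code.
    """
    return any(time_sync_code(key, host_now + d * step, step) == code
               for d in range(-skew, skew + 1))


# 2) Challenge-response: host sends a fresh nonce, device keys it.
def make_challenge() -> bytes:
    return secrets.token_bytes(8)


def respond(key: bytes, challenge: bytes) -> str:
    """What the device (or its software emulation) types back to the host."""
    return _prf(key, challenge)[:6].hex()


def verify_response(key: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(respond(key, challenge), response)


# 3) Series: S/KEY-style hash chain. Device holds the seed, host holds
# only H^n(seed); the i-th password is H^(n-i)(seed) and the host checks
# that hashing it yields the value it stored last time.
def _h(v: bytes) -> bytes:
    return hashlib.sha256(v).digest()


def chain_password(seed: bytes, n: int, i: int) -> bytes:
    """Password for the i-th use (1 <= i <= n): H applied n-i times."""
    if not 1 <= i <= n:
        raise ValueError("chain exhausted or index out of range")
    v = seed
    for _ in range(n - i):
        v = _h(v)
    return v


def chain_top(seed: bytes, n: int) -> bytes:
    """Initial value enrolled on the host: H^n(seed)."""
    return chain_password(seed, n, 0 + 0) if False else _h(chain_password(seed, n, 1))


class ChainVerifier:
    """Host side of the series scheme; stores only the last accepted value."""

    def __init__(self, top: bytes) -> None:
        self.last = top

    def verify(self, password: bytes) -> bool:
        if hmac.compare_digest(_h(password), self.last):
            self.last = password      # advance; a replay now fails
            return True
        return False                  # wrong, replayed, or skipped a step


if __name__ == "__main__":
    key, seed = b"constructed-shared-key", b"constructed-seed"
    code = time_sync_code(key, 1_000)
    print("time-sync, host 59 s ahead :", verify_time_sync(key, code, 1_059))
    print("time-sync, host 130 s ahead:", verify_time_sync(key, code, 1_130))
    chal = make_challenge()
    print("challenge-response         :", verify_response(key, chal, respond(key, chal)))
    host = ChainVerifier(chain_top(seed, 5))
    p1 = chain_password(seed, 5, 1)
    print("series first use / replay  :", host.verify(p1), host.verify(p1))
```

Note the two failure modes the post alludes to: the time-synchronous check only tolerates drift inside the `skew` window, so a host clock that is far enough off locks the user out, while the hash chain needs no clock at all but refuses a password if one in the sequence was skipped (real S/KEY hosts handle that by iterating the hash up to a small bound; this toy does not).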