>>
>> >> I am playing with the TIS toolkit and have come across something I
>> >> wouldn't
>> >> have done that way and am therefore tempted to change. I'd like to hear
>> >> from the list why they think I should leave well alone (or not :-).
>> >>
>> >> Password changing on s/key. This requires the user to enter the "secret"
>> >> password, the one part of the s/key stuff which normally never leaves
>> >> the user's local system. I would like to change it so that the user enters
>> >> the three non-secrets when resetting the password, ie the new sequence
>> >> number, seed and the resulting s/key.
>> >
>> >This option is available in the version I use (I believe it's a -s).
>> >Hence, we thought your idea was a good one, too.
>>
>> Yes, if you are using the keyinit program directly. I was referring to
>> password changing via the TIS authsrv authentication server. It is linked to
>> the s/key library and allows password changing but only in the "insecure"
>> form.
>I have noticed the same problem. Did you get an answer from TIS?
>Remy
>
Yes. mjr@tis.com said, in effect, "we never thought of it, why don't you
write it?". So I will, when I can make time. (The boss wants our firewall
documented first "in case I get run over by a truck").
I am thinking of adding two options:
SKEYBLIND = system generates new seed and sequence number, user enters new S/Key
The problem with this is that we can do no password vetting. S/Key is
subject to password guessing attacks and users cannot be trusted not to use
their wife's name as a password. So:
SKEYPARANOID = The admin sets the password and issues it to the user once over
a "secure channel".
It is held in cleartext (or encoded) form on the authentication
server. We set a reset sequence number and a minimum sequence
number. When we hit the minimum sequence number we reset it and
increment the number on the end of the seed. We can issue the
user with a warning 100 skeys in advance. This means that the
authentication server must be airtight, but if you are also
using SecurID or Kerberos then it should be airtight anyway.
This is the "put all your eggs in one very strong basket"
approach, and should make S/Key more closely approach the
security of the smart-cards.
Comments and suggestions invited.
Al
---------------------------------------------------------------------------
Alastair Young _ Ariel NH
Cadence Design Systems, Information Services )/___ _ Red Hunter
555 River Oaks Parkway, 4B1 __/(___)_*##/c
San Jose CA 95134 Fax: (408)894-3487 / /\\|| \ / \ Brakes'n'lites
alastair@cadence.com (408)428-5278 \__/ ----'\__/ novel eh?
---------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
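Editor's note: the following is an added example, not code from the post above and not part of the TIS toolkit or authsrv. It sketches the server side of the proposed SKEYPARANOID option in Python: the admin-issued secret is held on the authentication server, the server hands out the two non-secrets (sequence number and seed) as the challenge, verifies each one-time password against the previously accepted one, and, when the sequence number falls to the minimum, bumps the number on the end of the seed and re-arms the chain at the reset sequence number with no input from the user. The class and function names are hypothetical, and the hash is a stand-in: real S/Key (RFC 1760) folds MD4 to 64 bits, while this example truncates SHA-256 to 8 bytes.

```python
import hashlib


def H(data: bytes) -> bytes:
    """One step of the hash chain.

    Assumption: real S/Key (RFC 1760) uses MD4 folded to 64 bits; this
    stand-in truncates SHA-256 to 8 bytes so the example stays short.
    """
    return hashlib.sha256(data).digest()[:8]


def otp(secret: str, seed: str, n: int) -> bytes:
    """One-time password number n: H applied n times to H(seed || secret).

    This is what the user's local calculator computes from the secret; in
    the SKEYPARANOID scheme the authentication server can compute it too.
    """
    value = H((seed + secret).encode())
    for _ in range(n):
        value = H(value)
    return value


class ParanoidAuthsrv:
    """Server side of the proposed SKEYPARANOID option (hypothetical class).

    The admin-chosen secret is held on the server, so the server can roll
    the sequence number over and bump the seed suffix without asking the
    user for anything but the next one-time password.
    """

    def __init__(self, secret: str, seed_base: str, reset_seq: int = 500,
                 min_seq: int = 10, warn_ahead: int = 100):
        self.secret = secret          # held in cleartext, as the post proposes
        self.seed_base = seed_base    # e.g. "ar"; a counter is appended
        self.seed_counter = 1
        self.reset_seq = reset_seq    # sequence number after a reset
        self.min_seq = min_seq        # reaching this triggers the reset
        self.warn_ahead = warn_ahead  # start warning this many OTPs early
        self._arm(reset_seq)

    @property
    def seed(self) -> str:
        return f"{self.seed_base}{self.seed_counter}"

    def _arm(self, n: int) -> None:
        """Set the next challenge to n and store OTP n+1 as the verifier."""
        self.seq = n
        self.last = otp(self.secret, self.seed, n + 1)

    def challenge(self) -> tuple:
        """The two non-secrets shown to the user at login."""
        return self.seq, self.seed

    def verify(self, response: bytes) -> dict:
        """Accept OTP n iff H(response) equals the stored OTP n+1."""
        if H(response) != self.last:
            return {"ok": False, "seq": self.seq, "seed": self.seed,
                    "reset": False, "left": self.seq - self.min_seq}
        # Advance the chain: the accepted OTP becomes the next verifier.
        self.last = response
        self.seq -= 1
        reset = False
        if self.seq <= self.min_seq:
            # Minimum reached: bump the number on the end of the seed and
            # start a fresh chain from reset_seq, all without user input.
            self.seed_counter += 1
            self._arm(self.reset_seq)
            reset = True
        return {"ok": True, "seq": self.seq, "seed": self.seed,
                "reset": reset, "left": self.seq - self.min_seq}

    def needs_warning(self) -> bool:
        """True when the user should be told a reset is coming."""
        return self.seq - self.min_seq <= self.warn_ahead


if __name__ == "__main__":
    # Small numbers so the reset is visible after two logins.
    secret = "admin-issued secret"   # constructed sample secret
    srv = ParanoidAuthsrv(secret, "ar", reset_seq=12, min_seq=10, warn_ahead=1)
    for _ in range(3):
        n, seed = srv.challenge()
        print(f"challenge {n} {seed} ->", srv.verify(otp(secret, seed, n)))
```

Note that a replayed one-time password fails because the stored verifier has already moved one step down the chain, and a password computed under the old seed fails after the reset because the new chain was derived from the new seed. Vetting of the secret itself is possible here precisely because the server holds it, which is the point of the option: the trade is that the authentication server now has to be as well protected as the post says.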