[4665] in WWW Security List Archive


Re: SecureID alternatives?

daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Wed Mar 5 10:49:35 1997

Date: Wed, 05 Mar 1997 14:19:56 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: Vin McLellan <vin@shore.net>
CC: "Haggard, John C." <jch@vasco.com>,
        www-security <www-security@ns2.rutgers.edu>, tel1dvw@is.ups.com,
        aisecur!KClancy@bpd.treas.gov
Errors-To: owner-www-security@ns2.rutgers.edu

Vin McLellan wrote:
<snip>
>         Vasco's Internet AK II offers two-factor (token and PIN)
> authentication in the classic role of the hand-held authentication (HHA)
> token: at the gateway, validating user IDs before allowing access to a
> protected Netscape server (with a neat little Java applet that drops a
> token-readable bar code on the user's screen.)

About that applet, I'd be curious to know how the user could safely check
that it's the 'right' one and not a malicious one.

> After authenticating the user, the
> WebID (which is part of the NT ACE/Client, on the web server) passes a
> timed cookie to the user's browser, which gives him continuous
> authentication to other protected items on that server (subject to his NT
> permissions) until the cookie times out.

Cookies (or hidden tags, or digest auth, or ...) without SSL AND a 'short'
timeout (short enough not to let bad guys decrypt it!) are pretty
useless from a security point of view.
An example of this is the way Checkpoint's firewall allows HTTP proxy
auth through SecurID tokens. It permits defining a period of time
during which any HTTP request presenting an HTTP auth user/password with
a good (but outdated) passcode is considered valid.

Roberto Galoppini
rgaloppini@tim.it
"Speak, friend, and enter"
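
The replay problem Roberto points at (a passcode or cookie that stays valid for a whole grace window, so anyone who captures it on an unencrypted link can reuse it) can be shown with a small added example. This is illustration code written for this archive page, not code from the original post, from Checkpoint, or from Vasco/Security Dynamics; the passcode function is a generic HMAC-over-time-counter construction, not the SecurID algorithm, and the seed, the 60-second step and the fixed clock are constructed values. It contrasts a stateless grace-window validator, which accepts a sniffed passcode again anywhere inside the window, with a validator that remembers which time counters have already been consumed.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; NOT a real SecurID seed and NOT SecurID's algorithm.
SECRET = b"demo-seed-0123456789abcdef"
STEP = 60  # seconds per passcode (assumed value for the demo)


def passcode(secret: bytes, t: int, step: int = STEP) -> str:
    """Hypothetical time-based passcode: HMAC-SHA1 over the time counter,
    truncated to 6 decimal digits (the same value for every t in one step)."""
    counter = t // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class GraceWindowValidator:
    """Stateless check: any passcode generated in the last `grace` seconds is
    accepted, as often as it is presented. A sniffed code replays freely."""

    def __init__(self, secret: bytes, grace: int) -> None:
        self.secret = secret
        self.steps = grace // STEP + 1  # number of past counters to try

    def check(self, code: str, now: int) -> bool:
        for k in range(self.steps):
            if hmac.compare_digest(code, passcode(self.secret, now - k * STEP)):
                return True
        return False


class OneTimeValidator:
    """Same grace window, but each time counter may succeed only once, so a
    captured passcode is useless after its first (legitimate) use."""

    def __init__(self, secret: bytes, grace: int) -> None:
        self.secret = secret
        self.steps = grace // STEP + 1
        self.used_counters: set[int] = set()  # would be shared state in a real gateway

    def check(self, code: str, now: int) -> bool:
        for k in range(self.steps):
            t = now - k * STEP
            if hmac.compare_digest(code, passcode(self.secret, t)):
                counter = t // STEP
                if counter in self.used_counters:
                    return False  # replay inside the window: reject
                self.used_counters.add(counter)
                return True
        return False


def replay_demo(grace: int = 600) -> dict[str, bool]:
    """Simulate an attacker who captured a passcode at time `now` and replays it.
    Uses a fixed clock so the result is deterministic."""
    now = 1_000_000_000  # constructed fixed clock value
    captured = passcode(SECRET, now)
    grace_v = GraceWindowValidator(SECRET, grace)
    onetime_v = OneTimeValidator(SECRET, grace)
    return {
        "grace_first_use": grace_v.check(captured, now),
        "grace_replay_5min_later": grace_v.check(captured, now + 300),
        "grace_replay_after_window": grace_v.check(captured, now + grace + 2 * STEP),
        "onetime_first_use": onetime_v.check(captured, now),
        "onetime_replay_5min_later": onetime_v.check(captured, now + 300),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:28s} accepted={ok}")
```

Note that the one-time check only closes the replay hole; it does nothing against an attacker who captures the code and uses it before the legitimate user does, or who hijacks the session cookie issued afterwards. That is why the post's point stands: the transport has to be encrypted as well, and the cookie lifetime kept short.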
