[375] in Kerberos
Powerhouse Patrons Behind ID Tokens
daemon@TELECOM.MIT.EDU (Vin McLellan)
Wed Apr 27 21:12:47 1988
Resent-From: Bob Sidebotham <bob+@andrew.cmu.edu>
Resent-To: kerberos@ATHENA.MIT.EDU
X-Digest-From: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.COM>
X-Digest-To: RISKS-LIST@KL.SRI.COM
From: "Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Apparently-To: kerberos@athena.mit.edu
A new venture in token-based ID authentication -- and a hint of a broad
new thrust in EDP security -- has emerged with the first product from the
Applied Information Technologies Research Center, a little-known R&D consortium
organized in 1984 by a number of universities and leading U.S. vendors of
information service products.
AITRC, in Columbus, Ohio, is about to beta test a credit card-sized
calculator which implements a challenge-response ID authentication. A software
module on a host CPU sends a 7-digit challenge to a remote terminal, the user
keys that number into his "calculator," presses a special authentication button
to process that number (and a token-specific seed) through a one-way crypto
algorithm -- then reads off the 7-digit response code on the calculator's LCD
screen. That number, transmitted to the host, verifies the token as one issued
to a specific user.
Tokens (also called "hand-held password generators") are said by IBM to
increase the certainty of end user authentication by at least a full order of
magnitude over mere passwords. Tokens implement the second of the three ID
authentication options (something known, something held, something inherent to
the user) and have drawn rising interest as the relative frailty of classic
password systems becomes apparent and risks proliferate.
The two leading vendors, Security Dynamics in Cambridge, Ma., and Sytek of
Mountain View, Ca., are NSA-certified -- so their tokens can be integrated into
access control systems for secure DoD computers -- and SD last week obtained a
GSA scheduled contract which allows no-bid purchases by federal agencies. But
the AITRC development may mark tokens even more forcefully as the future
direction for the industry.
AITRC is jointly funded by CompuServ, Meade Data Central, Chemical
Abstracts, the Online Computer Library Center and John Wiley & Sons; as well as
Carnegie Mellon University, University of Pittsburgh, Wright State University,
Ohio State, the Ohio State University Research Foundation, BDM Corp., and
Batelle Institute. No lightweights there.
AITRC hopes to see licensed token/calculators marketed at $10 apiece
by the end of this year, according to AITRC president George Minot --
although the members of the AITRC consortium could potentially use and offer
them to their clients for even less, he said, since consortium members get
royalty-free access to the technology.
At $10 per unit, AITRC would revolutionize the pricing of tokens --
which currently range between four and ten times that for comparable
devices. Minot conceded, however, that projected price is based on high
volume production (minimum 100,000) overseas. The AITRC token is built upon
the 4-bit NEC calculator chip, works as a standard calculator, and is
powered by a 2-year lithium battery. According to Minot, the device is also
designed to be "initialized," or registered on the host, from any remote
terminal or push button telephone.
Vin McLellan, The Privacy Guild, Boston, Ma. (617) 426-2487
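The following is an added example, not part of Vin McLellan's post, that works through the host/token exchange the post describes: the host sends a 7-digit challenge, the token runs it together with a token-specific seed through a one-way function, and the host checks the 7-digit response against the seed it stored when the token was initialized. Everything below is assumed for illustration: the post does not name AITRC's one-way algorithm (HMAC-SHA256 is used here in its place), the seed and user names are constructed, and the one-outstanding-challenge rule and the three-failure lockout are the host-side checks a practitioner would add, not anything the post attributes to AITRC. The example also covers two failure modes the post does not discuss: a response replayed against a challenge the host already consumed, and a 7-digit response space that is small enough to need a guess limit.

```python
import hashlib
import hmac
import secrets

CHALLENGE_DIGITS = 7
RESPONSE_DIGITS = 7
MAX_FAILURES = 3  # assumed lockout threshold; not from the post


def token_response(seed: bytes, challenge: str) -> str:
    """Token side: one-way function over (seed, challenge), reduced to 7 decimal digits.

    HMAC-SHA256 is this example's assumption; the post does not name AITRC's algorithm.
    """
    if len(challenge) != CHALLENGE_DIGITS or not challenge.isdigit():
        raise ValueError("challenge must be %d decimal digits" % CHALLENGE_DIGITS)
    digest = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % 10 ** RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


class Host:
    """Host-side module: holds each user's token seed (set at initialization),
    issues one outstanding challenge per user, and verifies the typed-back response."""

    def __init__(self) -> None:
        self.seeds = {}     # user -> token seed registered at initialization
        self.pending = {}   # user -> challenge awaiting a response
        self.failures = {}  # user -> consecutive wrong responses

    def register(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
        self.failures[user] = 0

    def issue_challenge(self, user: str) -> str:
        if user not in self.seeds:
            raise KeyError(user)
        # A fresh random challenge each time; it replaces any earlier unanswered one.
        challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # Unknown users and users past the failure limit are refused outright;
        # 10^7 possible responses is small enough that unlimited guessing must be cut off.
        if self.failures.get(user, MAX_FAILURES) >= MAX_FAILURES:
            return False
        # Each challenge is consumed on first use, so a captured response cannot be replayed.
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = token_response(self.seeds[user], challenge)
        if hmac.compare_digest(expected, response):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


def demo() -> dict:
    """Run one legitimate login, one replay, and one response from a different token."""
    host = Host()
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed seed
    host.register("alice", seed)

    challenge = host.issue_challenge("alice")        # host -> terminal
    response = token_response(seed, challenge)       # user keys challenge into token
    results = {"login": host.verify("alice", response)}

    # The same response typed again: the challenge was consumed, so it is refused.
    results["replay"] = host.verify("alice", response)

    # A token with a different seed answering a fresh challenge.
    challenge2 = host.issue_challenge("alice")
    results["wrong_token"] = host.verify("alice", token_response(b"not-alice-seed", challenge2))
    return results


if __name__ == "__main__":
    print(demo())
```

The seed never leaves the host or the token; only the challenge and the 7-digit response cross the terminal link, which is what makes the scheme safe to use over a line an eavesdropper can read.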