Article 17255 of alt.security:
Path: jac.zko.dec.com!alfabx.lkg.dec.com!lead.zk3.dec.com!crl.dec.com!pa.dec.com!decuac.dec.com!haven.umd.edu!ames!pacbell.com!nntp-hub2.barrnet.net!news3.near.net!shore.shore.net!slip-0-5.shore.net!user
From: vin@shore.net (Vin McLellan)
Newsgroups: alt.security,comp.security.unix,rec.radio.amateur.digital.misc
Subject: Re: WANTED: One time password facility for Linux
Date: Sun, 11 Jun 1995 14:48:27 -0500
Organization: Privacy Guild
Lines: 108
Message-ID:
References: <3rg324$get@nyx.cs.du.edu>
NNTP-Posting-Host: slip-0-5.shore.net
Xref: jac.zko.dec.com alt.security:17255 comp.security.unix:16997 rec.radio.amateur.digital.misc:9949

> In article <3rg324$get@nyx.cs.du.edu>,
> gcortevi@nyx.cs.du.edu (Greg Corteville) seemed to say:

> > I'm looking for a program that will generate a number of random passwords
> > during a secure session. I would then use each password once and the
> > program would change my password to the next immediately after login.

Attached is the appendix on OTP vendors that was published with the
Internet CERT (Computer Emergency Response Team) Report on Network
Monitoring Attacks in February, 1994.

+The Privacy Guild

/////////////////CERT Text Follows ////////////

ONE-TIME PASSWORDS

Given today's networked environments, CERT recommends that sites
concerned about the security and integrity of their systems and
networks consider moving away from standard, reusable passwords. CERT
has seen many incidents involving Trojan network programs (e.g., telnet
and rlogin) and network packet sniffing programs. These programs
capture clear-text hostname, account name, password triplets.
Intruders can use the captured information for subsequent access to
those hosts and accounts. This is possible because 1) the password is
used over and over (hence the term "reusable"), and 2) the password
passes across the network in clear text.

Several authentication techniques have been developed that address
this problem.
Among these techniques are challenge-response technologies
that provide passwords that are only used once (commonly called
one-time passwords). This document provides a list of sources for
products that provide this capability. The decision to use a product
is the responsibility of each organization, and each organization
should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

    The S/KEY package is publicly available (no fee) via
    anonymous FTP from:

        thumper.bellcore.com    /pub/nmh directory

    There are three subdirectories:

    skey    UNIX code and documents on S/KEY.
            Includes the change needed to login,
            and stand-alone commands (such as "key"),
            that computes the one-time password for
            the user, given the secret password and
            the S/KEY command.

    dos     DOS or DOS/WINDOWS S/KEY programs. Includes
            DOS version of "key" and "termkey" which is
            a TSR program.

    mac     One-time password calculation utility for
            the Mac.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)

    Digital Pathways, Inc.,
    201 Ravendale Dr.
    Mountain View, Ca. 94043-5216 USA
    Phone: 415-964-0707
    Fax: (415) 961-7487

    Products:
        handheld authentication calculators (SNK004)
        serial line auth interruptors (guardian)

    Note: Secure Net Key (SNK) is DES-based, and therefore
    restricted from US export.

SecurID (complete turnkey systems)

    Security Dynamics,
    One Alewife Center,
    Cambridge, MA 02140-2312 USA
    Phone: 617-547-7820
    Fax: (617) 354-8836

    Products:
        SecurID changing number authentication card
        ACE server software

    SecurID is time-synchronized using a 'proprietary' number
    generation algorithm

WatchWord and WatchWord II

    Racal-Guardata,
    480 Spring Park Place,
    Herndon, VA 22070
    703-471-0892
    1-800-521-6261 ext 217

    Products:
        Watchword authentication calculator
        Encrypting modems

    Alpha-numeric keypad, digital signature capability

SafeWord

    Enigma Logic, Inc.
    2151 Salvio #301
    Concord, CA 94520
    510-827-5707
    Fax: (510)827-2593

    Products:
        DES Silver card authentication calculator
        SafeWord Multisync card authentication calculator

    Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well
    as other OS versions. Supports one-time passwords and super
    smartcards from several vendors.

    Products:
        software chall/response authentication: LOCKout DES
        PCMCIA authentication/encryption: LOCKout Tessera

(End CERT TEXT - >>>>>>>>>>>>>>>>>>>

--
Vin McLellan +The Privacy Guild+ USA
Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma. 02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
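
Added example (not part of the original post or the CERT text, and not S/KEY's own code): a Lamport-style hash-chain one-time password exchange of the kind S/KEY is based on, showing that a password captured in clear text on the wire is rejected when replayed. SHA-256, the class and function names, and the sample seed and pass phrase are assumptions made for the illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # One-way function. SHA-256 is an assumption for this example;
    # S/KEY uses its own hash and output encoding.
    return hashlib.sha256(data).digest()


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Password number n in the chain: h applied n times to seed+secret."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Holds the last accepted password and a counter, never the secret."""

    def __init__(self, seed: bytes, count: int, initial: bytes):
        self.seed, self.count, self.last = seed, count, initial

    def challenge(self):
        # Sent in clear text: which chain position the user must compute.
        return self.count - 1, self.seed

    def login(self, candidate: bytes) -> bool:
        # count <= 1 means the chain is used up and must be re-initialised;
        # position 0 would be the unhashed secret itself.
        if self.count <= 1:
            return False
        # Accept only if one more hash of the candidate gives the stored value.
        if not hmac.compare_digest(h(candidate), self.last):
            return False
        self.last, self.count = candidate, self.count - 1
        return True


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # constructed values
    server = Server(seed, 100, otp(secret, seed, 100))
    n, s = server.challenge()
    sniffed = otp(secret, s, n)        # the value a packet sniffer would capture
    first = server.login(sniffed)      # legitimate login
    replay = server.login(sniffed)     # same value again: no longer valid
    n2, s2 = server.challenge()
    second = server.login(otp(secret, s2, n2))  # needs the secret to compute
    return first, replay, second, n, n2
```

The captured value only lets an observer compute passwords that have already been used; the next one requires inverting the hash or knowing the secret.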