Nuno Bandeira <n...@holos.pt> queried the Newsgroups:
> We are looking for security products that provide user authentication
> using small hardware devices (smart-card like) that _do_not_need_
> specific card readers.
> We want to be able to provide these cards to our end users without
> forcing them to install any hardware on their computers and effectively
> enable them to access our system from any computer using just the card.
> Two products that closely match our requirements are:
>
> - Vasco's AccessKey II
> - Security Dynamics' SecurID
>
> After identifying the user we wish to start a secure web connection in
> order to transfer private user data in both directions.

For Security Dynamics Technologies (SDTI), based in Bedford, Ma., USA.
See: <http://www.securid.com>, <http://www.rsa.com>, and <http://www.dynas.se>

For Vasco Data Security, Inc., based in Oakbrook Terrace, IL, USA.
See: <http://www.vasco.com/>.

You might want to look closely at the latest enhancements in the WebID
toolkit which ships as part of SDTI's ACE/Agent for NT, supporting SecurID
apps in webservers. I do a lot of consulting for SDTI, so I'm not exactly
objective, but I think the new WebID access control options deserve
special attention.

The WebID toolkit allows a webmaster to demand two-factor SecurID
authentication before allowing a remote user access to designated
directories, pages, or objects in an IIS or Netscape webserver (even
when other portions of the webserver are open to the public.) It can
also be used to _require_ the user to link to those protected objects or
pages only with SSL.

(After a successful SecurID authentication, the WebID facility drops an
encrypted cookie -- timed to self-destruct, as determined by the admin --
into the user's browser to allow a pseudo-stateful http connection. That
means the user does not need to repeatedly SecurID-authenticate as his
browser hits the webserver to demand additional html pages.)

(To support dynamic page generation, the cookie can also repeatedly
provide the webserver with the user's "user_name" and browser type with
each authentication call.)

A couple of weeks ago, SDTI announced a powerful new WebID access
control enhancement for the new version of the ACE/Agent for NT. At
least on Microsoft's IIS webserver, the WebID facility now allows the ACE
administrator to assign SecurID users to groups in the ACE/Server
database, and then to establish multiple group-based access privileges to
any portion of the webserver. (This means you can control access
privileges for hundreds or thousands of people -- who only need secure and
strongly-authenticated access to the protected website, or selected
portions of that website -- at the ACE/Server, _without_ having to set up
NT user accounts for them.)

I don't know what plans, if any, SDTI has to extend this functionality
to other webservers -- although SDTI has traditionally worked closely with
both Netscape and Microsoft. Both, of course, are heavily dependent on
SDTI's RSA cryptosystems, both for public-key and symmetric crypto.

If strong SSL crypto is important to you (or to your non-American
clients,) I trust you are also familiar with Fortify for Netscape
<http://www.fortify.net>, a neat hack which enables (turns "on") strong
SSL (and S/MIME) crypto in Netscape v.3 and v.4. If this is a concern, you
might also want to track the efforts of the Mozilla Crypto Group in
Australia <http://mozilla-crypto.ssleay.org/>, where a notable group of
cryptographers are working to integrate strong-crypto SSL (SSLeay) into
the newly-released Netscape source code -- a further promise that the
confidentiality of web-based data transfers will not be held hostage to
the US export controls.

Other vendors of "readerless" hand-held authentication (HHA) tokens
active in the North American market which you may wish to check out
include:

_ Activcard, <http://www.activcard.com>, a French firm out of Paris,
which has US offices in Redwood City, CA.

_ Axent Technologies, based in Rockville, Md., USA.
Axent bought Assurenet Pathways (né Digital Pathways,) vendor of the
Defender token, in 1997. Now marketed as the OmniGuard Defender.
See: <http://www.axent.com>

_ CRYPTOCard Corporation, based in Toronto, Canada.
See: <http://www.cryptocard.com/>

_ LeeMah DataCom, based in Fremont, CA, USA.
See: <http://www.leemah.com>

_ Secure Computing Corp., based in San Jose, CA, USA.
SCC purchased Enigma Logic, vendor of the Safeword token, in 1996.
See: <http://www.securecomputing.com/>

> Any information (products, technologies, pointers, white papers, etc)
> would be of great help and highly appreciated.
>
> ---
> Nuno Cabrita Bandeira | n...@uninova.pt
> HOLOS, Lda. |
> Campus da FCT/UNL | Fax: (+351) (1) 350-0291
> 2825 Monte Caparica, PORTUGAL | Phone: (+351) (1) 350-0211
Suerte,
_Vin
-----
Vin McLellan + The Privacy Guild + <v...@shore.net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --
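
The timed session cookie described in the post above, sketched as an added example; it is not part of the original post and is not SDTI's WebID code or cookie format. Assumptions: the function names, field layout and demo key are hypothetical, and HMAC-SHA256 signing stands in for the encryption the post mentions, so the claims are tamper-evident but readable by the client.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real server loads a random secret
# from protected storage and never ships it in source.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_cookie(user_name: str, browser: str, now: int, lifetime_s: int) -> str:
    """Called once, after the token authentication has succeeded."""
    claims = {"user_name": user_name, "browser": browser, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode("utf-8")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)


def check_cookie(cookie: str, now: int):
    """Return (user_name, browser) for a genuine, unexpired cookie, else None."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison; the body is parsed only after the tag verifies.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    # The expiry is enforced by the server, not left to the browser.
    if now >= claims["exp"]:
        return None
    return claims["user_name"], claims["browser"]


if __name__ == "__main__":
    c = issue_cookie("alice", "Netscape/4.0", now=1000, lifetime_s=600)
    print(check_cookie(c, now=1200))  # accepted within the lifetime
    print(check_cookie(c, now=1600))  # rejected once the lifetime has passed
```

Because the expiry sits inside the signed body, a client that edits the cookie to extend its lifetime fails the tag check and has to authenticate with the token again.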