Token Applications
1. A token may be embedded in a smart card, which has the physical appearance of a credit card but has the above authorization mechanisms embedded. (We will study smart cards in detail in Section 9.3.) The login ID is not static, and may actually change every few minutes for security reasons. Thus, if a security token is lost, and Mallory finds it, he cannot access the network without Alice's PIN. Furthermore, an additional security measure against the possibility that Mallory might launch a brute-force attack to recover Alice's PIN is that the device would be disabled after a small number of attempts to enter the PIN, say, three or four. Hence, security tokens provide one of the foremost modern, practical methods for the storing of secret keys.
2. Since employees of, say, a corporation need to insert their security token into their computers for network access, the corporate administrators must guard against human laziness. For instance, a user, such as Alice, might decide to leave her office, to get a coffee, say, and not remove the token from her computer, which is a security risk. To guard against this, the employers may require that the token is needed for access to her office, the coffee machine, the filing cabinets, the department office, the rest room, and so on. In this fashion, the token cannot be left unattended in any reasonable scenario. This makes such a system foolproof, but not idiot-proof. (An adage is that genius knows its limitations, but stupidity is unbounded.)
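The two properties of item 1 above, a login code that changes every time step and a PIN whose repeated mis-entry disables the device, modelled in code. This is an added illustration, not from the book; the HMAC-over-time-step construction, the 60-second step, the three-attempt limit and the seed value are all assumptions.

```python
import hmac
import hashlib
import struct
from typing import Optional

TOKEN_SECRET = b"constructed-demo-seed-not-a-real-key"  # constructed sample seed
STEP_SECONDS = 60  # assumed: the displayed code changes once per minute


def time_code(secret: bytes, now: int) -> str:
    """Derive a 6-digit code from the secret and the current time step (assumed scheme)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP-style schemes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class SecurityToken:
    """The device Alice holds: releases a code only after a correct PIN, with lockout."""

    def __init__(self, secret: bytes, pin: str, max_attempts: int = 3):
        self.secret, self.pin, self.max_attempts = secret, pin, max_attempts
        self.failed = 0
        self.disabled = False

    def unlock(self, pin_attempt: str, now: int) -> Optional[str]:
        if self.disabled:
            return None  # a found token stays useless even if Mallory later learns the PIN
        if not hmac.compare_digest(pin_attempt, self.pin):
            self.failed += 1
            if self.failed >= self.max_attempts:
                self.disabled = True  # brute-forcing the PIN is cut off after a few tries
            return None
        self.failed = 0
        return time_code(self.secret, now)


class Verifier:
    """The network side: shares the seed and accepts codes from nearby time steps only."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window = secret, window

    def check(self, code: str, now: int) -> bool:
        for delta in range(-self.window, self.window + 1):
            candidate = time_code(self.secret, now + delta * STEP_SECONDS)
            if hmac.compare_digest(candidate, code):
                return True
        return False  # a code captured minutes ago no longer logs anyone in
```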
We will learn about other security options such as biometrics in Section 9.4. For now, we turn to a remote login protocol that is considered to be the industry standard.
The Secure Shell Remote Login Protocol (SSH)
Although there is an older version, SSH1, we will describe only the newer one, SSH2, which corrects failings of the original, including susceptibility to certain attacks. SSH1 and SSH2 are quite different and are actually incompatible under certain configurations. We describe only SSH2 since it is a complete rewriting of the SSH1 protocol, does not use the same networking implementation, and is more secure. We do point out the advantages of SSH2 over SSH1 when that benefit is an overwhelming one. For instance, see the automatic mechanism for host authentication on page 337.
Although the protocols in SSH2 described below may have many differing formats, we do not delve into that detail. Instead, suitable references will be provided for the interested reader. We concentrate upon the description of the main protocols and focus upon SSH2 as a development that is well on its way to becoming the new standard for remote login.