Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


June 1997

Token-Based Security Add-Ons


RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Most network security systems rely on single-factor authentication. With this type of authentication, end users need only one item to verify the username they enter when they log on. This one item is usually a password, which often remains the same for a significant amount of time.

Most end users don't know what authentication refers to in the realm of computer security, but when you ask them about passwords, they know what you mean. Passwords are a battle. End users want passwords that are short and easy to remember. Security administrators want passwords that are long and difficult to crack. Even if the security administrators have their way, nothing will stop the proverbial Post-It note from appearing on a user's monitor with a long and difficult-to-remember password written on it.

Even if users keep their password secret, accessing passwords is possible if you do not change them regularly. A protocol analyzer can capture static passwords off the network. Someone with enough computing horsepower can break an encrypted password.

Security experts agree that the current password-generation method that corporate computing uses is not effective. The tremendous growth in the Internet (and intranets), telecommuting, and the soon-to-be ubiquitous market of electronic commerce magnify password confidentiality and security concerns.

Two-Factor Authentication
An alternative to the current security approach is two-factor authentication: The user provides two items, a personal identification number (PIN) and a token code. The PIN is unique to each user and is encrypted when it is transmitted over the network or WAN. Think of the PIN as the security-equivalent of the PIN you use with your ATM card or credit card. A physical device called a token generates the token code. The token displays a new code every 60 seconds; therefore each token code is used only once.

Token-based authentication eliminates nearly all the risk involved with validating users in a network. Token-based schemes improve security, lower per-user cost, centralize and reduce administration costs, and minimize unauthorized access to services. A few major players that produce token-based authentication solutions for the Windows NT environment are listed in the contact box.

The ACE System
Security Dynamics is a leading vendor of token-based authentication solutions. To give you an example of a typical token-based authentication system, this article will explore the uses and functionality of Security Dynamics' ACE/Server software and SecurID token.

ACE/Server provides authentication services for network resources; audit and reporting utilities; realtime monitoring of logon and administrative activity; and GUI-based tools for administering the ACE system, the users, and the PIN and token-code database. The ACE/Server software runs under NT Server or various UNIX implementations and works with a client-side module, the ACE/Client. The software is optimized for NT, and you can perform all security management functions from the server or from an NT workstation. ACE/Server provides enhanced security for both local network logons and remote logons via Remote Access Service (RAS).

The SecurID token is about the size of a credit card, but thicker. It contains an 8-bit microprocessor, memory, a clock chip, and a lithium battery, and provides LCD output for the token code. The token is a sealed device that does not require battery changes. A token that lets you unlock it and replace the batteries is a significant security risk, so the microprocessor is designed to erase its memory if the token's casing is breached or otherwise subjected to attack.

The code a SecurID token displays is a pseudo-random number that changes every 60 seconds. No one can calculate, guess, or otherwise determine the next or future codes from a record of past codes from that SecurID token. Determining a code is computationally impossible if you don't know the seed numbers that were entered for the proprietary one-way function (OWF) hash algorithm that calculates the code. The standard SecurID token runs for up to four years. During this period, it generates 4 million to 8 million sequential calculations. You can also preprogram tokens to terminate at a given date and time.

Each user is assigned a PIN that corresponds to the token. The PIN is between four characters and eight characters long and can be all numeric or a mix of numbers and alphabetical and typographical characters. Longer PINs obviously provide greater security against an attacker who tries to guess a user's PIN or who tries to read a PIN over the shoulder of a user working at a keyboard.

ACE/Server also supports a duress PIN in addition to the normal PIN. Users can enter the duress PIN if they're logging on under coercion. With a duress PIN, the user is granted access and sees no apparent difference in the system's response. But the system records the access in the audit trail, and the ACE/Server administrator's account is immediately notified of the event. The administrator sees a pop-up message or a message on a beeper. The administrator can then take appropriate action.

   Previous  [1]  2  Next 


Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...


Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education

Related Events WinConnections and Microsoft® Exchange Connections

Deep Dive into Windows Server 2008 R2 presented by John Savill

Introduction to Identity Lifecycle Manager "2"

Check out our list of Free Email Newsletters!

Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement