challenge-response token
Lourens Bordewijk
bordewijk at fox-it.com
Thu Apr 4 21:32:33 EST 2002
Hello,
I have to find a solution to log on through OpenSSH to OpenBSD machines from
anywhere in the world (unsafe computers). So I think I must use a
challenge-response system with a hardware token that isn't connected to the
computer. I do not want to use an RSA ACE/SERVER, so I can't use SecurID? I
can't use challenge response mode with cryptocard, because I want to protect
it against an attacker that can break DES. Is it possible to use ActivCard
with OpenSSH and OpenBSD? Are there other solutions?
Is there anyone who can help me?
Thanx,
>SecurID is probably the easiest (for you and your users). Cryptocard is
>probably the cheapest. Activcard is probably the hardest to implement.
>I'd say they are all within the realm of "good". Don't use challenge
>response mode with cryptocard if you wish to protect against an attacker
>that can break DES. Your users won't like challenge/response mode anyway.
>Funny thing, cryptocard can store 3 keys and so could do 3DES if they
>wanted, or they could do a 2-key scheme which is unbreakable with any
>computing power. Oh well. I think I'll patent that and license it back
>to them. :-\
Lourens Bordewijk
Fox-IT Forensic IT Experts B.V.
Oude Delft 47
2611 BC Delft
Tel: 015 - 21 91 111
________________________________________________________
http://www.fox-it.com
________________________________________________________