[vpn] Re: Two Factor Authentication, was PKI authentication with VPN

Tina Bird tbird at precision-guesswork.com
Fri Mar 22 01:06:05 EST 2002


Okay, okay, I'll chip in my opinion here -- tho' I
didn't watch the beginning of the thread as closely
as I might have if I'd known I would get dragged in!

The SecurID key pad card still qualifies as two
factor, because you have to have your PIN (what you
know) and the token (what you have), and the server
validates that combination.  One factor would be
being able to log in with just the PIN or just
the token.

tbird

                             Don't get even -- get odd.
                                     Swami Beyondananda

Life: http://www.shmoo.com/~tbird
Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://vpn.shmoo.com
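Tina's distinction (the server checks the PIN and the tokencode together, and neither alone gets you in) as an added example that is not from this thread: a toy ACE-style verifier in Python. The tokencode generator is an HOTP-style stand-in (RFC 4226 truncation), not RSA's SecurID algorithm; the seed, PIN, timestamp and the "PIN followed by tokencode" passcode layout are all constructed assumptions for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo secrets (not real SecurID seeds or PINs).
TOKEN_SEED = b"constructed-demo-seed-0001"   # what you have: burned into the token
USER_PIN = "4711"                           # what you know: memorised by the user
CODE_DIGITS = 6
STEP_SECONDS = 60


def token_code(seed: bytes, t: int) -> str:
    """What the token would display at time t.

    HOTP-style stand-in (assumption): HMAC-SHA1 over the time step with the
    RFC 4226 dynamic truncation. It is NOT RSA's proprietary algorithm.
    """
    counter = struct.pack(">Q", t // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_passcode(passcode: str, pin: str, seed: bytes, t: int) -> bool:
    """Server side of the thread's argument.

    The user transmits PIN and tokencode as ONE string, but the server still
    checks two independent factors: the PIN half against the user's PIN and the
    tokencode half against the code the seed produces for this time step.
    A correct PIN alone or a correct tokencode alone is rejected.
    """
    if len(passcode) != len(pin) + CODE_DIGITS:
        return False
    submitted_pin = passcode[:len(pin)]
    submitted_code = passcode[len(pin):]
    # Evaluate both checks unconditionally and compare in constant time so a
    # failed PIN does not leak timing about the tokencode, or vice versa.
    pin_ok = hmac.compare_digest(submitted_pin.encode(), pin.encode())
    code_ok = hmac.compare_digest(submitted_code.encode(),
                                  token_code(seed, t).encode())
    return pin_ok and code_ok


def demo(t: int = 1016773565) -> dict:
    """Return which submissions the verifier accepts at constructed time t."""
    code = token_code(TOKEN_SEED, t)
    return {
        "pin+token": verify_passcode(USER_PIN + code, USER_PIN, TOKEN_SEED, t),
        "pin only": verify_passcode(USER_PIN, USER_PIN, TOKEN_SEED, t),
        "token only": verify_passcode(code, USER_PIN, TOKEN_SEED, t),
        "wrong pin+token": verify_passcode("0000" + code, USER_PIN, TOKEN_SEED, t),
    }
```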


On Thu, 21 Mar 2002, Adam Safier wrote:

> Kent,
> 
> Seems like an awfully fine distinction.  SecurID used to have a numeric key
> pad card (I don't know if they still do) where you entered your PIN, it
> generated a number and you entered only the number in the authentication
> screen on the workstation.  That would NOT be two factor by your definition
> even though it used the ACE server.  The more common (and cheaper) token
> card without a key pad would qualify since you are sending the PIN and the
> number.
> 
> The access point gateway only gets one authentication "OK" from the ACE
> server so I still have problems with this since where do you draw the line?
> From my view point, the numeric key pad card and the smart card are still
> two-factor.  You have to have the card and you have to know a password.
> 
> I think it all comes down to definition.  I have not followed the IETF
> lately to see if they defined it in any way in the "standards".  It really
> does not matter that much in real life. The point is to get strong
> authentication that can be carried to many processes and applications.  For
> that, the PKI / local password to smart card  solution is OK.  I like PKI /
> local bio authentication to smart card better (finger print never leaves the
> reader) but that is just coming around from the products I know.
> 
> I'd love to see some opinions from the list but I have the feeling we're the
> only ones discussing this.
> 
> I can't make the VPNcon but I hope you have lots of fun.
> 
> Adam
> 
> 
> 
> ----- Original Message -----
> From: "Kent Dallas" <kent at dalliesin.com>
> To: "'Adam Safier'" <safieradam at hotmail.com>; <vpn at securityfocus.com>
> Sent: Thursday, March 21, 2002 5:40 PM
> Subject: RE: Two Factor Authentication, was PKI authentication with VPN
> 
> 
> > Adam,
> >
> > RSA's SecurID is two-factor, since the gateway (with the ACE server
> > architecture) verifies both the one-time password and the PIN.  While this
> > may sound like two passwords, the one-time password is established from the
> > token (or soft token, if so implemented).  The fact that they are
> > transmitted together is irrelevant.  And the fact that it is two-factor
> > doesn't mean that it is more secure than all single factor systems.
> >
> > I don't have a lot of experience with CheckPoint VPN-1, but I think beginning
> > with v4.1, they supported "hybrid" authentication, which allows "legacy"
> > authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be
> > combined with (or to replace) either pre-shared keys or digital
> > certificates.  Perhaps someone with more experience with VPN1 can confirm or
> > refute.
> >
> > Adding username/password to your implementation would be an example of a
> > two-factor authentication system.  The IPsec service I designed for
> > Intelispan (now McLeodUSA) utilized both digital certificates and
> > username/passwords, for another example.  And there are plenty of others out
> > there as well.  As you may have noticed from slide 20 on the L2TP
> > presentation, we even engineered a two-factor authentication solution with
> > an L2TP compulsory tunnel service (no IPsec).
> >
> > Sun operates an iPlanet forum at
> > <http://supportforum.sun.com/cgi-bin/WebX.cgi?/iplanet.general>.
> >
> > Thanks for checking out the site. On May 14th, I'll be presenting
> > "Authentication Alternatives for Remote Access VPNs" at VPNcon
> > <www.vpncon.com> in San Jose.  That presentation will be added to my site
> > shortly after the presentation. I'd hope you would have the chance to
> > attend.
> >
> > Regards,
> > Kent Dallas
> >
> > -----Original Message-----
> > From: Adam Safier [mailto:safieradam at hotmail.com]
> > Sent: Thursday, March 21, 2002 3:34 PM
> > To: kdallas at dalliesin.com; vpn at securityfocus.com
> > Subject: Re: Two Factor Authentication, was PKI authentication with VPN
> > - was Cisco VPN 3000 authentication mechanisms
> >
> >
> > Kent,
> >
> > Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated.
> > By those policies the gateway does know what the user had to do. For
> > example, if the certificate is issued to the user at the time they are
> > handed the smart card and they cannot export the private key you know they
> > had to authenticate to access the card.
> >
> > User authentication, user side tools and policy at the time of certificate
> > issuance is a key part of a PKI design and what makes smart cards qualify, at
> > least in my mind, as two-factor.   That is why Santa Claus could get a free
> > certificate from Verisign when all they used was the email address.
> > Verisign stated clearly that this was weak since all you knew was that the
> > e-mail existed at the time.  But it was a way to introduce certificates to
> > the public.  You had to pay for more thorough registration processes.
> > Neither solution dealt with two-factor vs. single factor. They really did
> > not address where, how or by which browser the private key and certificate
> > were stored or exported, so it wasn't two-factor.
> >
> > By your definition RSA SecurID ACE systems would also be considered a single
> > factor system. Even though you have a token number and a pin you transmit
> > them together.  They always market it as two-factor.  I guess I swallowed
> > their line .. 8-)
> >
> > If those don't qualify as two-factor authentication, what would you use as
> > examples of real two-factor authentication in the production world?
> >
> > I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at
> > this time.  Do you by any chance have a link to an iPlanet discussion
> > archive handy?
> >
> > BTW, I like your L2TP slide show.  Nice site.
> >
> > Adam
> >
> >
> >
> 
> VPN is sponsored by SecurityFocus.com
> 