[VPN] Cryptocard

Joel M Snyder Joel.Snyder at Opus1.COM
Sun Aug 31 13:34:17 EDT 2003


>I don't know if cryptocard is
>peer-to-peer or master-slave (Joel, can you answer
>this for us, please?), but I would be nervous about a
>master-slave setup if that's what it is.

Yes, CryptoCard has the same style as Safeword---centralized knowledge, but
distributed knowledge.  In fact, I have had good experiences with Safeword as
well in recent years (got a pile of tokens in front of me as I speak), but
never used them in production because they don't support OpenVMS as a server.  

There is a human-factors issue with distributed servers and CryptoCard.
CryptoCard is often used in "reduced input" mode, which means that the server
keeps some state between queries; it lets the user avoid putting in the
challenge if you (the network manager) don't want to require it.  In essence,
in reduced input mode, the token & the server kind of agree on what the
challenge will be the next time, and the token shows it---if the server asks
for the same challenge that the token is giving, then the user just presses
ENTER instead of putting in the challenge.   (For those of you who care, the
next challenge is based on additional bits out of the encryption that the
CryptoCard does but which are not displayed, so it is under control of the
server, not some synchronized algorithm like SecurID uses.)

If you flop around between servers, then you can't use reduced input (or, more
precisely, the user will perceive that they always have to enter the
challenge), so most people who use CryptoCard tend to have multiple servers,
but the servers are ordered (i.e., failover, not active load sharing) so that
the same card tends to hit the same server all the time.  That doesn't mean you
can't load balance them across regions, just that your users will be happier if
you don't.

So that's a long answer to the question.  The short answer is "yes, you can
have lots of servers."  It's just that when you set it up, you need to be
cognizant of the human interface issues related to the product as well as the
IT reliability issues.

But I would agree with Willie 100%: I like the idea that I don't have a single
server which has the "core knowledge;" I can distribute the knowledge around by
sharing the token's secret among a bunch of different servers using CryptoCard
and that makes it more attractive to me.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
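The reduced-input behaviour and the failover problem Joel describes, as an added, constructed model (not CryptoCard's actual algorithm, and not code from the post): the response is a slice of an HMAC over the challenge, the next challenge is a further slice the user never sees, and two servers that share the secret but not the per-token state drift apart.

```python
import hmac
import hashlib

# Constructed model of a challenge/response token in "reduced input" mode.
# This is NOT CryptoCard's real algorithm: response = first 8 hex chars of
# HMAC-SHA256(secret, challenge); the next challenge comes from further output
# bits the user never sees, so token and server agree on it without a clock.
RESP, CHAL = 8, 8

def token_compute(secret: bytes, challenge: str):
    """Return (response, next_challenge) for one challenge."""
    d = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
    return d[:RESP], d[RESP:RESP + CHAL]

class Token:
    def __init__(self, secret: bytes, challenge: str):
        self.secret, self.display = secret, challenge  # display = predicted next challenge
    def respond(self, challenge=None) -> str:
        # challenge=None models the user pressing ENTER to accept the displayed one
        resp, self.display = token_compute(self.secret, challenge or self.display)
        return resp

class Server:
    """The shared secret can be copied to every server; per-token state is local."""
    def __init__(self, secret: bytes, challenge: str):
        self.secret, self.next_challenge = secret, challenge
    def verify(self, response: str) -> bool:
        expected, nxt = token_compute(self.secret, self.next_challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self.next_challenge = nxt  # advance state only on a good response
        return True

def demo():
    """Two servers share the secret but not state; failover breaks reduced input."""
    secret = b"constructed-shared-token-secret"   # constructed sample value
    tok = Token(secret, "00000000")
    a, b = Server(secret, "00000000"), Server(secret, "00000000")
    r1 = a.verify(tok.respond())          # ENTER: token display == A's challenge
    r2 = a.verify(tok.respond())          # ENTER again, A and token stay in step
    reduced_ok = tok.display == b.next_challenge   # B lags: display no longer matches
    r3 = b.verify(tok.respond(b.next_challenge))   # user must type B's challenge
    return r1, r2, reduced_ok, r3

if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

After the failover login the token is in step with B and now out of step with A, which is why ordered failover rather than active load sharing keeps users pressing ENTER.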
