Skey


In any computing environment, passwords provide the first line of defense against unauthorized use. Users who are able to respond with the correct password at the Password: prompt are presumed to be who they say they are. Anyone can guess or steal a legitimate user's password. Guessing can be made much less probable by avoiding the selection of easily guessed passwords. Theft can be minimized by not writing down passwords, not telling them to others, and not allowing anyone to see them when they are typed in. Presumably, users are savvy (knowledgeable) enough not to enter their password when someone is looking over their shoulder.
Unfortunately, this is not the case. Unlike the days of yore, when logins took place from hardwired terminals and the only place to intercept a password was over the user's shoulder, today's ubiquitous (present everywhere) interconnected networks make it possible for passwords to be grabbed (captured) as they traverse the Internet. Indeed, there have been well-publicized instances of password "sniffers" being used on major regional networks and the machines of Internet Service Providers, leading to thousands of passwords being compromised. One way to prevent such compromises in the future is for authentication to take place over an encrypted connection. One can also use a scheme that makes passwords obtained through eavesdropping useless. This is the approach taken by S/KEY.

What is S/Key?


S/KEY is a software package developed at Bellcore (Bell Communications Research laboratory). S/Key is a challenge/response one-time password scheme. A challenge/response system is any system where the 'response' can be computed from the 'challenge' and some secret information that only the user knows. In order to be useful, the system must be designed such that knowledge of previous challenge/response pairs is not useful in computing future pairs.
It is a one-time password system. Each password used in the system is usable only for one authentication. Passwords cannot be re-used, and thus, intercepted passwords are of no utility. Moreover, knowledge of already-used passwords in a user's S/KEY password sequence provides no information about future passwords. Thus, even if all of one's S/KEY passwords are "sniffed" as they transit an insecure network, they will not benefit their interceptor.
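The one-time property described above comes from a hash chain (the S/KEY scheme is specified in RFC 1760). The sketch below is an added example, not code from the original post or from the Bellcore package; it assumes SHA-256 truncated to 64 bits as a stand-in for S/KEY's own hash, and the pass phrase, seed and function names are constructed for illustration.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One application of the one-way function (stand-in: SHA-256 cut to 64 bits)."""
    return hashlib.sha256(value).digest()[:8]

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Response to challenge (n, seed): hash seed+secret once, then n more times."""
    value = step(seed + secret)
    for _ in range(n):
        value = step(value)
    return value

class Server:
    """Holds only the last accepted password, never the user's secret."""
    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        # Ask for the password one step earlier in the chain than the stored one.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:            # chain used up: user must re-enroll
            return False
        if not hmac.compare_digest(step(response), self.last):
            return False               # wrong or replayed password; state unchanged
        self.last, self.count = response, self.count - 1
        return True

def enroll(secret: bytes, seed: bytes, count: int) -> Server:
    """Done once over a trusted channel: store the end of the chain."""
    return Server(seed, count, otp(secret, seed, count))

if __name__ == "__main__":
    secret, seed = b"constructed pass phrase", b"ke1234"   # constructed values
    server = enroll(secret, seed, 5)
    n, s = server.challenge()
    sniffed = otp(secret, s, n)        # what an eavesdropper would capture
    print("login accepted:", server.verify(sniffed))
    print("replay accepted:", server.verify(sniffed))
    # Hashing a sniffed password only yields the previous, already-used one.
    print("sniffed hashes to old password:", step(sniffed) == otp(secret, seed, 5))
```

Each login moves the server one step back along the chain, so the next valid password is a preimage of the one just sent, which an eavesdropper cannot compute without the secret.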
