IT Baseline Protection Manual S 5.34 Use of one-time passwords

S 5.34 Use of one-time passwords

Initiation responsibility: IT Security Management, Administrators

Implementation responsibility: Administrators

It is relatively easy to intercept passwords which are transmitted across networks in unencrypted form. Implementation and logging errors in the operating system and application software may even compromise the security of encrypted passwords.

For this reason, it is advisable to use one-time passwords, which become invalid after a single use. Both hardware-based and software-based generation of one-time passwords are possible.

Users must generate one-time passwords on the local IT system or via a token, or read them from a list which is generated by the remote IT system and must be kept in a safe place. One-time passwords must be verified by the remote IT system.

Public-domain programmes, e.g. OPIE or S/Key, can be used for one-time passwords. OPIE (one-time passwords in everything) is a public-domain advancement of S/Key, which is now marketed as a commercial product.

Unlike OPIE, S/Key still uses the MD4 algorithm by default for generating and verifying one-time passwords. Because of the known weaknesses of MD4, the MD5 algorithm that is also supplied should be used instead.

The OPIE and S/Key programmes consist of a routine on the server for verifying the passwords entered and a routine on the user's IT system. After connecting to the remote system and entering their user name, users are shown the sequence number of the password to be entered together with an ID. From these two items and a confidential password, OPIE or S/Key calculate on the local IT system the one-time password for this session. If no local programme is available to the user for calculating one-time passwords, the remote system can generate a list of one-time passwords, which must then be kept in a safe place.
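The following added example (not part of the manual, and not OPIE's or S/Key's own code) shows the exchange just described with the MD5 variant the manual recommends: the client derives the session password from the sequence number and ID (seed) shown by the server plus the confidential passphrase, the server verifies it by hashing it once more, and a pre-printed list can be produced for users without a local calculator. The seed, passphrase and chain length are constructed sample values; the 64-bit folding follows the standard OTP construction, and the hex output stands in for the usual six-word encoding.

```python
import hashlib
import hmac


def _fold_md5(data: bytes) -> bytes:
    """One chain step (MD5 variant): hash, then XOR the two 8-byte
    halves of the digest so every intermediate value is 64 bits wide."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    """Client-side calculation: fold(seed || passphrase), then fold n
    more times. n and seed come from the server's challenge; the
    passphrase never leaves the user's local IT system."""
    x = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(n):
        x = _fold_md5(x)
    return x


def otp_list(passphrase: str, seed: str, first: int, last: int):
    """Pre-printed list for users without a local programme: sequence
    numbers from `first` down to `last`, since the server consumes the
    chain downwards. The printed list must be kept in a safe place."""
    return [(n, otp_value(passphrase, seed, n).hex())
            for n in range(first, last - 1, -1)]


class OtpServer:
    """Verifier state on the remote system: only the seed, the sequence
    number and the last accepted value; no unused password is stored."""

    def __init__(self, seed: str, passphrase: str, count: int = 100):
        # One-off enrolment: keep only the top of the chain and discard
        # the passphrase, so a server compromise reveals no future value.
        self.seed = seed.lower()
        self.count = count
        self.last = otp_value(passphrase, self.seed, count)

    def challenge(self) -> str:
        # What the user sees after entering their name: "otp-md5 <n> <seed>".
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted: the user must re-enrol
        # Hash the presented value once; it must equal the stored one.
        if not hmac.compare_digest(_fold_md5(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True
```

A replayed password fails because the server has already moved one step down the chain, which is what makes interception on the network harmless.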

One-time passwords can also be generated by tokens, which may take the form of chip cards or calculator-like devices. The token first requires the user to authenticate to it. After that, the token either authenticates itself automatically to the server or displays the one-time password that the user must enter on the client.

The greater the amount of sensitive information that is protected against unauthorised access solely by passwords, the more important one-time passwords and hardware-based authentication methods become. Hardware-based systems should be used in situations where software-based one-time password systems such as OPIE are not readily accepted. In addition, many hardware-based systems also offer a "single sign-on" option. With this option, users no longer have to use a different password for each individual IT system, even in large, heterogeneous networks. Instead, they authenticate themselves only to the first IT system used, and this system then passes the authentication on to all other IT systems.

Hardware-based one-time password systems also eliminate the need for observing many of the rules specified for users in S 2.11 Provisions governing the use of passwords, as these rules are then observed implicitly.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999