[nycbug-talk] Multi-factor Auth Systems, RSA SecurID gizmos...

Miles Nordin carton at Ivy.NET
Sun Feb 15 19:28:16 EST 2009

>>>>> "il" == Isaac Levy <ike at lesmuug.org> writes:

    il> Hi All, I've been tasked with finding/implementing a solid
    il> multi-factor auth system, mostly to simplify auth to a VPN.

I do not have experience but if I were going to do the same thing I
might try the Aladdin eToken Pro.  According to the release notes for
Cisco Mac VPN Dialer 4.9, the Aladdin eToken cannot do RSA on the fob,
so the private key's transferred from the fob into the computer after
you provide the pin to the fob.  However the Aladdin eToken Pro DOES
do RSA inside the fob, so you can generate the key inside the fob, and
the private material never leaves ever.  That's what you want, because
the goal is DRM-ish---you want to physically give the key to users
without giving them full control over the data inside it the same way
Apple gives you music or movies over which you don't have full
control, to stop the private key material from being copied.  Part of
the virtue of ``have something'' is that the owner will realize if the
thing he ``has'' gets stolen, which is not true of a password and ALSO
not true of the private key material inside the non-pro Aladdin
eToken, or anything else you can copy.

According to the picture below, you can use eToken to store the cert
for the VPN head-end, too!  Though, it does not explicitly and
undeniably state the head-end will work with the kinds of fob where
the private material never leaves the fob.


And this link shows that more than one vendor likes Aladdin eToken pro:


This type of fob is not what you asked for though, because it's not
xauth-via-RADIUS.  It's straight certificate auth.

For open-source RSA cert storage that you also didn't ask for, there
is this thing I stumbled into like 10 years ago called the Dallas
Semiconductor Crypto iButton.  It runs JavaCard, so I wonder if the
Aladdin stuff might be based on it?  I think it's too raw for your job
where you probably expect your proprietary VPN vendor to support it.

I heard a rumor the US military standardized on some kind of fob for
their nonclassified PKI, which worked out badly for them, but not
because the fobs themselves were awful.  You might figure out what
kind they used.