Token-based OTP generators

RSA SecurID

Personal authentication token.

  • Or software modules for handhelds (PDAs, smartphones, etc.).

It generates a unique number at a fixed rate.

  • Usually one per minute (or 30 seconds).

  • Bound to a person (User ID).

  • A unique number computed with:

    • A 64-bit key stored in the token.

    • The current timestamp.

    • A proprietary digest algorithm (the SecurID hash).

    • An extra PIN (only for some tokens).

OTP-based authentication.

  • A user combines their User ID with the current token number.

    • OTP = User ID, Token Number.

An RSA ACE Server does the same and checks for a match.

  • It also knows the person’s key stored in the token.

  • Synchronization is needed to handle clock drift between the token and the server.

    • RSA Security Time Synchronization.

Robust against dictionary attacks since keys are not selected by people.

Yubikey

Personal Authentication Device

  • USB and/or NFC.

Activation generates a 44-character key.

  • Emulates a USB keyboard (besides its API).

  • Supports HOTP (event-based) or TOTP (time-based).

  • If a challenge is provided, the user must touch the button to obtain a result.

  • Several algorithms, including AES-256.
