Chapter 14
Token Authentication: Protecting Logins
Token authentication allows you to set additional security restrictions on your FTP, TELNET, RLOGIN, and SET HOST logins. You can set up token authentication through TCPware's Access Control Encryption Client (ACE/Client) on the OpenVMS host, which communicates with Security Dynamics' ACE/Server on a UNIX or Windows NT host. The authentication takes place through a physical SecurID token "smart card" that you use to provide the ACE/Server with the necessary login information.
This chapter explains the TCPware ACE/Client, its interaction with the ACE/Server, and how to enter login information using the SecurID token.
Passwords have long been the front line of defense in protecting hosts and networks, and have come under scrutiny because of well-publicized security breaches. Applications that require passwords to access resources are especially vulnerable to these security breaches.
TCPware's token authentication, in collaboration with Security Dynamics Corporation's Access Control Encryption Server (ACE/Server), uses a two-factor scheme to address this problem: the regular login password is combined with a time-based code derived from a physical token, so a captured password alone is no longer enough to log in. The authentication system consists of a secure server and the client connected to the devices that need to be protected.
Security Dynamics provides the ACE/Server and a backup server (Slave ACE/Server). TCPware provides the ACE/Client, which runs on the OpenVMS host, collects the authentication data from the user at login time, and exchanges it with the ACE/Server for verification.
The authentication "token" in this case is the Security Dynamics SecurID "smart card," a physical card containing a microprocessor that generates a new, unpredictable code every 60 seconds on its liquid crystal display (LCD). The ACE/Server keeps a matching record for each token, so it can determine which code the token should be displaying at the moment of login and verify the code the user enters. The user enters this tokencode together with a memorized personal identification number (PIN); these two together form the user's PASSCODE.
Token authentication is available for FTP-OpenVMS, TELNET-OpenVMS, RLOGIN, and the OpenVMS SET HOST command.
The TCPware ACE/Client supports Security Dynamics' proprietary encryption (SDI Encryption). The ACE/Server must also use SDI Encryption. The ACE/Server runs on a UNIX or Windows NT machine. The ACE/Client must be registered with the ACE/Server.
Special terms used in this chapter include:
SecurID tokens are small, hand-held devices containing microprocessors that calculate and display unpredictable codes. The codes change at a specified interval, typically every 60 seconds.
As an authorized user on a protected system, you are assigned a SecurID token to use when accessing a protected resource. The code displayed on the token at the moment you attempt access is one part of the user's SecurID PASSCODE, which is required for positive authentication and system access. The other part is your valid, memorized PIN.
There are currently three hardware types of SecurID tokens:
Standard SecurID Card | a rectangular card with the tokencode displayed at the upper right-hand corner of the card.
SecurID Key Fob | an oblong key fob with a key holder, with the tokencode displayed on the center of the fob.
SecurID PINPAD card | a rectangular card with the tokencode displayed at the upper right-hand corner and a digit keypad at the bottom on which to enter the PIN.
See the Logging In with a SecurID Token section.
The user interface to token authentication is through login screens for FTP, TELNET, RLOGIN, and SET HOST that display the usual username prompt followed by:
For | Enter at the usual password prompt...
FTP | the PASSCODE.
TELNET, RLOGIN, and SET HOST | your usual password; an Enter PASSCODE: prompt then follows, at which you enter the PASSCODE.
Note! For an FTP login, the token cannot be in Next Tokencode or New PIN mode.
Example 14-1 shows a sample FTP login sequence to host BART. The value entered at the password prompt (192837465 below) is typed by the user but not echoed on the screen. With a Standard Card or Key Fob, the PASSCODE is the PIN immediately followed by the tokencode, with no separating space.
Example 14-1 FTP Login Sequence Using Token Authentication
$ FTP BART
220 bart.process.com (192.168.34.56) FTP-OpenVMS FTPD V5.7-1 (c) 2005 Process Software
_Username [MARGE]: MARGE
331 Password required.
_Password: 192837465
230 User logged in, proceed.
214 SITE +VMS+ recognized.
Example 14-2 shows a sample TELNET login sequence to host BART. The values entered at the Password: and Enter PASSCODE: prompts are typed by the user but not echoed on the screen. With a Standard Card or Key Fob, the PASSCODE is the PIN immediately followed by the tokencode, with no separating space.
Example 14-2 TELNET Login Sequence Using Token Authentication
$ TELNET BART
%TCPWARE_TELNET-I-TRYING, trying BART.nene.com,telnet (192.168.142.1,23) ...
%TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^\"
Welcome to OpenVMS Alpha (TM) Operating System, Version V6.2
Username: MARGE
Password: MYPASSWORD
Enter PASSCODE: 192837465
PASSCODE Accepted
(Bart) $
You may have been assigned one of the following SecurID tokens:
Standard SecurID Card | a rectangular card with the tokencode displayed at the upper right-hand corner of the card.
SecurID Key Fob | an oblong key fob with a key holder, with the tokencode displayed on the center of the fob.
SecurID PINPAD card | a rectangular card with the tokencode displayed at the upper right-hand corner and a digit keypad at the bottom on which to enter the PIN.
To access the protected system, you must enter a valid SecurID PASSCODE, which is made up of two factors:
• Your secret, memorized personal identification number (PIN)
• The tokencode currently displaying on your token
With a conventional password-only system, anyone who learns your password can log in under your identity. Requiring two factors means an intruder needs both your secret PIN and physical possession of your token, which makes impersonation far harder and the resulting audit trail far more trustworthy.
Because this system creates an audit trail that cannot be repudiated, you may be held accountable for activities recorded identifying you as the user. Avoid the unauthorized use of your identity and privileges by protecting the secrecy of your PIN and the possession of your token.
You are responsible for protecting the authentication factors entrusted to you. Keep your PIN secret and protect your SecurID token against loss and theft.
If an unauthorized person learns your PIN and obtains your token, this person can assume your identity. Any action taken by this intruder will be attributed to you in the system's security log.
For your own protection and that of the system, always take the following precautions:
• Never reveal your PIN to anyone. Do not write it down.
• If you think someone learned your PIN, notify the security administrator, who will clear the PIN immediately. At your next login you will have to receive or create a new PIN.
• Exercise care not to lose your SecurID token or to allow it to be stolen. If your token is missing, tell an administrator immediately. The administrator will disable it so that it is useless to unauthorized users.
• Do not let anyone access the system under your identity—do not let them log in with your PIN and a code from your SecurID token.
• It is essential to site security that you follow your system's standard logoff procedures. Failure to log off properly can create a route into the system that is completely unprotected.
• Protect your SecurID token from physical abuse. Do not immerse it in liquids, do not expose it to extreme temperatures and do not put it under pressure or bend it. Each SecurID token comes with care instructions that you should read and follow.
Have your ACE/Server security administrator fill in the following information before you attempt to log in for the first time:
• The system will assign a PIN to you; you cannot create your own (see the Receiving a System-Generated PIN section)
• You can use a PIN that you make up yourself (see the Creating Your Own PIN section)
• Your PIN can contain letters as well as digits (applies to the Standard Card and Key Fob only)
• All PINs on the system must be the same number of characters: ____ (applies to the Standard Card and Key Fob only)
• All PINs on the system must be the same number of digits: ____ (applies to the PINPAD card only)
• Your PIN can contain from ____ through ____ characters (applies to the Standard Card and Key Fob only)
• Your PIN can contain from ____ through ____ digits (applies to the PINPAD card only)
• You can use a duress PIN (see the Using a Duress PIN section)
The following steps allow you to use a system-generated PIN:
1 For PINPAD only: Clear PIN entries from your card. Press any number on the card, then press the P on the lower right of the card. The display clears and a new tokencode shows after the last of the countdown indicators disappears from the left of the LCD.
Note! For FTP logins, you must first log in on a terminal session such as TELNET or SET HOST to receive your PIN before you can initiate an FTP session.
2 Initiate a terminal login session. After you respond to the usual prompt for your login name, the system asks you to enter a PASSCODE.
3 If you never received a PIN before, enter the code that is currently displaying on your SecurID token at the Enter PASSCODE prompt.
If your token previously had a PIN and the administrator did not clear it when setting it in New PIN mode:
• For Standard Card and Key Fob only: Enter the old PIN and right after it, the code that is currently displaying on your token. (Do not separate the two with a space.)
• For PINPAD only: Enter the old PIN into the card and press the diamond (◆) key near the bottom of the card. Then at the Enter PASSCODE prompt, enter the code displayed on the card.
4 Press Return. If you entered the code incorrectly, the system displays an Access denied message. Try again. Once you enter a valid tokencode, the following message appears:
Press <Return> to generate a new PIN and display it on screen
or
<Ctrl d> to cancel the New PIN procedure:
5 If anyone else can see your screen, press Ctrl/D so that your secret PIN is not displayed on your screen. The operation is canceled and your card or key fob is still in New PIN mode.
If no one else can see your screen, press Return to receive your new PIN. Your PIN is displayed for 10 seconds or until you press Return.
6 Memorize your new PIN. Do not write it down.
7 You are now ready to log in. Wait for the next tokencode, then follow the instructions in the Login Steps section.
The following steps allow you to create your own PIN:
1 If you are going to create your own PIN, first give some thought to what it will be. Do not pick an obvious number like a birthday or phone number. See your checklist. You may be allowed letters or digits, or just digits, and the length may be fixed somewhere between four and eight characters, or you may be allowed any number of characters in that range. For PINPAD only: PINs cannot begin with a zero.
2 For PINPAD only: Clear PIN entries from your card. Press any number on the card, then press the P on the lower right of the card. The display clears and a new tokencode shows after the last of the countdown indicators disappears from the left of the LCD.
Note! For FTP logins, you must first log in on a terminal session such as TELNET or SET HOST to receive your PIN before you can initiate an FTP session.
3 Initiate a terminal login session. After you respond to the usual prompt for your login name, the system asks you to enter a PASSCODE.
4 If you never received a PIN before, enter the code that is currently displaying on your SecurID token at the Enter PASSCODE prompt.
If your token previously had a PIN and the administrator did not clear it when setting it in New PIN mode:
• For Standard Card and Key Fob only: Enter the old PIN and right after it, the code that is currently displaying on your token. (Do not separate the two with a space.)
• For PINPAD only: Enter the old PIN into the card and press the diamond (◆) key near the bottom of the card. Then at the Enter PASSCODE prompt, enter the code displayed on the card.
5 Press Return. If you entered the code incorrectly, the system displays an Access denied message. Try again. Once you enter a valid tokencode, you are prompted to perform the New PIN operation.
6 If the prompt reads:
Enter your new PIN, containing 4 to 8 characters, or
Press <Return> to generate a new PIN and display it on screen
or <Ctrl d> to cancel the New PIN procedure:
do one of the following and go to Step 8. Otherwise, go to Step 7 now.
• If anyone else can see your screen, press Ctrl/D to cancel the operation and leave your token in New PIN mode.
• If you want the system to generate a PIN for you and no one else can see your screen, press Return. Your PIN is displayed for 10 seconds or until you press Return.
• If you want to create your own PIN and no one else can see your screen, enter the PIN you would like to use, again remembering the guidelines in step 1.
7 If the prompt reads:
Enter your new PIN, containing 4 to 8 characters,
or Ctrl/D to cancel the New PIN procedure:
then you have to create your own PIN. You cannot have the system generate one for you. If anyone else can see your screen, press Ctrl/D to cancel the operation and leave your token in New PIN mode. Otherwise, type in the PIN you would like to use, again remembering the guidelines in Step 1.
8 Memorize your new PIN. Do not write it down.
9 You are now ready to log in. Wait for the next tokencode, then follow the instructions in the following Login Steps section.
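As an added example (not TCPware or ACE/Server code), the following Python checks a candidate PIN against the site rules captured on the administrator checklist and in Step 1 above: digits only and no leading zero for a PINPAD card, optional letters for a Standard Card or Key Fob, and a fixed length or a length range. The PinPolicy fields, the two weak-PIN heuristics, and the sample values are assumptions of this example; the ACE/Server enforces its own policy and the chapter does not describe its implementation.

```python
"""Check a candidate SecurID PIN against the site's PIN policy.

Added example, not TCPware or ACE/Server code. The PinPolicy fields mirror the
administrator checklist; the weak-PIN heuristics go beyond the chapter, which
only says to avoid obvious values such as birthdays and phone numbers.
"""
import string
from dataclasses import dataclass

STANDARD = "standard"   # Standard SecurID Card
KEYFOB = "keyfob"       # SecurID Key Fob (same PIN rules as the Standard Card)
PINPAD = "pinpad"       # SecurID PINPAD card: digits only, entered on the card


@dataclass(frozen=True)
class PinPolicy:
    token_type: str        # STANDARD, KEYFOB or PINPAD
    letters_allowed: bool  # checklist: "Your PIN can contain letters as well as digits"
    min_len: int           # fixed length when min_len == max_len
    max_len: int


def _is_sequential(digits: str) -> bool:
    """True for runs such as 1234 or 8765 (assumed weak-PIN heuristic)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(digits) > 1 and steps in ({1}, {-1})


def check_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems: list[str] = []
    if policy.token_type == PINPAD:
        if not pin.isdigit():
            problems.append("PINPAD PINs must contain digits only")
        elif pin[0] == "0":
            problems.append("PINPAD PINs cannot begin with a zero")
    else:
        allowed = string.digits + (string.ascii_uppercase if policy.letters_allowed else "")
        bad = sorted({c for c in pin.upper() if c not in allowed})
        if bad:
            problems.append(f"characters not permitted by policy: {''.join(bad)}")
    if not (policy.min_len <= len(pin) <= policy.max_len):
        if policy.min_len == policy.max_len:
            problems.append(f"PIN must be exactly {policy.min_len} characters")
        else:
            problems.append(f"PIN must be {policy.min_len} to {policy.max_len} characters")
    # Weak-PIN heuristics: assumptions of this example, not checklist rules.
    if len(set(pin)) == 1:
        problems.append("PIN uses a single repeated character")
    if pin.isdigit() and _is_sequential(pin):
        problems.append("PIN is a consecutive digit sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample policies: a PINPAD site with 4-8 digit PINs and a
    # Standard Card site with fixed 6-character alphanumeric PINs.
    pinpad_site = PinPolicy(PINPAD, letters_allowed=False, min_len=4, max_len=8)
    card_site = PinPolicy(STANDARD, letters_allowed=True, min_len=6, max_len=6)
    for pin, pol in [("2438", pinpad_site), ("0243", pinpad_site),
                     ("ABCDEF", card_site), ("ABCDE", card_site), ("123456", card_site)]:
        print(pin, check_pin(pin, pol) or "OK")
```

The validator returns every violation rather than the first one, so a user who is composing a PIN at the New PIN prompt can fix all of them in one attempt; the real prompt only reports Access denied.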
Use the following two steps to log in:
1 Initiate a login session. After you respond to the usual prompt for your login name, you may get your usual password prompt:
• If you are using TELNET, RLOGIN, or SET HOST, enter your usual password at the password prompt and press Return. Then go to Step 2.
• If you are using FTP, the password prompt is your PASSCODE prompt. Enter your PIN immediately followed by the code currently displaying on your token, without any separating space, and press Return.
2 At the Enter PASSCODE: prompt, enter your PIN immediately followed by the code currently displaying on your token, without any separating space.
If you entered a valid PASSCODE, the system displays the message PASSCODE accepted.
Once accepted, a SecurID PASSCODE cannot be used again. To log in again, you must wait for a new tokencode to appear. The stack of countdown indicators on the left side of the LCD lets you know how soon the code will be changing.
If the system displays the message Access denied instead, you may have typed in your PASSCODE incorrectly. Try again. If you are repeatedly denied access even though you are typing your PASSCODE correctly, contact your system administrator.
On the third attempt to log in with a valid PIN but with an invalid tokencode, the system asks you to enter the next code that appears:
Please enter the next code from your token:
Wait until the stack of countdown indicators on the left side of the LCD runs down and the tokencode changes, then carefully type the new code followed by Return.
If you are not granted access after correctly entering the next code, contact your system administrator.
If your system has the duress PIN option installed, you have two PINs: a regular PIN and a duress PIN. Use your regular PIN for normal logins. Use the duress PIN if you are ever forced to log in by an unauthorized person attempting to gain system access.
If you use your duress PIN, you are granted access and you will see no difference in operation. However, the system notifies administrators that you were forced by an intruder to log in.
Your duress PIN is your regular PIN with its last character incremented by one, with no carry into the other characters: a final 9 wraps to 0 and a final Z wraps to A, and the rest of the PIN is unchanged. See Table 14-1 for examples.
Table 14-1 Sample Duress PINs
If your regular PIN is... | Then your duress PIN is... | Applies to...
243890 | 243891 | All tokens
243899 | 243890 | All tokens
ABCDEF | ABCDEG | Standard Card and Key Fob
ABCDEZ | ABCDEA | Standard Card and Key Fob
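The following Python is an added example, not TCPware or Security Dynamics code, that models the server-side rules described in the Login Steps and Using a Duress PIN sections: the PASSCODE is split into PIN and tokencode, an accepted PASSCODE can never be reused, a third attempt with a valid PIN but a wrong code puts the login into Next Tokencode mode (which an FTP login cannot answer), and a duress PIN is accepted exactly like the regular PIN while an alert is recorded for the administrator. The tokencode generator is a stand-in (HMAC-SHA256 over the 60-second interval number) for the proprietary SDI algorithm, whose details are not on this page; the one-interval clock tolerance, the seed, the PIN and the timestamps are assumptions of this example.

```python
"""Model of the ACE/Server checks described in this chapter.

Added example, not TCPware or Security Dynamics code. tokencode() is a
stand-in for the proprietary SDI algorithm; the +/-1 interval tolerance is
an assumption. All seeds, PINs and times below are constructed.
"""
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds per tokencode, as counted down on the token's LCD


def tokencode(seed: bytes, t: int) -> str:
    """6-digit code a token with this seed shows at Unix time t (stand-in algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", t // INTERVAL), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def duress_pin(pin: str) -> str:
    """Duress PIN per Table 14-1: last character plus one, no carry (9 -> 0, Z -> A)."""
    last = pin[-1].upper()
    if last.isdigit():
        nxt = str((int(last) + 1) % 10)
    elif "A" <= last <= "Z":
        nxt = "A" if last == "Z" else chr(ord(last) + 1)
    else:
        raise ValueError("PIN must end in a digit or a letter")
    return pin[:-1] + nxt


class AceServerModel:
    """Per-user state the server needs to enforce the chapter's login rules."""

    def __init__(self, pin: str, seed: bytes, drift: int = 1):
        self.pin, self.seed, self.drift = pin, seed, drift
        self.last_accepted = -1   # interval of the last accepted code (replay guard)
        self.bad_codes = 0        # consecutive attempts with a valid PIN but a bad code
        self.challenge = None     # interval at which Next Tokencode mode was entered
        self.alerts = []          # duress notifications for the administrator

    def _interval_for(self, code: str, now: int):
        """Interval whose code matches, searching now +/- drift; None if no match."""
        cur = now // INTERVAL
        for iv in range(cur - self.drift, cur + self.drift + 1):
            if hmac.compare_digest(tokencode(self.seed, iv * INTERVAL), code):
                return iv
        return None

    def _accept(self, iv: int) -> str:
        self.last_accepted, self.bad_codes, self.challenge = iv, 0, None
        return "ACCEPTED"

    def authenticate(self, entry: str, now: int, ftp: bool = False) -> str:
        """entry is PIN+tokencode, or only the tokencode when answering a Next Tokencode prompt."""
        if self.challenge is not None:
            if ftp:               # FTP has a single prompt and cannot answer the challenge
                return "DENIED"
            iv = self._interval_for(entry, now)
            asked_at, self.challenge, self.bad_codes = self.challenge, None, 0
            if iv is None or iv <= asked_at or iv <= self.last_accepted:
                return "DENIED"   # not the *next* code: user must contact the administrator
            return self._accept(iv)
        pin, code = entry[: len(self.pin)], entry[len(self.pin):]
        regular = hmac.compare_digest(pin, self.pin)
        duress = hmac.compare_digest(pin, duress_pin(self.pin))
        if not (regular or duress):
            return "DENIED"
        iv = self._interval_for(code, now)
        if iv is None:
            self.bad_codes += 1
            if self.bad_codes >= 3:   # third valid-PIN / bad-code attempt
                self.challenge = now // INTERVAL
                return "NEXT_TOKENCODE"   # "Please enter the next code from your token:"
            return "DENIED"
        if iv <= self.last_accepted:
            return "DENIED"           # an accepted PASSCODE can never be used again
        if duress:                    # access is granted as usual; only the administrator is told
            self.alerts.append(("duress login", now))
        return self._accept(iv)


if __name__ == "__main__":
    seed, t0 = b"constructed-token-seed", 1_700_000_000   # constructed values
    srv = AceServerModel("243890", seed)
    passcode = "243890" + tokencode(seed, t0)
    print(srv.authenticate(passcode, t0))       # ACCEPTED
    print(srv.authenticate(passcode, t0 + 5))   # DENIED (PASSCODE reused)
    print(srv.authenticate("243891" + tokencode(seed, t0 + 60), t0 + 60), srv.alerts)
```

Two design points carry over to any one-time-code verifier: comparisons use hmac.compare_digest so that a wrong PIN or code does not leak through timing, and replay protection is keyed on the interval of the last accepted code rather than on a cache of recently seen strings, which is what makes "wait for the next tokencode" the only way to log in again.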