RE: [linux-security] Re: RE: Re: Checking remote servers

["Dale.Babiy" <Dale Babiy gov yk ca>]

>> application, and then again, it may not.  But it is a handy thing to
>> know is out there.

>Isn't this something like a SecureID type system?

No, SecureID is merely a one time password system for people not swift
enough to handle S/Key :).  That's basically what it is.  The little
card you carry around has a function such that f(time)=x.  Your server
computes f(time)=x, f(time-1)=x1 f(time+1)=X2.  This way it creates a
'window' of possible passwords, and can keep track of clock drift on
your token card.  Time is measured in 60 second windows normally.

An elegant solution and it looks very impressive to people whom you are
trying to convince you are secure :).  You append a PIN to the front of
it, so that if someone simply steals your token you're safe, but it
doesn't do any encryption, etc...

The solution I was referring to on the other hand is a modem set that
has an encryption alg implemented.  The client's key is stored in the
card.  It should be totally transparent to any end
applications/authentication mechanisms.  You could in fact run SecureID
over it. 

Cheers/Dale