NanoNote as SecurID substitute

neil at dist.ro
Fri Jul 27 22:31:26 EDT 2012


Apologies if this has been discussed before or is unworkable (I am
not a cryptanalyst).  Could the NanoNote be used as a SecurID
substitute?  It's already been noted that being isolated from the
Internet is a positive for applications such as this.

We have been comparing passwords, authorized_keys and Kerberos for
securing access to servers via SSH.

 + How often must we authenticate? Too often is unpleasant
 + Is there a risk of breach should a laptop be stolen?
 + Do we have continued access if a laptop is lost?
 + In which scenarios are we denied access?
 + Are we susceptible to password-guessing attacks?
 + Can we gain access from any computer anywhere in the world?

Kerberos scores well against the above but is still susceptible to
password guessing, failure of the Kerberos servers and is work to
install on a fresh workstation.

Would it work for:

 + The secured server to re-generate passwords each minute
 + The NanoNote generates the same password upon request (based on a
   shared secret and the current time)
 + Both the server and the NanoNote need fairly accurate clocks.  GPS
   over UBB to keep the time accurate without the Internet might be
   desirable
 + The shared secret must still be protected on the NanoNote with a
   pass phrase, although biometrics or RFID over UBB would be fun

I've left out a lot of detail in case there's a critical flaw in the
approach.

If it could be made to work, would it sell more units?  A lot of
technologists face this problem of SSH authentication and getting a
full UN*X system with a UN*X keyboard with their SecurID token could
make it a desirable solution.

- neil
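The scheme sketched above (server and NanoNote both derive a fresh one-minute password from a shared secret and the clock) is essentially time-based HOTP, i.e. RFC 6238 layered on RFC 4226. The Python below is an added example, not code from the post or from the NanoNote project; it assumes HMAC-SHA1 with a 60-second step, uses the RFC 4226 test key as a constructed demo secret, and adds a server-side acceptance window and a replay check, which is what the "fairly accurate clocks" requirement turns into in practice.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test key. A real token would be
# provisioned with a random secret, shared only with the server.
SECRET = b"12345678901234567890"
PERIOD = 60   # the post proposes a new password every minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """Token side (the NanoNote): the counter is just the clock divided by the step."""
    return hotp(secret, now // period, digits)


class Server:
    """Server side: regenerates the same codes and checks a submitted one."""

    def __init__(self, secret: bytes, period: int = PERIOD, digits: int = DIGITS, window: int = 1):
        self.secret, self.period, self.digits = secret, period, digits
        # Steps either side of "now" that are still accepted. This is the clock-drift
        # tolerance the post worries about: wider means more drift survives, but also
        # more codes are valid at once (assumption: one step each way is enough).
        self.window = window
        self.last_step = -1  # highest step already consumed, so a code cannot be replayed

    def verify(self, token: str, now: int) -> bool:
        current = now // self.period
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already used, or older than something already used
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, token):  # constant-time compare
                self.last_step = step
                return True
        return False
```

Keeping `last_step` means a code sniffed from one SSH login is useless a second time even inside the window; losing that state on the server (or running several servers without sharing it) reopens the replay gap.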




