Re: CFS w/ CRYPTOCARD
On Sat, Mar 31, 2001 at 08:47:05PM -0700, dreamwvr@dreamwvr.com wrote:
> Is anyone using CRYPTOCARD w/ CFS and if so can it do AES instead of DES
> |xxxDES ? How does this compare to vnconfig? TIA
I assume that you mean CRYPTOCards made by CRYPTOCard Corp,
(http://www.cryptocard.com/). These cards are Challenge/Response
authentication devices, not general-purpose encryption processors.
They only do DES (unless you're a DOD-related entity that is lucky
enough to get their 3DES variant).
If you really have a problem remembering passwords, you /could/ use
them as a kind of memory tool: Make sure you have the card programmed
in synchronous mode with a random key. Enter a challenge that you can
remember (perhaps all 0s, doesn't matter). Then hit <ENT> and you get
an 8 character response. This is the first part of your password. Then
hit <ENT> two more times, and you get the second part of your
password. This is not a terribly good password, as you're only getting
56 bits of entropy, so you'd probably want to program the other two
keys in the CRYPTOCard and use those as well, getting you 168 bits of
entropy. This would of course work just as well with vnconfig as with
cfs.
Note: IANAC (I Am Not A Cryptographer). The above may be weaker than
ROT13. Use at your own risk.
What they ARE good for is to replace/augment plain password
authentication. CRYPTOCard makes their own proprietary authentication
server (gack!) but it also speaks RADIUS. There is also code floating
around for CRYPTOCard support in (MIT) Kerberos 5, and I imagine it
wouldn't be too difficult to add native support to OpenBSD in other
places since they do plain old DES.
-Ryan
--
Ryan McBride - mcbride@countersiege.com
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com