[unisog] token based access (WAS: Re: [unisog] VPN Protection of Wireless Networks)
Peter Van Epp
vanepp at sfu.ca
Mon Dec 17 18:25:47 GMT 2001
> Paul L Schmehl <pauls at utdallas.edu> writes:
> > VPN by itself is better than WEP, for reasons I'm sure are familiar to this
> > list. We intend to use Smartcards with VPN in the future, but the
> > Smartcard program is still in the early deployment stages and we are early in
> > the testing of VPN as well.
> I'd be interested in hearing more about your research into token-based
> access control. I badly want to move us away from reusable passwords,
> but I'm at the very beginning of the process. If anyone out there has
> looked further into the issue, I suspect that your results would be of
> interest to several people on the list.
> Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
> anne at alcor.concordia.ca +1 514 848-7606
While it has been a number of years since I last pushed at this issue,
I expect at least some of the issues are the same. Here are the notable ones
that I remember:
1) The cards cost money (around $50 Canadian at the point I looked, perhaps
cheaper now). With ~20,000 accounts we are talking a lot of capital (and
note item 2!). Being a public University, charging for them was likely going
to be a political problem, so the money had to come from the house, not user
charging (your mileage may vary of course).
2) The cards' batteries only last for a couple of years and then they need to
be replaced (the card, not the battery!). Ongoing capital expense.
3) Card administration looked to be a fair amount of work (and expense) that
needed to be factored in.
4) There was a student smart card initiative for campus charging (food, vending
machines, copy machines) and identification (the library and registrar)
going and I was pointing them at crypto type smart cards to piggy back on
their plan, but it fizzled (and they weren't receptive to crypto cards
anyway having enough troubles of their own). The need for card readers was
going to be an issue here as well.
5) All your hosts / authentication mechanisms will need to be modified to accept
the cards. Again this is an ongoing workload that needs to be remembered and
There are probably more I haven't remembered, but points 1 and 2 are
likely the most exciting. Of course technology may have improved over the years.
One cheap alternative perhaps worth mentioning is Microchip Ibuttons.
The buttons themselves are passive (no battery) and something like $2 US a
piece (see item 1 again :-)). The downside (other than they wouldn't talk to me
or sell me a sample :-)) is that they need a $15 US reader on any machine
that used them (but that's still cheaper than $50 per card / per user / per 2
years). The readers are on a serial port, so securing it so students couldn't
MTM, steal or otherwise abuse or defeat it was going to be exciting but is
probably possible. Modems and remote access in general are going to be a
problem with this scheme (no Ibutton reader), but something like Skey or OPIE
would be an alternative there.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
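The message above mentions S/Key or OPIE as the fallback for remote access where no token reader is available. The following is an added illustration of the hash-chain mechanism those schemes use, not code from the original thread or from the S/Key or OPIE projects. Real S/Key folds MD4 to 64 bits and OPIE folds MD5, then encodes the result as six English words; this example substitutes SHA-256 truncated to 8 bytes and skips the word encoding, purely to show how the server verifies a password without storing the pass-phrase, why a captured password cannot be replayed, and why the server holds nothing that yields the next password. The pass-phrase, seed and counter values are constructed for the example.

```python
"""Simplified S/Key-style one-time-password chain (added illustration).

Password N is hash^N(seed || pass-phrase).  The server initialises with
hash^count and thereafter stores only the last accepted password, so it
never holds the pass-phrase, and an attacker who captures password N-1
cannot derive password N-2 (that would need a preimage of the hash).
The hash function here is a stand-in for the MD4/MD5 folding used by the
real S/Key and OPIE implementations (assumption: mechanics only, the
output is not compatible with them).
"""
import hashlib
import hmac


def fold_hash(data: bytes) -> bytes:
    # Stand-in for S/Key's 64-bit MD4 fold: SHA-256 truncated to 8 bytes.
    return hashlib.sha256(data).digest()[:8]


def otp_at(secret: str, seed: str, n: int) -> bytes:
    """Client side: the n-th one-time password, hash applied n times."""
    value = (seed + secret).encode()  # S/Key concatenates seed and pass-phrase
    for _ in range(n):
        value = fold_hash(value)
    return value


class SkeyServer:
    """Server side: keeps the counter and the hash of the next expected password."""

    def __init__(self, secret: str, seed: str, count: int):
        # Initialisation is the only time the server sees the pass-phrase;
        # it keeps hash^count, which is the hash of password count-1.
        self.seed = seed
        self.count = count
        self.stored = otp_at(secret, seed, count)

    def challenge(self) -> tuple:
        """What the login prompt shows: the sequence number and seed to use."""
        return (self.count - 1, self.seed)

    def verify(self, presented: bytes) -> bool:
        """Accept only the immediate next password in the chain, exactly once."""
        if self.count <= 1:
            return False  # chain exhausted: the user must re-initialise
        if not hmac.compare_digest(fold_hash(presented), self.stored):
            return False
        self.count -= 1
        self.stored = presented  # the accepted password becomes the new check value
        return True


def demo() -> tuple:
    """Two logins with a replay attempt between them: (first, replay, second)."""
    secret, seed = "correct horse battery", "sf12345"  # constructed example values
    server = SkeyServer(secret, seed, count=100)

    n, s = server.challenge()          # prompt: "otp-md5 99 sf12345" in real OPIE terms
    pw1 = otp_at(secret, s, n)         # client computes password 99 from the pass-phrase
    first = server.verify(pw1)         # hash(pw1) == stored hash^100 -> accepted

    replay = server.verify(pw1)        # stored is now pw1 itself; hash(pw1) != pw1 -> rejected

    n, s = server.challenge()          # now asks for password 98
    pw2 = otp_at(secret, s, n)
    second = server.verify(pw2)        # hash(pw2) == pw1 -> accepted
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

The point for a modem or dial-in user is that the password list can be printed in advance (or computed on a laptop) and each entry used once; a sniffer on the line learns only values that are already spent. Note that the scheme still depends on the pass-phrase staying secret, since anyone holding it and the seed can compute the whole chain.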