[unisog] token based access (WAS: Re: [unisog] VPN Protection of Wireless Networks)

Peter Van Epp vanepp at sfu.ca
Mon Dec 17 18:25:47 GMT 2001


> 
> 
> Paul L Schmehl <pauls at utdallas.edu> writes:
> 
> > VPN by itself is better than WEP, for reasons I'm sure are familiar to this 
> > list.  We intend to use Smartcards with VPN in the future, but the 
> > Smartcard program is still in the early deployment stages and we are early in 
> > the testing of VPN as well.
> 
> I'd be interested in hearing more about your research into token-based
> access control.  I badly want to move us away from reusable passwords,
> but I'm at the very beginning of the process.  If anyone out there has
> looked further into the issue, I suspect that your results would be of
> interest to several people on the list.
> 
> 
> Anne.
> -- 
> Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
> anne at alcor.concordia.ca                                        +1 514 848-7606
> 
	While it has been a number of years since I last pushed at this issue,
I expect at least some of the issues are the same. Here are the notable ones
that I remember:

1) The cards cost money (around $50 Canadian at the point I looked, perhaps 
   cheaper now). With ~ 20,000 accounts we are talking a lot of capital (and
   note item 2!). Being a public University, charging for them was likely going
   to be a political problem, so the money had to come from the house, not user
   charging (your mileage may vary of course).

2) The cards' batteries only last for a couple of years and then they need to 
   be replaced (the card, not the battery!). Ongoing capital expense.

3) Card administration looked to be a fair amount of work (and expense) that
   needed to be factored in.

4) There was a student smart card initiative for campus charging (food, vending
   machines, copy machines) and identification (the library and registrar)
   going and I was pointing them at crypto type smart cards to piggyback on
   their plan, but it fizzled (and they weren't receptive to crypto cards 
   anyway, having enough troubles of their own). The need for card readers was
   going to be an issue here as well.

5) All your hosts / authentication mechanisms will need to be modified to accept
   the cards. Again this is an ongoing workload that needs to be remembered and
   funded.

	There are probably more I haven't remembered, but points 1 and 2 are 
likely the most exciting. Of course technology may have improved over the years
as well.
	One cheap alternative perhaps worth mentioning is Microchip Ibuttons. 
The buttons themselves are passive (no battery) and something like $2 US 
apiece (see item 1 again :-)). The downside (other than they wouldn't talk to me 
or sell me a sample :-)) is that they need a $15 US reader on any machine
that used them (but that's still cheaper than $50 per card / per user / per 2 
years). The readers are on a serial port, so securing it so students couldn't 
MTM, steal or otherwise abuse or defeat it was going to be exciting but is 
probably possible. Modems and remote access in general are going to be a 
problem with this scheme (no Ibutton reader), but something like Skey or OPIE
would be an alternative there.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
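The S/Key-style one-time-password scheme mentioned at the end of the message as a no-reader alternative to reusable passwords, shown as an added example that is not part of the original post. It is a simplified illustration using SHA-256 rather than the real S/Key (RFC 1760) encoding, and the seed value is a constructed placeholder: the server stores only the top of a hash chain, each login reveals the preimage of the stored value, and a replayed or out-of-sequence password is rejected because the stored value has already moved.

```python
import hashlib

# Simplified S/Key-style hash-chain OTP. Real S/Key (RFC 1760) truncates the
# hash to 64 bits and encodes it as six short words; SHA-256 is used here for
# clarity. The security property is the same: the server holds h^k(seed), and
# only someone who knows the seed can produce its preimage h^(k-1)(seed).

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def otp_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] (n + 1 entries)."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class OtpVerifier:
    """Server side: stores only the last accepted value and its index.
    A captured password is worthless afterwards, since the next valid
    one is a preimage of what the server now stores."""
    def __init__(self, last_hash: bytes, index: int):
        self.last_hash = last_hash   # h^index(seed)
        self.index = index           # passwords still unused in the chain

    def verify(self, candidate: bytes) -> bool:
        if self.index <= 0:
            return False             # chain exhausted: user must re-enrol
        if h(candidate) != self.last_hash:
            return False             # wrong, replayed, or skipped password
        self.last_hash = candidate   # advance the chain one step
        self.index -= 1
        return True

def enrol(seed: bytes, n: int) -> tuple:
    """Client keeps the chain (or recomputes it); server keeps h^n(seed), n."""
    chain = otp_chain(seed, n)
    return chain, OtpVerifier(chain[n], n)

def demo() -> list:
    # Constructed sample seed; a deployment would use a random secret.
    chain, server = enrol(b"constructed-demo-seed", 5)
    return [
        server.verify(chain[4]),   # first login with h^4(seed): accepted
        server.verify(chain[4]),   # same password replayed: rejected
        server.verify(chain[2]),   # skipped h^3(seed): rejected
        server.verify(chain[3]),   # next in sequence: accepted
    ]
```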
