[unisog] token based access (WAS: Re: [unisog] VPN Protection of Wireless Networks)
Wilfred L. Camilleri, CISSP
wilfred.camilleri at utoronto.ca
Tue Dec 18 12:15:22 GMT 2001
At the UofT we have been using SecurID tokens for the past five years to
authenticate Admin users (about 3,000) to our production systems. We're
using the pin-pad tokens. This is a comparatively expensive way to
authenticate users but we didn't want to rely on reusable passwords in our
environment. We haven't deployed the use of SecurID tokens to our student
population because it would be too expensive and we would have to pass
the cost to our students (not politically acceptable).
We were a Keon PKI beta site but in the end the cost of implementing
a PKI scheme on campus was prohibitive and we abandoned the project.
Another problem we tried to address was portability of certificates and
we played around with smart cards for this. However, the cost was too
much (approximately CDN$150 for reader and card per machine!)
Installing the readers and making them work was also problematic.
Until smart card readers are a standard peripheral on PCs, smart cards
are not an option.
The University issues smart cards to students and staff (approximately
50,000 in circulation) but these are used strictly for photocopying,
> Paul L Schmehl <pauls at utdallas.edu> writes:
> > VPN by itself is better than WEP, for reasons I'm sure are familiar to this
> > list. We intend to use Smartcards with VPN in the future, but the
> > Smartcard program is still in the early deployment stages and we are early in
> > the testing of VPN as well.
> I'd be interested in hearing more about your research into token-based
> access control. I badly want to move us away from reusable passwords,
> but I'm at the very beginning of the process. If anyone out there has
> looked further into the issue, I suspect that your results would be of
> interest to several people on the list.
> Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
> anne at alcor.concordia.ca +1 514 848-7606
While it has been a number of years since I last pushed at this issue,
I expect at least some of the issues are the same. Here are the notable ones
that I remember:
1) The cards cost money (around $50 Canadian at the point I looked, perhaps
cheaper now). With ~ 20,000 accounts we are talking a lot of capital (and
note item 2!). Being a public University charging for them was likely going
to be a political problem so the money had to come from the house not user
charging (your mileage may vary of course).
2) The cards' batteries only last for a couple of years and then they need to
be replaced (the card, not the battery!). Ongoing capital expense.
3) Card administration looked to be a fair amount of work (and expense) that
needed to be factored in.
4) There was a student smart card initiative for campus charging (food, vending
machines, copy machines) and identification (the library and registrar)
going and I was pointing them at crypto type smart cards to piggy back on
their plan, but it fizzled (and they weren't receptive to crypto cards
anyway having enough troubles of their own). The need for card readers was
going to be an issue here as well.
5) all your hosts / authentication mechanisms will need to be modified to accept
the cards. Again this is an ongoing workload that needs to be remembered and
There are probably more I haven't remembered but points 1 and 2 are
likely the most exciting. Of course technology may have improved over the years.
One cheap alternative perhaps worth mentioning is Microchip iButtons.
The buttons themselves are passive (no battery) and something like $2 US
apiece (see item 1 again :-)). The downside (other than they wouldn't talk to me
or sell me a sample :-)) is that they need a $15 US reader on any machine
that used them (but that's still cheaper than $50 per card / per user / per 2
years). The readers are on a serial port so securing it so students couldn't
MITM, steal or otherwise abuse or defeat it was going to be exciting but is
probably possible. Modems and remote access in general are going to be a
problem with this scheme (no iButton reader) but something like S/Key or OPIE
would be an alternative there.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
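The S/Key or OPIE alternative mentioned in the message above is a hash-chain one-time password scheme (the Lamport construction). The following is an added example, not code from either poster nor from the S/Key or OPIE projects; it substitutes SHA-256 for S/Key's MD4-based 64-bit folding and uses constructed seeds, both of which are assumptions of this example. It shows the property the thread is after, that a captured password is not reusable: the server stores only the last accepted value, never the seed, and a replayed one-time password fails verification.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def h(data: bytes) -> bytes:
    """One step of the hash chain. Real S/Key folds MD4 to 64 bits;
    SHA-256 is substituted here (an assumption of this example)."""
    return hashlib.sha256(data).digest()


def hash_iter(seed: bytes, i: int) -> bytes:
    """Return H^i(seed): the hash applied i times to the seed."""
    x = seed
    for _ in range(i):
        x = h(x)
    return x


class OTPClient:
    """Holds the secret seed and the index of the next password to emit.
    Passwords are emitted with decreasing index: H^(n-1), H^(n-2), ..., H^0."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("hash chain exhausted; re-enrol with a new seed")
        otp = hash_iter(self.seed, self.next_index)
        self.next_index -= 1
        return otp


class OTPServer:
    """Stores only the last accepted value (initially H^n(seed)), never the seed.
    A presented password p is accepted iff H(p) equals the stored value; p then
    becomes the stored value, so replaying p fails on the next attempt."""

    def __init__(self, anchor: bytes, count: int):
        self.anchor = anchor
        self.remaining = count

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 0:
            return False  # chain used up; the user must re-enrol
        if hmac.compare_digest(h(otp), self.anchor):
            self.anchor = otp
            self.remaining -= 1
            return True
        return False


def enrol(n: int, seed: Optional[bytes] = None) -> Tuple[OTPClient, OTPServer]:
    """Enrolment: the client keeps the seed, the server receives only H^n(seed)."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    return OTPClient(seed, n), OTPServer(hash_iter(seed, n), n)


def demo() -> List[bool]:
    """A login, a replay of the same password, a further login, and a garbage
    attempt. The seed is a constructed value so the run is reproducible."""
    client, server = enrol(n=5, seed=b"constructed-seed-for-example")
    first = client.next_otp()
    return [
        server.verify(first),                  # fresh password: accepted
        server.verify(first),                  # replay of the same value: rejected
        server.verify(client.next_otp()),      # next value in the chain: accepted
        server.verify(b"not-a-chain-value"),   # arbitrary value: rejected
    ]


def exhaust() -> Tuple[int, bool]:
    """Use every password in a short chain, then show the server refuses more."""
    seed = b"another-constructed-seed"
    client, server = enrol(n=3, seed=seed)
    accepted = sum(server.verify(client.next_otp()) for _ in range(3))
    return accepted, server.verify(hash_iter(seed, 0))


if __name__ == "__main__":
    print(demo())     # [True, False, True, False]
    print(exhaust())  # (3, False)
```

The point of comparison with a reusable password is the second entry of `demo()`: an attacker who sniffs a one-time password off a modem line gains nothing, because the server has already advanced past it. The chain is finite, so the enrolment count has to be tracked and the user re-seeded before it runs out, which is what `exhaust()` illustrates.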