[unisog] token based access (WAS: Re: [unisog] VPN Protection of Wireless Networks)

Wilfred L. Camilleri, CISSP wilfred.camilleri at utoronto.ca
Tue Dec 18 12:15:22 GMT 2001

At the UofT we have been using SecurID tokens for the past five years to 
authenticate Admin users (about 3,000) to our production systems.  We're 
using the pin-pad tokens.  This is a comparatively expensive way to
authenticate users but we didn't want to rely on reusable passwords in our 
environment. We haven't deployed the use of SecurID tokens to our student
population because it would be too expensive and we would have to pass
the cost to our students (not politically acceptable).

We were a Keon PKI beta site but in the end the cost of implementing
a PKI scheme on campus was prohibitive and we abandoned the project.
Another problem we tried to address was portability of certificates and
we played around with smart cards for this. However, the cost was too
much (approximately CDN$150 for reader and card per machine!)  
Installing the readers and making them work was also problematic.
Until smart card readers are a standard peripheral on PCs, smart cards
are not an option.

The University issues smart cards to students and staff (approximately
50,000 in circulation) but these are used strictly for photocopying,
vending, etc.

> Paul L Schmehl <pauls at utdallas.edu> writes:
> > VPN by itself is better than WEP, for reasons I'm sure are familiar to this 
> > list.  We intend to use Smartcards with VPN in the future, but the 
> > Smartcard program is still in the early deployment stages and we early in 
> > the testing of VPN as well.
> I'd be interested in hearing more about your research into token-based
> access control.  I badly want to move us away from reusable passwords,
> but I'm at the very beginning of the process.  If anyone out there has
> looked further into the issue, I suspect that your results would be of
> interest to several people on the list.
> Anne.
> -- 
> Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
> anne at alcor.concordia.ca                                        +1 514 848-7606
	While it has been a number of years since I last pushed at this issue,
I expect at least some of the issues are the same. Here are the notable ones
that I remember:

1) The cards cost money (around $50 Canadian at the point I looked, perhaps 
   cheaper now). With ~ 20,000 accounts we are talking a lot of capital (and
   note item 2!). Being a public University, charging for them was likely going
   to be a political problem, so the money had to come from the house, not user
   charging (your mileage may vary of course).

2) The cards' batteries only last for a couple of years and then they need to 
   be replaced (the card, not the battery!). Ongoing capital expense.

3) Card administration looked to be a fair amount of work (and expense) that
   needed to be factored in.

4) There was a student smart card initiative for campus charging (food, vending
   machines, copy machines) and identification (the library and registrar)
   going, and I was pointing them at crypto-type smart cards to piggyback on
   their plan, but it fizzled (and they weren't receptive to crypto cards 
   anyway, having enough troubles of their own). The need for card readers was
   going to be an issue here as well.

5) All your hosts / authentication mechanisms will need to be modified to accept
   the cards. Again this is an ongoing workload that needs to be remembered and

	There are probably more I haven't remembered, but points 1 and 2 are 
likely the most exciting. Of course technology may have improved over the years
as well.
	One cheap alternative perhaps worth mentioning is Microchip iButtons. 
The buttons themselves are passive (no battery) and something like $2 US 
apiece (see item 1 again :-)). The downside (other than they wouldn't talk to me 
or sell me a sample :-)) is that they need a $15 US reader on any machine
that uses them (but that's still cheaper than $50 per card / per user / per 2 
years). The readers are on a serial port, so securing it so students couldn't 
MTM, steal or otherwise abuse or defeat it was going to be exciting but is 
probably possible. Modems and remote access in general are going to be a 
problem with this scheme (no iButton reader), but something like S/Key or OPIE
would be an alternative there.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
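The S/Key / OPIE alternative that Peter mentions for remote access is a one-time password scheme built on a hash chain, and it is the cheapest way on this thread to get away from reusable passwords: the server stores only the current chain value, each login burns one link, and a password captured on the wire (or from a modem session) cannot be replayed or used to derive the next one. The following is an added illustration written for this archive page, not code from S/Key, OPIE or any of the posters; it uses SHA-256 where the real protocols used MD4/MD5, and the user name, seed and chain length are constructed values.

```python
import hashlib
import hmac
import secrets


def step(value: bytes) -> bytes:
    """One link of the hash chain (SHA-256 stands in for S/Key's MD4/MD5)."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """Apply step() n times, i.e. H^n(seed)."""
    v = seed
    for _ in range(n):
        v = step(v)
    return v


class OtpServer:
    """Verifier side. Stores only H^k(seed) and k per user, never the seed."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, int]] = {}

    def enroll(self, user: str, top: bytes, count: int) -> None:
        # top = H^count(seed), computed by the client at enrollment time.
        self.records[user] = (top, count)

    def verify(self, user: str, otp: bytes) -> bool:
        if user not in self.records:
            return False
        current, remaining = self.records[user]
        if remaining <= 0:
            return False  # chain exhausted: user must re-enroll with a new seed
        # A valid OTP is the preimage of the stored value. An eavesdropper who
        # sees this OTP cannot compute its own preimage, so it cannot be reused.
        if not hmac.compare_digest(step(otp), current):
            return False
        # Advance the chain: the presented OTP becomes the new stored value.
        self.records[user] = (otp, remaining - 1)
        return True


class OtpClient:
    """Client side (calculator). Holds the seed; emits H^(k-1), H^(k-2), ..."""

    def __init__(self, seed: bytes, count: int) -> None:
        self.seed = seed
        self.count = count

    def enrollment_value(self) -> bytes:
        return hash_chain(self.seed, self.count)

    def next_password(self) -> bytes:
        if self.count <= 0:
            raise RuntimeError("chain exhausted, re-enroll")
        self.count -= 1
        return hash_chain(self.seed, self.count)


def demo() -> dict[str, bool]:
    """Walk through enrollment, two logins, a replay and a wrong-user attempt."""
    # Constructed seed; in S/Key this is derived from a passphrase plus a server seed.
    seed = secrets.token_bytes(16)
    client = OtpClient(seed, 100)
    server = OtpServer()
    server.enroll("alice", client.enrollment_value(), 100)  # "alice" is a constructed user

    first = client.next_password()
    return {
        "first_login": server.verify("alice", first),
        "replay_of_first": server.verify("alice", first),  # captured value is now useless
        "second_login": server.verify("alice", client.next_password()),
        "wrong_user": server.verify("bob", client.next_password()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The server-side record is the only secret-bearing state, and it is safe to store in the clear: leaking H^k(seed) lets nobody log in, because the next password is its preimage. The operational cost Peter alludes to is the finite chain: once `remaining` hits zero the user has to re-enroll with a fresh seed, which is why real deployments track the count and warn users before exhaustion.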
