No More Passwords!
CITI has a vision of a login procedure that starts with Kerberos keys stored securely in a smartcard. On approaching a machine for login, the user inserts the card, which automatically identifies the Uniqname and engages in a Kerberos challenge/response for authentication. A panel on the computer's screen (or a text-based login command) pops up and requests a PIN. Because the card verifies the PIN itself, in tamper-resistant hardware with a retry counter that locks the card after a handful of wrong PINs, and because the Kerberos key never leaves the card, guessing (or "dictionary") attacks are thwarted: PIN guesses are rate-limited by the card, and the captured challenge/response is keyed by a random on-card key rather than by anything derived from a memorable secret. In contrast, a diligent hacker can obtain hundreds, even thousands of Uniqname/password pairs with an offline dictionary attack over a few days, because a password-derived Kerberos key can be tested against captured traffic as fast as the attacker's hardware allows. (I confirmed this a few years ago by "cracking" over 3,000 Uniqname passwords with a few days' effort.) At CITI we are experimenting with protocols and procedures along these lines in anticipation of such an information technology infrastructure.

1. We do not want passwords because ...
2. Smart Cards are better because ...
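To make the contrast concrete, here is an added simulation (not CITI's code, and not a real Kerberos implementation) of the two login models described above. The password side is a simplified stand-in for Kerberos pre-authentication: the long-term key is derived from the password with PBKDF2 salted by the principal name (real Kerberos uses its own string-to-key function), and the "encrypted timestamp" is modelled as an HMAC over the timestamp. The smartcard side is an assumed model of a card that holds a random key, verifies the PIN on-card with a retry counter, and only answers challenges after a successful PIN check. The principal `alice@UMICH.EDU`, the PIN and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# ---------------------------------------------------------------------------
# Password-based login, modelled loosely on Kerberos 5 pre-authentication.
# Assumption: key = PBKDF2(password, salt=principal); the pre-auth value is an
# HMAC over the timestamp under that key. The real string-to-key and the real
# encryption differ, but the attack surface is the same: everything the
# attacker must reproduce is a pure function of the password.
# ---------------------------------------------------------------------------

def string_to_key(password: str, principal: str) -> bytes:
    """Derive the long-term key from the password; the principal name is the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


def make_preauth(key: bytes, challenge: bytes) -> bytes:
    """Authenticator sent by the client: a keyed MAC over the challenge
    (for password login the challenge is the client's timestamp)."""
    return hmac.new(key, challenge, "sha256").digest()


def offline_dictionary_attack(principal, challenge, authenticator, wordlist):
    """Given ONE captured (challenge, authenticator) pair, try every word in the
    list offline. No server or card is consulted, so nothing limits the rate."""
    for guess in wordlist:
        candidate = make_preauth(string_to_key(guess, principal), challenge)
        if hmac.compare_digest(candidate, authenticator):
            return guess
    return None


# ---------------------------------------------------------------------------
# Smartcard login (assumed model): random key that never leaves the card,
# PIN verified on-card, hardware retry counter.
# ---------------------------------------------------------------------------

class SmartCard:
    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._key = os.urandom(32)      # random key, not derived from any secret a human chose
        self._pin = pin
        self.tries_left = self.MAX_TRIES
        self._unlocked = False

    @property
    def locked(self) -> bool:
        return self.tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        """PIN check runs on the card. Each failure burns a try; once the counter
        hits zero the card refuses even the correct PIN."""
        if self.locked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left = self.MAX_TRIES
            self._unlocked = True
            return True
        self.tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Kerberos-style challenge/response computed with the on-card key;
        only available after a successful PIN check."""
        if not self._unlocked:
            raise PermissionError("card is locked or PIN not verified")
        return hmac.new(self._key, challenge, "sha256").digest()


def online_pin_guessing(card: SmartCard, candidates):
    """Guess PINs against the card. Returns (pin_found_or_None, guesses the card
    actually accepted before locking)."""
    attempts = 0
    for guess in candidates:
        if card.locked:
            break
        attempts += 1
        if card.verify_pin(guess):
            return guess, attempts
    return None, attempts


WORDLIST = ["password", "michigan", "wolverine1", "goblue", "letmein"]   # constructed


def demo():
    """Run both attacks and return what each one recovered."""
    principal = "alice@UMICH.EDU"
    timestamp = b"1000000000"
    captured = make_preauth(string_to_key("wolverine1", principal), timestamp)
    password_cracked = offline_dictionary_attack(principal, timestamp, captured, WORDLIST)

    card = SmartCard(pin="4821")
    card.verify_pin("4821")
    challenge = os.urandom(16)
    response = card.respond(challenge)
    # The same offline attack against the card's response finds nothing: the
    # key is random, so no password guess can reproduce it.
    card_cracked = offline_dictionary_attack(principal, challenge, response, WORDLIST)
    return {"password_login": password_cracked, "smartcard_login": card_cracked}


if __name__ == "__main__":
    print(demo())
```

The asymmetry the page describes shows up directly: the offline attack on the password login returns the password after a handful of hash computations and would scale to thousands of accounts given a capture of each, while against the card the attacker is left with online PIN guesses that the retry counter cuts off after three.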