8/22/2005
The current generation of “smart” cards makes effective use of two-factor authentication requiring “something you know” (a PIN or password) as well as “something you have” (a card). In PIN-protected memory cards, the information stored in the memory of the card can be read only after the PIN has been typed into the card or the device reading the card. But the latest two-factor smart cards are cryptographic challenge/response cards that have onboard memory and processors, and can perform encryption and decryption.

In one challenge/response scheme, the host computer system and the user both know a shared secret password. The host computer sends a number to the user (the “challenge”); the user encrypts the challenge number with the shared secret password on the smart card and returns the result (the “response”) to the host computer. The host computer independently encrypts the challenge and compares the result with the user’s response. If the two agree, the user is given access.

In another challenge/response scheme, the smart card has a clock, which periodically displays the encrypted time that the user types into the host computer system. In this case, the “challenge” is never sent explicitly but is understood to be the encrypted current time. If an external intruder obtains the response by listening to network traffic, that action has limited value because the correct response changes every few seconds as the time changes.

Unfortunately, most smart cards can run $60 to $100 per employee, and involve other issues such as creating mechanisms to quickly replace lost cards.
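The two challenge/response schemes described above, sketched as an added example that is not part of the original article. HMAC-SHA256 stands in for the article's "encrypts the challenge with the shared secret"; the names `Host`, `card_response` and `time_code`, and the 30-second step, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

STEP_SECONDS = 30  # assumed interval at which the card's displayed code changes


def card_response(secret: bytes, challenge: bytes) -> str:
    """Card side: keyed one-way function of the challenge (HMAC-SHA256 here)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def time_code(secret: bytes, now: float) -> str:
    """Card side of the clock variant: short code derived from the current time step."""
    step = int(now // STEP_SECONDS)
    return card_response(secret, step.to_bytes(8, "big"))[:8]


class Host:
    """Host side: issues challenges and checks responses against its own computation."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # unpredictable, so old responses are useless
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge: a replayed pair is rejected
        self._pending.discard(challenge)  # one attempt per challenge
        expected = card_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

    def verify_time_code(self, code: str, now: float, drift_steps: int = 1) -> bool:
        """Clock variant: the implicit challenge is the current time step.

        Neighbouring steps are accepted to tolerate drift between card and host clocks.
        """
        step = int(now // STEP_SECONDS)
        return any(
            hmac.compare_digest(time_code(self._secret, (step + d) * STEP_SECONDS), code)
            for d in range(-drift_steps, drift_steps + 1)
        )
```

The secret itself never crosses the network in either variant; a captured response is only valid for the one challenge, or the short time window, it was computed for.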
Something you have. What are the relative advantages and disadvantages of using “something you have” for security purposes? Whether it’s the use of an old-fashioned metal key or a high-tech token, the primary advantages are convenience and relatively modest cost. The primary disadvantage is that such items can easily be lost or stolen, and there is no guarantee that the appropriate individual is using them.
Something you know. Passwords have the advantage of being inexpensive, and the concept is well understood by users. Most PCs and networks can be easily configured to require passwords to access information. Unfortunately, passwords can be stolen while being transmitted over a network, collected by illicit software designed to capture passwords, or even guessed by smart hackers. What’s more, because so many passwords are required of users, many individuals opt to use a single password for everything. When one password is compromised, multiple accounts for a given user may be compromised.
Something you are. Biometric devices that identify individuals by fingerprint, retinal pattern, handwriting, keystroke dynamics, or voice pattern are most appropriate for very high-security environments, but are still relatively expensive and as yet are not a perfect science; users complain of frequent false rejections. (There’s nothing quite as frustrating as being locked out of your own computer when it refuses to recognize your thumbprint.)