Bringing Passwords Under Control

Firewalls and similar perimeter protections are, of course, designed to keep out those who are not authorized to access the network while allowing those with proper authorization easy access to the data they need. Naturally, distinguishing the one from the other is critical. That is the purpose of authentication, and usually involves the combination of a username and a password.

Passwords, however, are fraught with problems. Easy-to-remember passwords are also easily guessed, while more complicated passwords, or those that are frequently changed, are hard to remember and end up being written down and thereby compromised. They are also expensive — the GIGA Group estimates that about one third of all help desk calls are password related.

If a typical help desk annually costs between $300 and $350 per user supported, that equates to more than $100 a year to maintain each user’s passwords.

A variety of technologies have been developed recently that are aimed at alleviating these issues, but they fall short of the mark by being too technologically complex, too expensive, or by simply shuffling the problem to a different set of individuals. CRYPTOCard Corporation has an easy-to-use, inexpensive and elegant alternative called CRYPTO-Server.

CRYPTO-Server employs tokens to authenticate to a server. It is a single-use password system, whereby a new password is generated for each use and will never work again. Users no longer need to know their passwords and so cannot write them down or inadvertently reveal them to others. CRYPTO-Server provides authentication services and logs activity to a log server. It uses an SQL database (MySQL, SQL Server, Oracle, etc.) to hold token information and obtains user information from a directory server such as LDAP or Active Directory.
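To illustrate the single-use property described above, here is an added example (not CRYPTOCard's code; the review does not describe the product's actual algorithm) of an event-synchronous one-time-password scheme in which the server keeps a per-token counter and refuses any password it has already accepted or skipped past. The shared secret and the look-ahead window are constructed values.

```python
import hmac
import hashlib

# Constructed example of an HOTP-style event-synchronous OTP.
# This is a generic illustration, not CRYPTOCard's own scheme.
DIGITS = 6
LOOKAHEAD = 5  # how many unused counter values the server will accept


def generate_otp(secret: bytes, counter: int) -> str:
    """Token side: derive the one-time password for one counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class OtpServer:
    """Server side: tracks the next counter value not yet consumed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, otp: str) -> bool:
        # Search forward only; anything at or below the stored counter is burned.
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(generate_otp(self.secret, c), otp):
                self.counter = c + 1  # every value up to c can never be reused
                return True
        return False


def demo() -> list[bool]:
    """Walk through fresh use, replay, a skipped token and a stale token."""
    secret = b"constructed-shared-secret"  # constructed, never reuse in practice
    server = OtpServer(secret)
    p0, p1, p2 = (generate_otp(secret, n) for n in range(3))
    return [
        server.verify(p0),  # fresh password is accepted
        server.verify(p0),  # same password again: replay rejected
        server.verify(p2),  # p1 was never submitted; server skips ahead to p2
        server.verify(p1),  # p1 is now behind the counter: rejected as stale
    ]


if __name__ == "__main__":
    print(demo())
```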

The system comprises several components, including the server itself, CRYPTO-Console, CRYPTO-VPN, CRYPTO-Web, CRYPTO-Logon and CRYPTO-Deploy. There is also a kit for developers who wish to include the CRYPTO technology into their own systems.

The system is administered through the CRYPTO-Console, which can be installed either locally on the server or at remote workstations. With CRYPTO-Deploy, pre-initialized hardware tokens can be deployed through any browser, anywhere. CRYPTO-VPN allows for the integration of the CRYPTOCard technology for VPN access authentication.

CRYPTO-Web puts the technology into either IIS or Apache to protect all or parts of a web site, using strong authentication to secure sensitive information. CRYPTO-Logon replaces the usual static password to protect LAN, PC and thin client access with secure one-time passwords.

There are various tokens available, including a PIN-pad token, a keychain token, a USB smartcard dongle, a software token and a smartcard token with either a PCMCIA or a USB reader. These tokens are made from a tough metal alloy, which makes them durable, and have replaceable batteries, giving them a considerable advantage over RSA's SecurID tokens.

CRYPTOCard also has plug-ins for either the Citrix MetaFrame Access Suite or Windows Terminal Services environments to allow for highly secure "follow-me" computing. Using CRYPTOCard smart cards, which also require a PIN code to gain access, the user is automatically authenticated and logged in to the server farm.

When the smartcard is removed from the thin (or thick) client device, the active session is immediately suspended and the local device is secured. When the card is reinserted, either into the same device or another, and the PIN is provided, the session is reconnected exactly as it was when it was suspended.

In situations where sensitive information should not be left on a screen to be read by the wrong eyes, such as a bank or financial institution, a hospital or a government agency, this system provides an ideal mechanism for protection of that information. When the authorized user leaves the workstation for any reason, taking their smartcard token with them, there is nothing left on the screen to be read.

In fact, if thin clients are in use, there is no information stored locally at all. Since the smartcard also has the ability to be integrated with a door access system, a very high level of security can be enforced — a user couldn’t leave the room without first removing the information from the screen!

Complex password management systems and sophisticated policies often fail because of the difficulties faced by end users. To be effective, an authentication system has to be simple to use, much like the PIN system used and understood by ATM users all over the world. The CRYPTO-Server system meets this criterion admirably.

From the technical staff's perspective, the ease of use is the same. A CRYPTO-Server could easily be installed and implemented in an afternoon, and the administrative console is a breeze to use. For those who are using RSA SecurID and would prefer the more rugged and longer-lasting CRYPTOCard tokens, there is a simple, three-step migration to CRYPTO-Server.

Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.