https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&feed=atom&action=history
Projects/SecurID SAM support - Revision history
2024-03-28T12:03:31Z
Revision history for this page on the wiki
MediaWiki 1.27.4

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3673&oldid=prev
TomYu at 20:09, 18 October 2010
2010-10-18T20:09:37Z
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 20:09, 18 October 2010</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>{{project-<del class="diffchange diffchange-inline">review</del> | <del class="diffchange diffchange-inline">31 August 2010</del>}}</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>{{project-<ins class="diffchange diffchange-inline">rel</ins> | <ins class="diffchange diffchange-inline">1.9</ins>}}</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>''The RSA SecurID SAM'' project proposes to add support for using [http://www.rsa.com/node.aspx?id=1156 SecurID] with [http://tools.ietf.org/id/draft-ietf-krb-wg-kerberos-sam Single Use Authentication Mechanism] Kerberos pre-authentication.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>''The RSA SecurID SAM'' project proposes to add support for using [http://www.rsa.com/node.aspx?id=1156 SecurID] with [http://tools.ietf.org/id/draft-ietf-krb-wg-kerberos-sam Single Use Authentication Mechanism] Kerberos pre-authentication.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This is a backward compatibility project for sites with deployed code.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This is a backward compatibility project for sites with deployed code.</div></td>
</tr>
</table>
TomYu

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3627&oldid=prev
TomYu: /* Deployment */
2010-09-02T17:27:18Z
<p><span dir="auto"><span class="autocomment">Deployment</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 17:27, 2 September 2010</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 32:</td>
<td colspan="2" class="diff-lineno">Line 32:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Deployment ==</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Deployment ==</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This text should make its way into the administrator's guide.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This text should make its way into the administrator's guide.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In order to deploy this mechanism, Kerberos needs to be compiled against the SecurID SDK. The SDK needs to be placed in the library and include path such that configure will find it. Then an administrator creates <<del class="diffchange diffchange-inline">t</del>><i>principal/</i><del class="diffchange diffchange-inline">securid</del></<del class="diffchange diffchange-inline">t</del>> principals to enable SecurID for a given principal. If this is done, then the KDC will call into the <del class="diffchange diffchange-inline">SecureID</del> SDK and request authentication from the user.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In order to deploy this mechanism, Kerberos needs to be compiled against the SecurID SDK. The SDK needs to be placed in the library and include path such that configure will find it. Then an administrator creates <<ins class="diffchange diffchange-inline">code</ins>><i>principal/</i><ins class="diffchange diffchange-inline">SECURID</ins></<ins class="diffchange diffchange-inline">code</ins>> principals to enable SecurID for a given principal. If this is done, then the KDC will call into the <ins class="diffchange diffchange-inline">SecurID</ins> SDK and request authentication from the user.</div></td>
</tr>
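Review bot: wrapping <i>principal/</i>SECURID in <code> fixes the bogus <t> element on the left-hand side, but the sentence still does not say what the KDC does when the SDK call fails or the SecurID server cannot be reached; since this paragraph is meant for the administrator's guide, one sentence on that failure behaviour would help.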
</table>
TomYu

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3625&oldid=prev
SamHartman: Projects/SecureID SAM Support moved to Projects/SecurID SAM support: product name incorrect
2010-09-01T19:53:41Z
<p><a href="/wiki/Projects/SecureID_SAM_Support" class="mw-redirect" title="Projects/SecureID SAM Support">Projects/SecureID SAM Support</a> moved to <a href="/wiki/Projects/SecurID_SAM_support" title="Projects/SecurID SAM support">Projects/SecurID SAM support</a>: product name incorrect</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<tr style='vertical-align: top;' lang='en'>
<td colspan='1' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black; text-align: center;">Revision as of 19:53, 1 September 2010</td>
</tr><tr><td colspan='2' style='text-align: center;' lang='en'><div class="mw-diff-empty">(No difference)</div>
</td></tr></table>
SamHartman

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3624&oldid=prev
SamHartman: Secure ID->securID; add deployment info
2010-09-01T19:52:00Z
<p>Secure ID->securID; add deployment info</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:52, 1 September 2010</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{project-review | 31 August 2010}}</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{project-review | 31 August 2010}}</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>''The RSA <del class="diffchange diffchange-inline">Secure ID</del> SAM'' project proposes to add support for using [http://www.rsa.com/node.aspx?id=1156 <del class="diffchange diffchange-inline">Secure ID</del>] with [http://tools.ietf.org/id/draft-ietf-krb-wg-kerberos-sam Single Use Authentication Mechanism] Kerberos pre-authentication.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>''The RSA <ins class="diffchange diffchange-inline">SecurID</ins> SAM'' project proposes to add support for using [http://www.rsa.com/node.aspx?id=1156 <ins class="diffchange diffchange-inline">SecurID</ins>] with [http://tools.ietf.org/id/draft-ietf-krb-wg-kerberos-sam Single Use Authentication Mechanism] Kerberos pre-authentication.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This is a backward compatibility project for sites with deployed code.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This is a backward compatibility project for sites with deployed code.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>==Relation to FAST and OTP Preauth ==</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>==Relation to FAST and OTP Preauth ==</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{idref|draft-ietf-krb-wg-otp-preauth}} describes a mechanism for using [[Projects/FAST|FAST]] with one-time password tokens such as RSA SecureID. </div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{idref|draft-ietf-krb-wg-otp-preauth}} describes a mechanism for using [[Projects/FAST|FAST]] with one-time password tokens such as RSA SecureID. </div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The SAM approach is a much older solution to that problem that does not depend on FAST. The FAST/OTP approach has a number of benefits over SAM. For tokens such as <del class="diffchange diffchange-inline">Secure ID</del>, the strength of the reply key is limited to the user's long-term password. So if an attacker observes an authentication and the user has a weak long-term password, then the attacker can recover the resulting ticket. FAST addresses this weakness by using an armor key. The checksum of the SAM challenge provides the attacker with plaintext encrypted in the user's long-term password. So as originally specified, SAM is incompatible with today's recommended practice of not sending text encrypted in the long-term secret before the client has proven knowledge of that secret. It may be possible to combine SAM with encrypted timestap.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The SAM approach is a much older solution to that problem that does not depend on FAST. The FAST/OTP approach has a number of benefits over SAM. For tokens such as <ins class="diffchange diffchange-inline">SecurID</ins>, the strength of the reply key is limited to the user's long-term password. So if an attacker observes an authentication and the user has a weak long-term password, then the attacker can recover the resulting ticket. FAST addresses this weakness by using an armor key. The checksum of the SAM challenge provides the attacker with plaintext encrypted in the user's long-term password. So as originally specified, SAM is incompatible with today's recommended practice of not sending text encrypted in the long-term secret before the client has proven knowledge of that secret. It may be possible to combine SAM with encrypted timestap.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Nothing stops SAM from being used in conjunction with FAST. If SAM is used with FAST, the SAM messages will not be bound to the FAST armor key. An attacker could capture messages from a non-FAST SAM exchange and include them in a FAST SAM exchange. Doing so does not appear to give the attacker any advantage. If SAM is used with FAST, then the user's long-term password is protected. However the weakness where an attacker could gain access to ciphertext encrypted in the user's password still exists.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Nothing stops SAM from being used in conjunction with FAST. If SAM is used with FAST, the SAM messages will not be bound to the FAST armor key. An attacker could capture messages from a non-FAST SAM exchange and include them in a FAST SAM exchange. Doing so does not appear to give the attacker any advantage. If SAM is used with FAST, then the user's long-term password is protected. However the weakness where an attacker could gain access to ciphertext encrypted in the user's password still exists.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Relation to PA-SAM-CHALLENGE ==</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Relation to PA-SAM-CHALLENGE ==</div></td>
</tr>
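Review bot: the spelling fix in this hunk leaves "timestap" in the last sentence of the FAST/OTP paragraph unchanged on both sides; it should read "timestamp" (encrypted timestamp pre-authentication). The unchanged context line just above it also still says "RSA SecureID", which this revision's summary ("Secure ID->securID") set out to correct.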
<tr>
<td colspan="2" class="diff-lineno">Line 10:</td>
<td colspan="2" class="diff-lineno">Line 10:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Proposed Work ==</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Proposed Work ==</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>MIT has been using patches that implement the following functionality:</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>MIT has been using patches that implement the following functionality:</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* SAM-2 for <del class="diffchange diffchange-inline">Secure ID</del> and Cryptocard</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* SAM-2 for <ins class="diffchange diffchange-inline">SecurID</ins> and Cryptocard</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* support for {{idref|draft-ietf-krb-wg-hw-auth}}</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* support for {{idref|draft-ietf-krb-wg-hw-auth}}</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Support for allowing a KDC to drop a packet if this KDC is not the right KDC to talk to an SecureID server.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Support for allowing a KDC to drop a packet if this KDC is not the right KDC to talk to an SecureID server.</div></td>
</tr>
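Review bot: the "Secure ID" to "SecurID" rename is applied to the SAM-2 bullet but not to the unchanged bullet two lines below, which still reads "an SecureID server"; it should be "a SecurID server" to match the rest of this revision.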
<tr>
<td colspan="2" class="diff-lineno">Line 30:</td>
<td colspan="2" class="diff-lineno">Line 30:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Discussion===</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Discussion===</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>== Deployment ==</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This text should make its way into the administrator's guide.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In order to deploy this mechanism, Kerberos needs to be compiled against the SecurID SDK. The SDK needs to be placed in the library and include path such that configure will find it. Then an administrator creates <t><i>principal/</i>securid</t> principals to enable SecurID for a given principal. If this is done, then the KDC will call into the SecureID SDK and request authentication from the user.</div></td>
</tr>
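Review bot: the added Deployment paragraph marks up the principal name with <t>...</t>, which is neither a wikitext nor an HTML element and will be rendered literally; <code> is the usual markup for a principal name. The same paragraph also writes "SecureID SDK" where the rest of this revision standardizes on "SecurID".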
</table>
SamHartman

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3600&oldid=prev
Ghudson: /* Approvals */
2010-08-24T00:07:09Z
<p><span dir="auto"><span class="autocomment">Approvals</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:07, 24 August 2010</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 27:</td>
<td colspan="2" class="diff-lineno">Line 27:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Approvals===</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Approvals===</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>#[[User:Ghudson|Ghudson]] 00:07, 24 August 2010 (UTC)</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Discussion===</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Discussion===</div></td>
</tr>
</table>
Ghudson

https://k5wiki.kerberos.org/wiki?title=Projects/SecurID_SAM_support&diff=3599&oldid=prev
SamHartman: new project
2010-08-23T20:21:17Z
<p>new project</p>
<p><b>New page</b></p><div>{{project-review | 31 August 2010}}<br />
''The RSA Secure ID SAM'' project proposes to add support for using [http://www.rsa.com/node.aspx?id=1156 Secure ID] with [http://tools.ietf.org/id/draft-ietf-krb-wg-kerberos-sam Single Use Authentication Mechanism] Kerberos pre-authentication.<br />
This is a backward compatibility project for sites with deployed code.<br />
==Relation to FAST and OTP Preauth ==<br />
{{idref|draft-ietf-krb-wg-otp-preauth}} describes a mechanism for using [[Projects/FAST|FAST]] with one-time password tokens such as RSA SecureID. <br />
The SAM approach is a much older solution to that problem that does not depend on FAST. The FAST/OTP approach has a number of benefits over SAM. For tokens such as Secure ID, the strength of the reply key is limited to the user's long-term password. So if an attacker observes an authentication and the user has a weak long-term password, then the attacker can recover the resulting ticket. FAST addresses this weakness by using an armor key. The checksum of the SAM challenge provides the attacker with plaintext encrypted in the user's long-term password. So as originally specified, SAM is incompatible with today's recommended practice of not sending text encrypted in the long-term secret before the client has proven knowledge of that secret. It may be possible to combine SAM with encrypted timestap.<br />
Nothing stops SAM from being used in conjunction with FAST. If SAM is used with FAST, the SAM messages will not be bound to the FAST armor key. An attacker could capture messages from a non-FAST SAM exchange and include them in a FAST SAM exchange. Doing so does not appear to give the attacker any advantage. If SAM is used with FAST, then the user's long-term password is protected. However the weakness where an attacker could gain access to ciphertext encrypted in the user's password still exists.<br />
== Relation to PA-SAM-CHALLENGE ==<br />
This version of the SAM mechanism defines PA-SAM-CHALLENGE-2 and PA-SAM-RESPONSE-2. The MIT Kerberos client has supported this since 2002. The KDC contains support for some tokens with PA-SAM-CHALLENGE and no support for PA-SAM-CHALLENGE-2.<br />
== Proposed Work ==<br />
MIT has been using patches that implement the following functionality:<br />
* SAM-2 for Secure ID and Cryptocard<br />
* support for {{idref|draft-ietf-krb-wg-hw-auth}}<br />
* Support for allowing a KDC to drop a packet if this KDC is not the right KDC to talk to an SecureID server.<br />
* Support for the PA-RETURN-AS-REP pre-authentication item<br />
This project will forward port the following:<br />
* Support for PA-SAM-CHALLENGE-2 SecureID<br />
* Support for KDCs dropping packets<br />
The other items will not be forward ported. In addition, support for PA-SAM-CHALLENGE will be removed from the client and KDC.<br />
==Review==<br />
<br />
This section documents the review of the project according to [[Project policy]].<br />
It is divided into multiple sections. First, approvals should be listed. To list an approval type<br />
:<nowiki>#~~~~</nowiki><br />
(hash mark followed by four tilde characters) on its own line.<br />
The next section is for summarizing discussion, which should take place on krbdev@mit.edu. Provide links to the archive at http://mailman.mit.edu/pipermail/krbdev/ if appropriate. Blocking objections can be noted with <nowiki>{{project-block}}</nowiki>.<br />
<br />
===Approvals===<br />
<br />
===Discussion===</div>
SamHartman