FireWall-1 FAQ: One-Time Password Schemes vs. Static Passwords
Please note: This content is from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason, people still have links to this content on the Internet, and people are still clicking on them.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
OS and VPN-1/FireWall-1 password authentication use a single, static password for every login. Since most networks are subject to eavesdropping or packet tracing, an attacker can easily pull the login information off the wire and then “pretend” to be you simply by replaying your username and password, which never change.
One-time password (OTP) and challenge/response schemes require a different password each time the user authenticates. Even if the network is subject to packet tracing and an attacker can see the entire challenge/response exchange, nothing is divulged that can be replayed to impersonate that user. One-time password schemes combine a secret key with a cryptographic hash function; as long as the secret key is not divulged (and is not easy to guess), the scheme is not compromised.
There are three one-time password schemes supported by FireWall-1: SecurID, Axent Pathways Defender, and S/Key.
SecurID
SecurID is by far the most popular one-time password scheme used with FireWall-1. It uses a hardware token that displays a value which changes every minute. Newer cards also accept a PIN on a keypad, which is combined with the displayed value. The card is synchronized with an ACE server that validates each authentication attempt. As long as you do not lose the card (and do not disclose your PIN), your authentication remains secure.
When you are prompted for authentication, you will be given a “passcode” prompt. If your SecurID card has a keypad, you type your PIN into the card, push the diamond key, and then type the 6-digit number shown on the card at the passcode prompt. If your SecurID card does not accept a PIN, you type your PIN followed by the 6-digit number currently displayed on the card at the passcode prompt. Because the SecurID card and the ACE server are in sync, the ACE server knows what the card should read at any given moment.
Using SecurID involves purchasing both the ACE Server (which runs on Unix or NT workstations) and SecurID keys.
Axent Pathways Defender
Axent Pathways Defender is also a hardware token-based solution. Instead of a value that changes on its own like SecurID, the hardware key has a numeric keypad into which you punch a challenge and a user-definable PIN to obtain a response. The hardware key is programmed with an ID that is also specified on the Defender Authentication Server. This key is tied to a specific login ID and cannot be used with anyone else’s login ID. When you log in, you are prompted with a “challenge” (a number). You punch this number, along with your PIN, into the hardware key. This generates your “response”, which you then type back to the computer.
Axent Pathways Defender requires the purchase of the hardware keys and special server software. Native support for this authentication scheme was removed in NG FP2 and later (and was never provided on IPSO), but you can still interface with the Defender server via RADIUS.
S/Key
S/Key is a challenge/response system built on the MD4 or MD5 cryptographic hash function. It uses three values: a password number (sequence number), a seed value (usually the same as the username), and a secret key. The password number and the seed are transmitted in the clear as the challenge. The user types the challenge, together with the secret key, into an S/Key generator that resides on the user’s local system. The generator derives the response for password number n by hashing the seed and secret key n times; the user types that response in to authenticate.
Given the challenge and the response, it is computationally infeasible to determine what future responses will be without knowing the secret key used to generate the S/Key chain: each response is the hash of the next one, so an eavesdropper can hash a captured response to reproduce passwords that have already been spent, but cannot invert the hash to obtain the next one. However, if you pick an easily-guessable secret key, an attacker can simply try candidate keys offline against a captured challenge/response pair until one matches, and your login is easily compromised. It is important that you pick a hard-to-guess secret key.
S/Key support is no longer available as of NG AI R54.
When you logon and use S/Key, you are given a challenge like:
SKEY CHALLENGE: 98 username
The number is the password number, which decrements after each successful login. The seed (in this case “username”) always stays the same. You type this information into an S/Key generator along with your secret key; the generator produces a one-time password, which you then use as the response.
Unix:
$ key 98 username
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: { Your password is not echoed as it is typed }
SNOW SON TECH FARM DOME BEG
Windows:
[Screenshot faq0105.gif: a graphical S/Key calculator for Windows, which takes the same challenge and secret key and displays the one-time password. Image not reproduced.]
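The following Python is an added example, not code from the original FAQ and not Check Point's or the S/Key project's own implementation. It implements the hash chain described above in the RFC 2289 form with MD5 (the page mentions MD4 or MD5; MD4 is missing from many modern hashlib builds), together with a minimal server-side verifier that stores only the last accepted password and never the secret. The secret key, the seed “username” and the starting password number 99 are constructed for illustration; the seed is lowercased before hashing and concatenated in front of the secret, as in the reference S/Key implementations. The six-word form shown in the transcript maps 64 bits plus a 2-bit checksum onto the RFC 1760 dictionary, which is not embedded here; the `hex:` output form of RFC 2289 is produced instead. Compare the output against the RFC 2289 Appendix C test vectors before trusting any reimplementation.

```python
"""S/Key style one-time passwords (RFC 2289 construction, MD5) with a verifier.

Example code added to illustrate the FAQ text; nothing here is Check Point code.
"""
import hashlib

HASH = "md5"  # MD4 is the original S/Key hash but is absent from many hashlib builds


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(value: bytes) -> bytes:
    """One link of the chain: hash the 8-byte value and fold the result again."""
    return fold(hashlib.new(HASH, value).digest())


def otp(secret: str, seed: str, count: int) -> bytes:
    """One-time password for the given password number.

    Password number 0 is the folded hash of lowercased seed || secret;
    every higher number is one more hash step.  The seed is case-insensitive,
    the secret is case-sensitive (RFC 2289).  ASCII input is assumed.
    """
    value = fold(hashlib.new(HASH, (seed.lower() + secret).encode()).digest())
    for _ in range(count):
        value = step(value)
    return value


def to_hex(value: bytes) -> str:
    """RFC 2289 'hex' output form: 16 hex digits in four groups of four."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_challenge(line: str) -> tuple[int, str]:
    """Parse a prompt of the form 'SKEY CHALLENGE: 98 username' (FAQ transcript format)."""
    _, _, rest = line.partition(":")
    count, seed = rest.split()
    return int(count), seed


class SKeyVerifier:
    """Server side.  Holds the last accepted password, never the user's secret."""

    def __init__(self, seed: str, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    @classmethod
    def enroll(cls, secret: str, seed: str, count: int = 99) -> "SKeyVerifier":
        # Enrollment is the only time the secret is handled; keep otp(count) only.
        return cls(seed, count, otp(secret, seed, count))

    def challenge(self) -> str:
        # The challenge asks for the next lower password number, sent in the clear.
        return f"SKEY CHALLENGE: {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff one more hash step on the response reproduces the stored value."""
        if self.count <= 0 or step(response) != self.last:
            return False
        self.count -= 1
        self.last = response  # now spent: replaying it fails, since step(x) != x
        return True


if __name__ == "__main__":
    # Constructed demo values: secret, seed and starting password number.
    SECRET, SEED = "correct horse battery", "username"
    server = SKeyVerifier.enroll(SECRET, SEED, count=99)
    prompt = server.challenge()                  # SKEY CHALLENGE: 98 username
    number, seed = parse_challenge(prompt)
    response = otp(SECRET, seed, number)         # computed on the user's own machine
    print(prompt, "->", "hex:" + to_hex(response))
    print("first use accepted:", server.verify(response))
    print("replay accepted:   ", server.verify(response))
    # An eavesdropper who saw the count-98 response can hash it to get the
    # already-spent count-99 value, but cannot derive count 97 from it.
    print("step(response) == otp(99):", step(response) == otp(SECRET, SEED, 99))
```

The verifier never stores the secret, so a compromised server only yields the current chain value, from which earlier (already spent) passwords can be derived but no future one. The offline-guessing caveat from the text applies unchanged: anyone holding a challenge/response pair can run `otp()` over a wordlist, so the strength of the secret is what limits that attack.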