Callback systems, Centralised security, Multiple passwords – Nokia 9290 User Manual

Page 7 (9)

Nokia 9290 Communicator

Nokia Mobile Phones

Security White Paper

Copyright Nokia Corporation 2001-2002. All rights reserved.

PAP works basically in the same way as the normal login procedure. The client authenticates itself by sending a user
name and a password to the server, which the server then compares to its database.

With CHAP, the server sends a randomly generated challenge string to the client. The client combines this with its
password and a one-way hash function; it then returns the result to the server. The server does the same computation
and will then grant access if the client-supplied response matches that generated by the server. CHAP also sends
challenges at regular intervals to ensure that an intruder has not replaced the client.
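The PAP and CHAP exchanges described above, as an added example that is not part of the Nokia white paper. It implements CHAP with MD5 as specified in RFC 1994 (Response = MD5(Identifier || secret || Challenge)) for both the client and the server side, next to the plain PAP comparison, and shows why the periodic re-challenge matters: a response captured from one exchange does not satisfy a later challenge. The user database and the secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample user database (name -> shared secret); not from the white paper.
USER_DB = {b"alice": b"correct horse battery staple"}


def pap_check(user_db, name, password):
    """PAP: the client sends name and password as they are; the server compares
    them against its database (constant-time compare to avoid timing leaks)."""
    stored = user_db.get(name)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link, only this hash."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, user_db):
        self.user_db = user_db
        self.identifier = 0
        self.outstanding = {}  # name -> (identifier, challenge) awaiting a response

    def new_challenge(self, name):
        """Issue a fresh random challenge; called at login and again at intervals."""
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(16)
        self.outstanding[name] = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, name, identifier, response):
        """Recompute the hash with the stored secret and compare with the response."""
        secret = self.user_db.get(name)
        pending = self.outstanding.pop(name, None)  # each challenge is single-use
        if secret is None or pending is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def answer(self, identifier, challenge):
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


def run_chap(server, client):
    """One challenge/response round; returns True if the server grants access."""
    identifier, challenge = server.new_challenge(client.name)
    name, ident, response = client.answer(identifier, challenge)
    return server.verify(name, ident, response)


def replay_is_rejected(server, client):
    """A response recorded from one exchange does not satisfy a later challenge,
    because every challenge is random and single-use."""
    identifier, challenge = server.new_challenge(client.name)
    name, ident, recorded = client.answer(identifier, challenge)
    server.verify(name, ident, recorded)               # legitimate login
    new_ident, _ = server.new_challenge(client.name)   # periodic re-challenge
    return not server.verify(name, new_ident, recorded)
```

The contrast worth noting is in what each side keeps: under PAP the server's database holds the password that the client transmits, while under CHAP the server must hold the secret in a form it can hash with, so the protection of the server's database becomes as important as the protection of the link.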

To enhance the security of PAP and CHAP, some other authentication methods are sometimes used when creating a
network connection. These methods may include, for example, one-time passwords (password generators, tokens, or
password lists). If the method works with normal PAP or CHAP, it can be used with the Nokia 9290 Communicator.
Other login schemes can be supported using a login script. Some of the alternatives are described below.

5.3.1 Callback systems

Some dial-up servers call the user back after the user has first called the dial-up server. The number to call back can
be stored on the server, and functions as an extra layer of authentication, as the attacker will have to use the phone
number of the real user. Callback can also be used for reverse billing, as the caller will usually pay for the connection.

The Nokia 9290 Communicator supports three PPP callback protocols: IETF type 0 (server-supplied callback phone
number) [RFC1570] and the Microsoft callback protocol in two different modes of operation (client-supplied and
server-supplied callback phone numbers).

Note that the incoming callback data call (from the dial-up server to the Communicator) is established as a normal
analog data call (9600). Support for the incoming callback data call depends on the GSM network and the dial-up
system.

5.3.2 Centralised Security

One alternative approach is centralised security, which involves having the terminal or communications server
authenticate a dial-in user's identity through a single central database, known as the authentication server. This
server stores all the necessary information about users, including their passwords and access privileges. The use of a
central location for authentication data allows a greater degree of security for sensitive information, a greater ease of
management, and a more scalable solution as the size of the network increases. Authentication servers can be
configured in a variety of ways, depending upon the organisation's preferred network security scheme. Common
schemes for centralised security are based on RADIUS [RFC 2138] and TACACS [RFC 1492].

RADIUS and TACACS are open IETF standards, which have been adopted by many organisations. The advantage of
these open standards is that they can be used between multiple vendors and shared among many products. Both
RADIUS and TACACS+ provide the ability to pass security data to a variety of databases. RADIUS, TACACS, and
TACACS+ can provide a single point of authentication and authorisation. Users can enter a single password and be
authenticated automatically into the remote access server, or even into multiple servers.
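The exchange between a communications server and a RADIUS authentication server, as an added example that is not part of the Nokia white paper. It follows RFC 2138 in Python: the Access-Request packet layout, the hiding of the User-Password attribute with MD5 and the shared secret, and the Response Authenticator on the Access-Accept or Access-Reject reply, which the requesting server checks before trusting the answer. The shared secret and the user database are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2138.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed sample values, not from the white paper.
SHARED_SECRET = b"nas-and-server-shared-secret"
USER_DB = {b"alice": b"dialup-pass"}


def hide_password(password, secret, request_auth):
    """RFC 2138 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the authentication server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, length = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, password):
    """Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet, secret, user_db):
    """Authentication server: reveal the password, check the database, answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = (code == ACCESS_REQUEST and name in user_db
          and hmac.compare_digest(user_db[name], password))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, b"", request_auth, secret))


def client_check_reply(reply, request, secret):
    """Communications server: accept the reply only if its Identifier matches and
    its authenticator verifies under the shared secret; otherwise return None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    request = build_access_request(7, secret, username, password)
    reply = server_handle(request, secret, user_db)
    return client_check_reply(reply, request, secret) == ACCESS_ACCEPT
```

The password hiding is keyed obfuscation under the shared secret rather than encryption, and the Access-Request itself carries no authenticator of its own, so in practice the strength of the shared secret and a trusted path between the communications server and the authentication server carry much of the weight of the scheme.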

5.3.3 Multiple Passwords

Multiple passwords can be used to make the authentication more secure. Different passwords can be used for dial-up
authentication and further access, such as mailboxes and Web pages.

5.3.4 Token-Based Security

Many of the most popular remote access security systems are based on a hardware token. As the token creates the
one-time passwords, any potential attacker needs to be in possession of such a token. Often there is also a PIN code
that must be entered in conjunction with the token.
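A server-side check of a token-generated one-time password combined with a PIN, as an added example that is not part of the Nokia white paper. The hardware tokens of the period used vendor-specific algorithms; this example assumes an HMAC-based counter token as later standardised in RFC 4226 (HOTP), so it generalises the text's description rather than reproducing any particular product. The user record, PIN and token secret are constructed sample values; the secret is the RFC 4226 test-vector key, so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Checks PIN + one-time password; the token and the server share the secret
    and keep a counter that only moves forward."""

    def __init__(self, user_db, look_ahead=5):
        self.user_db = user_db      # name -> {"secret", "pin", "counter"}
        self.look_ahead = look_ahead  # tolerance for codes generated but never submitted

    def verify(self, name, passcode):
        record = self.user_db.get(name)
        if record is None:
            return False
        pin_len = len(record["pin"])
        pin, otp = passcode[:pin_len], passcode[pin_len:]
        if not hmac.compare_digest(pin, record["pin"]):
            return False  # something you know is wrong; do not touch the counter
        start = record["counter"]
        for candidate in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(record["secret"], candidate), otp):
                # Advance past the accepted code so it, and any earlier code, is
                # never accepted again; this is what makes the password one-time.
                record["counter"] = candidate + 1
                return True
        return False


# Constructed sample user record; the secret is the RFC 4226 test-vector key.
USER_DB = {"bob": {"secret": b"12345678901234567890", "pin": "1234", "counter": 0}}
```

Two design points carry the security of the scheme: the PIN is checked before any token work is done, so a wrong PIN neither consumes nor advances the counter, and the counter moves strictly forward, so a passcode that was observed in transit is useless once it has been accepted once.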