From CERT Advisory CA-94:01, February 3, 1994

ONE-TIME PASSWORDS

Given today's networked environments, CERT recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CERT has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are used only once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability. The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

The S/KEY package is publicly available (no fee) via anonymous FTP from:

    thumper.bellcore.com    /pub/nmh directory

There are three subdirectories:

    skey    UNIX code and documents on S/KEY. Includes the change needed to
            login, and stand-alone commands (such as "key") that compute the
            one-time password for the user, given the secret password and the
            S/KEY command.

    dos     DOS or DOS/WINDOWS S/KEY programs. Includes a DOS version of "key"
            and "termkey", which is a TSR program.

    mac     One-time password calculation utility for the Mac.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountain View, CA 94043-5216 USA
Phone: 415-964-0707
Fax: (415) 961-7487
Products: handheld authentication calculators (SNK004)
          serial line authentication interruptors (Guardian)
Note: Secure Net Key (SNK) is DES-based, and therefore restricted from US export.

SecurID (complete turnkey systems)
Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312 USA
Phone: 617-547-7820
Fax: (617) 354-8836
Products: SecurID changing-number authentication card
          ACE server software
Note: SecurID is time-synchronized, using a 'proprietary' number generation algorithm.

WatchWord and WatchWord II
Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
Phone: 703-471-0892
       1-800-521-6261 ext 217
Products: WatchWord authentication calculator
          Encrypting modems
          Alpha-numeric keypad, digital signature capability

SafeWord
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
Phone: 510-827-5707
Fax: (510) 827-2593
Products: DES Silver card authentication calculator
          SafeWord Multisync card authentication calculator
Note: Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as other OS versions. Supports one-time passwords and super smartcards from several vendors.
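The S/KEY entry above describes a "key" command that turns the user's secret password plus the host's S/KEY challenge into a one-time password. The following is an added illustration (not code from the advisory or from the S/KEY package) of the hash-chain scheme behind that exchange: the host keeps only the top of a hash chain, each login reveals the link below it, and a sniffed value cannot be replayed or used to derive the next one. It assumes SHA-256 in place of S/KEY's MD4-with-folding and omits the six-word encoding; all names are illustrative.

```python
import hashlib

# Added illustration of the hash-chain (Lamport) one-time password scheme that
# S/KEY implements. ASSUMPTION: SHA-256 stands in for S/KEY's MD4 with 64-bit
# folding, and the six-word encoding is omitted; class and function names are
# illustrative, not the S/KEY package's own.

def chain_step(value: bytes) -> bytes:
    """One link of the hash chain."""
    return hashlib.sha256(value).digest()

def compute_otp(secret: str, seed: str, count: int) -> bytes:
    """Client side (the role of the 'key' command): hash seed+secret 'count'
    times. The secret password itself never crosses the network."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = chain_step(value)
    return value

class OtpHost:
    """Host side: stores only h^n(seed+secret), the current top of the chain,
    so a copy of the host's password file yields no usable password."""

    def __init__(self, secret: str, seed: str, n: int) -> None:
        self.seed = seed
        self.n = n
        self.stored = compute_otp(secret, seed, n)

    def challenge(self) -> tuple:
        """The 'S/KEY command' shown to the user: sequence number and seed."""
        if self.n <= 1:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        return (self.n - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        """Accept only h^(n-1). A sniffed response is exactly h^(n-1); the next
        login needs h^(n-2), which cannot be derived from it, so replay fails."""
        if self.n <= 1 or chain_step(response) != self.stored:
            return False
        self.stored = response  # the chain moves down one link
        self.n -= 1
        return True

def login_session(host: OtpHost, secret: str) -> bool:
    """Full exchange: host challenges, client computes, host verifies."""
    count, seed = host.challenge()
    return host.verify(compute_otp(secret, seed, count))
```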