CryptoCard lightens security burden

The weakest link in any security system is generally the people. Employees may tape passwords to monitors or leave their laptops behind on an airplane, and administrators may neglect to update passwords or disable network access for stolen devices.

As long as people are involved, there is no foolproof security system. But CryptoCard Corp.'s Secure Password Technology offers a low-cost and relatively easy way to lighten the security burden on both administrators and end users.

CryptoCard's token-based security system is as easy for end users to employ as an automated teller machine card. And in fact one of its options is to use ATM-like smart cards as the CryptoCard token. Insert the smart card into the smart card reader, enter your personal identification number when prompted and you're in. CryptoCard's PC Card works in a similar way.

But CryptoCard offers other options for accessing the system. Assuming the client software has been installed on a computer, you can employ a hardware authentication token using a keypad for entering PIN information. Alternatively, a key chain device can be used to generate a one-time password for accessing the system. To get one, simply press the button on the token and then enter your PIN for authentication by the CryptoCard server.

These hardware tokens and the smart cards all allow users to access the network from any computer. Of course, if you were using a smart card or a PC Card, the appropriate readers would have to be attached to the computer.

A final option is the software token. Especially useful for personal digital assistants, software tokens can also be used on desktop computers. The one major limitation is that users can access the system only from specific computers they are authorized to use.

The biggest advantage of the CryptoCard system over other token-based systems is that no user passwords are actually transmitted over the network. Instead, the user's PIN activates communication between the local client and the authentication server without passwords ever being transmitted — and potentially stolen during transit — to the server.

That also means end users aren't burdened with the need to frequently change passwords. By default, three failed attempts to enter the correct PIN will result in the token being deactivated and made unusable, but this number can be changed by the administrator.

We also liked that the CryptoCard system can be integrated with other resources. Available software allows CryptoCard to be used for controlling access not only to local-area networks, but also to virtual private networks (Cisco Systems Inc., CheckPoint Software Technologies Ltd., Nortel Networks Ltd. and NetScreen Technologies Inc. VPNs) and Web servers (Microsoft Corp.'s Internet Information Server, Apache Software Foundation's Apache Server, Sun Microsystems Inc.'s Open Network Environment, Citrix Systems Inc.'s NFuse and Active Server Pages/Java Server Pages-based servers). You can even use smart card tokens with other security systems to control access to door locks and other security devices.

We found CryptoCard's administrative module a bit tricky to set up, mostly due to sketchy documentation. But once installed, the module was easy to use. Administrators will find a simple, drag-and-drop interface for managing and tracking token distribution, and the module also allows you to group users, thus making it easier to implement access-based security policies.

If you don't have a Remote Authentication Dial-In User Service server installed, you can use the bundled easyRADIUS Server Module. If you're already using Cisco's Secure Access Control Server, Funk Software Inc.'s Steel Belted RADIUS or Microsoft's Internet Authentication Service, CryptoCard will simply integrate with your existing RADIUS server.