
Symantec™ Security Gateways Reference Guide - Sawmill


Controlling user access

Authentication

Bellcore S/Key runs the password and seed value through the hash function a predetermined number of times for the first logon, then the original value less 1 for the second logon, and so forth until the number reaches 1. At this point, the seed value must be reset.

To connect to the security gateway, Bellcore S/Key users must provide the correct password and seed value to a local Bellcore S/Key password generator. Upon supplying them, the Bellcore S/Key software on the user's client system generates a one-time password in the form of six short words.

The user enters this string when prompted by the security gateway. With each subsequent connection, the Bellcore S/Key software generates a new password string and decrements the user's iteration count. When the user's count decrements to zero, no further connections are permitted.

Each password is unique and cannot be predicted from any password with a higher numbered iteration. However, Bellcore S/Key passwords can be predicted from a lower numbered iteration. If a user enters a password, seed value and an iteration count of 78, all passwords numbered 79 and above are generated using the hash function.

Warning: There is a possible Trojan horse attack available with Bellcore S/Key. A user can be tricked into entering a password numbered a few iterations ahead of the current number. For example, if the end user was supposed to be on iteration 74 but gets prompted by a hacker for iteration 73, the hacker can generate 74. Users should be aware of this possible attack. If they are asked to authenticate with Bellcore S/Key and enter an iteration number, and then try again and enter a higher number, they should contact the security gateway administrator immediately.

Configuration information for Bellcore S/Key authentication is found in your product's administrator's guide.

Entrust authentication

The security gateway supports the use of Entrust certificates to authenticate Symantec Client VPNs. The Entrust authentication method requires a configuration setup, both on the client and the security gateway. You must define an Entrust user at the security gateway to log on to the Entrust Server and an Entrust user for each Symantec Client VPN that needs to authenticate.

An Entrust user is defined by the following:

■ An initialization file (*.ini)
■ A client profile (*.epf)
■ A client password

The client profile is a file containing the various Entrust certificates for the user. The client password is used to encrypt the private certificates within the profile. The initialization file, client profile, and client password are used by the user to log on to the Entrust Server and use its API to encrypt, decrypt, and sign messages.

Configuration information for Entrust certificate authentication on the Symantec Client VPN is found in the Symantec Client VPN User's Guide. Configuration information for Entrust certificate authentication on the security gateway is found in your product's administrator's guide.

Gateway password authentication

Gateway password authentication is a multi-use password maintained within the security gateway database for each gateway user. Users and their passwords are entered and maintained by the administrator. Gateway password authentication is a weak form of authentication: both the challenge and the response are passed as clear text.

Configuration information for gateway password authentication is found in your product's administrator's guide.
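The following is an added worked example of the Bellcore S/Key hash-chain mechanism described in the Authentication section above; it is illustrative code written for this page, not Symantec's or Bellcore's implementation. It assumes SHA-256 in place of S/Key's MD4-based folding hash and six-word encoding (the chain structure is what matters), a gateway-side verifier that stores only the top of the chain and the iteration it expects next, and a client that keeps its own iteration counter so that the lower-numbered prompt the warning describes is refused rather than answered. All names (`otp`, `forward`, `SKeyVerifier`, `SKeyClient`) and the sample password and seed are constructed for the example.

```python
import hashlib


def skey_hash(value: bytes) -> bytes:
    """One step of the hash chain.
    Assumption: SHA-256 stands in for S/Key's MD4-based 64-bit folding hash
    and its six-word encoding; only the chain structure is modelled here."""
    return hashlib.sha256(value).digest()


def otp(password: str, seed: str, iteration: int) -> bytes:
    """Password number `iteration`: password+seed hashed `iteration` times."""
    value = (password + seed).encode()
    for _ in range(iteration):
        value = skey_hash(value)
    return value


def forward(password_value: bytes, steps: int) -> bytes:
    """Derive a higher-numbered password from a lower-numbered one by re-hashing.
    This is the property the guide states: knowing password 78 yields 79, 80, ...
    Going the other way (78 from 79) would require inverting the hash."""
    for _ in range(steps):
        password_value = skey_hash(password_value)
    return password_value


class SKeyVerifier:
    """Gateway side. Holds only the last accepted password (initially the top of
    the chain, one step above the first password the user will present) and the
    iteration it will prompt for next. The password and seed are never stored."""

    def __init__(self, top_of_chain: bytes, iterations: int):
        self.last = top_of_chain
        self.expected = iterations          # first logon uses the full count

    def verify(self, candidate: bytes) -> bool:
        if self.expected < 1:
            return False                    # chain exhausted: seed must be reset
        if skey_hash(candidate) != self.last:
            return False                    # wrong password, or a replay of an old one
        self.last = candidate               # move one step down the chain
        self.expected -= 1
        return True


class SKeyClient:
    """User side (the local password generator). Keeps its own iteration
    counter; a prompt for any number other than the one it expects, such as
    the lower number in the guide's Trojan-horse example, is not answered."""

    def __init__(self, password: str, seed: str, iterations: int):
        self.password, self.seed = password, seed
        self.next_iteration = iterations

    def enroll(self) -> bytes:
        """Value registered with the gateway: one hash above the first password."""
        return otp(self.password, self.seed, self.next_iteration + 1)

    def respond(self, prompted_iteration: int):
        if prompted_iteration != self.next_iteration:
            return None                     # out of sync: escalate to the administrator
        value = otp(self.password, self.seed, prompted_iteration)
        self.next_iteration -= 1
        return value


if __name__ == "__main__":
    # Constructed sample credentials; three logons, then the chain is exhausted.
    client = SKeyClient("correct horse", "gw01", 3)
    gateway = SKeyVerifier(client.enroll(), 3)
    for _ in range(3):
        print("logon accepted:", gateway.verify(client.respond(gateway.expected)))
    print("remaining iterations:", gateway.expected)
```

The verifier check is a single hash comparison, which is why the gateway never needs the password: each accepted password becomes the value the next one must hash to. The client-side refusal in `respond` is a strict policy (any mismatch is treated as a synchronisation problem to escalate), chosen here to match the guide's advice to contact the administrator when the prompted iteration number changes unexpectedly.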
