Goodbye, Cryptocards. Hello, RSA tokens

Fermilab will soon move from the use of Cryptocards to RSA tokens for secure remote access to Fermilab systems. Photo: Ocrho, own work. Licensed under public domain via Wikimedia Commons.

Many people need to log in remotely to Fermilab computing systems. Unfortunately, the most common way hackers steal passwords is to capture them as they traverse the network when a user logs in remotely. Consequently, one of our most important cybersecurity tasks is to prevent inadvertent disclosure of passwords.

Our primary tool in accomplishing this objective is the use of Kerberos. With this method, you first log in to a local Kerberos client installed on your desktop or laptop. Next, a Kerberos ticket is granted to you. Finally, your ticket, instead of your password, travels over the network, and your ticket is presented to allow you to log in to the remote Fermilab computer. Kerberos therefore substantially reduces any risk of password exposure.

Of course, sometimes you may need to log in to a Fermilab computer from a device that does not have a Kerberos client installed, such as a tablet. Until Oct. 11, you would have used a Cryptocard to generate a single-use password for this purpose. With the upgrade of the laboratory’s Kerberos systems, Cryptocards will no longer work. (The customized software supporting the Cryptocards cannot be integrated with the latest versions of Kerberos.) Instead, we will move to using RSA tokens, a modern, industry-standard solution. These tokens generate a single-use password for remote log-ins and, like Cryptocards, minimize the risks of password disclosure. RSA tokens are also a form of the two-factor authentication that I wrote about in February.

If you use a Cryptocard or if you need to access lab computers remotely from a device that does not have a local Kerberos client available, please read this article for important information about what you need to do.

Irwin Gaines