Local ‘challenge-response’ user authentication – Nortel Networks OPTera Metro 3500 User Manual

Operation, administration, and maintenance (OAM) features 2-123

Planning and Ordering Guide—Part 1 of 2 NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004

Local ‘challenge-response’ user authentication

When logging in locally with ‘challenge-response’ as the specified domain,
users will be given a challenge for which they must provide a response.

Challenge / Response addresses many security issues associated with sending
authentication information over unsecured links:

When a user attempts to authenticate, they are presented with a challenge.
This challenge is changed at each login attempt, regardless of whether it is
successful or not.

A local shared secret is used to calculate a response for a given challenge.
This local shared secret is never transmitted as part of the authentication
process.

Note: Only users with administrative access (default ADMIN, UPC 4) can
provision the challenge-response local shared secret. Changing the local
shared secret requires knowledge of the current local shared secret.

A response calculator (in the Login application of Site Manager) is used to
generate a response for a given challenge using the local shared secret. The
network element uses the same shared secret to validate if the response is
correct for the given challenge.

If an intruder is able to capture challenge and response pairings, these
pairings cannot be replayed to gain access to the equipment, because each
challenge is issued for a single login attempt and is never reused. The
intruder may instead collect a number of challenge/response pairings and
search for the shared secret offline, testing candidate secrets against the
captured pairings. The strength of this protection therefore rests entirely
on the secret: for a properly chosen (long, random) shared secret this search
is computationally infeasible at the present time.

The challenge generator and response validator will be present on the network
processor and shelf processor. The local shared secret is provisioned on each
network processor and shelf processor. The provisioned local shared secret is
stored locally on each network processor and shelf processor in such a way that
it is not visible in clear text.

Note 1: The challenge-response login mechanism is always available to
the user.

Note 2: If a challenge-response login is successful, the UPC level granted
to the user is derived from the level encoded into the response from the
response calculator (found in the Login application of Site Manager).
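The exchange described above, as an added illustration that is not Nortel's code: the page does not specify the OPTera Metro response-calculator algorithm, so this example assumes HMAC-SHA256 as the keyed function, a random 128-bit challenge, and a response format "<level>-<truncated digest>" in which the requested UPC level is bound into the keyed computation, so the level the network element derives from the response (Note 2) cannot be altered without the shared secret. The names `compute_response`, `NetworkElement`, `login`, `replay_is_rejected` and `brute_force_secret` are hypothetical. It walks through one successful login, shows that a captured pairing fails when replayed against the next challenge, shows that editing the level in a captured response fails, and runs the offline brute-force search from the paragraph above against a deliberately weak two-digit secret.

```python
"""Challenge-response login as described on this page (illustration only).

Assumptions, not taken from the manual: HMAC-SHA256 as the keyed function,
a random 128-bit challenge, and the UPC level prefixed in clear to a
truncated digest that was computed over "<level>:<challenge>".
"""
import hashlib
import hmac
import itertools
import secrets


def compute_response(shared_secret: str, challenge: str, upc_level: int) -> str:
    """Response calculator (the role of the Site Manager Login application).

    The shared secret never leaves this function; only the response is sent.
    The level is part of the keyed message, so changing it invalidates the digest.
    """
    message = f"{upc_level}:{challenge}".encode()
    digest = hmac.new(shared_secret.encode(), message, hashlib.sha256).hexdigest()
    return f"{upc_level}-{digest[:32]}"


class NetworkElement:
    """Challenge generator and response validator (shelf/network processor role)."""

    def __init__(self, shared_secret: str):
        # The real NE stores the secret so it is not visible in clear text;
        # it is kept in memory here only so the validator can recompute responses.
        self._secret = shared_secret
        self._pending = None  # challenge outstanding for the current attempt

    def new_challenge(self) -> str:
        """Issue a fresh challenge for every attempt, successful or not."""
        self._pending = secrets.token_hex(16)
        return self._pending

    def validate(self, response: str):
        """Return the granted UPC level, or None if the login fails.

        The pending challenge is consumed whether or not validation succeeds,
        so a captured response can never be replayed against it.
        """
        challenge, self._pending = self._pending, None
        if challenge is None:
            return None
        try:
            level_str, _ = response.split("-", 1)
            level = int(level_str)
        except ValueError:
            return None
        expected = compute_response(self._secret, challenge, level)
        if hmac.compare_digest(expected.encode(), response.encode()):
            return level
        return None


def login(ne: NetworkElement, secret: str, level: int):
    """One complete exchange: NE challenges, user answers, NE validates."""
    challenge = ne.new_challenge()
    return ne.validate(compute_response(secret, challenge, level))


def replay_is_rejected(ne: NetworkElement, secret: str, level: int) -> bool:
    """A pairing captured on one attempt must fail on the next attempt."""
    challenge = ne.new_challenge()
    captured = compute_response(secret, challenge, level)
    if ne.validate(captured) != level:  # the genuine use of the pairing works
        return False
    ne.new_challenge()  # the NE moves on to a new challenge
    return ne.validate(captured) is None


def brute_force_secret(challenge: str, response: str, level: int,
                       alphabet: str, max_len: int):
    """Offline attack on a captured pairing: try every candidate secret.

    Feasible only for a tiny secret space; a long random secret makes the
    search computationally infeasible, which is the page's point.
    """
    for n in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=n):
            cand = "".join(candidate)
            if compute_response(cand, challenge, level) == response:
                return cand
    return None


if __name__ == "__main__":
    ne = NetworkElement("correct horse battery staple")
    print("login with correct secret ->", login(ne, "correct horse battery staple", 4))
    print("login with wrong secret   ->", login(ne, "wrong secret", 4))
    print("replay rejected           ->", replay_is_rejected(ne, "correct horse battery staple", 3))
    weak = NetworkElement("42")
    c = weak.new_challenge()
    print("weak secret recovered     ->", brute_force_secret(c, compute_response("42", c, 4), 4, "0123456789", 3))
```

The brute-force function is the attack the text calls infeasible for properly chosen secrets: against the two-digit secret it finishes after at most 1,110 HMAC computations, while against a long random secret the same loop would not complete in any useful time. Note also that the validator consumes the pending challenge on a failed attempt, not only on success, matching the page's statement that the challenge changes at every login attempt.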

Note 3: It is very important to note that an NP will still Save & Restore all
provisioning information for every node provisioned in its SOC.
