Operation, administration, and maintenance (OAM) features 2-123

Local ‘challenge-response’ user authentication

When logging in locally with ‘challenge-response’ as the specified domain, users will be given a challenge for which they must provide a response.

Challenge/Response addresses many of the security issues associated with sending authentication information over unsecured links:

When a user attempts to authenticate, they are presented with a challenge. This challenge is changed at each login attempt, regardless of whether it is successful or not.

A local shared secret is used to calculate a response for a given challenge. This local shared secret is never transmitted as part of the authentication process.

Note: Only users with administrative access (default ADMIN, UPC 4) can provision the Challenge-Response local shared secret. Changing the local shared secret requires knowledge of the old local shared secret.

A response calculator (in the Login application of Site Manager) is used to generate a response for a given challenge using the local shared secret. The network element uses the same shared secret to validate whether the response is correct for the given challenge.

If an intruder is able to gather challenge and response pairings, these pairings cannot be replayed to gain access to the equipment. The intruder may collect a number of challenge/response pairings and attempt a brute-force attack to recover the shared secret; however, for properly chosen shared secrets this is computationally infeasible at the present time.

The challenge generator and response validator will be present on the network processor and shelf processor. The local shared secret is provisioned on each network processor and shelf processor. The provisioned local shared secret is stored locally on each network processor and shelf processor in such a way that it is not visible in clear text.

Note 1: The challenge-response login mechanism is always available to the user.

Note 2: If a challenge-response login is successful, the UPC level granted to the user is derived from the level encoded into the response from the response calculator (found in the Login application of Site Manager).

Note 3: It is very important to note that an NP will still Save & Restore all provisioning information for every node provisioned in its SOC.
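The mechanism described above (a fresh challenge on every attempt, a shared secret that is never transmitted, and a UPC level carried in the response as in Note 2) is simulated below as an added Python example. It is not part of the manual and not Nortel's code: the response function (HMAC-SHA256 over the challenge and the level) and the `<level>:<tag>` response format are assumptions, since the page does not specify the real response-calculator algorithm, and the secret is only held in memory because the page does not describe the non-clear-text storage format. The `demo` walk-through checks the properties the text claims: a valid login is granted the encoded level, a captured pairing is rejected when replayed against a later challenge, a captured low-level response cannot be relabelled to a higher level, and a response computed without the secret fails.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example. The response function here is an ASSUMPTION (HMAC-SHA256 over
# challenge || UPC level); the real Nortel 3500 response-calculator algorithm is not on the page.
CHALLENGE_BYTES = 16


def compute_response(secret: bytes, challenge: str, upc_level: int) -> str:
    """Response calculator side (the role of the Site Manager Login application).

    Only the requested UPC level and the MAC tag travel over the link, as
    '<level>:<hex tag>'; the shared secret itself is never sent.
    """
    message = f"{challenge}|{upc_level}".encode()
    tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{upc_level}:{tag}"


class NetworkElement:
    """Simulated network-element side: challenge generator plus response validator."""

    def __init__(self, shared_secret: bytes) -> None:
        # Held only in memory for the simulation; the page says the NE stores the
        # secret so that it is not visible in clear text but gives no format.
        self._secret = shared_secret
        self._pending: Optional[str] = None

    def issue_challenge(self) -> str:
        # A fresh random challenge on every attempt, whether or not the last one succeeded.
        self._pending = secrets.token_hex(CHALLENGE_BYTES)
        return self._pending

    def validate(self, response: str) -> Optional[int]:
        """Return the granted UPC level, or None if the response is rejected.

        The outstanding challenge is consumed either way, so one challenge can
        never be answered twice.
        """
        challenge, self._pending = self._pending, None
        if challenge is None:
            return None
        try:
            level_text, _tag = response.split(":", 1)
            upc_level = int(level_text)
        except ValueError:
            return None
        expected = compute_response(self._secret, challenge, upc_level)
        # Constant-time comparison of the whole '<level>:<tag>' string.
        if hmac.compare_digest(expected, response):
            return upc_level
        return None


def demo() -> dict:
    """Exercise the properties the text claims; returns the outcomes for checking."""
    secret = b"constructed-example-secret"  # placeholder, not a real provisioned value
    ne = NetworkElement(secret)

    # 1. Normal login: the calculator answers the current challenge at level 4 (ADMIN).
    challenge = ne.issue_challenge()
    response = compute_response(secret, challenge, 4)
    granted = ne.validate(response)

    # 2. A captured pairing replayed against a later challenge is rejected.
    ne.issue_challenge()
    replayed = ne.validate(response)

    # 3. The level is under the MAC, so a captured level-1 response cannot be
    #    presented as a level-4 one.
    challenge = ne.issue_challenge()
    low = compute_response(secret, challenge, 1)
    relabelled = "4:" + low.split(":", 1)[1]
    relabel_result = ne.validate(relabelled)

    # 4. Without the shared secret, even a freshly computed response is rejected.
    challenge = ne.issue_challenge()
    no_secret = ne.validate(compute_response(b"guess", challenge, 4))

    return {"granted": granted, "replayed": replayed,
            "relabelled": relabel_result, "wrong_secret": no_secret}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome dictionary; the validator consuming the challenge on every attempt, successful or not, is what makes the replay in step 2 fail, matching the text's statement that the challenge changes at each login attempt.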

Planning and Ordering Guide—Part 1 of 2 NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004
