Identity and Access Management Basics

Transkript

1 Mittwoch, 30. November 2005 Dübendorf, Hewlett-Packard (Schweiz) GmbH Identity and Access Management Basics Prof. Dr. Peter Heinzmann Institut für Internet-Technologien und Anwendungen, HSR Hochschule für Technik Rapperswil (ITA-HSR) und cnlab Information Technology Research AG 11/30/ Referenzen, weiterführende Literatur: Microsoft Identity and Access Management Series, Part I The Foundation for Identity and Access Management Part II Identity Life-Cycle Management Part III Access Management and Single Sign On, Published: May 11, 2004; Updated: August 17, anage/default.mspx RSA Security, White Paper, Successful Real-World Implementations of Identity and Access Management, RSA, Sumner Blount, etrust Identity and Access Management Solutions, CA, White Paper, November Martine LINARES, Identity and Access Management Solution, GIAC Security Essentials Certification (GSEC), Practical Assignment, Version 1.4c, Option 1 - Research on Topics in Information Security, SANS, February 14,

2 cnlab information technology research ag Institut für Internet-Technologien und Anwendungen HSR spin-off 10 Engineers Engineering & Consulting Internet Application Development Internet Security Reviews Examples Collaboration&Controlling Framework Internet Performance Benchmarking Swiss Highway Traffic Monitoring Telebanking Audits Non US Pretty Good Privacy (PGP) SW Fachhochschule Ostschweiz, HSR Hochschule für Technik Rapperswil Elektrotechnik Informatik Maschinenbau Gartenbau Raumplanung Bauingenieurwesen ca Studierende (44% FHO) ITA-HSR: Institut für Internet- Technologien and -Anwendungen 11/30/

3 Identity and Access Management (IAM) Introduction IAM is used to align security management strategy with business goals by: managing who has access to which resources and services; logging and reporting what they have done; and enforcing business, privacy and security policies. 11/30/ Today s organizations must ensure they control and audit the process of issuing a user credential, conducting business transactions inside or outside of an organization, or allowing employees, customers or partners to access Web services, files or databases. To accomplish this, organizations need a single view of all activities, such as user management and policy management, or creating a new user account. Effective security management starts with identity and access knowing and controlling who can do what and accounting for what they have done. Identities are required for all users, including employees, customers and business partners. Reference: CA etrust Identity and Access Management solutions, 3

4 IAM Infrastructure Resources Account and privileges propagation Self administration Identity Authentication Content access Authorization 11/30/ Individual components of an Identity and Access Management (IAM) infrastructure implement following functions: Directory Services provides a central identity repository and reconciliation of identity details between application specific directories. Identity Management Services provide tools to manage identity details stored in the directory. Access Management Services implement authentication of web based users and enforces access control over the web-based transactions. Provisioning Services cover centralized user administration capabilities and serves mainly for propagation of user account changes and access rights across individual back-end applications. In this manner it is bridging the gap between e-business systems and enterprise applications security. Presentation Services provide a personalized interface for all user interactions with the system. Reference: Jiri Ludvik, Enterprise Identity And Access Management Technical White Paper, Security Weblog, April 2002, Note: Working version, ccessmanagement.html#26. 4

5 IAM for Regulatory Compliance avoiding unauthorized access to information auditing of information accessed by any type of identity assuring personal privacy and confidentiality and financial validity health care records: Health Insurance Portability and Accountability Act (HIPAA) financial data: Gramm-Leach-Bliley Act (GLBA) and the EU Data protection Directive (95/46/EC) controls on accounting practices: Sarbanes-Oxley Act 11/30/ The key requirement of virtually all security-related regulations involves the creation of strong internal controls. This means that all users must be uniquely identified, all their access to protected resources must be tightly controlled, access to these resources must be based on a defined security policy, and all access and security events must be easily and fully auditable. 5

6 IAM Example: First day at work (identity life cycle) 11/30/ A new user, Joe Newguy, is being added to an organization in a VP of Marketing role and is receiving a number of subset roles. With these subset roles, workflow is generated and processed, and approval requests are sent out. Once approvals are received, updates are made to respective systems where Joe Newguy will be performing his job function. For access to physical systems, such as a phone, credit card, ID badge and work location, workflow is processed and sent to the procurement manager. 6

7 Gartner IAM Hype Cycle (June 2005) 11/30/ IAM/NAC Integration: Integration of network access control (NAC) functions with IAM infrastructure for user level access by connection profile. Contact less Proximity Cards: Integrated circuit-based cards for information systems access that transmit and receive data via radio frequency technology. Based on the International Organization for Standardization/International Electrotechnical Commission standard, with a range of up to 10 centimeters. Building access can be incorporated on the card, which can also hold digital credentials for security processes, such as encryption or digital signing. Role Planning, Audit and Compliance: Designing, delivering and managing access to IT resources by allowing the creation of roles or rules to govern the authorization of that access across multiple systems or applications. Allows a company to manage access in a manner that corresponds to the multiple operating views that reflect how day-to-day business is conducted. Biometric Identity Documents: Uses one or more unique physical characteristics (such as a fingerprint, face or iris identification) or, less frequently, behavioral traits as part of a government-issued identification document (such as a passport or national ID card). Virtual Directories: Software products that create a logical (virtual) view of a Lightweight Directory Access Protocol directory by combining data from multiple repositories or by combining multiple repositories into a single view. Biometric User Identification: Use of unique physical features (such as fingerprints, face, and iris recognition) or, less often, behavioral traits (such as voice, typing rhythm, and signature dynamics) as a form of user authentication. Although "good enough" solutions are available for small or specialized implementations, barriers to broad-based use remain poor accuracy, poor scalability, integration issues in large and technologically diverse organizations, and high cost. Public Key Operations: A system for generating and managing digital certificates that identify the holder (person, system or device) of assigned public and private key pairs useful for identification, authentication, encryption and digital signing. The original public-key infrastructure (PKI) vision is changing, moving key management functions away from attempts to centralize them to be close to applications that use the keys and to apply PKI technology to Web services security. Federated Identity Management: Allows sharing of identification credentials among several entities. Trust is transferred from one identifying and authenticating entity to another. Liberty Alliance Security Assertion Markup Language-based solutions remain underutilized, yet interest is growing. The technology has some applications in the enterprise, but it has little use in business-to-consumer communication. The telecommunications industry has shown significant interest. Positioned to provide consumer and business identification, and eventually authentication services supporting e-business and other applications. Microsoft AD/Kerberos: Microsoft's Active Directory (AD) supports Kerberos as a means of exchanging authorization credentials with other platforms. The dominant usage of AD Kerberos is Windows-centric; however, companies are beginning to deploy products that use AD Kerberos into non-windows environments. CCOW Standard: The clinical context object workgroup (CCOW) is a standard certified by the American National Standards Institute for single sign-on and context management that complements Health Level 7's emphasis on data interchange and workflow. It focuses on facilitating application integration at the point of use. Single sign-on allows the user access to multiple systems through a single, secure login. Context management (the synchronization of applications so that they are mutually aware of a set of real-world things, such as patients and encounters) allows users to interact with a number of systems through their native user interfaces as if they were one. Justification for Hype Cycle Position/Adoption Speed: In 2005, healthcare organizations will continue to focus on doing a better job on IAM in light of the Health Insurance Portability and Accountability Act (HIPAA) security deadline. Opportunities for context management will emerge as a result of IAM efforts and clinical context object workgroup (CCOW), and implementations will increase. Increased deployment of clinical workstations and physician portals, as well as the visual integration of disparate clinical systems to form the virtual electronic medical record, will also drive adoption. Source: Gartner Group 7

8 Cartoon by Peter Steiner, July 5, 1993 The New Yorker (Vol.69, No. 20) Internet provides for virtual identities only -Addresses News Authors Web-Server-Addresses Host-Addresses On the Internet, nobody knows you re a dog 11/30/ The above cartoon by Peter Steiner has been reproduced from page 61 of July 5, 1993 issue of The New Yorker, (Vol.69 (LXIX) no. 20) only for academic discussion, evaluation, research and complies with the copyright law of the United States as defined and stipulated under Title 17 U. S. Code. 8

9 Need for Identity and Access Management in the Internet 11/30/

10 Controlled Access is needed to... One Computer (Sign-On/Logon, Client-Server) Many Computers (Single Sign-On, SSO) Applications (Telnet, Secure Shell, ftp, library catalog) Mailbox (POP3, IMAP) Web-Editing (FrontPage) Web-Pages (.htaccess)... Rooms, areas,... 11/30/

11 Authentication, Authorization, Accounting (AAA) 0. Identification I am: Username Username: Password: pheinzma ******** 3. Accounting 1. Authentication user Prove, that I am username 2. Authorisation (Access) 11/30/ Identification establishes who you claim to be: The user claims an identity, usually by supplying a user ID or a user name. Authentication verifies that you are who you claim to be: The user supplies authentication information, which proves the binding between the user and the identity. Authorization establishes what you re allowed to do e.g. which files and applications you may access: The systems authorizes the (authenticated) user to do what he is allowed to do. Accounting charges for what you do. 11

12 Phishing Quiz Example 11/30/ MailFrontier Phishing IQ Test II, _Paypal.html Opera Browser Address Bar Spoofing Vulnerability, Internet Explorer Address Bar Spoofing Vulnerability The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the character in an URL. Example: Reference: address_bar_spoofing_test 12

13 11/30/ On June 25, an that appeared to be from the PayPal Support Center asked members of the online payment service to update their account information to protect themselves from fraud. 13

14 11/30/ It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims.[6] The United Kingdom also suffers from the immense increase in phishing. In March 2005, the amount of money lost in the UK was approximately 504 million GBP. Source: Wikipedia 14

15 Phishing Site Statistics (Nov. 2005) Taiwan Romania Hong Kong India Thailand Peru Iran Sri Lanka Egypt Country Korea (South) Turkmenistan Total sites 993'517 81'023 43' ' '250 72'076 4'777 4'298 2'021 10' Total Phishing sites 3'284 1'148 1' % 10.00% 11/30/ % of all known phishing sites % 3.20% 2.90% 1.70% 1.50% 1.10% 0.30% 0.20% 0.10% 0.10% Probability of phishing site 0.33% 1.43% 2.38% 0.43% 0.49% 0.56% 2.04% 2.08% 1.49% 0.28% 15

16 Server and Client Authentication Alice Bank Client A >123> B Server Hijack, reroute, Man-inthe-Middle Mike 11/30/ Digital identity The unique identifier and descriptive attributes of a person, group, device, or service. Examples include user or computer accounts, accounts, computer names or web server names. Credential Typically a piece of information related to or derived from a secret that a digital identity possesses. Examples of credentials include passwords, X.509 certificates, and biometric information. Identity life-cycle management The processes and technologies that keep digital identities current and consistent with governing policies. Identity lifecycle management includes identity synchronization, provisioning, deprovisioning, and the ongoing management of user attributes, credentials, and entitlements. Authentication A process that checks the credentials of a security principal against values in an identity store. Authentication protocols such as Kerberos, Secure Sockets Layer (SSL), NTLM, and digest authentication protect the authentication process and prevent the interception of credentials. 16

17 Odysseus Lokaler Proxy. Terminiert HTTP und HTTPS Erlaubt die Modifikation der HTTP Anfrage und der HTTP Antwort. Kann auch mit SSL Client Zertifikaten arbeiten. Muss im Browser als Proxy konfiguriert werden. 11/30/

18 Odysseus Funktion Lokaler Computer HTTP Request Web Server HTTP Reply 11/30/

19 Odysseus Activity Log 11/30/

20 Basic Access Control (Authentication) Schemes 11/30/

21 Authentication is based on... What you know (password, PIN, secret, certificate, ability to sign) ask for something only the authorized user knows or can do Username: Password: pheinzma ******** What you have (token, scratch list, certificate) test for the presence of something only the authorized user has 01 Z4GH 06 IKDX 02 67TS 07 9PL7 03 UR2A 08 NFLB 04 TIQV 09 K91D 05 3Z5P 10 HA85 What you are (biological pattern, e.g. fingerprint) obtain some non-forgeable biological or behavioral measurement of the user 11/30/

22 Basic Authentication Process: 1. Registration Alice Alice Registration Process Registration / Certification Authority Certification Process Store Alice s certified template Know: 1g-B@H Alice=A7FF93D Alice Alice= Alice CA Have: Alice= Are: Alice= 11/30/ g-B@H = Ich gehe mit Bob nach Hause 22

23 Basic Authentication Process: 2. Match & Control (Authenticate) I know my password: 1g-B@H Encrypt, Hash A7FF93D Matching, checking Alice s stored templates: Alice=A7FF93D I know how to sign a message: Sign 82A5F9EE3D B743CC AE8E9 82A5F9EE3D B743CC AE8E9 Alice Matching, checking I am Alice I have my key generator: Matching, checking Alice I am the person with this fingerprint: Matching, checking Alice= 11/30/ There are several ways to authenticate a user i.e. to prove the identity of a user: 1. The users presents something what they know, such as a password. This approach is known as a Knowledge factor. Personal identification number (PIN codes) or passwords are the most common method of using confidential knowledge to authenticate users. Passwords are also the least expensive method of user authentication. Unfortunately, user-selected passwords are often short and simple, which makes them easy to guess. The ability to sign a message may also be considered as what you know or can do. The user proves that he is the person to be identified by proving what he can do (e.g. sign the same way as shown on a given template). 2. The users presents something (physical) what they have in their possession, such as a key or a card. This approach is known as a Possession factor. To authenticate users digitally people provide them with tokens that contain a digital code. Tokens are available as both hardware and software. They may generate a different code within regular time intervals or upon request (e.g. upon reception of a challenge ). These tokens may also be smart cards, similar in size to a standard credit card which is inserted into a card reader as part of the authentication process. They may contain a digital certificate and they are usually presented in combination with a password or Personal Identification Number (PIN). 3. The user presents a personal physical attribute, such as a fingerprint or a retinal scan. This approach is known as a Being factor or a what you are factor. 23

24 What you know (Passwords) 11/30/

25 Authentication: Basic Principle Secret of ID-A secure channel (registration) Secret of ID-A F(S_A) unsecure channel F(S_A) Credentials of ID-A Credentials of ID-A? = Reference of ID-A 11/30/ Die Authentizität einer Person (oder einer Maschine) wird mit Hilfe sogenannter Credentials überprüft. Diese basieren in den meisten Fällen auf gemeinsamen Geheimnissen (shared secret), welche eindeutig nur die zu authentisierende Person und die überprüfende Stelle kennen können. Um eine solche Situation zu erreichen, muss zwischen den beiden Stellen mindestens einmal ein direkter oder indirekter sicherer Kommunikationskanal existiert haben. Credentials (dt. das Beglaubigungsschreiben, das Empfehlungsschreiben, die Zeugnisse): 1. That which entitles one to confidence, credit, or authority. 2. Evidence or testimonials concerning one's right to credit, confidence, or authority: The new ambassador presented her credentials to the president. 25

26 Logon Process (logon at the computer) Username: Password: Domain: pheinzma ******** local username password E PW (One-Way Function) PW-Hash WinXP: \WINDOWS\system32\config\SAM SAM = Security Account Manager (permanent file lock) Unix: /etc/passwd (User IDs) /etc/shadow (Password Hashes) username Password-File PW-Hash 11/30/ Der Zugang zum Computer soll nur derjenigen Person erlaubt werden, welche das zur Identifikation (zum Username) passende Passwort eingeben kann. Bei der Erstellung eines Benutzer-Accounts wird auf dem Computer das Passwort mit einer Einwegfunktion verschlüsselt. Der resultierende Passwort-Hash wird in einem File zusammen mit dem Benutzernamen (Username) abgelegt. Bei jedem Login des Benutzers berechnet das System aus dem eingegebenen Passwort mit Hilfe der Einwegfunktion den Passwort-Hash (PW-Hash) und vergleicht diesen mit dem zum eingegebenen Benuternamen passenden Passwort-Hash im Passwort-File. Wo die jeweiligen Passwortfiles abgelegt sind und welche Einwegfunktionen zum Einsatz kommen, hängt vom Betriebssytem ab, ist aber öffentlich bekannt. 26

27 password search time with search speed equal to passwords per second ( password length 26 (no case, letters only) 36 (no case, letters&digits) 52 (case sensetive) 96 (all printable) minute 13 minutes minutes 1 hour 22 hours 6 50 minutes 6 hours 2.2 days 3 months 7 22 hours 9 days 4 months 23 years 8 24 days 10.5 months 17 years years 9 21 months 32.6 years 881 years years years years years years 11/30/ The password search time with respect to the password length and character set size. The calculation assumes a search speed equal to passwords per second (one password comparison per 10 microseconds). contains an online calculator which lets you calculate a time of a password search depending on specific conditions you enter. 27

28 NT and LANmanager Password Compatibility NT Password Hash 14 characters with 14 Bit per character (Unicode characters) 16 Bytes NTLM Hash (md4) LANmanager Password Hashes Two times 7 characters with 8 Bit per character, only capital characters first 8 Bytes of LM Hash (Character 1.. 7) second 8 Bytes of LM Hash (Character ) = 0xAAD3B435B51404EE (if password has not more than 7 characters) 11/30/ For compatibility reasons on NT and W2K systems all passwords are stored in both formats: as NT password hash as well as LANmanager password hash. Note: NT distinguishes small and capital letters in the passwords, LANmanager doesn t i.e. it converts all password characters to capital letters. Hence, if LANmanager compatibility is enabled, using small and capital letters for passwords does not really improve security. Windows NT, Windows 2000, and Windows Server 2003 can be configured to eliminate both the storage and use of LM hashes. 28

29 Cain & Abel 11/30/ Cain & Abel ist eines von vielen öffentlich verfügbaren Sniffer-Werkzeugen, welche auch die Passworte aus verschiedenen Anwendungen herausfiltern und auch umcodieren oder sogar entschlüsseln. 29

30 Passwords and Moore s Law 1969 Unix (56 Bit) 1991LanManager (2 mal 56 Bit) 1997 Windows NT (196 Bit) 11/30/ The observation made in 1965 by Gordon Moore, co-founder of Intel, that the number of transistors per square inch on integrated circuits had doubled every year since the integrated circuit was invented. Moore predicted that this trend would continue for the foreseeable future. In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and this is the current definition of Moore's Law, which Moore himself has blessed. Most experts, including Moore himself, expect Moore's Law to hold for at least until The data used to construct this graph have been adapted from the Microprocessor Report 9(6), May 1995 (as reported to me by Mark Seager). and the ChipList, by Aad Offerman. "The human population does not double every 18 months but its ability to use computers to keep track of us does." [Phil Zimmermann, Moore's law 'is biggest threat to privacy Infosec security conference in London, April ] 30

31 11/30/ Die Sensibilisierung der Mitarbeiter für gute Passworte kann durch eine Intranet-Anwendung verbessert werden. Mit einem kleinen Wettbewerb werden die Nutzer und Nutzerinnen auch spielerisch zur Generierung guter Passworte animiert. 31

32 What you know (sign a message) (Public Key Systems, Certificate) 11/30/

33 Private key encryption (symmetric key systems) K AB K AB K AB K AB TEXT Plaintext (Klartext) E K AB Encipher (verschlüsseln) &%C5 Ciphertext (verschlüsselter Text) D K AB TEXT Decipher (entschlüsslen) Plaintext 11/30/ Beide Endstellen nutzen bei der symmetrischen Verschlüsselung die selben (geheimen) Schlüssel und Ver- und Entschlüsselungsalgorithmen. 33

34 Secure Socket Layer (SSL) ( WWW-Client WWW-Server Browser Server Signer HTTP-Server SSL Server SSL supports Confidentiality, Integrity Server Authentication optional Client Authentication 11/30/ An SSL session is initiated as follows: On the client (browser) the user requests a document with a special URL that commences https: instead of either by typing it into the URL input field, or by clicking on a link. The client code recognizes the SSL request and establishes a connection through TCP port 443 to the SSL code on the server. The client then initiates the SSL handshake phase, using the SSL Record Protocol as a carrier. At this point, there is no encryption or integrity checking built in to the connection. The SSL protocol addresses the following security issues: Privacy After the symmetric key is established in the initial handshake, the messages are encrypted using this key. Integrity Messages contain a message authentication code (MAC) ensuring the message integrity. Authentication During the handshake, the client authenticates the server using an asymmetric or public key. It can also be based on certificates. SSL requires each message to be encrypted and decrypted and therefore has a high performance and resource overhead. 34

35 Public and secret keys Public Key Private Key (secret key) Bob Bob Bob K B K B TEXT Af%G TEXT Plaintext Block E KB Encipher Ciphertext Block D KB Decipher Plaintext Block 11/30/ Wer Bob eine verschlüsselte Meldung senden will, besorgt sich Bob s öffentlichen Schlüssel. Man beachte, dass sich die Verschlüsselungsoperation beim Sender und die Entschlüsselungsoperation beim Empfänger unterscheiden und dass sie durch unterschiedliche Schlüssel gesteuert sind. 35

36 Dear Bob, change 5 and 7... Bob Dear Bob, change 5 and 7... Digital signature analogon: Alice checks Bob s signature Bob Dear Bob, change 5 and 7... Bob 1. Alice writes a message to Bob on a paper, puts it in a transparent box and locks it with Bob s public key 2. Bob opens the box using his private key and reacts on Alices s message 3. Bob put the paper back into the box, locks it with his public key and sends it in the transparent box back to Alice 4. Alice checks the reaction on her message to Bob 11/30/ Analogon zur Erklärung der Signatur-Funktion beim Public Key Ansatz. 36

37 What you have (Tokens) 11/30/

38 Physical Devices keys Tags/Cards (may be contactless) Special computers Mobile phones Token Examples 11/30/ Various (external) devices can be used to store secrets and to perform unique reactions on challenges. Comparison of Security Tokens: 38

39 Logon in Networks (NT Domains, ftp, telnet, Web-Server, POP,...) username Password Password Password username Password username Password Encoding PW* PW* PW* username PW* username Password E PW PW-Hash PW-Hash PW-Hash username PW-Hash 11/30/ Falls die Authentisierung nicht auf dem lokalen Computer, sondern auf einem entfernten System stattfindet, müssen die Benutzernamen- und Passwort- Informationen über das Netz übertragen werden. In gewissen Fällen wird zusammen mit dem Benutzernamen das eingegebene Passwort im Klartext übertragen (z.b. bei ftp, telnet, POP), in anderenfällenerfolgt eine Umcodierung (z.b. bei Web-Access) und in wieder anderen Fällen wird nur der mit der Einwegfunktion bestimmte Passwort-Hashwert übertragen. 39

40 HTTP Basic Authentication Client Server GET / WWW Client HTTP/ Unauthorized WWW-authenticate: Basic realm= MyServer" GET / Authorization: Basic QWxhZGRpbjpv WWW Server base64 t Show Document t RFC HTTP Authentication: Basic and Digest Access Authentication, June /30/ The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-id and a password.. The server will service the request only if it can validate the user-id and password for the protection space of the Request-URI. HTTP/1.0 includes the specification for the Basic Access Authentication scheme. Upon receipt of an unauthorized request for a URI within the protection space, the origin server MAY respond with a challenge like the following: WWW-Authenticate: Basic realm="wallyworld. To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials. 1. Client > Server: HTTP-Request (get) 2. Server > Client: 401 Unauthorized Authentication Request 3a. Client: Basic Authentication possible? 3b. Client > Server: HTTP-Request User-ID/Password (not encrypted, just BASE64 encoded) 4a. Server: Compare ID/Password with.access file 4b. Server > Client: Show Document The Basic Access Authentication scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form. 40

41 One-Time-Password: Scratch list Scratch list Scratch list Client uses next password widely used in Telebanking Sent to user over independent channel Created randomly 11/30/ Bei der Streichlisten-Authentisierung erhält jeder Benutzer eine Liste mit Einmal-Passwörtern. Nach der ersten Authentisierung streicht der Benutzer das erste Passwort durch. Bei der zweiten Authentisierung gibt er das zweite Passwort auf der Liste an und streicht es nach Gebrauch; und so weiter und so fort. Das Gegenstück ist ein System, welches auf eine Datenbank zugreift, die für jeden Benutzer die Liste der Einmal-Passwörter enthält. Sobald der Grossteil der Einmal- Passwörter der Liste gestrichen ist, erhält der Benutzer eine neue Liste um unterbrechungsfrei arbeiten zu können. Dieses Verfahren ist relativ günstig, aber die ganze Sicherheit hängt von der sicheren Aufbewahrung der Streichliste ab. Ein weiterer Nachteil ist, dass der Benutzer automatisch zum Supportfall wird, falls er die Streichliste nicht ordnungsgemäss verwendet und ein Passwort nach Gebrauch nicht streicht. [ Beim Einsatz von Grid cards wird als Challenge eine Passwort Nummer geschickt. 41