MS> How about an EXTREEMLY secure solution. A secure path
MS> (perhaps the 'net, using PGP) is used to transmit a 100KB
MS> compressed file full of lets say 200,000 keys.
MS> When the client logs into the system, the next key is asked
MS> for, and if given correctly, access will be allowed. That
MS> key is then deleted from the file, and the next is used on
MS> the next login.
MS> Cumbersome, but secure.
Keep in mind that the whole point of any reasonable cryptographic algorithm is
to generate a pseudo-random sequence of numbers such that they appear random to
any prospective attacker but need not actually be stored as a list because they
can be generated on demand. Numerous very simple challenge and response
schemes have been developed, from APOP in POP3 to CHAP in PPP, which are much
superior to just storing a long list of codes.
Where one gets the list, whether from a one-time pad or an algorithm, seems
entirely irrelevant in terms of whether such authentication methods would be
permitted by regulation. As I explained in a prior message, U.S. regulations
do not prohibit the use of encryption unless the intent is to transmit messages
where the meaning is obscured. In the case of authentication systems, where
the "messages" are by definition arbitrary and without meaning, cryptographic
methods are allowed.
-- Mike