1. Field of the Invention
The present invention relates generally to computer-based systems and methods for the prevention of unauthorized access to information system resources, and in particular to the creation of stand-alone credentials for authentication and authorization.
2. Description of the Related Art
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, the approaches described in this section may not be prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A node is a secure, networked device that gathers and distributes information about power grid components, such as transformers on pole-tops or concrete pads, on or near which the node is mounted. A technician, an employee of the utility operating the power grid, may need to log in to the node locally while on a service call. When the node can connect to a network authentication server in a network operations center, it forwards local login requests to that server. When the node is offline, however, it cannot communicate with the network authentication server. There is a need for an offline authentication mechanism for a node to serve as a backup to the network authentication server when the node is offline.
A common offline authentication mechanism is a local password file. The vulnerability of a local password file can be reduced by encrypting it, but even then it remains more vulnerable than many other authentication mechanisms. Once an attacker gains physical access to a device that is secured using a local password file, it is only a matter of time until the attacker is able to read the local password file using a brute-force attack. The exposed location of a node makes the use of a local password file in the node particularly vulnerable. There is a need for an offline authentication mechanism for a node that is less vulnerable than a local password file stored on the node.
One-time passwords are often used as the solution in similar situations; however, the inability to use a one-time password more than once would be inconvenient when a technician is on a service call to a node. The technician may need to log in to the node more than once during the service call. A reusable password will solve this problem, but will also introduce vulnerabilities of other types, including dictionary attacks, social engineering, theft, and accidental disclosure. Physical tokens have similar vulnerabilities and can be difficult for a technician to operate during a service call.
There is a need for an offline authentication mechanism for a node that allows repeated logins during a service call but is not as vulnerable as a reusable password or a physical token.
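As an added illustration of the need stated above (not the mechanism claimed by this application, and not code from the applicant), the following example shows one way a stand-alone credential can meet the three requirements at once: it is verifiable by the node with no network connectivity, it can be reused for the duration of a service call, and it expires afterwards. The design assumed here, which the page does not describe, is a master key held only at the network operations center, a per-node key derived from it and provisioned to each node, and an HMAC-SHA256 tag over the credential fields. The node identifier, technician name, times and key bytes are constructed sample values.

```python
"""Time-bounded, node-scoped offline credential (illustrative example).

Assumptions not taken from the application: a NOC-held master key, a per-node
key derived from it, and HMAC-SHA256 over the credential fields. Field values
below are constructed samples.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample value; in practice this key never leaves the NOC.
MASTER_KEY = b"constructed-sample-master-key-held-only-at-the-NOC"


def node_key(master_key: bytes, node_id: str) -> bytes:
    """Derive the per-node verification key.

    A node stores only its own derived key, so extracting it from an exposed
    device reveals neither the master key nor any other node's key.
    """
    return hmac.new(master_key, b"node-key:" + node_id.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Credential:
    node_id: str        # the one node this credential is valid for
    technician: str     # who may log in (must not contain '|')
    not_before: int     # Unix seconds
    not_after: int      # Unix seconds; end of the service-call window
    nonce: str          # makes each issued credential distinct
    tag: str            # HMAC-SHA256 over the fields above, hex

    def payload(self) -> bytes:
        fields = [self.node_id, self.technician, str(self.not_before),
                  str(self.not_after), self.nonce]
        return "|".join(fields).encode()

    def to_string(self) -> str:
        """Printable form the technician carries to the site."""
        return (self.payload() + b"|" + self.tag.encode()).decode()

    @classmethod
    def from_string(cls, s: str) -> "Credential":
        node_id, technician, nb, na, nonce, tag = s.split("|")
        return cls(node_id, technician, int(nb), int(na), nonce, tag)


def issue(master_key: bytes, node_id: str, technician: str,
          not_before: int, ttl_seconds: int) -> Credential:
    """Run at the NOC before the technician leaves for the service call."""
    nonce = secrets.token_hex(8)
    unsigned = Credential(node_id, technician, not_before,
                          not_before + ttl_seconds, nonce, "")
    tag = hmac.new(node_key(master_key, node_id), unsigned.payload(),
                   hashlib.sha256).hexdigest()
    return Credential(node_id, technician, not_before,
                      not_before + ttl_seconds, nonce, tag)


def verify(node_id: str, key: bytes, cred: Credential, now: int) -> bool:
    """Run on the node while offline; needs only the node's own key and clock.

    Repeated logins within [not_before, not_after] all succeed, so the
    technician is not limited to a single use during the service call, but a
    credential found later is useless once the window has closed.
    """
    if cred.node_id != node_id:
        return False
    expected = hmac.new(key, cred.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred.tag):
        return False
    return cred.not_before <= now <= cred.not_after


if __name__ == "__main__":
    start = 1_700_000_000
    cred = issue(MASTER_KEY, "xfmr-0423", "t.smith", start, 8 * 3600)
    carried = cred.to_string()
    key_on_node = node_key(MASTER_KEY, "xfmr-0423")
    print(verify("xfmr-0423", key_on_node, Credential.from_string(carried), start + 3600))
```

Binding the credential to a single node identifier and a short validity window is what keeps it less exposed than a reusable password: a copy made during the service call is worthless at any other node and after the window closes, and the node itself holds no secret from which credentials for other nodes could be produced.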