
Digital Signature Authentication

The most secure authentication method provided by the firewall is a random challenge/response exchange using digital signatures. To use this, users install the citauth.exe program on their Microsoft Windows host, and use it to generate private and public keys. The private half is encrypted (using a password known only to the user) and stored on the local hard drive, while the public half is emailed to the firewall administrator or placed in a shared filesystem for the administrator to access. The public keys are installed in the firewall's key database by the administrator using a key manager.

When the user attempts to make a connection, the firewall sends a random string back as a challenge. The random string is signed using the user's private key, and sent back as a response. The firewall can then use the user's public key to verify that the user is indeed the holder of the associated private key. Unlike S/Key, this method does not involve expiry of the key - the same keys can be used as many times as desired with very little risk.
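The exchange above, written out as an added Go example (not the firewall's own citauth.exe code or wire format): the firewall issues a fresh random challenge, the user signs it, and the firewall verifies the response against the public key the administrator installed. It assumes RSA with SHA-256 and PKCS#1 v1.5 signatures and a hypothetical in-memory key database; the second check in main shows why a response cannot be replayed against a later challenge.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Firewall stands in for the firewall's key database: public keys by user name.
type Firewall struct {
	keys map[string]*rsa.PublicKey
}

// NewChallenge returns 32 random bytes; every connection attempt gets a new one.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is the user-side step: sign the challenge with the private key.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the firewall-side step: the response must be a valid signature,
// under the user's installed public key, over the challenge this firewall issued.
func (f *Firewall) Verify(user string, challenge, response []byte) error {
	pub, ok := f.keys[user]
	if !ok {
		return errors.New("no public key installed for user")
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], response)
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed user key pair
	fw := &Firewall{keys: map[string]*rsa.PublicKey{"alice": &priv.PublicKey}}
	c1, _ := NewChallenge()
	resp, _ := SignChallenge(priv, c1)
	fmt.Println("fresh response accepted:", fw.Verify("alice", c1, resp) == nil)
	c2, _ := NewChallenge() // a later connection attempt gets a different challenge
	fmt.Println("replayed response accepted:", fw.Verify("alice", c2, resp) == nil)
}
```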

The firewall supports both the RSA and DSA digital signature schemes. RSA is faster than DSA, but is protected by patent in the USA. Copies of CEQURUX Technologies products registered for use in the USA have their RSA capabilities disabled until September 20th, 2000, when the RSA patent expires.

Copyright © 2004, CEQURUX Technologies