
RE: Comments on "Hybrid Auth. mode for IKE"



SecurID is time-based; the card MUST be synchronized to the server or it
doesn't work, and each response is valid for 2 minutes (I think).  So that is
plenty of time to do a lookup of the response on the Gateway side.  DES
cards do not require perfect synchronization.  The Next Challenge
calculation can be emulated (in most cases; I only know how a few of the
cards do the calculation) in software without knowledge of the DES key;
only the last response is needed.  So you can display the expected Challenge
to the user without going to the backend server.  If it doesn't match the
one displayed on the card, all the user has to do is enter the one displayed
by your software, and they are back in sync.  If your software and the
backend server get out of sync, then have the Gateway configured to allow the
user limited access to a www page where they can go to get back in sync. Does
the user care that IKE is used for synchronization?  Probably not.  Also,
either you or the card vendor can write the software to 'look ahead' X
number of responses for auto resync.  Although when used this way it means
you are returned X number of keys to try to authenticate HASH_I or HASH_R.
As long as a central server with some sort of look ahead is used, I don't see
synchronization being that big a deal where it can't be done by some means
out of band to IKE, since it will be infrequent.

Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com


> ----------
> From: 	Moshe Litvin[SMTP:moshe@CheckPoint.COM]
> Sent: 	Thursday, July 23, 1998 1:45 PM
> To: 	Greg Carter
> Cc: 	moshe@CheckPoint.COM; ipsec@tis.com; Pat Calhoun (E-mail)
> Subject: 	Re: Comments on "Hybrid Auth. mode for IKE"
> 
> Greg,
> 
> Your proposal requires perfect state synchronization between the client
> and the server (either what the last challenge "sent" was, or the exact
> time). It is impossible in practice, especially since there are no means
> to synchronize them.
> 
> Also notice that in the hybrid mode no challenge and no reply are
> passing in the clear.
> 
> Regards,
> 
> 	Moshe
> 
> 
> 


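The look-ahead resync that Greg describes for challenge/response cards can be shown in a few lines. The following is an added illustration, not code from either poster or from any card vendor: the "next challenge" is assumed to be a public, key-less function of the last response (truncated SHA-256 here), the card's response is assumed to be an HMAC-SHA256 stand-in for the real DES computation, and the look-ahead window X is a constructed value of 5. The server walks the chain X steps ahead of the last accepted response, accepts a match anywhere in that window, and resyncs to it, so an earlier or replayed response no longer verifies. The hybrid-mode shaped check (the response never travels, it keys a hash, and the server tries each of the X candidate keys) is modelled by verify_keyed_hash; its hash construction is an assumption and not IKE's actual HASH_I definition.

```python
import hashlib
import hmac

# Assumed look-ahead window "X"; a constructed value for this example.
LOOKAHEAD = 5


def next_challenge(last_response: str) -> str:
    # Key-less derivation of the next challenge from the previous response.
    # Assumption (truncated SHA-256), not any vendor's real algorithm; the
    # point is that a gateway can display it without holding the card key.
    return hashlib.sha256(last_response.encode("ascii")).hexdigest()[:8]


def token_response(key: bytes, challenge: str) -> str:
    # Card-side computation. Real cards use DES under a per-card key; this
    # HMAC-SHA256 stand-in keeps the example on the standard library.
    return hmac.new(key, challenge.encode("ascii"), hashlib.sha256).hexdigest()[:8]


def keyed_hash(response: str, data: bytes) -> str:
    # Assumed shape of a hash keyed by the OTP response (HASH_I-like).
    return hmac.new(response.encode("ascii"), data, hashlib.sha256).hexdigest()


def simulate_card(key: bytes, last_response: str, presses: int) -> list:
    # Constructed card: press the button `presses` times, return each response.
    responses = []
    last = last_response
    for _ in range(presses):
        last = token_response(key, next_challenge(last))
        responses.append(last)
    return responses


class TokenServer:
    # Backend holding the card key and the last response it accepted.

    def __init__(self, key: bytes, last_response: str, lookahead: int = LOOKAHEAD):
        self.key = key
        self.last_response = last_response
        self.lookahead = lookahead

    def expected_challenge(self) -> str:
        # What the gateway would show the user; needs no key.
        return next_challenge(self.last_response)

    def candidate_responses(self) -> list:
        # Walk the chain X steps ahead of the last accepted response. These
        # are the "X number of keys" the server can hand back to the gateway.
        out = []
        last = self.last_response
        for _ in range(self.lookahead):
            response = token_response(self.key, next_challenge(last))
            out.append(response)
            last = response
        return out

    def verify(self, response: str) -> int:
        # Return how many steps ahead the card was (1..X), or 0 on failure.
        # On success the server resyncs, so the window moves forward and an
        # earlier or replayed response is no longer inside it.
        for steps, candidate in enumerate(self.candidate_responses(), start=1):
            if hmac.compare_digest(candidate, response):
                self.last_response = candidate
                return steps
        return 0

    def verify_keyed_hash(self, received_hash: str, data: bytes) -> int:
        # Hybrid-style check: the response itself is never sent; each of the
        # X candidate responses is tried as the hash key, and the server
        # resyncs to whichever one verifies. Returns steps ahead or 0.
        for steps, candidate in enumerate(self.candidate_responses(), start=1):
            if hmac.compare_digest(keyed_hash(candidate, data), received_hash):
                self.last_response = candidate
                return steps
        return 0


if __name__ == "__main__":
    key = b"constructed-card-secret"        # constructed sample key
    server = TokenServer(key, "00000000")   # constructed initial state
    # The user pressed the button three times but enters only the third response.
    pressed = simulate_card(key, "00000000", 3)
    print("steps ahead:", server.verify(pressed[2]))   # 3
    print("replay:", server.verify(pressed[2]))        # 0
    print("next challenge to display:", server.expected_challenge())
```

The window is what bounds the cost of the lookup Greg mentions: a card that has been pressed more than X times past the server's state falls outside it and must be resynchronized by the out-of-band means he describes, while anything inside the window is accepted exactly once and then discarded by the resync.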