
RE: Comments on "Hybrid Auth. mode for IKE"



Greg,

>Benefits -
>No changes to IKE.
>May increase security of DES based challenge/response cards since known
>plain text/cipher text never flows over the network.  DES cards when used
>with protocols like RADIUS or TACACS do all the challenge/response in the
>open.  $250K and 56-224 hours later you have the key.  In this mode DES is
>combined with key hashes and no known text is transmitted over the network.
>Supports DES cards, Time based cards (OK they'll have to write some code on
>their server to give up the expected response based on ID, rather than a
>simple yes/no response, but nothing is for free), PAP/CHAP (no reason to do
>CHAP, just use the password as the secret...

I don't disagree that this approach is better than sending the output of
these tokens in the clear.  But that's not the alternative we are
considering in IPsec.  The alternative is using certs and matching private
keys to authenticate a user.

>Drawbacks
>Aggressive mode is the only practical choice.
>Initialization and resync.  Initialization is easily handled, resync is
>doable.
>Backend server will be needed to track card state.  Not really a drawback,
>every card manufacturer I know offers a backend management server of some
>sort which already does this.  Since the backend server is now essentially a
>key server you should probably run IPSEC over the link from the Gateway to
>the server.
>
>Anyway my point is that it is doable with the current spec, no changes to
>token hardware, maybe a little coding on the server side.  Sure there are
>some drawbacks but you want to use 1980's technology...

Me, I don't want to use 80's technology :-)!

Steve
