
RE: Comments on "Hybrid Auth. mode for IKE"




Suresh, Steve

> > >Within an exchange-type authentication, you could authenticate a
> > >client in more than one way. For example: Challenge/response
> > >authentication, followed by smart token card authentication.
> > >In general, the exchange type authentication could combine multiple
> > >authentications and hence is a stronger mechanism for auth than a
> > >single-payload-type authentication.
> > 
> > I don't agree.  Several mediocre or poor methods are not necessarily as
> > good much less better than one very good method.
> > 
> 
> Well, exchange-type authentication is a strong requirement for legacy 
> verification schemes. To that extent, it is valuable. I was merely 
> extrapolating the process to suggest that we could use the scheme to
> perform multiple authentications in succession (example - 2 very good 
> methods, one after the other). Apparently, I have not been able to
> articulate this well. So, I will drop that line of discussion for the
> time being.

For mobile users I think a good case can be made for having more than 
one round of authentication for the same reason that in order to take 
money out of an ATM machine I need a card and a PIN. If I lose my wallet
containing all my token cards and smart cards, then it helps that they 
are useless to anyone else unless they also know the associated PIN /
passwords etc. No matter how strong the authentication used to verify 
that the remote party is in possession of a valid card, it doesn't mean 
that it hasn't fallen into the wrong hands.

Bryan