
Remote access from ubiquitous IPSec hosts



Vipul Gupta writes:
>   The key requirement here is that even the Phase I exchange must
>   rely on a "portable" authentication mechanism, i.e. authentication
>   should be based on information supplied by the user and on such 
>   information alone. If authentication is based on certificates,
>   there's the problem of easily transferring a user's keys into
>   the IPSec host. While this is doable, it requires several 

What's wrong with the same idea that is used in GSM phones, i.e.
using smartcards to handle the authentication (the SIM (subscriber
identity module) is really a smartcard that contains the keys and other
information for the customer)?

You just take your smartcard with you, and those machines have a
smartcard reader where you can put your card in. The smartcard will
then do the certificate-based authentication for you, and because the
private key never leaves the smartcard, you can be sure that it cannot
be stored on the machine you are using.

>   infrastructure changes. People have been drawn to more portable
>   authentication mechanisms like token cards and OTPs for this reason.
>   The current XAUTH proposal assumes that mutual authentication 
>   in Phase I can be accomplished without any user-specific input.
>   This is hard to ensure in the remote access scenario above.

Not at all. If the company that is offering those machines is trusted,
they probably will get a certificate for each machine from a
trusted CA vendor (or from several CA vendors). The company just has
to allow certificates signed by one of those CA vendors to create an
ISAKMP SA with their security gateway, and then they can allow extended
authentication using one-time passwords or token cards.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
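The two-step policy argued for above (a machine certificate from one of the trusted CA vendors is accepted for the ISAKMP SA, and only then is the user asked for a one-time password) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the original message or from SSH Communications Security, and it models the gateway's decision logic only, not the ISAKMP/IKE wire exchange. Go is used because its standard library can issue and verify X.509 certificates offline. The CA vendor and machine names, the user "alice", and her token secret (the RFC 4226 test key) are constructed for the example; HOTP (RFC 4226) stands in for whatever token-card or OTP scheme the company chooses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // key generation or certificate setup failed; fatal for the demo
	}
}

// issueCert creates a P-256 certificate for cn: a self-signed CA ("CA vendor")
// when parent is nil, otherwise a client-auth machine cert signed by parentKey.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA vendor certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // machine certificate, usable only for client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Gateway models the security gateway's policy: a machine certificate from a
// trusted CA vendor for the ISAKMP SA, then a per-user one-time password.
type Gateway struct {
	trustedCAs *x509.CertPool
	otpSecrets map[string][]byte // user -> token secret (constructed)
	otpCounter map[string]uint64 // user -> next expected HOTP counter
}

// hotp computes a 6-digit RFC 4226 one-time password.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter) // 8-byte big-endian counter
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// CheckOTP is the extended-authentication step; a code is consumed once.
func (g *Gateway) CheckOTP(user, code string) bool {
	secret, ok := g.otpSecrets[user]
	if !ok || !hmac.Equal([]byte(hotp(secret, g.otpCounter[user])), []byte(code)) {
		return false
	}
	g.otpCounter[user]++ // advance so that a replayed code fails
	return true
}

// Authenticate runs both steps in order: the machine certificate must chain to
// a trusted CA vendor and be valid for client auth, then the user's OTP must match.
func (g *Gateway) Authenticate(cert *x509.Certificate, user, code string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: g.trustedCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("phase I: machine certificate rejected: %w", err)
	}
	if !g.CheckOTP(user, code) {
		return fmt.Errorf("xauth: one-time password rejected for %q", user)
	}
	return nil
}

// BuildScenario sets up two CA vendors, a machine certified by each, and a
// gateway trusting only the first; all names and the secret are constructed.
func BuildScenario() (gw *Gateway, trustedMachine, otherMachine *x509.Certificate) {
	trustedCA, trustedKey := issueCert("Trusted CA Vendor", nil, nil)
	otherCA, otherKey := issueCert("Other CA Vendor", nil, nil)
	trustedMachine, _ = issueCert("kiosk-01", trustedCA, trustedKey)
	otherMachine, _ = issueCert("kiosk-02", otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	gw = &Gateway{trustedCAs: pool, otpCounter: map[string]uint64{},
		otpSecrets: map[string][]byte{"alice": []byte("12345678901234567890")}}
	return gw, trustedMachine, otherMachine
}
```

Calling `gw.Authenticate(trustedMachine, "alice", hotp(secret, 0))` succeeds once; the same code a second time is rejected because the counter has moved on, and a certificate from the other vendor is rejected before the OTP is even looked at, which is the ordering the message proposes: the machine's certificate gates the ISAKMP SA, and the user-specific secret is only consulted afterwards.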