Re: Comments on "Hybrid Auth. mode for IKE"



In message <v03110700b1e2448c6f64@[128.89.0.110]>, Stephen Kent writes:
> 
> Users with passwords can be issued certs readily.

This is a very important point.  Rather than touching ipsec and IKE,
a better solution would be to define a certificate retrieval/generation
protocol.  That is, suppose a user has a "conventional" authentication
mechanism, such as a password or a token.  Use that mechanism to contact
a server that will send you your stored certificate.  If you don't have
one, a short-lived certificate, suitable for use with IKE, can be
generated for you on the fly.  Its lifetime can be whatever is
appropriate; if something like 4-8 hours, it need not use high-quality
RSA moduli since ipsec will provide perfect forward secrecy.

If I were to design such a protocol, I'd probably use something like
EKE (www.research.att.com/~smb/papers/neke.ps or .pdf; also aeke.{ps,pdf})
to provide protection against password-guessing.  (Disclaimer -- EKE and
AEKE are patented.)  Or the client can generate a certificate on the
fly, and send the public portion off to the server, along with an
authenticator, to be signed.  Either way, there's no need to touch
IKE.
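
An added example, not part of the original message and not the author's design: a sketch of the second option described above, where the client sends a freshly generated public key plus an authenticator and the server decides whether to issue a short-lived certificate. The HMAC construction, the nonce challenge, the 8-hour cap and every function and field name are assumptions made for illustration; the public key is treated as opaque bytes and the CA signature over the returned fields is outside the block.

```python
# Added illustration; every name here is hypothetical, not from the message.
import hashlib, hmac, os, time

MAX_LIFETIME = 8 * 3600   # cap taken from the 4-8 hour range in the message
ROUNDS = 100_000          # assumed PBKDF2 work factor

def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def _mac(key, nonce, user, public_key):
    # Length-prefix the user name so field boundaries cannot be shifted.
    u = user.encode()
    msg = nonce + len(u).to_bytes(2, "big") + u + public_key
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_request(user, password, salt, nonce, public_key):
    """Client: bind the freshly generated public key to the password."""
    auth = _mac(derive_key(password, salt), nonce, user, public_key)
    return {"user": user, "nonce": nonce, "public_key": public_key,
            "authenticator": auth}

class EnrollmentServer:
    def __init__(self):
        self.users = {}            # user -> (salt, password-derived key)
        self.outstanding = set()   # nonces issued but not yet consumed

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))
        return salt

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def issue(self, req, lifetime, now=None):
        """Return the fields the CA key would sign, or None if rejected."""
        now = int(time.time()) if now is None else now
        if req["nonce"] not in self.outstanding:
            return None                         # unknown or replayed nonce
        self.outstanding.discard(req["nonce"])  # single use, even on failure
        entry = self.users.get(req["user"])
        if entry is None:
            return None
        expected = _mac(entry[1], req["nonce"], req["user"], req["public_key"])
        if not hmac.compare_digest(expected, req["authenticator"]):
            return None                         # wrong password or swapped key
        return {"subject": req["user"], "public_key": req["public_key"],
                "not_before": now, "not_after": now + min(lifetime, MAX_LIFETIME)}
```

An authenticator keyed only by a password-derived value can be checked against guessed passwords offline by anyone who records a request, so this exchange needs a protected channel or a password-authenticated exchange such as the EKE the message mentions.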