
How do IKE peers synchronize public keys?



Sara Bitan writes:
> Suppose two IKE peers want to issue an ISAKMP SA using RSA signature (or
> encryption) mode.
> The initiator has two certificates, one from CA A, and another from CA
> B. He now has to make a decision which public key to use for the ID
> message authentication.
> So he sends two certificate requests to the responder, one
> with CA A, the other with CA B. There is a hidden assumption here, taken
> by the initiator: if the responder sends back a certificate (or a
> certificate chain) for a certain CA then he is ready to use a
> certificate (chain) issued by this CA.
> 
> Assume further that the responder has certificates both from CA A and
> from CA B, so he sends both certificates to the initiator. 

If the certificates both are for the same public key this is ok, and
it doesn't matter which one the initiator uses. If the public key is
different, then I think the responder MUST not send two end user
certificates, only one.

> The initiator now uses one of his keys (either the one certified by CA
> A, or the one certified by CA B) to authenticate the ID message. The
> responder doesn't know which key was used by the initiator (unless he
> checks all possibilities).
> 
> I think that this scenario is possible with the current IKE/ISAKMP
> drafts.

Yes, the current draft doesn't limit that, but implementations
should... 

> A possible solution might be that the responder will
> send always only one certificate, and this certificate will be used for
> the authentication. We can view that as a proposal for several
> certificates sent by the initiator, to which the responder answers with a
> single choice.

I would say that the IKE endpoint must only send certificates leading
to one public key, which must also match the one used in the
authentication. The draft should say that an IKE endpoint MUST not send
end user certificates for multiple public keys.

> The problem becomes even worse when both peers start caching their
> certificates. If you have several certificates you have already received
> from a peer, how do you know which one to use to authenticate his ID
> message?
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
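
The receiver-side check discussed in this message, as an added example that is not part of the original post or of any IKE implementation: it accepts a set of certificates only if the end-entity certificates all lead to one public key, and shows the trial verification a receiver is left with otherwise. The `Cert` model, the function names, the toy RSA keys and the digest value are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (assumption, not a parser)."""
    subject: str
    issuer: str
    is_ca: bool
    n: int  # RSA modulus (toy size)
    e: int  # RSA public exponent

def key_id(cert):
    """Fingerprint of the public key alone, so two certs for one key match."""
    return hashlib.sha256(f"{cert.n}:{cert.e}".encode()).hexdigest()

def single_auth_key(certs):
    """Return one end-entity cert if all of them carry the same public key."""
    end_entity = [c for c in certs if not c.is_ca]
    keys = {key_id(c) for c in end_entity}
    if len(keys) != 1:
        raise ValueError(f"end-entity certs lead to {len(keys)} public keys")
    return end_entity[0]

def toy_verify(cert, digest, sig):
    """Textbook RSA without padding: illustration only, never for real use."""
    return pow(sig, cert.e, cert.n) == digest % cert.n

def trial_verify(certs, digest, sig):
    """Without the rule, the receiver must try every candidate key."""
    return [c for c in certs if not c.is_ca and toy_verify(c, digest, sig)]

# Constructed sample data: toy keys 3233 = 61*53 and 8633 = 89*97.
CA_A = Cert("CA A", "CA A", True, 3127, 3)
VIA_A = Cert("initiator", "CA A", False, 3233, 17)
VIA_B_SAME = Cert("initiator", "CA B", False, 3233, 17)
VIA_B_OTHER = Cert("initiator", "CA B", False, 8633, 5)
DIGEST = 1234
SIG_OTHER = pow(DIGEST, 5069, 8633)  # signed with the private key of VIA_B_OTHER

if __name__ == "__main__":
    print(single_auth_key([CA_A, VIA_A, VIA_B_SAME]).issuer)
    print([c.issuer for c in trial_verify([VIA_A, VIA_B_OTHER], DIGEST, SIG_OTHER)])
    try:
        single_auth_key([VIA_A, VIA_B_OTHER])
    except ValueError as err:
        print("rejected:", err)
```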

