
ISAKMP Extended Authentication

John Irish writes:
> Is anyone aware of an accepted method of having a server/gateway
> authenticate both a host, and the user on that host, using ISAKMP/Oakley?
> X.509 certificates will be used for all users and systems.

Yes, by using temporary certificates. Put the PKCS#10 certificate
request (or just read the certificate data from the normal
certificate) on the smart card and then the host starts its operation
by reading that out and signing it using the host's own private key.
After that the authentication continues using the private key on the
smart card just as normally, except the host uses the temporary
certificate it created for the user, not the certificate in the
smart card.

So the hierarchy will be like this:

	CA Root ----------------------------------.
	   |					   \
	Host key				   |
	   |					   |
	Temporary user certificate	permanent user certificate

Here "Temporary user certificate" and "permanent user certificate"
are both certificates for the private key in the smart card. If only
user authentication is needed then we use the "permanent user
certificate", and if both user and host authentication are needed
then we have to create that "temporary user certificate" and use that.

The validity period of the temporary user certificate can be quite
short, and the host can revoke the certificate immediately when the
user removes his smart card. The host must of course also check that
the "permanent user certificate" is valid and then copy that
information to the temporary user certificate.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
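The hierarchy described in the message above, as an added example that is not part of the original post: it uses the python-cryptography library to issue the root, host, permanent and temporary certificates and then runs the checks a gateway would make on the temporary one. The names (host.example, user), the EC key type and the 10-minute lifetime are assumptions; in place of the PKCS#10 request the host reads key and subject from the permanent certificate, the alternative the message mentions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, pubkey, issuer_cert, issuer_key, lifetime, is_ca):
    """Sign a certificate for pubkey; issuer_cert=None means a self-signed root."""
    now = datetime.now(timezone.utc)
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + lifetime)
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def build_hierarchy():
    """CA Root -> host (sub-CA) -> temporary user cert; CA Root -> permanent user cert."""
    ca_key, host_key, card_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue(_name("CA Root"), ca_key.public_key(), None, ca_key, timedelta(days=3650), True)
    # The host key is certified as a CA so that the host may sign user certificates.
    host = issue(_name("host.example"), host_key.public_key(), ca, ca_key, timedelta(days=365), True)
    # Permanent user certificate for the smart-card key, issued directly by the root.
    perm = issue(_name("user"), card_key.public_key(), ca, ca_key, timedelta(days=365), False)
    # Temporary user certificate: same smart-card key and subject as the permanent one
    # (read from it in place of a PKCS#10 request), issued by the host with a short life.
    temp = issue(perm.subject, perm.public_key(), host, host_key, timedelta(minutes=10), False)
    return ca, host, perm, temp

def signed_by(cert, issuer):
    """True if the issuer certificate's public key verifies cert's ECDSA signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def check_temp(ca, host, perm, temp, max_lifetime=timedelta(hours=1)):
    """Gateway-side checks: temp chains host -> root, perm chains to root,
    both certify the same smart-card key, and temp is short-lived."""
    nb = getattr(temp, "not_valid_before_utc", None) or temp.not_valid_before
    na = getattr(temp, "not_valid_after_utc", None) or temp.not_valid_after
    chain_ok = signed_by(temp, host) and signed_by(host, ca) and signed_by(perm, ca)
    same_key = temp.public_key().public_numbers() == perm.public_key().public_numbers()
    return chain_ok and same_key and (na - nb) <= max_lifetime
```

Revocation on card removal is not modelled here; the lifetime bound is what limits the window if the host's revocation never reaches the gateway.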

