
Re: Use IPSEC as SSH replacement



Will Price writes:
> Well, that pretty much rules out X.509 certs.

Not really. It rules out normal use of X.509 certificates and CA's.
Also the normal X.509 trust model is not useful in that case. But you
can just create self signed certificates for each host, and when you
see the first occurrence of that certificate you store it in some database,
and the next time you connect to that host you check that the
public key is still the same.

This is what the SSH program does. When you connect to a new host for
the first time it prints out a message saying that the host key is not
found in the local database, and requests you to verify that you really
want to continue this operation. If you answer yes to that then it just
takes the public key and stores it in the local database. Next time it
just verifies that the public key is still the same and if it is it
allows you to connect.

If the public key ever changes it prints out a large banner warning you
that something nasty is going on, and requests verification that the user
really wants to continue the operation.

This makes man in the middle attacks possible, but only for the first
connection attempt. After the first connection without man in the
middle it is safe.

So this is just a compromise between security and usability.

> I don't think what you want exists today, but the specs for IPSEC certainly
> support it.  The following would solve the issue were the following to exist:
>
> 1] Use IKE with OpenPGP certs. They don't constantly expire, don't
> cost money, and you can use whatever trust model you want with them
> (hierarchy, WOT, etc...) The ISAKMP RFC already has an ID for
> OpenPGP certs, so no changes required. (see RFC 2044 for OpenPGP)

A PGP certificate would of course be better than X.509 certificates
because the trust model is already different, and you can probably use
the normal PGP web of trust model without change. The problem is that
I don't know any implementations that support PGP certificates in IKE.

> 2] To be just like SSH in terms of ease of use, your IKE
> implementation must be able to be configured such that the
> certificate received when the first Phase 1 SA is established with
> any other host on the internet is implicitly accepted. That

I think we must consult the user about this. Otherwise we are
vulnerable to DNS attacks. The attacker just changes the www.foo.com
IP address to something else that happens to be a new host, so
IKE will see a new public key from the new host.

If we show a dialog to the user, he can see that something funny is going
on: this host should already be inside my database...

> certificate from then on is required for authentication whenever
> communicating with the same remote host. While this introduces a
> minor security issue for first connections, this is something most
> people have been willing to live with for years with SSH. To
> eliminate this security issue, just use the web of trust to validate
> the certs. If that doesn't scale to your organization, use OpenPGP
> meta-introducers to establish a hierarchy.
> 
> One day if these worldwide CA-based pay-for-each-cert IPSEC X.509
> PKI ramblings become accepted and popular, your IKE implementation
> could also support X.509 and be compatible with that too. In the
> meantime, I agree that it would be nice to get IKE widely usable
> without the hurdles that seem to have been erected for it.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
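The trust-on-first-use host key database described in the message above, as an added example that is not part of the original thread and not SSH's own code. It models the three cases the message walks through (unknown host needs user confirmation, unchanged key proceeds silently, changed key warns and needs confirmation); the `KnownHosts` class, the `Verdict` names and the SHA-256 fingerprint are assumptions of this example.

```python
"""Trust-on-first-use (TOFU) host key store modelled on the SSH behaviour
described in the message. Constructed example; names are assumptions."""
import hashlib
from enum import Enum
from typing import Callable, Dict


class Verdict(Enum):
    NEW_HOST = "host key not found in the local database"
    MATCH = "host key unchanged"
    MISMATCH = "WARNING: host key changed, possible man in the middle"


def fingerprint(pubkey: bytes) -> str:
    """Short stable identifier for a public key (SHA-256 hex, an assumption)."""
    return hashlib.sha256(pubkey).hexdigest()


class KnownHosts:
    def __init__(self) -> None:
        # Keyed by the name the user asked for, not the resolved address, so a
        # DNS answer that points elsewhere shows up as a changed key, not as a
        # fresh host (the DNS concern raised in the message).
        self._db: Dict[str, str] = {}

    def check(self, host: str, pubkey: bytes) -> Verdict:
        stored = self._db.get(host)
        if stored is None:
            return Verdict.NEW_HOST
        return Verdict.MATCH if stored == fingerprint(pubkey) else Verdict.MISMATCH

    def connect(self, host: str, pubkey: bytes,
                confirm: Callable[[str, str, Verdict], bool]) -> bool:
        """Return True if the connection may proceed. `confirm` stands in for
        the user dialog and is only consulted when the key is new or changed."""
        verdict = self.check(host, pubkey)
        if verdict is Verdict.MATCH:
            return True
        if not confirm(host, fingerprint(pubkey), verdict):
            return False
        if verdict is Verdict.NEW_HOST:
            # First sighting: remember the key for all later connections.
            self._db[host] = fingerprint(pubkey)
        # On MISMATCH the stored key is deliberately left untouched, so the
        # warning repeats until the user updates the database by hand.
        return True
```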