
Re: Comment on xauth and hybrid






"Scott G. Kelly" wrote:

> Tamir Zegman wrote:
> >
> > Dennis Glatting wrote:
> >
> <trimmed...>
> > > The PKI reality is there isn't one, so shared secrets, I expect, will
> > > be the IPsec authentication mechanism of choice until products mature
> > > and prices decline. The difference between simple shared secrets and
> > > xauth/hybrid is xauth/hybrid extends existing, seemingly easy to
> > > manage, managed shared secret technologies yielding, in my opinion, no
> > > motivation to improve the security of infrastructures (i.e.,
> > > transition to PKI). Is this where we want to be after several years of
> > > work and some cantankerous meetings?
> > >
> >
> > There is another side to this coin.
> > We have many customers that are deferring their migration to IPSec because
> > they feel they are not ready to deploy a full scale PKI.
> > Xauth/Hybrid makes the move to IPSec easier and allows gradual deployment
> > of PKI.
> > Sometimes it's easier to jump over two small hurdles rather than over a
> > big one.
>
> I agree with Tamir on this point, but think that if we are indeed
> viewing this (xauth, hybrid) as an intermediate step, then we should
> make this exceedingly clear, and the transition path should be clearly
> stated ("clearly" being a relative term at this point in the game).
>
> <more trimmed...>
>
> > >
> > > I offer the following suggestions. First, finish a combined
> > > xauth/hybrid draft and classify it as experimental. Second, the
> > > Security Considerations section of the draft be written not by the
> > > draft's proponents but by at least two of its detractors. Finally, set
> > > a deadline (perhaps three years) where the PS is committed to
> > > historic.
> >
> > I'll accept your offer with regard to the Security Consideration section.
> > Any volunteers?
> > I do not believe that experimental is the right track for this.
>
> I'd be willing to contribute to the security considerations text.
>
> I'm not sure if the experimental track is right or not, though I do
> think that somehow limiting the lifetime of password-based approaches
> has a certain appeal. We must grease the skids for PKI deployment, and
> not simply provide an excuse for maintaining the status quo, but this is
> a complex issue. That is why I think we need a working group to iron it
> out.
>
> Scott

Hi Scott,

I think that there is a consensus that static passwords are BAD.
XAUTH/Hybrid are not there to support static passwords but to support stronger
authentication schemes.
In some cases PKI with "soft" tokens is even less secure than legacy
authentication schemes such as SecurID tokens.
In the absence of PKI, IKE users will fall back to using pre-shared keys. Do we
want that? In some aspects IKE pre-shared secrets are even less secure than
XAUTH/Hybrid with fixed passwords since they are susceptible to off-line
dictionary attacks. Why not ban pre-shared secrets?

Tamir.



