
RE: Comment on xauth and hybrid



Hi,
How are PKI 'soft' tokens (by that I guess you mean private keys stored on
disk, password protected) less secure?

How is a one-way proprietary authentication scheme more secure than mutual
authentication with shared secrets or PKI?  It's been a while since I looked
at the internals of the ACE server, but I believe it too uses DES shared
secrets between the server and the NAS. Most of the other DES-based token
cards rely on RADIUS to act as their authentication server, so now we are
down to MD5 hiding.

One-way authentication is pointless, IMHO.

Oh, what about soft tokens? Most of the DES-based challenge/response token
vendors offer software-based tokens; I believe SecurID does as well.  So how
does your SGW know if the user is using a true hardware token or a soft
token? It doesn't.  A soft token will be susceptible to the same attacks as
your shared key file, yet offers only one-way authentication.

Bye.

	-----Original Message-----
	From: Tamir Zegman [mailto:zegman@checkpoint.com]
	Sent: Wednesday, July 21, 1999 1:12 PM
	To: Scott G. Kelly
	Cc: ipsec@lists.tislabs.com; ietf-ipsra@vpnc.org
	Subject: Re: Comment on xauth and hybrid

	I think that there is a consensus that static passwords are BAD.
	XAUTH/Hybrid are not there to support static passwords but to support stronger authentication schemes.
	In some cases PKI with "soft" tokens are even less secure than legacy authentication schemes such as SecurID tokens.
	In the absence of PKI, IKE users will fall back to use pre-shared keys. Do we want that? In some aspects IKE pre-shared secrets are even less secure than XAUTH/Hybrid with fixed passwords since they are susceptible to off-line dictionary attacks. Why not ban pre-shared secrets?

	Tamir.
