
Re: Comment on xauth and hybrid



Hi Greg,
Let me try to answer the questions you have posed:

Greg Carter wrote:

> Hi,
> How are PKI 'soft' tokens (by that I guess you mean private keys stored on
> disk, password protected) less secure?
>
> How is a one-way proprietary authentication scheme more secure than mutual
> authentication, with shared secrets or PKI? It's been a while since I looked
> at the internals of the ACE server, but I believe it too uses DES shared
> secrets between the server and the NAS. Most of the other DES-based token
> cards rely on RADIUS to act as their authentication server, so now we are
> down to MD5 hiding.
>
> One-way authentication is pointless, IMHO.
 

I agree - one-way authentication is indeed pointless. But that's not what Hybrid is all about.
In Hybrid you first authenticate the Gateway using signatures. Only then do you authenticate the client using "legacy" authentication schemes.
Authentication is mutual, but different methods are employed to authenticate the client and the Gateway, hence the term Hybrid.
 
> Oh, what about soft tokens? Most of the DES-based challenge/response token
> vendors offer software-based tokens, and I believe SecurID does as well. So how
> does your SGW know if the user is using a true hardware token or a soft
> token? It doesn't. A soft token will be susceptible to the same attacks as
> your shared key file, yet offers only one-way authentication.
 
Again I agree.
It might be that I was misunderstood.
I argue that in some cases hardware-based legacy authentication schemes (e.g. SecurID cards) have advantages over PKI software tokens.
One can copy your software token without you even noticing and then mount an offline dictionary attack on it.

I agree that XAUTH/Hybrid can be abused by employing weak authentication methods.
I don't endorse static passwords or other weak authentication methods and I believe they should not be used.
I do believe that there are strong legacy authentication methods. They are widely used today and should be supported.

Regards,
Tamir.
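The two legs Tamir describes (the Gateway proves itself with a signature first, and only then does the client answer with a legacy token code), as an added example that is not code from this thread or from any IKE implementation. It assumes Ed25519 for the gateway signature and an HMAC-based six-digit counter code as a stand-in for a hardware token; `NewGateway`, `TokenCode` and `HybridAuth` are names invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Gateway holds the long-term signing key; clients are provisioned with only the public half.
type Gateway struct{ priv ed25519.PrivateKey }

// NewGateway makes a fresh key pair (constructed here; a real gateway would use a certified key).
func NewGateway() (Gateway, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Gateway{priv: priv}, pub
}

// SignNonce is the gateway's leg: sign the client's fresh nonce so the client learns who it talks to first.
func (g Gateway) SignNonce(nonce []byte) []byte { return ed25519.Sign(g.priv, nonce) }

// TokenCode stands in for a hardware token's reply: HMAC-SHA256 over an event counter, six digits (hypothetical).
func TokenCode(seed []byte, counter uint64) uint32 {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m := hmac.New(sha256.New, seed)
	m.Write(buf[:])
	sum := m.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
}

// HybridAuth runs both legs in order and reports (gatewayVerified, clientVerified).
// A failed signature check stops the client before it sends its one-time code.
func HybridAuth(trustedPub ed25519.PublicKey, gw Gateway, seed []byte, counter uint64, code uint32) (bool, bool) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	if !ed25519.Verify(trustedPub, nonce, gw.SignNonce(nonce)) {
		return false, false
	}
	return true, TokenCode(seed, counter) == code
}
```

The order is the point: the client releases its one-time code only after the gateway's signature verifies against the key it was provisioned with, so a gateway presenting any other key collects nothing.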