Hi,

I agree - One way authentication is indeed pointless. But that's not what Hybrid is all about.

Greg Carter wrote:

> How are PKI 'soft' tokens (by that I guess you mean private keys stored on
> disk, password protected) less secure?
>
> How is a one way proprietary authentication scheme more secure than mutual
> authentication with shared secrets or PKI? It's been a while since I looked
> at the internals of the ACE server, but I believe it too uses DES shared
> secrets between the server and the NAS. Most of the other DES based token
> cards rely on RADIUS to act as their authentication server, so now we are
> down to MD5 hiding.
>
> One way authentication is pointless, IMHO.

Again I agree.

> Oh, what about soft tokens? Most of the DES based challenge/response token
> vendors offer software based tokens; I believe SecurID does as well. So how
> does your SGW know if the user is using a true hardware token or a soft
> token? It doesn't. A soft token will be susceptible to the same attacks as
> your shared key file, yet offers only one way authentication.

I agree that XAUTH/Hybrid can be abused by employing weak authentication
methods.

I don't endorse static passwords or other weak authentication methods,
and I believe they should not be used.

I do believe that there are strong legacy authentication methods. They
are widely used today and should be supported.

Regards,
Tamir.