
RE: Comment on xauth and hybrid



Hi Stephen,
Not to be flippant but fortunately the first two are outside the scope of
IPSec, the last already exists in IKE.

We cannot engineer IKE to the point of requiring Tempest shielded
workstations...
If an attacker can install a keyboard monitoring app, then why can't they
install a shim to monitor IP traffic, which would make all the
authentication in the world useless since they can just grab the plain text?
If your software allows trivial passwords, or stores private keys/shared
keys in the clear, or any of the other arguments I have heard for one-way
auth... then it's less than adequate to say the least.

I actually have no problems in allowing vendors to do XAUTH; I have no
doubts that any implementation that requires the user to enter two
passwords, a challenge and a response, and only provides one-way
authentication will never win in the market.  I have problems with such a
protocol being developed (and marketed) under the notion that it is somehow
more secure than the current IKE authentication mechanisms.
Bye.

-----Original Message-----
From: Waters, Stephen [mailto:Stephen.Waters@cabletron.com]
Sent: Thursday, July 22, 1999 7:08 AM
To: Dennis Glatting
Cc: ipsec@lists.tislabs.com; ietf-ipsra@vpnc.org
Subject: RE: Comment on xauth and hybrid



Maybe if we write down the ideal requirements, something will pop-up (humm):
1) no passwords needed, since passwords get written down!
2) client authentication that cannot be cracked off-line
3) a single, strong authentication mechanism that can be used without the
need of XAUTH