
Re: Weak authentication in Xauth and IKE



On Mon, 23 Aug 1999 17:04:06 -0000 John Pilam wrote
> 
> I must first make clear that, IMHO, XAUTH/Hybrid is the only proposal for
> legacy authentication within IPSEC that can reasonably be said to provide
> strong authentication.  By that standard, it is therefore the only one
> which is ISAKMP compliant.  All others fall to variants of the attacks I
> have posted.

  Let me propose another technique then. One that doesn't require any 
asymmetry in the IKE negotiation, doesn't imply a weakly authenticated 
IKE SA, and allows for strong, mutual authentication.

  I believe that CMC allows for token card authentication; the token
card credentials authenticate enrollment into a CA. This can be used to
deliver a very short lived (or one-time) certificate. The client then
uses this certificate in the standard way-- no modification to IKE is
necessary. Due to the short lifetime of the certificate the client would
be forced to use it immediately in a standard IKE exchange. The IKE 
implementation on the non-client end need not have any special hooks to 
understand an extended or asymmetric authentication. It's just a plain, 
vanilla, IKE.

  This solves the concern of a private key (whose public analog is contained
in the certificate) living on a transient device like a laptop for an
extended period of time. The public/private key pair can be generated 
immediately prior to authentication using the token card and once the 
resulting certificate is used any exposure of the private key would not be 
catastrophic since the certificate would no longer be valid.

  It allows the issuing entity full flexibility in setting the lifetime
of the certificates. It would not be necessary to have the device speaking
IKE be the same device that is authenticating the remote client and issuing
the certificate-- it could be, but need not be.

  It requires no hacks to IKE. Granted, it does require implementation of CMC,
which is no small matter, but it seems to me that a profile of CMC-- some 
subset of the full CMC functionality-- could be defined to meet these needs.
This subset need not be much greater than what is already required for XAUTH
but with the added benefit of not having to modify IKE.

  It addresses the concern that people have that their token cards must be
used in some manner as a way of amortizing the cost (this is largely a 
political argument but one that is very compelling nonetheless). Since it
uses certificates it is a much smoother transition to get people off the
token card addiction than either XAUTH or XAUTH+Hybrid.

  Finally, it separates the two steps-- token card authentication and the
IKE protocol-- and eliminates the need to change your IKE implementation.
There is no need for a "remote access IKE" and a separate "VPN IKE".

  Is there any desire in the WG to pursue this? 

  Dan.
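
The short-lived certificate idea in the message above, as an added example that is not part of the original post or of any IKE or CMC implementation: a CA issues a 5-minute client certificate and an unmodified X.509 chain check accepts it inside that window and rejects it afterwards. The CA name, the P-256 keys, the 5-minute lifetime and the issuance time are assumptions, and the token-card enrollment step is assumed to have already succeeded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var t0 = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed issuance time

// issue signs a certificate over pub; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, life time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: t0, NotAfter: t0.Add(life), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// AcceptedAt reports whether a stock verifier accepts the 5-minute client cert `after` issuance.
func AcceptedAt(after time.Duration) bool {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue("Enrollment CA (hypothetical)", 1, &caKey.PublicKey, nil, caKey, 24*time.Hour)
	cliKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key pair, made just before use
	leaf := issue("remote-client", 2, &cliKey.PublicKey, ca, caKey, 5*time.Minute)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t0.Add(after),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	fmt.Println(AcceptedAt(time.Minute), AcceptedAt(10*time.Minute))
}
```

The verifier side carries no special logic here: rejection after the window comes from the ordinary validity-period check, which is why a private key recovered from the client later cannot be used with this certificate.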


