
Re: New XAUTH draft

Dan,

Would you comment on Tamir's reply about asymmetric authentication in IKE:

> I agree with your disapproval of the use of a key shared by more than
> two parties during Phase 1.  This kind of modus operandi is even worse
> than standard pre-shared key authentication which is already weak.
> 
> However, I do not think we need to mandate that Phase 1 authenticates
> both parties: For protection against man in the middle attacks it is
> sufficient for only one peer to be authenticated.  For the remote user
> to trust the security gateway before divulging his credentials in
> XAUTH it is sufficient that the edge device is authenticated.
> Therefore, it seems that the demand for mutual Phase 1 authentication
> prior to XAUTH can be relaxed and replaced with the demand that only
> the edge device be authenticated.  While asymmetric Phase 1
> authentication with pre-shared keys seems unreasonable, the draft must
> not rule out asymmetric Phase 1 authentication using signatures.

Doesn't XAUTH combined with Tamir's asymmetric Hybrid-Auth proposal
provide a defense against man in the middle attacks? If it doesn't, please
describe the attack. Otherwise, shouldn't we be discussing XAUTH _and_
hybrid-auth as the solution to this problem?

My customers are insisting that they want compatibility with legacy
authentication mechanisms as they incrementally roll out PKI. (Some may
never use PKI due to substantial investments in token cards). While I
agree PKI is best, it is not my position to force my customers to adopt
a technology they don't think they need.

And they may be right. The customer should have a range of options for
user authentication that match the value of their information and network
access versus the cost of the authentication infrastructure. As an analogy,
a bank doesn't need a vault with 4 foot thick steel walls and biometric
authentication if their total deposits on hand are only $1000.

-Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
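A toy model of the argument in Tamir's quoted text, added here and not part of the thread: only the gateway signs the Phase 1 Diffie-Hellman exchange, and the client releases its XAUTH credential only after that signature verifies against a pinned gateway key. Lamport one-time signatures stand in for RSA, the DH group and the credential are constructed values, and the HMAC stands in for the protected XAUTH exchange; none of this is IKE wire format.

```python
# Toy model of asymmetric Phase 1 + XAUTH (constructed; Lamport OTS stands in for RSA)
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy DH group, constructed for illustration (not an IKE group)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen():
    # private key: 256 pairs of random preimages; public key: their hashes
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def lamport_sign(sk, msg):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def enc(n):
    return n.to_bytes(16, "big")

def gateway_respond(gw_sk, client_pub):
    # Phase 1, gateway side: contribute g^s and sign the DH values it saw
    s, gw_pub = dh_keypair()
    return gw_pub, lamport_sign(gw_sk, enc(client_pub) + enc(gw_pub))

def client_finish(trusted_pk, c, client_pub, gw_pub, sig, credential):
    # Phase 1, client side: the signature must bind exactly the DH values this
    # client sent and received; only then is the XAUTH credential released
    if not lamport_verify(trusted_pk, enc(client_pub) + enc(gw_pub), sig):
        return None                                  # abort before XAUTH
    k = H(enc(pow(gw_pub, c, P)))                    # Phase 1 session key
    return hmac.new(k, credential, "sha256").digest()   # stands in for protected XAUTH

def run(mitm):
    gw_sk, gw_pk = lamport_keygen()                  # gw_pk is pinned at the client
    c, client_pub = dh_keypair()
    m, mitm_pub = dh_keypair()
    gw_pub, sig = gateway_respond(gw_sk, mitm_pub if mitm else client_pub)
    if mitm:
        gw_pub = mitm_pub   # attacker offers its own value, relaying the gateway's signature
    return client_finish(gw_pk, c, client_pub, gw_pub, sig, b"user:otp-123456")
```

`run(False)` completes and returns the protected credential; `run(True)` returns `None`, because the gateway's signature covers the attacker's DH value rather than the client's, so the client aborts before XAUTH begins.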