Re: New XAUTH draft



On Thu, 30 Sep 1999 06:50:04 EDT you wrote
> Dan,
> 
> Would you comment on Tamir's reply about asymmetric authentication in IKE:

Oh darn I was trying to duck that one...

> > I agree with your disapproval of the use of a key shared by more than
> > two parties during Phase 1.  This kind of modus operandi is even worse
> > than standard pre-shared key authentication which is already weak.
> > 
> > However, I do not think we need to mandate that Phase 1 authenticates
> > both parties: For protection against man in the middle attacks it is
> > sufficient for only one peer to be authenticated.  For the remote user
> > to trust the security gateway before divulging his credentials in
> > XAUTH it is sufficient that the edge device is authenticated.
> > Therefore, it seems that the demand for mutual Phase 1 authentication
> > prior to XAUTH can be relaxed and replaced with the demand that only
> > the edge device be authenticated.  While asymmetric Phase 1
> > authentication with pre-shared keys seems unreasonable, the draft must
> > not rule out asymmetric Phase 1 authentication using signatures.
> 
> Doesn't XAUTH combined with Tamir's asymmetric Hybrid-Auth proposal
> provide a defense against man in the middle attacks? If it doesn't, please
> describe the attack. Otherwise, shouldn't we be discussing XAUTH _and_
> hybrid-auth as the solution to this problem?

My comments on XAUTH were not explicitly about man-in-the-middle attacks.
Yes, Hybrid does foil those attacks where using a pre-shared key would not.
My comments were more about the fact that XAUTH does not affect the
authenticated nature of the phase 1 security association in any way (in
fact I think I used that sentence or something like it three times). 

What I think people are missing here (and the comment in XAUTH about
"signing ISAKMP packets" really underscores that) is that the SKEYID
state is authenticated. The keying material gets authenticated in IKE
and it is that state of "authenticatedness" that is conveyed to the
IPSec SAs. If you do not authenticate, or weakly authenticate, the phase
1 SAs then _it doesn't matter if you do XAUTH or not_
because the IPSec SAs will be correspondingly unauthenticated. 

> My customers are insisting that they want compatibility with legacy
> authentication mechanisms as they incrementally roll out PKI. (Some may
> never use PKI due to substantial investments in token cards). While I
> agree PKI is best, it is not my position to force my customers to adopt
> a technology they don't think they need.

This is the Internet _Engineering_ Task Force not the Internet Make a
Quick Cludge for Customers that Don't Care Task Force. 

> And they may be right. The customer should have a range of options for
> user authentication that match the value of their information and network
> access versus the cost of the authentication infrastructure. As an analogy,
> a bank doesn't need a vault with 4 foot thick steel walls and biometric
> authentication if their total deposits on hand are only $1000.

Oh what a great analogy. So what they would need then is the emasculated
vault with 4' thick steel walls and biometric authentication, right? They'd
remove the biometric authentication and change to something like a group
PIN and if the $1000 is stolen then oh well, it was just $1000. But why even 
go that route. If that's their security concerns then don't sell them the 
4' thick steel walled vault (IKE) sell them a wire birdcage. Like I said to 
Stephen, design your own unauthenticated key exchange (with the security 
of the birdcage-- I like this analogy!) and run XAUTH on top of that.

Or wait a few days. There's a draft in the works that will hopefully 
address all concerns.

  Dan.
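An added illustration of the SKEYID point Dan makes above (example code written for this archive page; it is not from the XAUTH or Hybrid drafts and not from any of the posters). It models main mode with pre-shared-key authentication as a toy: SKEYID = prf(PSK, Ni | Nr), an authentication hash over the DH values and the asserted ID, and a toy stream cipher standing in for the SKEYID_e-keyed cipher. The group name, the identities `client` and `gateway`, the password and the 127-bit DH group are all constructed for the example. When the pre-shared key is a group key that the attacker also holds, the attacker finishes phase 1 with both ends, each end accepts its hash, and the XAUTH password sent over the "authenticated" SA is read in the clear by the middle; with a key the attacker does not hold, phase 1 fails and XAUTH never starts.

```python
"""Toy model of IKE main mode (PSK auth) followed by XAUTH.

Constructed illustration only: not IKE's wire format, not a real cipher.
The one thing that makes SKEYID, and so the phase 1 SA, authenticated is
the pre-shared key. If more than two parties hold it, any of them can sit
in the middle and XAUTH on top of phase 1 changes nothing."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman group: 2^127 - 1 is prime. Real IKE uses the MODP
# groups of RFC 2409; the small group only keeps the example short.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf: HMAC-SHA1 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


class Peer:
    """One endpoint. `ident` is the ID it asserts in phase 1, `psk` the
    pre-shared key it uses. A man in the middle is simply a Peer that
    asserts someone else's ident and holds the same group key."""

    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.x = int.from_bytes(os.urandom(15), "big") + 2  # DH private value
        self.gx = pow(G, self.x, P)
        self.nonce = os.urandom(16)


def phase1(init: Peer, resp: Peer):
    """Main mode between `init` and `resp`. Returns each side's encryption
    key and whether both authentication hashes verified."""
    gxy = i2b(pow(resp.gx, init.x, P))  # g^xy, identical on both sides
    # SKEYID for PSK auth = prf(psk, Ni | Nr). The PSK is the only secret
    # input, so SKEYID is authenticated exactly as well as the PSK is.
    sk_i = prf(init.psk, init.nonce + resp.nonce)
    sk_r = prf(resp.psk, init.nonce + resp.nonce)
    hash_i = prf(sk_i, i2b(init.gx) + i2b(resp.gx) + init.ident)
    hash_r = prf(sk_r, i2b(resp.gx) + i2b(init.gx) + resp.ident)
    # Each side recomputes the peer's hash under its own SKEYID.
    init_ok = hmac.compare_digest(
        hash_r, prf(sk_i, i2b(resp.gx) + i2b(init.gx) + resp.ident))
    resp_ok = hmac.compare_digest(
        hash_i, prf(sk_r, i2b(init.gx) + i2b(resp.gx) + init.ident))
    # SKEYID_e, the key that will protect XAUTH, derives from SKEYID.
    return prf(sk_i, gxy + b"\x02"), prf(sk_r, gxy + b"\x02"), init_ok and resp_ok


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy stream cipher (XOR with a prf keystream); sealing twice with the
    same key recovers the message. Stands in for the SKEYID_e cipher."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(msg) // 20 + 1))
    return bytes(a ^ b for a, b in zip(msg, stream))


def xauth_through_mitm(user_psk: bytes, mitm_psk: bytes, password: bytes) -> dict:
    """A client runs phase 1 then XAUTH toward its gateway while `mitm`
    intercepts. `user_psk` is what client and gateway share; `mitm_psk`
    is what the attacker holds (the same value when it is a group key)."""
    client = Peer(b"client", user_psk)
    gateway = Peer(b"gateway", user_psk)
    mitm_as_gw = Peer(b"gateway", mitm_psk)  # the face shown to the client
    mitm_as_cl = Peer(b"client", mitm_psk)   # the face shown to the gateway
    ke_c, ke_m1, ok1 = phase1(client, mitm_as_gw)
    if not ok1:
        # Phase 1 authentication failed: no SA, so XAUTH never runs.
        return {"phase1_ok": False, "mitm_saw": None, "gateway_saw": None,
                "end_to_end_keys_match": False}
    ke_m2, ke_g, ok2 = phase1(mitm_as_cl, gateway)
    # XAUTH: the client sends its password over the SA it believes it
    # shares with the gateway. The middle decrypts, records, re-encrypts.
    seen_by_mitm = seal(ke_m1, seal(ke_c, password))
    seen_by_gateway = seal(ke_g, seal(ke_m2, seen_by_mitm)) if ok2 else None
    return {"phase1_ok": True, "mitm_saw": seen_by_mitm,
            "gateway_saw": seen_by_gateway,
            "end_to_end_keys_match": ke_c == ke_g}


if __name__ == "__main__":
    group = b"corp-vpn-group-key"  # constructed group pre-shared key
    print("group PSK:   ", xauth_through_mitm(group, group, b"hunter2"))
    print("per-user PSK:", xauth_through_mitm(b"alice-only", group, b"hunter2"))
```

The thing to notice is the last field: even in the case where everything "succeeds", the client's SKEYID_e and the gateway's SKEYID_e are different keys, because the client's phase 1 SA is with the attacker. XAUTH ran, the user's password was checked by the gateway, and none of that repaired the phase 1 SA the IPsec SAs will inherit from.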

