
Re: New XAUTH draft



Man in the middle attack?

The man in the middle has to be a member of the set authenticated by
the preshared key, right?  Otherwise you can't mount that attack
because main mode doesn't let joe random user do a man in the middle
attack against it.

So now the question becomes: for applications where XAUTH would be
considered, can you partition the set of clients into subsets such
that the members of a particular subset are trusted not to be
interested in mounting man in the middle attacks for impersonating
other members of that same subset?

If yes, then each subset can share a preshared key.  (If no, then and
only then is your argument against group shared keys valid for that
particular application.)

	paul
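Added example, not part of paul's message or of the XAUTH draft: a simplified PSK-authenticated Diffie-Hellman exchange modelled loosely on IKE main mode (SKEYID = prf(psk, Ni|Nr), a HASH over the DH publics and the identity, keys derived from SKEYID). The toy group, the HMAC-SHA256 prf, the identities "bob" and "gateway" and the key GROUP_PSK are all constructed for illustration, not values from any real deployment. It shows the point made above: an outsider who does not hold the group key fails both sides' authentication checks and learns nothing, while a member of the same subset can sit in the middle, satisfy both the client and the gateway, and hold both session keys.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only to keep numbers short (assumption;
# NOT one of the real IKE groups).
P = 2**127 - 1
G = 5

# Constructed group pre-shared key shared by every client of one subset.
GROUP_PSK = b"subset-A-preshared-key"


def i2b(n):
    """Encode a group element as a fixed 16-byte big-endian string."""
    return n.to_bytes(16, "big")


def prf(key, *parts):
    """Stand-in for IKE's prf(): HMAC-SHA256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Party:
    """One endpoint of a simplified PSK-authenticated DH exchange."""

    def __init__(self, ident, psk):
        self.ident = ident
        self.psk = psk
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.x, P)

    def skeyid(self, peer_nonce, as_initiator):
        # SKEYID = prf(psk, Ni | Nr): this is the only place the PSK enters
        # the exchange, so anyone holding the PSK can compute it.
        ni, nr = (self.nonce, peer_nonce) if as_initiator else (peer_nonce, self.nonce)
        return prf(self.psk, ni, nr)

    def auth_hash(self, peer_nonce, peer_pub, as_initiator):
        # HASH = prf(SKEYID, g^x_own | g^x_peer | ID_own): the value the peer
        # checks, which only proves "someone holding the PSK sent this".
        return prf(self.skeyid(peer_nonce, as_initiator),
                   i2b(self.pub), i2b(peer_pub), self.ident)

    def verify_and_key(self, peer_nonce, peer_pub, peer_ident, peer_hash, as_initiator):
        """Check the peer's hash and derive the session key. Returns (ok, key)."""
        skeyid = self.skeyid(peer_nonce, as_initiator)
        expected = prf(skeyid, i2b(peer_pub), i2b(self.pub), peer_ident)
        ok = hmac.compare_digest(expected, peer_hash)
        key = prf(skeyid, i2b(pow(peer_pub, self.x, P)))
        return ok, key


def run_exchange(initiator, responder):
    """Direct exchange between two parties.
    Returns (initiator_ok, responder_ok, initiator_key, responder_key)."""
    hi = initiator.auth_hash(responder.nonce, responder.pub, True)
    hr = responder.auth_hash(initiator.nonce, initiator.pub, False)
    i_ok, i_key = initiator.verify_and_key(responder.nonce, responder.pub,
                                           responder.ident, hr, True)
    r_ok, r_key = responder.verify_and_key(initiator.nonce, initiator.pub,
                                           initiator.ident, hi, False)
    return i_ok, r_ok, i_key, r_key


def run_mitm(client, gateway, mallory_psk):
    """Mallory relays between client and gateway with her own DH values,
    claiming the gateway's identity to the client and the client's identity
    to the gateway. Identities are plain strings, so only the PSK can stop her."""
    as_gateway = Party(gateway.ident, mallory_psk)
    as_client = Party(client.ident, mallory_psk)
    c_ok, _, c_key, m1_key = run_exchange(client, as_gateway)
    _, g_ok, m2_key, g_key = run_exchange(as_client, gateway)
    return {
        "client_accepts": c_ok,
        "gateway_accepts": g_ok,
        "mallory_holds_client_key": c_key == m1_key,
        "mallory_holds_gateway_key": g_key == m2_key,
    }


if __name__ == "__main__":
    print("direct:", run_exchange(Party(b"bob", GROUP_PSK), Party(b"gateway", GROUP_PSK))[:2])
    print("insider MITM:", run_mitm(Party(b"bob", GROUP_PSK), Party(b"gateway", GROUP_PSK), GROUP_PSK))
    print("outsider MITM:", run_mitm(Party(b"bob", GROUP_PSK), Party(b"gateway", GROUP_PSK), b"wrong"))
```

Run it and the insider case reports True for all four outcomes while the outsider case reports False for all four. In the insider case the client has authenticated "a holder of GROUP_PSK", not the gateway, so whatever it then sends to what it believes is the gateway (an XAUTH password, for instance) reaches Mallory first. That is the trust assumption the subset-partitioning argument above asks you to make explicitly for each application.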

