[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CRACK

(PKIX: CRACK refers to draft-harkins-ipsec-ike-crack-00.txt.)

Brian Korver wrote:

> Waters, Stephen writes:
> > Hi Dan,
> >
> > Looks good.
> >
> > Where did CRACK come from? A dubious name in a security protocol.

A very catching marketing trick, I presume. ;-)

>
> >
> > Can the client's private/public key be unique for each connection?
>
> Sure.  But that would require an implementation+policy that would generate
> a separate IKE SA for each connection.  If you connect frequently, I'm not
> sure you would want that.
>

There's another architectural thing you should consider. What about modifying
the protocol so that when the server starts believing in the authenticity of the
client, the server issues the client's public key a certificate? This certificate
would have a very limited life-time, just enough for the purpose at hand.
It would be transported to the client in the 'last' message, whatever that is.

Although this creates more public key operations, the legacy authentication
functionality could be located on a different physical box than the actual
security gateway.. This achieves a very similar function to the Kerberos ticket
granting server, and the certificate is similar to Kerberos tickets. You'd of
course have to set up the trust relations appropriately.

There could also exist "one time certificates" that can be used only once
during their life-time to gain access, similar to one time passwords. Some
way or another they would be revoked the moment they are used.

(CPU is basically very cheap. If not this year, then perhaps next..)

>
> >
> >
> > Steve.
>
> brian
> briank@network-alchemy.com

--
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

Data Fellows Corporation       http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security
Follow-Ups: References: