[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on CRACK





> In message <3815F49E.BFABF7C9@cisco.com>, Roy Pereira writes:
> 
> > 
> > Let me ask everyone who is interested;  How do we support existing
> > legacy user authentication within IKE without using a PKI ?
> 
> With a protocol that lets the customer download an encrypted private key/
> certificate pair from a server, followed by ordinary IKE.
> 
> 		--Steve Bellovin
> 

  A perfect lead-in for what I've been thinking about for some time
  now :-)
  
  How about using an HTML forms based interaction over HTTPS between
  a webserver and a user to accomplish what you state.
  
           Internet                           Intranet
  
                               |
                               |          +--> Legacy Auth server
           SSL/TLS protected   |         /
     user =================== HTTPS <---+
                              server
                               |
                               |
                              
   This interaction can easily accomodate legacy user auth mechanisms
   like SecureID, DES Gold, OTP, CHAP because the HTTPS server has access
   to authentication tokens in the clear. Even multiple rounds don't
   pose a problem. After the Auth server responds with "OK", the
   HTTP server can squirt out a special MIME datatype and the browser 
   could be set up to automatically invoke the IKE daemon (or companion
   software) to handle that MIME type. The HTTPS may need to coordinate
   with the IPSec gateway on the Intranet side.
   
   This could be a reasonable solution for the road warrior VPN scenario.
   I've heard Paul Hoffman use the term "user authentication in Phase 0.5"
   for an approach like this (in contrast to Hybrid's Phase 1.5).

   (Maybe now's a good time to go look for that fire extingusher :-)).   
   
   vipul
   
   
                              



Follow-Ups: