Re: Comments on CRACK
> In message <3815F49E.BFABF7C9@cisco.com>, Roy Pereira writes:
>
> >
> > Let me ask everyone who is interested; How do we support existing
> > legacy user authentication within IKE without using a PKI ?
>
> With a protocol that lets the customer download an encrypted private key/
> certificate pair from a server, followed by ordinary IKE.
>
> --Steve Bellovin
>
A perfect lead-in for what I've been thinking about for some time
now :-)
How about using an HTML forms based interaction over HTTPS between
a webserver and a user to accomplish what you state.
         Internet                      Intranet
                                |
                                |    +--> Legacy Auth server
    SSL/TLS protected           |   /
user =================== HTTPS <---+
                        server  |
                                |
                                |
This interaction can easily accommodate legacy user auth mechanisms
like SecureID, DES Gold, OTP, CHAP because the HTTPS server has access
to authentication tokens in the clear. Even multiple rounds don't
pose a problem. After the Auth server responds with "OK", the
HTTP server can squirt out a special MIME datatype and the browser
could be set up to automatically invoke the IKE daemon (or companion
software) to handle that MIME type. The HTTPS server may need to coordinate
with the IPSec gateway on the Intranet side.
This could be a reasonable solution for the road warrior VPN scenario.
I've heard Paul Hoffman use the term "user authentication in Phase 0.5"
for an approach like this (in contrast to Hybrid's Phase 1.5).
(Maybe now's a good time to go look for that fire extinguisher :-)).
vipul
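As an added illustration (not code from the post, nor from any implementation of the scheme), the following Python sketch simulates the "Phase 0.5" dialogue described above in-process: a CHAP-style legacy auth exchange carried in HTTPS form submissions, more than one challenge/response round, and finally a response under a special MIME type that the browser-side dispatcher hands to an IKE companion, with the IPsec gateway issuing a one-time bootstrap blob. The class names, the MIME type, the blob format and the gateway coordination are all assumptions; no real TLS, IKE or token server is involved, and the user database is constructed.

```python
import hashlib
import secrets

# Constructed MIME type for the bootstrap blob; not a registered type.
IKE_BOOTSTRAP_MIME = "application/x-ike-bootstrap"


def chap_response(round_no, secret, challenge):
    # CHAP-style response MD5(identifier || secret || challenge), computed on both sides.
    return hashlib.md5(bytes([round_no]) + secret + challenge).digest()


class LegacyAuthServer:
    # Stand-in for the legacy auth server; runs `rounds` challenge/response rounds.
    def __init__(self, secrets_db, rounds=2):
        self.secrets_db = secrets_db   # user -> shared secret (bytes), constructed
        self.rounds = rounds
        self.sessions = {}             # sid -> [user, round, challenge]

    def start(self, user):
        if user not in self.secrets_db:
            return None
        sid, chal = secrets.token_hex(8), secrets.token_bytes(16)
        self.sessions[sid] = [user, 0, chal]
        return sid, chal

    def respond(self, sid, response):
        # Each response consumes its challenge, so a wrong or replayed submission ends the session.
        sess = self.sessions.pop(sid, None)
        if sess is None:
            return "FAIL", None, None
        user, rnd, chal = sess
        expected = chap_response(rnd, self.secrets_db[user], chal)
        if not secrets.compare_digest(expected, response):
            return "FAIL", None, None
        if rnd + 1 == self.rounds:
            return "OK", None, None
        chal = secrets.token_bytes(16)
        self.sessions[sid] = [user, rnd + 1, chal]
        return "CONTINUE", rnd + 1, chal


class Gateway:
    # Stand-in for the IPsec gateway: mints bootstrap blobs that IKE may redeem once.
    def __init__(self):
        self.issued = {}

    def issue(self):
        blob = secrets.token_bytes(32)
        self.issued[blob] = True
        return blob

    def redeem(self, blob):
        return self.issued.pop(blob, False)   # True the first time, False afterwards


class HttpsFrontEnd:
    # Stand-in for the HTTPS server: it sees the form fields in the clear, relays
    # them to the auth server, and on "OK" returns the blob under the special type.
    def __init__(self, auth, gateway):
        self.auth, self.gateway = auth, gateway

    def get_form(self, user):
        started = self.auth.start(user)
        if started is None:
            return {"content_type": "text/html", "body": "unknown user"}
        sid, chal = started
        return {"content_type": "text/html", "sid": sid, "round": 0, "challenge": chal}

    def post_form(self, sid, response):
        status, rnd, chal = self.auth.respond(sid, response)
        if status == "CONTINUE":
            return {"content_type": "text/html", "sid": sid, "round": rnd, "challenge": chal}
        if status == "OK":
            return {"content_type": IKE_BOOTSTRAP_MIME, "body": self.gateway.issue()}
        return {"content_type": "text/html", "body": "authentication failed"}


class Browser:
    # Client side: answers each challenge page, then dispatches the final response
    # by Content-Type the way a browser's helper-application table would.
    def __init__(self, front_end, handlers):
        self.front_end, self.handlers = front_end, handlers

    def login(self, user, secret):
        page = self.front_end.get_form(user)
        while "challenge" in page:
            answer = chap_response(page["round"], secret, page["challenge"])
            page = self.front_end.post_form(page["sid"], answer)
        return self.handlers[page["content_type"]](page["body"])


def run_flow(user, secret, rounds=2):
    # Wire everything together with a constructed user database and return
    # what the client-side handler produced: ("ike-invoked", redeemed) or ("denied", why).
    gateway = Gateway()
    front = HttpsFrontEnd(LegacyAuthServer({"alice": b"s3cret"}, rounds), gateway)
    handlers = {
        IKE_BOOTSTRAP_MIME: lambda blob: ("ike-invoked", gateway.redeem(blob)),
        "text/html": lambda body: ("denied", body),
    }
    return Browser(front, handlers).login(user, secret)
```

`run_flow("alice", b"s3cret")` walks both CHAP rounds and ends with the IKE handler redeeming the blob; a wrong secret or unknown user ends on an ordinary HTML page and never reaches the IKE companion. Two points the sketch makes concrete: the legacy mechanism works here only because the HTTPS front end sees the form responses in the clear, so its host is where those tokens must be protected; and the blob the gateway hands out is single-use, which is what makes a captured MIME response useless for a replay.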