Re: Comments on CRACK
Vipul Gupta wrote:
> > In message <3815F49E.BFABF7C9@cisco.com>, Roy Pereira writes:
> >
> > >
> > > Let me ask everyone who is interested; How do we support existing
> > > legacy user authentication within IKE without using a PKI ?
> >
> > With a protocol that lets the customer download an encrypted private key/
> > certificate pair from a server, followed by ordinary IKE.
> >
> > --Steve Bellovin
> >
>
> A perfect lead-in for what I've been thinking about for some time
> now :-)
>
> How about using an HTML forms based interaction over HTTPS between
> a webserver and a user to accomplish what you state.
>
>      Internet                              Intranet
>                                       |
>                                       |   +--> Legacy Auth server
>           SSL/TLS protected           |  /
>   user =================== HTTPS <----+
>                            server     |
>                                       |
>
> This interaction can easily accommodate legacy user auth mechanisms
> like SecureID, DES Gold, OTP, CHAP because the HTTPS server has access
> to authentication tokens in the clear. Even multiple rounds don't
> pose a problem. After the Auth server responds with "OK", the
> HTTP server can squirt out a special MIME datatype and the browser
> could be set up to automatically invoke the IKE daemon (or companion
> software) to handle that MIME type. The HTTPS may need to coordinate
> with the IPSec gateway on the Intranet side.
>
> This could be a reasonable solution for the road warrior VPN scenario.
> I've heard Paul Hoffman use the term "user authentication in Phase 0.5"
> for an approach like this (in contrast to Hybrid's Phase 1.5).
>
> (Maybe now's a good time to go look for that fire extinguisher :-)).
>
> vipul
>
>
>
This is one neat solution and works OK with a browser (user intervention is
required). What about a router which gets a dynamic IP address from the
ISP and needs to authenticate itself to the remote access router (without
user intervention)?
Srini
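The exchange Vipul sketches above (legacy challenge/response relayed by an
HTTPS front end, then a special MIME type that hands control to the IKE
daemon), written out as an added simulation. This is not code from the
thread or from any IPsec implementation. Everything named is a constructed
stand-in: an HMAC-SHA256 challenge/response plays the CHAP/OTP-style
backend, the MIME type name is hypothetical, the "encrypted key/cert"
bundle is opaque placeholder bytes, and the three parties are plain
objects passing messages with no network I/O.

```python
"""Simulation of the HTTPS 'Phase 0.5' bootstrap described in the thread.

Constructed example, not code from the thread. Hypothetical stand-ins:
a CHAP-like HMAC challenge/response for the legacy mechanism, the MIME type
name, and opaque bytes for the encrypted private-key/certificate bundle."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IKE_BOOTSTRAP_MIME = "application/x-ike-bootstrap"   # hypothetical MIME type
AUTH_ROUNDS = 2                                      # backend insists on two rounds


class LegacyAuthServer:
    """Stand-in legacy auth server: shared secret per user, HMAC-SHA256 over a
    fresh challenge, AUTH_ROUNDS successful rounds before it says OK."""

    def __init__(self, secret_db):
        self._db = secret_db          # user -> shared secret (constructed)
        self._challenge = {}          # user -> outstanding challenge
        self._rounds_ok = {}          # user -> rounds passed so far

    def challenge(self, user):
        if user not in self._db:
            return None
        self._challenge[user] = secrets.token_bytes(16)
        return self._challenge[user]

    def verify(self, user, response):
        chal = self._challenge.pop(user, None)
        if chal is None:
            return "FAIL"
        expected = hmac.new(self._db[user], chal, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            self._rounds_ok.pop(user, None)   # a failed round resets progress
            return "FAIL"
        self._rounds_ok[user] = self._rounds_ok.get(user, 0) + 1
        if self._rounds_ok[user] < AUTH_ROUNDS:
            return "CONTINUE"
        self._rounds_ok.pop(user, None)
        return "OK"


@dataclass
class HttpResponse:
    status: int
    content_type: str
    body: bytes


class HttpsFrontEnd:
    """The HTTPS server. TLS terminates here, so it sees the form fields (the
    user's token response) in the clear and relays them to the backend; the
    IKE bundle is released only after the backend answers OK."""

    def __init__(self, legacy, bundle_db):
        self.legacy = legacy
        self.bundles = bundle_db      # user -> encrypted key/cert blob (placeholder)

    def _challenge_page(self, user):
        chal = self.legacy.challenge(user)
        if chal is None:
            return HttpResponse(403, "text/html", b"<p>unknown user</p>")
        return HttpResponse(200, "text/html",
                            b"<form>challenge=" + chal.hex().encode() + b"</form>")

    def post_form(self, form):
        user = form.get("user", "")
        if "response" not in form:            # first round: hand out a challenge
            return self._challenge_page(user)
        verdict = self.legacy.verify(user, bytes.fromhex(form["response"]))
        if verdict == "CONTINUE":             # further rounds are just more forms
            return self._challenge_page(user)
        if verdict != "OK":
            return HttpResponse(403, "text/html", b"<p>authentication failed</p>")
        return HttpResponse(200, IKE_BOOTSTRAP_MIME, self.bundles[user])


class Browser:
    """Routes a response by MIME type: a registered helper (the IKE daemon)
    gets the special type, anything else is simply rendered."""

    def __init__(self, handlers):
        self.handlers = handlers

    def receive(self, resp):
        handler = self.handlers.get(resp.content_type)
        if resp.status != 200 or handler is None:
            return ("render", resp.status)
        return ("dispatched", handler(resp.body))


def ike_daemon_handler(bundle):
    """Hypothetical IKE companion program: would decrypt the bundle and start
    ordinary IKE; here it only reports what it was handed."""
    return f"ike: loaded {len(bundle)}-byte credential bundle"


def parse_challenge(page):
    return bytes.fromhex(page.split(b"challenge=")[1].split(b"<")[0].decode())


def run_bootstrap(user, token_secret, front_end, browser):
    """Drive the whole exchange the way the user's browser would."""
    resp = front_end.post_form({"user": user})
    while resp.status == 200 and resp.content_type == "text/html":
        answer = hmac.new(token_secret, parse_challenge(resp.body), hashlib.sha256)
        resp = front_end.post_form({"user": user, "response": answer.hexdigest()})
    return browser.receive(resp)


def demo(token_secret=b"s3cret-token"):
    """Constructed sample data; returns the browser's final action."""
    legacy = LegacyAuthServer({"alice": b"s3cret-token"})
    front = HttpsFrontEnd(legacy, {"alice": b"<ENCRYPTED KEY+CERT PLACEHOLDER>"})
    browser = Browser({IKE_BOOTSTRAP_MIME: ike_daemon_handler})
    return run_bootstrap("alice", token_secret, front, browser)
```

Running demo() walks both rounds and ends with the bundle dispatched to the
IKE handler; demo(b"wrong") stops at a 403 page that the browser merely
renders, so no bundle ever leaves the front end without the backend's OK.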