[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SOI: identity protection and DOS
Specifying pre-shared (secret) key mechanism does not prevent (or impede)
the use of manually installed certificates.
It is just that the two things are NOT equivalent.
ANY "manually installed", either with seret keys or certificates, is WEAK,
as it requires a direct human intervention.
It may be great for testing, and useful for fast-dirty security.
(And, yes, for manual installation I prefer certs too -- at least they do
not have secrecy protection requirements).
However, here, we are talking about GOOD security with GOOD performance.
It is in this domain where SHARED secret keys can be very useful.
Examples: organizations where the authentication services are provided
by a third party (a KDC, an authentication server, etc.)
In those cases, providing a fresh, strong, authenticated shared secret key
to both peers (e.g. a client and a gateway) is perfectly possible,
secure and computationally cheaper.
And I certainly do not have to tell you that these second and third-party
type models are in widespread use today.
They deserve a WELL-DESIGNED shared-key support in IKE.
Hugo
On 26 Nov 2001, Derek Atkins wrote:
> Sara,
>
> Sara Bitan <sarab@cs.Technion.AC.IL> writes:
>
> > I think pre-shared keys authentication is a requirement, and it doesn't
> > necessary imply huge overhead. There are several good (and popular)
>
> Do you mean pre-shared secret-key or pre-shared public-key? I happen
> to agree with Steve that pre-shared public-key is sufficient (and
> probably superior) to pre-shared secret-key authentication. In other
> words, we pre-share RSA Public Keys. No certificates are necessarily
> required. As was pointed out, see SSH for an example of how this
> works.
>
> -derek
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
>
Follow-Ups:
References: