[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACT ION :draft-ietf-pkix-scvp- 00.txt))

To: Stephen Kent <kent@xxxxxxx>
Subject: RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACT ION :draft-ietf-pkix-scvp- 00.txt))
From: "Waters, Stephen" <Stephen.Waters@xxxxxxxxxxxxx>
Date: Mon, 19 Jul 1999 23:17:23 +0100
Cc: ietf-pkix@xxxxxxx, ipsec@xxxxxxxxxxxxxxxxx

>>5) My PC uses one of the approaches above, but once authentication via the
>>certificate is complete, enforces a secondary authentication. This
>>authentication is under the control of the server, and so can't be cracked
>>off-line. If an attack is mounted, the VPN server will receive 'warnings'
in
>>the form of authentication failures (I hope).  The authentication
>>information provided in this secondary phase MUST NOT be part of the VPN
>>client's automatic function.

>What exaclty is an example fo the second phase authentication here?  If one
>assumes use of a SecurID card, for example, why not postulate that it was
>tolen at the same time as the smart card?  If a password is used, then we
>have all the usual password-related problems that make guessing possible.

I like 'guessing possible', provided that the guessing can only be done
on-line. If I am using a SecureID card, for example, the card itself can not
help you know when you have the right pin number, only the server in the
head office knows which pin number goes with which card.  To crack-in using
IKE XAUTH, I need to go on-line and interface directly with the server. If
the server get suspicious that I'm guessing, it can take action.  I agree
that badly chosen passwords/pin-numbers will be a problem, but apart from
that, it does give the server a way of keeping a secret that is not (should
not) be recorded in any place other than the users head, and the server's
database.

If 'normal' smartcards can be dismantled and interrogated as you suggest,
then that is a worry that secondary authentication seems to help with.
Maybe 'normal' Smartcards are not enough?  We need super, FIP-140 level-4
type devices that can defend themselves against all manor of creepy
crawlies?  Fortezza?

On a related point, since IKE XAUTH is typically one-way (server
authenticating client), secondary authentication does leave the problem of
the server being spoofed with a compromised key!



Steve.

Follow-Ups:
- RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACT ION :draft-ietf-pkix-scvp- 00.txt))
  - From: Stephen Kent

Prev by Date: Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp- 00.txt))
Next by Date: RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp- 00.txt))
Previous by thread: Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp- 00.txt))
Next by thread: RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACT ION :draft-ietf-pkix-scvp- 00.txt))
Index(es):
- Date
- Thread