
The PIC Pre-IKE Credential Provisioning Protocol

Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion), March 2000.

Overview: PIC is a method to provide credentials, based on legacy authentication, for use in a later IKE session, using a separate Authentication Server (AS).


Presentation Transcript


  1. The PIC Pre-IKE Credential Provisioning Protocol
  Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion), March 2000

  2. Overview
  • PIC is a method to provide credentials, based on legacy authentication
  • The credentials are to be used in a later IKE session
  • Separate Authentication Server (AS)
  • Flexible: authentication methods, credentials
  • Based on a dedicated, ISAKMP-based mechanism, plus XAuth
  • No modifications to IKE!
  • But significant reuse

  3. Protocol Entities
  • Client/User
  • Authentication Server (AS)
  • Legacy Authentication Server (LAS)
  • Security Gateway (SGW)
  • Optional link between AS and SGW (needed when the AS hands out a shared secret; see slide 8)

  4. Separate Authentication Server
  • Eliminates user authentication from the SGW
  • A simplified SGW can be used with or without a PKI
  • A DoS attack on the AS will not break existing connections at the SGW
  • The AS may or may not be collocated with the SGW
  • The user authenticates once for many gateways

  5. PIC Protocol Stages
  1. Establish a one-way authenticated secure channel
     • Only the server is authenticated
  2. Authenticate the user
     • Typically assisted by the legacy server
  3. Hand out credentials to the user
  • Architecture similar to draft-bellovin-ipsra-getcert-00

  6. (Somewhat) Detailed Protocol
  Client -> AS: HDR, SA, KE, Ni
  AS -> Client: HDR, SA, KE, Nr, IDr1, [CERT,] SIG_R
  (both sides calculate SKEYID)
  AS -> Client: Message 1 of XAuth
  Client -> AS: Message 2 of XAuth
  (possibly more...)
  Client -> AS: Credential request over XAuth
  AS -> Client: User credentials
  Note: only the AS signs (SIG_R); the client is authenticated only by the XAuth exchange that follows, which runs inside the channel keyed by SKEYID.

  7. User Authentication Methods
  Anything that XAuth supports, for example:
  • Simple authentication
  • Challenge/response
  • Two-factor authentication
  • One-time password
  Note: may need to add machine authentication

  8. Credentials
  • Certificate signing the user's public key
     • Possibly short-term
  • User certificate and private key
  • Shared secret
     • Requires a channel between AS and SGW (adds protocol complexity)
     • Significantly improves DoS-resistance of the SGW
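An added, runnable walk-through of stages 1 to 3 (slides 5, 6 and 8) in Python, written for this page; it is not the draft's or the authors' code. It assumes the client already holds the AS public key (slide 12, first bullet), and it substitutes Schnorr signatures over the same Oakley group for SIG_R and the AS certificate, and a toy SHA-256 keystream plus HMAC for the IKE cipher, because the standard library has neither RSA nor X.509. The AS identity as.example.net, the user alice, her password, the credential lifetime and the function names (run_pic, seal, open_, las_check and so on) are all assumptions; the LAS record is constructed inline. The two failure points are the ones a practitioner cares about: a client configured with the wrong AS key aborts before any legacy credential is sent, and a wrong password is rejected by the LAS before any credential is issued.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP): p is a safe prime and g = 2 has prime order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def pack(*fields):  return b"|".join(f.hex().encode() for f in fields)  # unambiguous framing
def unpack(blob):   return [bytes.fromhex(f.decode()) for f in blob.split(b"|")]
def H(*parts):      return hashlib.sha256(pack(*parts)).digest()
def i2b(n):         return n.to_bytes((n.bit_length() + 7) // 8, "big")
def b2i(b):         return int.from_bytes(b, "big")

# Schnorr signatures in the DH group stand in for SIG_R and the AS certificate
# (the stdlib has no RSA/X.509); keygen() doubles as the DH key-pair generator.
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = b2i(H(i2b(pow(G, k, P)), msg)) % Q
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    return e == b2i(H(i2b(pow(G, s, P) * pow(y, e, P) % P), msg)) % Q

# Channel keyed by SKEYID: toy SHA-256 keystream, then HMAC; a fresh counter per message.
def keystream(skeyid, n, length):
    return b"".join(H(skeyid, b"e", n, i.to_bytes(4, "big")) for i in range(length // 32 + 1))

def seal(skeyid, ctr, pt):
    n = ctr.to_bytes(4, "big")
    ct = bytes(x ^ y for x, y in zip(pt, keystream(skeyid, n, len(pt))))
    return ct, hmac.new(H(skeyid, b"a"), n + ct, hashlib.sha256).digest()

def open_(skeyid, ctr, ct, tag):
    n = ctr.to_bytes(4, "big")
    if not hmac.compare_digest(tag, hmac.new(H(skeyid, b"a"), n + ct, hashlib.sha256).digest()):
        raise ValueError("channel MAC check failed")
    return bytes(x ^ y for x, y in zip(ct, keystream(skeyid, n, len(ct))))

def las_check(las_db, user, challenge, response):
    """Legacy Authentication Server: challenge/response against the stored password."""
    expected = hmac.new(las_db.get(user, b""), challenge, hashlib.sha256).digest()
    return user in las_db and hmac.compare_digest(response, expected)

def run_pic(as_priv, as_pub, las_db, user, password, user_pub):
    """Runs all three PIC stages; client and AS steps are interleaved for readability."""
    # Stage 1, message 1 (client -> AS): HDR, SA, KE, Ni
    sa, (a, ga), ni = b"SA=3DES/SHA1/group2", keygen(), secrets.token_bytes(16)
    # Stage 1, message 2 (AS -> client): HDR, SA, KE, Nr, IDr, [CERT], SIG_R
    (b, gb), nr, idr = keygen(), secrets.token_bytes(16), b"as.example.net"  # assumed IDr
    transcript = H(sa, i2b(ga), i2b(gb), ni, nr, idr)
    sig_r = sign(as_priv, transcript)
    # Client: the AS must prove it holds the key the client already trusts (one-way auth)
    if not verify(as_pub, transcript, sig_r):
        raise ValueError("SIG_R invalid: server not authenticated")
    # Both sides: SKEYID = prf(Ni | Nr, g^ab), as IKE computes it for signature auth
    sk_c = hmac.new(ni + nr, i2b(pow(gb, a, P)), hashlib.sha256).digest()
    sk_s = hmac.new(ni + nr, i2b(pow(ga, b, P)), hashlib.sha256).digest()
    # Stage 2: XAuth message 1 (AS -> client) carries a challenge ...
    challenge = secrets.token_bytes(16)
    msg1 = seal(sk_s, 1, pack(b"XAUTH_REQUEST", challenge))
    # ... and XAuth message 2 (client -> AS) answers with user name and response
    _, chal = unpack(open_(sk_c, 1, *msg1))
    msg2 = seal(sk_c, 2, pack(b"XAUTH_REPLY", user, hmac.new(password, chal, hashlib.sha256).digest()))
    # AS: relay the triple to the LAS; the AS itself never holds the password
    _, u, resp = unpack(open_(sk_s, 2, *msg2))
    if not las_check(las_db, u, challenge, resp):
        raise PermissionError("LAS rejected the user")
    # Stage 3: credential request (client -> AS) and hand-out (AS -> client)
    msg3 = seal(sk_c, 3, pack(b"CRED_REQUEST", i2b(user_pub)))
    _, req_pub = unpack(open_(sk_s, 3, *msg3))
    stmt = pack(b"PIC-CRED", u, req_pub, b"lifetime=8h")  # short-term; the lifetime is assumed
    e, s = sign(as_priv, stmt)
    msg4 = seal(sk_s, 4, pack(stmt, i2b(e), i2b(s)))
    # Client: keep the credential only if it verifies under the trusted AS key
    stmt, e, s = unpack(open_(sk_c, 4, *msg4))
    if not verify(as_pub, stmt, (b2i(e), b2i(s))):
        raise ValueError("credential signature invalid")
    return stmt, (b2i(e), b2i(s))

def demo():
    """Constructed scenario: one LAS user, one AS key, one client key; True on success."""
    as_priv, as_pub = keygen()
    _, user_pub = keygen()
    las_db = {b"alice": b"legacy-password-42"}  # constructed LAS record
    stmt, sig = run_pic(as_priv, as_pub, las_db, b"alice", b"legacy-password-42", user_pub)
    fields = unpack(stmt)
    return verify(as_pub, stmt, sig) and fields[1] == b"alice" and fields[2] == i2b(user_pub)

if __name__ == "__main__":
    print("credential issued and verified:", demo())
```

Running the module reports whether the credential was issued and verified. The order of operations is the point: the client checks SIG_R before it answers XAuth, so the legacy secret only ever travels over a channel whose far end has proved possession of the AS key, and the credential handed back is the AS's signature over the user's public key, which is what a later IKE session would present.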

  9. Summary
  • Outlined PIC, a protocol to enable remote users to initiate an IKE exchange
  • Reuses XAuth mechanisms and existing IKE code
  • PIC is a practical alternative if IPSRA chooses a separate authentication server

  10. References
  • PIC: draft-ietf-ipsra-pic-00.txt
  • XAuth: draft-ietf-ipsec-isakmp-xauth-06.txt
  • IPSRA requirements: draft-ietf-ipsra-reqmts-00
  • Credentials over TLS: draft-bellovin-ipsra-getcert-00

  11. Backup

  12. Obtaining the AS Public Key
  • Needed at the client anyway to initiate IKE
  • Much easier to distribute a site certificate than to build a full-blown PKI
  • Alternatively, can tunnel EKE over PIC and pass the server's certificate as part of the credential
     • The client should trust the AS only when the EKE exchange is over (complexity!)
     • Somewhat inefficient...
