The PIC Pre-IKE Credential Provisioning Protocol
Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion)
March 2000
Overview
• PIC is a method to provide credentials, based on legacy authentication
• Credentials to be used in a later IKE session
• Separate Authentication Server (AS)
• Flexible: authentication methods, credentials
• Based on a dedicated, ISAKMP-based mechanism, plus XAuth
• No modifications to IKE!
• But significant reuse
Protocol Entities (diagram)
• Client/User
• Authentication Server (AS)
• Legacy Authentication Server (LAS)
• Security Gateway (SGW)
• Optional link (shown in the diagram)
Separate Authentication Server
• Eliminate user authentication from SGW
• Simplified SGW can be used with/without PKI
• DoS attack on AS will not break existing connections at SGW
• AS may or may not be collocated with SGW
• User authenticates once for many gateways
PIC Protocol Stages
1. Establish a one-way authenticated secure channel
  • Only server is authenticated
2. Authenticate user
  • Typically assisted by legacy server
3. Hand out credentials to user
  • Architecture similar to draft-bellovin-ipsra-getcert-00
(Somewhat) Detailed Protocol
• Client → AS: HDR, SA, KE, Ni
• AS → Client: HDR, SA, KE, Nr, IDr1, [CERT,] SIG_R
• Both sides calculate SKEYID
• AS → Client: Message 1 of XAuth
• Client → AS: Message 2 of XAuth
• Possibly more...
• Client → AS: Credential request over XAuth
• AS → Client: User credentials
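The three stages and the message flow above, as an added in-process simulation that is not part of the slides or of the PIC draft: a client routine and an AS object exchange the messages in order. All primitives are constructed toys chosen so the block runs offline: a 64-bit safe-prime DH group generated at start-up stands in for an IKE MODP group, a tiny RSA key over two Mersenne primes stands in for the AS certificate behind SIG_R, and an HMAC-based encrypt-then-MAC stands in for ISAKMP payload encryption. The names AuthServer, run_pic, seal/unseal, the identity as.example, the XAUTH_* strings and the SA and credential byte strings are assumptions of this example, not identifiers from the drafts; only the SKEYID derivation (prf(Ni | Nr, g^xy), IKE signature mode) follows the real protocol. What it shows is the property the slides stress: the client verifies SIG_R with the AS public key it already holds before anything from the user is sent, the XAuth exchange and the credential travel only inside the SKEYID-protected channel, and the AS refuses a credential request on a session that has not passed the LAS check.

```python
"""Toy PIC walk-through; constructed example with tiny primitives, not the PIC draft's code."""
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin; only used to build a toy DH group at start-up."""
    if n < 4 or any(n % sp == 0 and n != sp for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_dh_group(bits=64):
    """Toy safe prime p = 2q+1 with generator 2; real IKE uses a fixed MODP group."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2

# Toy AS signing key: RSA over the Mersenne primes 2^61-1 and 2^89-1 with e = 65537.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
AS_N, AS_E = _P * _Q, 65537
_AS_D = pow(AS_E, -1, (_P - 1) * (_Q - 1))

def as_sign(data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % AS_N, _AS_D, AS_N)
def as_verify(data, sig, n=AS_N, e=AS_E):
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def seal(key, payload):  # encrypt-then-MAC under SKEYID-derived keys; stands in for ISAKMP protection
    iv = secrets.token_bytes(16)
    pad = b"".join(_prf(key, b"e", iv, bytes([i])) for i in range(len(payload) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(payload, pad))
    return iv + ct + _prf(key, b"a", iv, ct)

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"a", iv, ct)):
        raise ValueError("integrity check failed")
    pad = b"".join(_prf(key, b"e", iv, bytes([i])) for i in range(len(ct) // 32 + 1))
    return bytes(a ^ b for a, b in zip(ct, pad))

class AuthServer:  # PIC AS; the password dict stands in for the legacy authentication server (LAS)
    def __init__(self, group, las):
        (self.p, self.g), self.las, self.sessions = group, las, {}
    def message2(self, sa, ke_i, ni):
        xr, nr = secrets.randbelow(self.p - 2) + 1, secrets.token_bytes(16)
        ke_r = pow(self.g, xr, self.p)
        key = _prf(ni + nr, pow(ke_i, xr, self.p).to_bytes(32, "big"))  # SKEYID = prf(Ni|Nr, g^xy)
        self.sessions[ni] = {"key": key, "user": None}
        sig_r = as_sign(sa + ke_i.to_bytes(32, "big") + ke_r.to_bytes(32, "big") + ni + nr + b"as.example")
        return sa, ke_r, nr, b"as.example", sig_r  # HDR, SA, KE, Nr, IDr1, SIG_R
    def xauth_request(self, ni):  # XAuth message 1: the AS asks for name and password
        return seal(self.sessions[ni]["key"], b"XAUTH_USER_NAME,XAUTH_USER_PASSWORD")
    def xauth_reply(self, ni, blob):  # XAuth message 2: checked against the LAS
        s = self.sessions[ni]
        user, _, pw = unseal(s["key"], blob).partition(b":")
        if hmac.compare_digest(self.las.get(user, b""), pw):
            s["user"] = user
        return seal(s["key"], b"XAUTH_STATUS=OK" if s["user"] else b"XAUTH_STATUS=FAIL")
    def credential(self, ni, blob):  # credential request over XAuth -> AS-signed short-term user cert
        s = self.sessions.pop(ni)
        if s["user"] is None:
            raise PermissionError("credential requested on an unauthenticated session")
        cert = s["user"] + b"|" + unseal(s["key"], blob) + b"|short-term"
        return seal(s["key"], cert + as_sign(cert).to_bytes(20, "big"))

def run_pic(server, group, as_pub, user, password, user_pubkey):
    """Client side; every check fails closed before a user secret is sent."""
    (p, g), sa, ni = group, b"SA:3DES-SHA1-SIG", secrets.token_bytes(16)
    xi = secrets.randbelow(p - 2) + 1
    ke_i = pow(g, xi, p)
    sa_r, ke_r, nr, idr1, sig_r = server.message2(sa, ke_i, ni)  # message 1 out, message 2 back
    # Only the server is authenticated: verify SIG_R with the AS public key the client already holds.
    transcript = sa_r + ke_i.to_bytes(32, "big") + ke_r.to_bytes(32, "big") + ni + nr + idr1
    if not as_verify(transcript, sig_r, *as_pub):
        raise ValueError("SIG_R invalid: abort before sending any user secret")
    key = _prf(ni + nr, pow(ke_r, xi, p).to_bytes(32, "big"))  # same SKEYID as the AS
    if unseal(key, server.xauth_request(ni)) != b"XAUTH_USER_NAME,XAUTH_USER_PASSWORD":
        raise ValueError("unexpected XAuth request")
    status = unseal(key, server.xauth_reply(ni, seal(key, user + b":" + password)))
    if status != b"XAUTH_STATUS=OK":
        raise PermissionError(status.decode())
    blob = unseal(key, server.credential(ni, seal(key, user_pubkey)))  # request, then credential
    if not as_verify(blob[:-20], int.from_bytes(blob[-20:], "big"), *as_pub):
        raise ValueError("credential signature invalid")
    return blob[:-20]
```

A run looks like `run_pic(AuthServer(gen_dh_group(), {b"alice": b"..."}), group, (AS_N, AS_E), b"alice", b"...", user_pubkey)`, which returns the AS-signed certificate bytes; a wrong password raises PermissionError from the XAuth status, and a client configured with a different AS public key raises ValueError on SIG_R before the password is ever sent.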
User Authentication Methods
Anything that XAuth supports, for example:
• Simple authentication
• Challenge/response
• Two-factor authentication
• One-time password
Note: may need to add machine authentication
Credentials
• Certificate signing user’s public key
  • Possibly short-term
• User certificate and private key
• Shared secret
  • Requires channel between AS and SGW (adds protocol complexity)
  • Significantly improves DoS-resistance of SGW
Summary
• Outlined PIC, a protocol to enable remote users to initiate an IKE exchange
• Reusing XAuth mechanisms and existing IKE code
• PIC is a practical alternative if IPSRA chooses a separate authentication server
References
• PIC: draft-ietf-ipsra-pic-00.txt
• XAuth: draft-ietf-ipsec-isakmp-xauth-06.txt
• IPSRA requirements: draft-ietf-ipsra-reqmts-00
• Credentials over TLS: draft-bellovin-ipsra-getcert-00
Obtaining the AS Public Key
• Needed at client anyway to initiate IKE
• Much easier to distribute a site certificate than build a full-blown PKI
• Alternatively, can tunnel EKE over PIC and pass server’s cert as part of credential
  • Client should trust the AS only when EKE exchange is over (complexity!)
  • Somewhat inefficient...