
The PIC Pre-IKE Credential Provisioning Protocol
Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion), March 2000


Slide 2: Overview
- PIC is a method to provide credentials, based on legacy authentication
- The credentials are used in a later IKE session
- Separate Authentication Server (AS)
- Flexible in both authentication methods and credential types
- Based on a dedicated, ISAKMP-based mechanism, plus XAuth
- No modifications to IKE, but significant reuse of it

Slide 3: Protocol Entities (diagram)
- Client/User
- Authentication Server (AS)
- Legacy Authentication Server (LAS)
- Security Gateway (SGW)
- Diagram label: Optional Link

Slide 4: Separate Authentication Server
- Eliminates user authentication from the SGW
  - A simplified SGW can be used with or without a PKI
- A DoS attack on the AS will not break existing connections at the SGW
- The AS may or may not be collocated with the SGW
- The user authenticates once for many gateways

Slide 5: PIC Protocol Stages
1. Establish a one-way authenticated secure channel
   - Only the server is authenticated
2. Authenticate the user
   - Typically assisted by the legacy server
3. Hand out credentials to the user

Architecture similar to draft-bellovin-ipsra-getcert-00

Slide 6: (Somewhat) Detailed Protocol
Client sends:
- HDR, SA, KE, Ni
- Message 2 of XAuth
- Credential request over XAuth

AS sends:
- HDR, SA, KE, Nr, IDr1, [CERT,] SIG_R
- Message 1 of XAuth
- User credentials

Both sides calculate SKEYID after the first message pair. Possibly more messages follow...
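The three stages of slides 5 and 6 carried through end to end, as an added example; this is not code from the PIC draft, from RADGUARD or from the authors. Every cryptographic piece is a stdlib stand-in chosen so the script runs offline: a tiny DH group (not an IKE MODP group), textbook RSA with two Mersenne-sized primes for the AS signature, and an HMAC-SHA256 keystream with an HMAC tag for the channel. The AS identity, the legacy password store, the expiry string and the AS-SGW shared key are all constructed. What the flow shows is the ordering the slides insist on: the client sends no password material until SIG_R verifies, SKEYID is derived as IKE does for signature mode, prf(Ni | Nr, g^xy), and the credential (here a per-user shared secret the SGW can recompute, slide 8's third option) only travels inside the channel.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions, NOT IKE's MODP groups or real key sizes).
DH_P, DH_G = (1 << 64) - 59, 2                      # small prime, not an IKE group
RSA_P, RSA_Q, RSA_E = (1 << 31) - 1, (1 << 61) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # AS private exponent (toy RSA)
AS_ID = b"as.example.net"                           # hypothetical IDr1
SGW_AS_KEY = secrets.token_bytes(32)                # shared by AS and SGW over their link
LAS_DB = {b"alice": b"correct horse battery staple"}  # constructed legacy password store


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def h2int(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % RSA_N


def as_sign(*parts):            # AS signs with its private key ...
    return pow(h2int(*parts), RSA_D, RSA_N)


def as_verify(sig, *parts):     # ... the client checks with the AS public key it already holds
    return pow(sig, RSA_E, RSA_N) == h2int(*parts)


def xor_stream(key, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = prf(key, i.to_bytes(4, "big"))
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key, label, data):
    """Encrypt-then-MAC under SKEYID; each (key, label) pair is used for one message only."""
    ct = xor_stream(prf(key, b"enc" + label), data)
    return ct + prf(prf(key, b"mac" + label), ct)


def unseal(key, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac" + label), ct)):
        raise ValueError("channel MAC failed")
    return xor_stream(prf(key, b"enc" + label), ct)


def sgw_derive_psk(user, expiry):
    """What the SGW recomputes at IKE time; this is why a shared-secret credential needs the AS-SGW link."""
    return prf(SGW_AS_KEY, user + b"|" + expiry)


def run_pic(user, password, rogue_as=False):
    """Run all three stages; returns the credential the client ends up with, or None on failure."""
    # Stage 1, client -> AS: SA, KE = g^x, Ni. The client is anonymous here.
    x = secrets.randbelow(DH_P - 3) + 2
    gx, ni = pow(DH_G, x, DH_P), secrets.token_bytes(16)
    # Stage 1, AS -> client: SA, KE = g^y, Nr, IDr1, SIG_R binding both KEs, both nonces and IDr1.
    y = secrets.randbelow(DH_P - 3) + 2
    gy, nr = pow(DH_G, y, DH_P), secrets.token_bytes(16)
    sig_r = secrets.randbelow(RSA_N) if rogue_as else as_sign(i2b(gx), i2b(gy), ni, nr, AS_ID)
    if not as_verify(sig_r, i2b(gx), i2b(gy), ni, nr, AS_ID):
        return None          # server not authenticated: no password leaves the client
    # SKEYID = prf(Ni | Nr, g^xy), the IKE derivation for signature authentication.
    sk_client = prf(ni + nr, i2b(pow(gy, x, DH_P)))
    sk_as = prf(ni + nr, i2b(pow(gx, y, DH_P)))
    assert sk_client == sk_as
    # Stage 2, XAuth inside the channel: AS asks (msg 1), client answers (msg 2), AS consults the LAS.
    xauth_msg1 = seal(sk_as, b"xauth1", b"username/password?")
    unseal(sk_client, b"xauth1", xauth_msg1)
    xauth_msg2 = seal(sk_client, b"xauth2", user + b"\0" + password)
    u, _, pw = unseal(sk_as, b"xauth2", xauth_msg2).partition(b"\0")
    if u not in LAS_DB or not hmac.compare_digest(LAS_DB[u], pw):
        return None          # LAS rejects, AS hands out nothing
    # Stage 3, credential hand-out: a short-lived per-user secret the SGW can recompute.
    expiry = b"2000-03-31T00:00:00Z"                 # constructed short lifetime
    psk = sgw_derive_psk(u, expiry)
    cred_msg = seal(sk_as, b"cred", u + b"|" + expiry + b"|" + psk)
    got_user, got_expiry, got_psk = unseal(sk_client, b"cred", cred_msg).split(b"|", 2)
    return {"user": got_user, "expiry": got_expiry, "psk": got_psk}


if __name__ == "__main__":
    cred = run_pic(b"alice", b"correct horse battery staple")
    print("credential:", cred["user"], cred["expiry"], cred["psk"].hex())
    print("SGW recomputes the same PSK:", sgw_derive_psk(cred["user"], cred["expiry"]) == cred["psk"])
    print("wrong password ->", run_pic(b"alice", b"guess"))
    print("rogue AS ->", run_pic(b"alice", b"correct horse battery staple", rogue_as=True))
```

The `rogue_as` path is the property slide 5 calls "only the server is authenticated": an AS that cannot produce SIG_R over the client's own KE and nonce is dropped before stage 2, so the legacy password is never exposed to it. With the simple-authentication method modelled here the genuine AS does see the password in order to relay it to the LAS; a challenge/response method (slide 7) would avoid that.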

Slide 7: User Authentication Methods
Anything that XAuth supports, for example:
- Simple authentication
- Challenge/response
- Two-factor authentication
- One-time password

Note: machine authentication may need to be added.

Slide 8: Credentials
- A certificate signing the user's public key
  - Possibly short-term
- A user certificate and private key
- A shared secret
  - Requires a channel between the AS and the SGW (adds protocol complexity)
  - Significantly improves the DoS resistance of the SGW

Slide 9: Summary
- Outlined PIC, a protocol that enables remote users to initiate an IKE exchange
- Reuses XAuth mechanisms and existing IKE code
- PIC is a practical alternative if IPSRA chooses a separate authentication server

Slide 10: References
- PIC: draft-ietf-ipsra-pic-00.txt
- XAuth: draft-ietf-ipsec-isakmp-xauth-06.txt
- IPSRA requirements: draft-ietf-ipsra-reqmts-00
- Credentials over TLS: draft-bellovin-ipsra-getcert-00

Slide 11: Backup

Slide 12: Obtaining the AS Public Key
- Needed at the client anyway to initiate IKE
- Much easier to distribute a site certificate than to build a full-blown PKI
- Alternatively, EKE can be tunnelled over PIC and the server's certificate passed as part of the credential
  - The client should trust the AS only once the EKE exchange is over (complexity!)
  - Somewhat inefficient...

