
Re: New XAUTH draft



I've heard this "hybrid vs. XAUTH" thing a couple of times now and I would like to dispel it. As Tamir would probably agree, Hybrid isn't a competitor to XAUTH, and it isn't one or the other; they are complementary. XAUTH is actually used within Hybrid. XAUTH uses the already established authentication mechanisms of IKE, while Hybrid establishes its own "hybrid" authentication schemes. Hybrid is invaluable when only the server has a certificate and the client does not. For the actual legacy authentication process, Hybrid uses XAUTH.

I guess the question for this thread is: should XAUTH be allowed with shared secret authentication, or should it mandate that it only be used with certificate-based authentication (RSA/enc, RSA/sig & DSA/enc)?


From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
To: ipsec@xxxxxxxxxxxxxxxxx, ietf-ipsra@xxxxxxxx
Subject: Re: New XAUTH draft
Date: Thu, 30 Sep 1999 21:04:18 -0400


>>>>> "Tamir" == Tamir Zegman <zegman@xxxxxxxxxxxxxx> writes:
Tamir> Actually I think I can give you such an attack. Assume that paul
Tamir> and Daniel have the same shared key to connect to Security Gateway
Tamir> (SG). Daniel can mount a simple man in the middle attack - When
Tamir> Paul tries to connect to SG, Daniel spoofs the SG and


No need for IPsec to do this attack.

  This attack was demonstrated years ago on multiple token authentication
systems used to "secure" telnet connections. This attack is inherent in
token authentication systems that only authenticate the client to the
server, and not the server to the client.
  There are challenge/response systems (some can involve tokens) that do
not have this property that XAUTH could mediate.

Dan, I have a question (even though I've been trying hard to delete every
message that says "XAUTH" or "Hybrid" in it), do *you* prefer hybrid to XAUTH?


] Train travel features AC outlets with no take-off restrictions| firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
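An added illustration of the point Tamir and Michael are making (example code, not from this thread or any IKE implementation): under IKEv1 pre-shared-key authentication, the responder's authenticator HASH_R is derived only from the PSK and the public exchange values, so anyone who holds the same PSK as the initiator can produce exactly the value the initiator accepts. The model below assumes HMAC-SHA1 as the negotiated prf and uses constructed, fixed exchange payloads; it reports which parties would pass as the gateway when every road warrior shares one group PSK versus when each client has its own.

```python
import hashlib
import hmac

# Constructed, fixed stand-ins for the IKEv1 Phase 1 payloads (nonces, DH
# public values, ISAKMP cookies, SA body, responder ID body). Real ones are
# random or negotiated; fixed bytes keep the example deterministic.
NI, NR = b"nonce-from-paul!", b"nonce-from-gateway"
GXI, GXR = b"\x01" * 32, b"\x02" * 32           # g^xi, g^xr
CKY_I, CKY_R = b"\xaa" * 8, b"\xbb" * 8          # initiator / responder cookies
SAI_B = b"constructed-sa-body"                   # SAi_b
IDIR_B = b"\x02\x00\x00\x00gateway.example"      # IDir_b (ID_FQDN, constructed)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf, instantiated here as HMAC-SHA1 (assumed negotiation)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409, section 5.4)."""
    return prf(psk, ni + nr)


def hash_r(skeyid: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, GXR + GXI + CKY_R + CKY_I + SAI_B + IDIR_B)


def parties_that_pass_as_gateway(keyring: dict, initiator: str) -> set:
    """Return every party (other than the initiator) whose key yields the
    HASH_R the initiator will accept. keyring maps party -> the PSK that
    party would use in an exchange with the initiator; the initiator checks
    HASH_R against its own key, so any equal key verifies identically."""
    expected = hash_r(skeyid_psk(keyring[initiator], NI, NR))
    return {name for name, key in keyring.items()
            if name != initiator
            and hmac.compare_digest(hash_r(skeyid_psk(key, NI, NR)), expected)}


GROUP_PSK = b"one-psk-for-every-road-warrior"           # constructed
GROUP_KEYRING = {"SG": GROUP_PSK, "Paul": GROUP_PSK, "Daniel": GROUP_PSK}
# Per-client keys: SG holds a distinct secret for each client (only the
# one it would use with Paul is listed for SG here).
PER_CLIENT_KEYRING = {"SG": b"paul-secret", "Paul": b"paul-secret",
                      "Daniel": b"daniel-secret"}

if __name__ == "__main__":
    print("group PSK  :", parties_that_pass_as_gateway(GROUP_KEYRING, "Paul"))
    print("per-client :", parties_that_pass_as_gateway(PER_CLIENT_KEYRING, "Paul"))
```

With the group PSK both SG and Daniel verify as the gateway to Paul, which is the one-way authentication property Michael describes; per-client PSKs (or a gateway certificate, as in Hybrid) leave only SG.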
