RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)
On Tue, 20 Jun 2000, CHINNA N.R. PELLACURU wrote:
[.....]
>
> I don't think there is any real cryptographic benefit of "bootstrapping"
> IKE credentials (that are capable of several magnitudes stronger
> cryptographic authentication) using legacy authentication. Bootstrapping a
> cryptographically very very strong authentication using legacy
> authentication is useless, because the weakest link in this system is still
> the legacy authentication.
The benefit of "bootstrapping" IKE credentials using legacy authentication
(which is the approach predicated by getcert and adopted by PIC)
is that it provides the "glue" between legacy authentication and IKE,
without changing the legacy authentication or IKE, and provides for the
best possible deployment path for strong user-based credentials (such as
smart cards). Indeed, whoever upgrades his own system from legacy
authentication to public-key cryptography just throws away the PIC code
and goes ahead with pure IKE.
(As an aside note and in contrast to the above it seems to me that
l2tp/ppp-based solutions create the "next generation legacy systems";
we will hear in a few years "we already invested in l2tp so let's keep it
even when it is less than the sub-optimal solution").
>
> And I don't think this scheme could provide "machine authentication"
> because the credentials that would be used to do any kind of further
> authentication is predicated on the "user authentication" that is done
> first. So, it would still be "user authentication".
No. If I am roaming with my company's laptop I can do a PIC authentication
in a way that the authentication server learns/verifies two things: the
remote entity to whom I am talking is "user Hugo" working from
"machine Warrior".
That is, you have both user authentication (e.g. via a password-based
legacy authentication scheme) and machine authentication (e.g. via a
1024-bit RSA signature key for which the authentication server knows the
public verification key).
Hugo
>
> chinna
>
>
> chinna narasimha reddy pellacuru
> s/w engineer
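The "user Hugo from machine Warrior" exchange that Hugo describes, as an added example that is not part of the original thread and is not PIC or getcert code. It assumes, for illustration only, a message layout of my own, an HMAC over a PBKDF2 password-derived verifier as the legacy user proof, and a textbook RSA signature (SHA-256 then modular exponentiation, no padding) with a 512-bit modulus so that key generation inside the script is quick; a real deployment would use a padded signature scheme and whatever legacy user protocol the site already runs. The machine signs both the transcript and the user proof, so the server verifies the two factors as one bound authentication rather than two independent ones.

```python
"""Combined user + machine authentication (constructed example, not PIC)."""
import hashlib
import hmac
import os
import random

_rng = random.SystemRandom()

# ---- toy RSA: Miller-Rabin primes, keygen, hash-then-sign, verify ----------
def is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Return (public, private) as (n, e), (n, d). Small modulus: demo only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- legacy user factor: server stores a PBKDF2 verifier, client proves it --
SALT = b"constructed-salt"                   # constructed; per-user salt in practice

def derive(password):
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 10_000)

def _transcript(user, machine, server_nonce, client_nonce):
    return b"|".join([user, machine, server_nonce.hex().encode(), client_nonce.hex().encode()])

def client_auth(user, password, machine, machine_priv, server_nonce):
    """Client side: user proof over the transcript, machine signature over both."""
    client_nonce = os.urandom(16)
    tr = _transcript(user, machine, server_nonce, client_nonce)
    user_proof = hmac.new(derive(password), tr, "sha256").digest()
    return {"user": user, "machine": machine, "client_nonce": client_nonce,
            "user_proof": user_proof,
            "machine_sig": rsa_sign(machine_priv, tr + user_proof)}

def server_verify(msg, server_nonce, user_db, machine_db):
    """Server side: returns (user_ok, machine_ok), each judged independently."""
    tr = _transcript(msg["user"], msg["machine"], server_nonce, msg["client_nonce"])
    verifier = user_db.get(msg["user"])
    user_ok = verifier is not None and hmac.compare_digest(
        hmac.new(verifier, tr, "sha256").digest(), msg["user_proof"])
    pub = machine_db.get(msg["machine"])
    machine_ok = pub is not None and rsa_verify(pub, tr + msg["user_proof"], msg["machine_sig"])
    return user_ok, machine_ok

def demo():
    """Good login, wrong password, and a stranger's machine key (constructed data)."""
    warrior_pub, warrior_priv = rsa_keygen()
    _, stranger_priv = rsa_keygen()
    user_db = {b"hugo": derive(b"correct horse")}
    machine_db = {b"warrior": warrior_pub}
    nonce = os.urandom(16)
    good = server_verify(client_auth(b"hugo", b"correct horse", b"warrior", warrior_priv, nonce),
                         nonce, user_db, machine_db)
    bad_pw = server_verify(client_auth(b"hugo", b"wrong", b"warrior", warrior_priv, nonce),
                           nonce, user_db, machine_db)
    bad_key = server_verify(client_auth(b"hugo", b"correct horse", b"warrior", stranger_priv, nonce),
                            nonce, user_db, machine_db)
    return good, bad_pw, bad_key

if __name__ == "__main__":
    print(demo())
```

Because the server nonce is part of the transcript, a captured message cannot be replayed against a later challenge, and because the machine signature covers the user proof, an attacker holding only one of the two credentials cannot splice a valid user proof together with a valid machine signature from a different session.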