
RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)



Using PKI-based authentication doesn't remove the need to authenticate
access to a private key store.
Therefore, there is still a need for so-called "legacy" authentication to
access your private key, using a password or PIN to unlock a smartcard, or a SecurID
token to access a virtual smart card, etc.

> -----Original Message-----
> From: Hugo Krawczyk [mailto:hugo@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, June 21, 2000 8:41 AM
> To: CHINNA N.R. PELLACURU
> Cc: 'IPSRA list'
> Subject: RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)
> 
> 
> 
> 
> On Tue, 20 Jun 2000, CHINNA N.R. PELLACURU wrote:
> 
> [.....]
> 
> > 
> > I don't think there is any real cryptographic benefit of "bootstrapping"
> > IKE credentials (that are capable of several magnitudes stronger
> > cryptographic authentication) using legacy authentication. Bootstrapping a
> > cryptographically very very strong authentication using legacy
> > authentication is useless, because the weakest link in this system is still
> > the legacy authentication.
> 
> The benefit of "bootstrapping" IKE credentials using legacy authentication
> (which is the approach predicated by getcert and adopted by PIC)
> is that it provides the "glue" between legacy authentication and IKE,
> without changing the legacy authentication or IKE, and provides for the
> best possible deployment path for strong user-based credentials (such as
> smart cards). Indeed, whoever upgrades his own system from legacy
> authentication to public-key cryptography just throws away the PIC code
> and goes ahead with pure IKE.
> 
> (As an aside note and in contrast to the above it seems to me that
> l2tp/ppp-based solutions create the "next generation legacy systems";
> we will hear in a few years "we already invested in l2tp so let's keep it
> even when it is less than the sub-optimal solution").
> 
> > 
> > And I don't think this scheme could provide "machine authentication"
> > because the credentials that would be used to do any kind of further
> > authentication are predicated on the "user authentication" that is done
> > first. So, it would still be "user authentication".
> 
> No. If I am roaming with my company's laptop I can do a PIC authentication
> in a way that the authentication server learns/verifies two things: the
> remote entity to whom I am talking is "user Hugo" working from
> "machine Warrior".
> 
> That is, you have both user authentication (e.g. via a password-based
> legacy authentication scheme) and machine authentication (e.g. via a
> 1024-bit RSA signature key for which the authentication server knows the
> public verification key).
> 
> Hugo
> 
> > 
> >     chinna
> > 
> > 
> > chinna narasimha reddy pellacuru
> > s/w engineer
> > 
> > 
>
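The two points argued in this thread, that a server can verify "user Hugo" via a legacy password and "machine Warrior" via an RSA signature in one exchange, and that the private key store itself still has to be unlocked with a PIN, can be shown in a small model. The code below is an added example written for this archive page; it is not code from PIC, getcert, IPSRA or any of the posters. Everything in it is constructed for illustration: the RSA key uses two small known primes so it runs on the Python standard library alone (real machine keys need proper sizes and a padded signature scheme), the user credential is a salted PBKDF2 hash, the names "Hugo", "Warrior", the PIN "4321" and the password are made-up sample values, and the hypothetical `KeyStore`, `AuthServer` and `client_login` names are mine.

```python
"""Added example (not code from the thread, PIC or getcert): a toy model of
combined user + machine authentication, where the machine key store must be
unlocked with a legacy PIN before it will sign anything.  All parameters
below are constructed for illustration only."""
import hashlib
import hmac
import os
import secrets

# --- toy RSA on small primes (constructed; far too small for real use) ----
_P, _Q = 104729, 1299709                 # the 10,000th and 100,000th primes
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))    # modular inverse, Python 3.8+
MACHINE_PUB = (_N, _E)                   # what the server knows about "Warrior"
MACHINE_PRIV = (_N, _D)                  # what lives inside Warrior's key store

def _digest_int(message: bytes, n: int) -> int:
    # hash-then-reduce so the signed value fits under the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(_digest_int(message, n), d, n)

def rsa_verify(pub, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest_int(message, n)

def _pw_hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

class KeyStore:
    """Client-side private key store: a PIN is still needed to use the key."""
    def __init__(self, pin: str, priv):
        self._salt = os.urandom(16)
        self._pin_hash = _pw_hash(pin, self._salt)
        self._priv = priv

    def unlock(self, pin: str):
        if hmac.compare_digest(_pw_hash(pin, self._salt), self._pin_hash):
            return self._priv
        return None

class AuthServer:
    """Verifies a legacy user credential and a machine signature together."""
    def __init__(self):
        self._users = {}      # username -> (salt, PBKDF2 hash)
        self._machines = {}   # machine name -> RSA public key (n, e)
        self._nonces = set()  # outstanding challenges, each usable once

    def enroll_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pw_hash(password, salt))

    def enroll_machine(self, machine: str, pub) -> None:
        self._machines[machine] = pub

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    @staticmethod
    def signed_message(nonce: bytes, user: str, machine: str) -> bytes:
        # signing the user and machine names with the nonce binds both
        # factors to the same session
        return nonce + user.encode() + b"@" + machine.encode()

    def authenticate(self, user, password, machine, nonce, signature):
        """Return (user, machine) only if both factors check out, else None."""
        if nonce not in self._nonces:          # unknown or replayed challenge
            return None
        self._nonces.discard(nonce)
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            return None                        # legacy user factor failed
        pub = self._machines.get(machine)
        msg = self.signed_message(nonce, user, machine)
        if pub is None or not rsa_verify(pub, msg, signature):
            return None                        # machine factor failed
        return (user, machine)

def client_login(server, store, pin, user, password, machine):
    priv = store.unlock(pin)
    if priv is None:
        return None                            # no PIN, no signature, no login
    nonce = server.challenge()
    sig = rsa_sign(priv, AuthServer.signed_message(nonce, user, machine))
    return server.authenticate(user, password, machine, nonce, sig)

def demo():
    """Run the scenarios discussed in the thread; sample values are constructed."""
    server = AuthServer()
    pw = "correct horse battery staple"
    server.enroll_user("Hugo", pw)
    server.enroll_machine("Warrior", MACHINE_PUB)
    store = KeyStore("4321", MACHINE_PRIV)
    nonce = server.challenge()                 # for the replay scenario
    msg = AuthServer.signed_message(nonce, "Hugo", "Warrior")
    first = server.authenticate("Hugo", pw, "Warrior", nonce, rsa_sign(MACHINE_PRIV, msg))
    return {
        "both_ok": client_login(server, store, "4321", "Hugo", pw, "Warrior"),
        "bad_password": client_login(server, store, "4321", "Hugo", "guess", "Warrior"),
        "wrong_pin": client_login(server, store, "0000", "Hugo", pw, "Warrior"),
        "unknown_machine": client_login(server, store, "4321", "Hugo", pw, "Other"),
        "first_use": first,
        "replay": server.authenticate("Hugo", pw, "Warrior", nonce, rsa_sign(MACHINE_PRIV, msg)),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The `wrong_pin` case is the reply's point: the RSA key never produces a signature unless the legacy secret guarding the key store is presented first. The `bad_password` and `unknown_machine` cases are Hugo's point: the server only reports `("Hugo", "Warrior")` when both the user factor and the machine factor verify against the same nonce, and a second use of that nonce is refused.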