
The PIC Pre-IKE Credential Provisioning Protocol

Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion), December 2000.

Overview: PIC is a method to provide credentials based on legacy authentication; the credentials are then used in a later IKE session.


Presentation Transcript


  1. The PIC Pre-IKE Credential Provisioning Protocol
  Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion)
  December 2000

  2. Overview
  • PIC is a method to provide credentials, based on legacy authentication
  • Credentials are used in a later IKE session
  • Supports arbitrary authentication methods and credentials
  • Based on a dedicated ISAKMP-based mechanism plus EAP
  • No modifications to IKE!
  • But significant code reuse

  3. Changes in -01
  • Changed from XAuth to the standard Extensible Authentication Protocol (EAP, RFC 2284)
  • Added much detail, payload types etc.
  • New ISAKMP exchange type
  • 3 new payloads
  • Streamlined the protocol, eliminating one round trip

  4. Protocol Entities
  • Authentication Server (AS)
  • Legacy Authentication Server (LAS)
  • Client/User
  • Security Gateway (SGW), with an optional link to the AS

  5. Conceptual Protocol Stages
  1. Establish a one-way authenticated secure channel
     • Only the server is authenticated
  2. Authenticate the user
     • Typically assisted by the legacy server
     • Protected by the secured one-way channel
  3. Hand out credentials to the user
     • Architecture similar to getcert

  6. Extensible Authentication Protocol (EAP)
  • RFC 2284 (proposed standard)
  • PPP authentication by arbitrary methods
  • Multiple authentication methods
     • Simple password, challenge-response, OTP and more
  • Simple protocol, simple wire format
  • Few PPP dependencies (overridden)
     • Packet order, retransmission

  7. (Somewhat) Detailed Protocol
  (1) Client sends:  HDR, SA, KE, Ni
  (2) AS sends:      HDR, SA, KE, Nr, IDir, SIG_R, HASH, <EAP> [,<EAP>…]
      An SA is created
  (3) Client sends:  HDR*, HASH, EAP, [EAP...,] [CRED-REQ]
  (4) AS sends:      HDR*, HASH, EAP, [EAP...,] [CRED]
  • Messages (3) and (4) may repeat
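As an added illustration (not code from the slides or from the PIC draft), the following Python checker tests whether a captured message trace follows the exchange above: message (1) in the clear, a single server signature in (2), encrypted EAP rounds in (3)/(4) that may repeat, and credentials only in the final AS message. The message and payload names are taken from slide 7; the assumption that CRED appears only in the last message follows the stage ordering of slide 5, and both sample traces are constructed.

```python
from typing import List, Tuple

Message = Tuple[str, List[str]]  # (sender, payload names in wire order); "HDR*" = encrypted

def _has_prefix(payloads: List[str], prefix: Tuple[str, ...]) -> bool:
    return payloads[:len(prefix)] == list(prefix)

def validate_pic_trace(trace: List[Message]) -> List[str]:
    """Return the deviations from the PIC exchange; an empty list means the trace conforms."""
    errors: List[str] = []
    if len(trace) < 4 or len(trace) % 2:
        return ["need messages (1),(2) followed by one or more (3),(4) pairs"]
    # (1): the client opens the DH/SA exchange in the clear; nothing authenticates the client here.
    sender, p = trace[0]
    if sender != "client" or p != ["HDR", "SA", "KE", "Ni"]:
        errors.append("msg 1 must be client: HDR, SA, KE, Ni")
    # (2): only the AS signs (SIG_R); the SA exists after this, so later headers must be HDR*.
    sender, p = trace[1]
    if sender != "AS" or not _has_prefix(p, ("HDR", "SA", "KE", "Nr", "IDir", "SIG_R", "HASH")):
        errors.append("msg 2 must be AS: HDR, SA, KE, Nr, IDir, SIG_R, HASH, ...")
    if "EAP" not in p[7:]:
        errors.append("msg 2 must start EAP with at least one EAP payload")
    # (3),(4): encrypted EAP rounds, repeatable; CRED-REQ only from the client, CRED only from the AS.
    for i in range(2, len(trace)):
        sender, p = trace[i]
        expect = "client" if i % 2 == 0 else "AS"
        tail = p[2:]
        if sender != expect or not _has_prefix(p, ("HDR*", "HASH")) or "EAP" not in tail:
            errors.append(f"msg {i + 1} must be {expect}: HDR*, HASH, EAP[, EAP...]")
        if (sender == "client" and "CRED" in tail) or (sender == "AS" and "CRED-REQ" in tail):
            errors.append(f"msg {i + 1}: CRED-REQ only from client, CRED only from AS")
        if "SIG_R" in p:
            errors.append(f"msg {i + 1}: PIC authenticates only the server, and only in msg 2")
    # Credentials are handed out once, in the final AS message, after authentication (assumption).
    if "CRED" not in trace[-1][1]:
        errors.append("final AS message must carry CRED")
    if any("CRED" in p for s, p in trace[2:-1] if s == "AS"):
        errors.append("CRED must not be sent before the EAP rounds finish")
    return errors

# Constructed traces: a conforming run with two EAP rounds, and a run with two deviations
# (message 3 sent unencrypted, credentials handed out before EAP has finished).
GOOD_TRACE: List[Message] = [
    ("client", ["HDR", "SA", "KE", "Ni"]),
    ("AS", ["HDR", "SA", "KE", "Nr", "IDir", "SIG_R", "HASH", "EAP"]),
    ("client", ["HDR*", "HASH", "EAP"]), ("AS", ["HDR*", "HASH", "EAP"]),
    ("client", ["HDR*", "HASH", "EAP", "CRED-REQ"]), ("AS", ["HDR*", "HASH", "EAP", "CRED"]),
]
BAD_TRACE: List[Message] = [GOOD_TRACE[0], GOOD_TRACE[1], ("client", ["HDR", "HASH", "EAP"]),
                            ("AS", ["HDR*", "HASH", "EAP", "CRED"]), GOOD_TRACE[4], GOOD_TRACE[5]]
```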

  8. Credentials
  • Certificate signing the user’s public key
     • Possibly short-term
  • User certificate and private key
  • Using PKCS #{7,10,12} for both cases
  • Shared secret
     • Requires a channel between AS and SGW (adds protocol complexity)
     • Improves DoS-resistance of the SGW

  9. Summary
  • Outlined PIC, a protocol to enable remote users to initiate an IKE exchange using legacy authentication
  • Reusing existing IKE code
  • Using a standard protocol, EAP, for authentication
  • Lightweight and simple

  10. References
  • PIC: draft-ietf-ipsra-pic-01.txt
  • EAP: RFC 2284
  • IPSRA requirements: draft-ietf-ipsra-reqmts-02
  • Credentials over HTTP/TLS: draft-ietf-ipsra-getcert-00