The PIC Pre-IKE Credential Provisioning Protocol

Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion)

December 2000


Overview

  • PIC is a method to provide credentials, based on legacy authentication

    • Credentials are used in a later IKE session

  • Supports arbitrary authentication methods and credential types

  • Based on a dedicated ISAKMP-based mechanism plus EAP

  • No modifications to IKE!

    • But significant code reuse


Changes in -01

  • Changed from XAuth to the standard Extensible Authentication Protocol (EAP, RFC 2284)

  • Added much detail, payload types etc.

    • New ISAKMP exchange type

    • 3 new payloads

  • Streamlined the protocol, eliminating one round trip


Protocol Entities

(Slide diagram.) Four parties: the Client/User, the Authentication Server (AS), the Legacy Authentication Server (LAS) and the Security Gateway (SGW). The diagram also marks one link as an "Optional Link"; the Credentials slide below identifies the optional AS-to-SGW channel needed for shared-secret credentials.


Conceptual Protocol Stages

1. Establish a one-way authenticated secure channel

  • Only the server is authenticated

2. Authenticate the user

  • Typically assisted by the legacy server

  • Protected by the one-way authenticated channel

3. Hand out credentials to the user

  • Architecture similar to getcert


Extensible Authentication Protocol (EAP)

  • RFC 2284 (proposed standard)

  • PPP authentication by arbitrary methods

  • Multiple authentication methods

    • Simple password, challenge-response, OTP and more

  • Simple protocol, simple wire format

  • Few PPP dependencies, and PIC overrides them

    • Packet ordering, retransmission


(Somewhat) Detailed Protocol

    Client                                        AS
    ------                                        --
(1) HDR, SA, KE, Ni                          -->
                                             <--  (2) HDR, SA, KE, Nr, IDir, SIG_R, HASH, <EAP> [,<EAP>…]
(3) HDR*, HASH, EAP, [EAP...,] [CRED-REQ]    -->
                                             <--  (4) HDR*, HASH, EAP, [EAP...,] [CRED]

  • An SA is created (HDR* marks a message protected under it)

  • Messages (3) and (4) may repeat
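The three conceptual stages and the four-message exchange, run end to end, as an added example; it is not code from the slides or from the PIC draft. It is a stdlib-only Python model with deliberately toy-sized keys, and everything below is this example's own assumption: Miller-Rabin-generated primes stand in for an IKE MODP group and for the AS certificate key, textbook RSA over SHA-256 stands in for SIG_R and for the signature on the credential, an HMAC-SHA256 keystream plus a per-message MAC stands in for IKE's cipher and HASH payload on HDR* messages, the EAP method is MD5-Challenge from RFC 2284 (response value computed CHAP-style over identifier, secret and challenge), the LAS is a password table, CRED-REQ is a placeholder `PKCS10:` string and CRED is an AS-signed statement standing in for a short-term certificate. The names `run_pic`, `Channel`, `cred_valid` and the `tamper_sig` switch are invented here. Requires Python 3.8 or later.

```python
"""PIC model, stdlib only, toy keys: (1)-(2) build a server-authenticated DH channel,
(3)-(4) carry EAP MD5-Challenge inside it and may repeat, CRED is issued on EAP Success."""
import hashlib, hmac, secrets

def is_probable_prime(n, rounds=32):  # Miller-Rabin, demo quality; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True
def random_prime(bits):
    while not is_probable_prime(n := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass
    return n
DH_P, DH_G = random_prime(512), 2  # demo group only; real IKE uses the fixed MODP groups

def rsa_keypair(bits=256):  # textbook RSA, no padding: just enough to model SIG_R and CRED
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))
def rsa_sign(priv, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])
def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")
AS_PUB, AS_PRIV = rsa_keypair()        # AS_PUB is what the client trusts via IDir's certificate
LAS_DB = {b"alice": b"correct horse"}  # the Legacy Authentication Server, modelled as a table

# EAP (RFC 2284) wire format: Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data
REQUEST, RESPONSE, SUCCESS, FAILURE, T_IDENTITY, T_MD5 = 1, 2, 3, 4, 1, 4
def eap_pack(code, ident, type_data=b""):
    return bytes([code, ident]) + (4 + len(type_data)).to_bytes(2, "big") + type_data
def eap_unpack(buf):  # -> (code, identifier, type_data, bytes after the packet, e.g. CRED)
    length = int.from_bytes(buf[2:4], "big")
    if length < 4 or length > len(buf):
        raise ValueError("bad EAP length")
    return buf[0], buf[1], buf[4:length], buf[length:]
def md5_response(ident, secret, challenge):  # EAP MD5-Challenge response value (CHAP style)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Channel:
    """HDR* protection keyed from g^xy and the nonces: HMAC keystream plus a per-message HASH (MAC)."""
    def __init__(self, shared, ni, nr):
        seed = hmac.new(ni + nr, shared.to_bytes(64, "big"), "sha256").digest()
        self.sk_e, self.sk_a = (hmac.new(seed, k, "sha256").digest() for k in (b"SK_e", b"SK_a"))
    def _xor(self, data, ctr):  # HMAC counter-mode keystream: a toy stand-in for IKE's cipher
        stream = b"".join(hmac.new(self.sk_e, bytes([ctr, i]), "sha256").digest() for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))
    def seal(self, plain, ctr):
        ct = self._xor(plain, ctr)
        return ct + hmac.new(self.sk_a, bytes([ctr]) + ct, "sha256").digest()
    def open(self, msg, ctr):
        ct, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.sk_a, bytes([ctr]) + ct, "sha256").digest()):
            raise ValueError("HASH check failed")
        return self._xor(ct, ctr)

def run_pic(username, password, tamper_sig=False):
    """One PIC run -> ('CRED', cred) | ('EAP-FAILURE', None) | ('ABORT', reason)."""
    x, y = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ke_i, ke_r = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)  # (1) client: HDR, SA, KE, Ni
    signed = ke_i.to_bytes(64, "big") + ni + ke_r.to_bytes(64, "big") + nr + b"IDir=AS"  # (2) AS: ..., SIG_R
    sig_r = rsa_sign(AS_PRIV, signed) ^ int(tamper_sig)  # tamper_sig models a MITM without the AS key
    plain = eap_pack(REQUEST, 1, bytes([T_IDENTITY]))  # the <EAP> Identity request carried in (2)
    if not rsa_verify(AS_PUB, signed, sig_r):  # stage 1: the client authenticates the AS before any EAP
        return ("ABORT", "SIG_R failed: peer is not the AS")
    client_ch, as_ch = Channel(pow(ke_r, x, DH_P), ni, nr), Channel(pow(ke_i, y, DH_P), ni, nr)
    claimed = chal = None
    for n3 in range(1, 64, 2):  # stage 2: (3)/(4) repeat inside the channel until Success or Failure
        _, ident, td, _ = eap_unpack(plain)  # client answers the pending EAP request
        if td[0] == T_IDENTITY:
            resp = eap_pack(RESPONSE, ident, bytes([T_IDENTITY]) + username)
        else:
            val = md5_response(ident, password, td[2:2 + td[1]])
            resp = eap_pack(RESPONSE, ident, bytes([T_MD5, len(val)]) + val + username)
        msg3 = client_ch.seal(resp + b"PKCS10:" + username, n3)  # (3) HDR*, HASH, EAP, [CRED-REQ]
        _, ident, td, cred_req = eap_unpack(as_ch.open(msg3, n3))  # AS side, consulting the LAS
        if td[0] == T_IDENTITY:
            claimed, chal = td[1:], secrets.token_bytes(16)
            reply = eap_pack(REQUEST, ident + 1, bytes([T_MD5, 16]) + chal + b"AS")
        elif claimed in LAS_DB and hmac.compare_digest(td[2:2 + td[1]], md5_response(ident, LAS_DB[claimed], chal)):
            stmt = b"short-term cert:" + claimed + b":" + cred_req  # stage 3: CRED, an AS-signed statement
            reply = eap_pack(SUCCESS, ident) + stmt + rsa_sign(AS_PRIV, stmt).to_bytes(64, "big")
        else:
            reply = eap_pack(FAILURE, ident)
        plain = client_ch.open(as_ch.seal(reply, n3 + 1), n3 + 1)  # (4) HDR*, HASH, EAP, [CRED]
        code, _, _, cred = eap_unpack(plain)
        if code in (SUCCESS, FAILURE):
            return ("CRED", cred) if code == SUCCESS else ("EAP-FAILURE", None)
    return ("ABORT", "too many EAP rounds")
def cred_valid(cred):  # what a relying party holding AS_PUB (e.g. the SGW) checks
    return rsa_verify(AS_PUB, cred[:-64], int.from_bytes(cred[-64:], "big"))
```

Call `run_pic(b"alice", b"correct horse")` for the happy path, a wrong password for EAP Failure, and `tamper_sig=True` for a peer that cannot produce the AS signature. The ordering is the security point of stage 1: the client verifies SIG_R over both KE values and both nonces before it emits any EAP payload, so an impersonating AS is rejected without ever seeing the user's identity or challenge response, and once the channel is up every (3)/(4) message is MAC-checked, with `Channel.open` raising on tampering.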


Credentials

  • Certificate signing the user's public key

    • Possibly short-term

  • User certificate and private key

  • Using PKCS #7, #10 and #12 for both cases

  • Shared secret

    • Requires a channel between the AS and the SGW (adds protocol complexity)

    • Improves DoS-resistance of the SGW


Summary

  • Outlined PIC, a protocol to enable remote users to initiate an IKE exchange using legacy authentication

  • Reusing existing IKE code

  • Using a standard protocol, EAP, for authentication

  • Lightweight and simple


References

  • PIC: draft-ietf-ipsra-pic-01.txt

  • EAP: RFC 2284

  • IPSRA requirements: draft-ietf-ipsra-reqmts-02

  • Credentials over HTTP/TLS: draft-ietf-ipsra-getcert-00

