The PIC Pre-IKE Credential Provisioning Protocol

Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion)

December 2000

Overview
  • PIC is a method to provide credentials, based on legacy authentication
    • Credentials are used in a later IKE session
  • Supports arbitrary authentication methods, credentials
  • Based on a dedicated ISAKMP-based mechanism plus EAP
  • No modifications to IKE!
    • But significant code reuse
Changes in -01
  • Changed from XAuth to the standard Extensible Authentication Protocol (EAP, RFC 2284)
  • Added much detail, payload types etc.
    • New ISAKMP exchange type
    • 3 new payloads
  • Streamlined the protocol, eliminating one round trip
Protocol Entities
  • Client/User
  • Authentication Server (AS)
  • Legacy Authentication Server (LAS)
  • Security Gateway (SGW)
  • Optional link (between AS and SGW; see Credentials)

Conceptual Protocol Stages
  1. Establish a one-way authenticated secure channel
    • Only the server is authenticated
  2. Authenticate the user
    • Typically assisted by the legacy server
    • Protected by the secured one-way channel
  3. Hand out credentials to the user
  • Architecture similar to getcert
Extensible Authentication Protocol (EAP)
  • RFC 2284 (proposed standard)
  • PPP authentication by arbitrary methods
  • Multiple authentication methods
    • Simple password, challenge-response, OTP and more
  • Simple protocol, simple wire format
  • Few PPP dependencies (overridden)
    • Packet order, retransmission
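The "simple wire format" the slide refers to is the four-byte EAP header of RFC 2284 (Code, Identifier, Length) followed, for Request and Response packets, by a one-byte Type and the type data. The codec below is an added example written for this page, not code from the slides or the PIC draft; the layout and the code/type numbers are those of RFC 2284, and the rejection of Success/Failure packets that carry data is this codec's own strictness.

```python
"""Minimal EAP (RFC 2284) packet codec: added example, not from the slides.

Layout: Code(1) | Identifier(1) | Length(2, whole packet) | [Type(1) | Type-Data]
Codes 1..4 and Types 1..6 are the RFC 2284 values."""
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
         4: "MD5-Challenge", 5: "OTP", 6: "Generic Token Card"}


def eap_encode(code, identifier, eap_type=None, type_data=b""):
    """Build one EAP packet. Only Request/Response carry a Type and data."""
    if code not in CODES:
        raise ValueError("unknown EAP code %r" % code)
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier must fit in one octet")
    body = b""
    if code in (1, 2):
        if eap_type is None:
            raise ValueError("Request/Response packets need a Type")
        body = bytes([eap_type]) + bytes(type_data)
    elif eap_type is not None or type_data:
        raise ValueError("Success/Failure packets carry no Type or data")
    # Length counts the 4-byte header plus everything after it.
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_decode(pkt):
    """Parse one EAP packet into a dict.

    Length larger than the buffer means a truncated packet and is rejected;
    octets beyond Length are link-layer padding and are ignored, as RFC 2284
    requires."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("Length %d inconsistent with %d received octets"
                         % (length, len(pkt)))
    body = pkt[4:length]
    out = {"code": CODES.get(code, code), "id": ident}
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        out["type"] = TYPES.get(body[0], body[0])
        out["data"] = bytes(body[1:])
    elif body:
        raise ValueError("Success/Failure must not carry data")
    elif code not in CODES:
        raise ValueError("unknown EAP code %r" % code)
    return out


if __name__ == "__main__":
    # Constructed sample: an EAP Response/Identity for user "alice".
    pkt = eap_encode(2, 7, 1, b"alice")
    print(pkt.hex(), eap_decode(pkt))
```

The decoder is the side that matters for PIC, where EAP packets arrive inside ISAKMP payloads rather than PPP frames: the Length check is what keeps a short or malformed payload from being read past its end, and the padding rule is what lets an outer carrier pad the packet without breaking it.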
(Somewhat) Detailed Protocol

  1. Client sends: HDR, SA, KE, Ni
  2. AS sends: HDR, SA, KE, Nr, IDir, SIG_R, HASH, [,…]

An SA is created

  3. Client sends: HDR*, HASH, EAP, [EAP...,] [CRED-REQ]
  4. AS sends: HDR*, HASH, EAP, [EAP...,] [CRED]

Messages (3) and (4) may repeat
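The exchange above, carried through end to end as an added example (written for this page, not code from the draft or its authors): messages (1) and (2) set up the server-authenticated channel of stage 1, the loop over (3) and (4) runs the EAP conversation of stage 2 inside that channel, and the final (4) delivers the credential of stage 3. Everything concrete is a stand-in chosen so the model runs with the Python standard library only: RFC 3526 group 14 for KE, a GPS-style Schnorr signature (s computed over the integers, as in ISO/IEC 9798-5) for SIG_R, HMAC-SHA256 for the SKEYID-like keys and the HASH payload, an HMAC keystream for HDR* encryption, a nonce-challenge EAP method, and a signed JSON blob as the certificate credential. The identity `as.example.test`, the pinned AS public key, and the user database are constructed for the demo.

```python
"""Executable model of the PIC four-message exchange (added example).
Stand-ins, not PIC's actual formats: group 14 KE, GPS-style SIG_R,
HMAC-based SKEYID/HASH/HDR*, nonce-challenge EAP, JSON credential."""
import hashlib, hmac, json, secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2 (assumed; slides name no group).
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def i2b(n):                      # fixed-width encoding of a group element
    return n.to_bytes(256, "big")

def sign(x, msg):
    """GPS-style signature: s = k + e*x over the integers with k 256 bits
    wider than e*x, so the example needs no subgroup order."""
    k = secrets.randbits(768)
    r = pow(G, k, P)
    e = int.from_bytes(H(i2b(r), msg), "big")
    return [r, k + e * x]

def verify(y, msg, sig):
    r, s = sig
    e = int.from_bytes(H(i2b(r), msg), "big")
    return pow(G, s, P) == (r * pow(y, e, P)) % P

def derive_keys(ni, nr, shared):                 # SKEYID-like derivation
    skeyid = hmac.new(ni + nr, i2b(shared), "sha256").digest()
    return tuple(hmac.new(skeyid, l, "sha256").digest() for l in (b"enc", b"auth"))

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(keys, obj):                             # HDR* + HASH: encrypt-then-MAC
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(keys[0], nonce, len(pt))))
    return nonce + ct + hmac.new(keys[1], nonce + ct, "sha256").digest()

def open_(keys, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], nonce + ct, "sha256").digest()):
        raise ValueError("HASH check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(keys[0], nonce, len(ct)))))

def transcript(ke_i, ni, ke_r, nr, idir):       # what SIG_R covers in this model
    return H(i2b(ke_i), ni, i2b(ke_r), nr, idir.encode())

class AuthServer:
    def __init__(self, las):
        self.las = las                           # LAS stand-in: user -> password
        self.x = secrets.randbits(256)           # long-term signing key
        self.y = pow(G, self.x, P)               # public key the client pins
    def msg2(self, m1):                          # HDR, SA, KE, Nr, IDir, SIG_R
        b, nr = secrets.randbits(256), secrets.token_bytes(16)
        ke_r, ni = pow(G, b, P), bytes.fromhex(m1["ni"])
        self.keys = derive_keys(ni, nr, pow(m1["ke"], b, P))   # the SA now exists
        sig = sign(self.x, transcript(m1["ke"], ni, ke_r, nr, "as.example.test"))
        return {"ke": ke_r, "nr": nr.hex(), "idir": "as.example.test", "sig_r": sig}
    def msg4(self, m3):                          # HDR*, HASH, EAP, [CRED]
        req = open_(self.keys, m3)
        eap = req["eap"]
        if eap["type"] == "identity":            # first round: issue a challenge
            self.user, self.chal = eap["data"], secrets.token_hex(16)
            self.pubkey = req["cred_req"]["pubkey"]
            return seal(self.keys, {"eap": {"code": "request", "type": "challenge", "data": self.chal}})
        pw = self.las.get(self.user, "")         # stage 2: consult the legacy server
        good = hmac.new(pw.encode(), self.chal.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(good, eap["data"]):
            return seal(self.keys, {"eap": {"code": "failure"}})
        cert = {"subject": self.user, "pubkey": self.pubkey, "ttl_s": 3600}   # stage 3
        cert["sig"] = sign(self.x, json.dumps(cert, sort_keys=True).encode())
        return seal(self.keys, {"eap": {"code": "success"}, "cred": cert})

def client_run(pinned_y, send, user, password):
    a, ni = secrets.randbits(256), secrets.token_bytes(16)
    m1 = {"ke": pow(G, a, P), "ni": ni.hex()}
    m2 = send(m1)
    nr = bytes.fromhex(m2["nr"])
    if not verify(pinned_y, transcript(m1["ke"], ni, m2["ke"], nr, m2["idir"]), m2["sig_r"]):
        raise ValueError("SIG_R does not verify: no password leaves the client")
    keys = derive_keys(ni, nr, pow(m2["ke"], a, P))   # stage 1 complete
    u = secrets.randbits(256)                          # fresh key pair to be certified
    m3 = {"eap": {"type": "identity", "data": user}, "cred_req": {"pubkey": pow(G, u, P)}}
    while True:                                        # messages (3)/(4) may repeat
        m4 = open_(keys, send(seal(keys, m3)))
        if m4["eap"]["code"] == "request":
            resp = hmac.new(password.encode(), m4["eap"]["data"].encode(), "sha256").hexdigest()
            m3 = {"eap": {"type": "challenge", "data": resp}}
        else:
            return m4.get("cred")                      # credential, or None on failure

def check_cred(y, cred):
    body = {k: v for k, v in cred.items() if k != "sig"}
    return verify(y, json.dumps(body, sort_keys=True).encode(), cred["sig"])

def run_pic(las, user, password, pinned_y=None):
    srv = AuthServer(las)
    send = lambda m: srv.msg2(m) if isinstance(m, dict) else srv.msg4(m)
    return client_run(pinned_y if pinned_y is not None else srv.y, send, user, password), srv.y
```

The order of operations in `client_run` is the security point of stage 1: the client checks SIG_R against its pinned AS key before it derives keys and before any EAP payload is built, so a responder that cannot produce a valid SIG_R never sees the legacy password. Changing the pinned key to one the server does not hold makes the run abort at that check; a wrong password instead completes the channel and ends with an EAP failure and no CRED.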

Credentials
  • Certificate signing user’s public key
    • Possibly short-term
  • User certificate and private key
  • Using PKCS #{7,10,12} for both cases
  • Shared secret
    • Requires channel between AS and SGW (adds protocol complexity)
    • Improves DoS-resistance of SGW
Summary
  • Outlined PIC, a protocol to enable remote users to initiate an IKE exchange using legacy authentication
  • Reusing existing IKE code
  • Using a standard protocol, EAP, for authentication
  • Lightweight and simple
References
  • PIC: draft-ietf-ipsra-pic-01.txt
  • EAP: RFC 2284
  • IPSRA requirements: draft-ietf-ipsra-reqmts-02
  • Credentials over HTTP/TLS: draft-ietf-ipsra-getcert-00