The PIC Pre-IKE Credential Provisioning Protocol (PowerPoint presentation transcript)
Provided by: vpnc

Transcript and Presenter's Notes

1
The PIC Pre-IKE Credential Provisioning Protocol
  • Yaron Sheffer (RADGUARD) and Hugo Krawczyk
    (Technion)
  • December 2000

2
Overview
  • PIC is a method to provide credentials, based on
    legacy authentication
  • Credentials are used in a later IKE session
  • Supports arbitrary authentication methods,
    credentials
  • Based on a dedicated ISAKMP-based mechanism plus
    EAP
  • No modifications to IKE!
  • But significant code reuse

3
Changes in -01
  • Changed from XAuth to the standard Extensible
    Authentication Protocol (EAP, RFC 2284)
  • Added much detail, payload types etc.
  • New ISAKMP exchange type
  • 3 new payloads
  • Streamlined the protocol, eliminating one round
    trip

4
Protocol Entities
  [Diagram: Client/User, Security Gateway (SGW), Authentication Server (AS) and Legacy Authentication Server (LAS); one of the connections is labelled "Optional Link"]

5
Conceptual Protocol Stages
  • 1. Establish a one-way authenticated secure channel
    • Only the server is authenticated
  • 2. Authenticate the user
    • Typically assisted by the legacy server
    • Protected by the secured one-way channel
  • 3. Hand out credentials to the user
  • Architecture similar to getcert

6
Extensible Authentication Protocol (EAP)
  • RFC 2284 (Proposed Standard)
  • PPP authentication by arbitrary methods
  • Multiple authentication methods
    • Simple password, challenge-response, OTP and more
  • Simple protocol, simple wire format
  • Few PPP dependencies (overridden)
    • Packet order, retransmission

7
(Somewhat) Detailed Protocol
  (1) Client -> AS:  HDR, SA, KE, Ni
  (2) AS -> Client:  HDR, SA, KE, Nr, IDir, SIG_R, HASH, [rest of this payload list is missing from the transcript]
  (3) Client -> AS:  HDR, HASH, EAP, EAP..., CRED-REQ
  (4) AS -> Client:  HDR, HASH, EAP, EAP..., CRED

An SA is created
Messages (3) and (4) may repeat
8
Credentials
  • Certificate signing the user's public key
    • Possibly short-term
  • User certificate and private key
  • Using PKCS #7, #10 and #12 for both cases
  • Shared secret
    • Requires a channel between AS and SGW (adds protocol complexity)
    • Improves DoS-resistance of the SGW
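
The exchange of slides 5 through 8, as an added worked example that is not part of the presentation or of the PIC draft: a stdlib-only Python model in which stage 1 is a Diffie-Hellman exchange that only the AS signs (the client verifies SIG_R and remains anonymous), stage 2 runs EAP MD5-Challenge in the RFC 2284 wire format inside the HASH-protected messages (3) and (4), and stage 3 hands out a shared-secret credential that the AS also pushes to the SGW over the optional AS-SGW link. Everything beyond the slides is an assumption and is marked as such in the code: the 1024-bit MODP group 2 of RFC 2409 is used for KE, an unpadded RSA key on two public Mersenne primes stands in for the AS's certificate key behind SIG_R, SKEYID is derived as HMAC-SHA256(Ni|Nr, g^xy), the LAS is modelled as a password table the AS reads, the SGW as a table the AS writes into, and message (2) is assumed to carry the first EAP Request/Identity since the tail of that line did not survive in the transcript.

```python
"""Added example, not code from the PIC draft or the slides: a stdlib-only model of
the PIC exchange on slides 5-8. Only the AS signs in stage 1; stage 2 runs EAP
MD5-Challenge (RFC 2284 wire format) inside the HASH-protected messages (3)/(4);
stage 3 hands out a shared-secret credential. TOY/ASSUMED mark simplifications."""
import hashlib, hmac, os, secrets, struct
# 1024-bit MODP group 2 of RFC 2409 for the KE payloads.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
# TOY: unpadded RSA over two public Mersenne primes stands in for the AS's
# certificate key. A real SIG_R is a padded signature under a certified key.
_p, _q = (1 << 521) - 1, (1 << 127) - 1
AS_N, AS_E = _p * _q, 65537
AS_D = pow(AS_E, -1, (_p - 1) * (_q - 1))
def digest_int(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def sig_r(*parts): return pow(digest_int(*parts), AS_D, AS_N)
def verify_sig_r(sig, *parts): return pow(sig, AS_E, AS_N) == digest_int(*parts)
def prf(key, data): return hmac.new(key, data, hashlib.sha256).digest()
def i2b(n): return n.to_bytes(128, "big")

# EAP packet (RFC 2284): Code | Identifier | Length | Type | Type-Data
REQUEST, RESPONSE, SUCCESS, FAILURE, IDENTITY, MD5_CHALLENGE = 1, 2, 3, 4, 1, 4
def eap_pack(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def md5_chap(ident, secret, chal):  # EAP type 4 value, computed as in RFC 1994 CHAP
    return hashlib.md5(bytes([ident]) + secret + chal).digest()

# Messages (3)/(4): HASH = prf(SKEYID, all other payloads), checked before use
def protect(sk, **payloads):
    blob = b"".join(k.encode() + v for k, v in sorted(payloads.items()))
    return {"HASH": prf(sk, blob), **payloads}

def unprotect(sk, msg):
    body = {k: v for k, v in msg.items() if k != "HASH"}
    if not hmac.compare_digest(protect(sk, **body)["HASH"], msg["HASH"]):
        raise ValueError("HASH check failed")
    return body

def run_pic(user, password, las_db, sgw_table, as_id=b"as.example.net"):
    """Client <-> AS exchange; returns the credential the client got, or None on
    EAP Failure. ASSUMED: the LAS is a dict of user -> password bytes, and the
    optional AS-SGW link is a dict the AS writes the new credential into."""
    # (1) Client -> AS: SA, KE, Ni
    x, ni = secrets.randbelow(P - 2) + 2, os.urandom(16)
    m1 = {"SA": b"PIC-SHA256", "KE": pow(G, x, P), "Ni": ni}
    # (2) AS -> Client: SA, KE, Nr, IDir, SIG_R, HASH, EAP. Only the AS signs;
    # the client stays anonymous. ASSUMED: message 2 carries EAP Request/Identity.
    y, nr = secrets.randbelow(P - 2) + 2, os.urandom(16)
    m2 = {"SA": m1["SA"], "KE": pow(G, y, P), "Nr": nr, "IDir": as_id}
    m2["SIG_R"] = sig_r(i2b(m1["KE"]), i2b(m2["KE"]), ni, nr, as_id)
    sk_as = prf(ni + nr, i2b(pow(m1["KE"], y, P)))       # AS's SKEYID
    m2.update(protect(sk_as, EAP=eap_pack(REQUEST, 1, IDENTITY)))
    # Client: verify the AS before any secret crosses the channel
    if not verify_sig_r(m2["SIG_R"], i2b(m1["KE"]), i2b(m2["KE"]), ni, nr, m2["IDir"]):
        raise ValueError("SIG_R invalid: AS not authenticated")
    sk_cl = prf(ni + nr, i2b(pow(m2["KE"], x, P)))       # client's SKEYID
    eap_req = unprotect(sk_cl, {k: m2[k] for k in ("HASH", "EAP")})["EAP"]
    state = None
    while True:  # (3)/(4) repeat until the EAP method finishes
        code, ident, etype, data = eap_unpack(eap_req)
        if etype == IDENTITY:
            reply = eap_pack(RESPONSE, ident, IDENTITY, user.encode())
        else:  # MD5-Challenge Type-Data: Value-Size | Value | Name
            chal = data[1:1 + data[0]]
            reply = eap_pack(RESPONSE, ident, MD5_CHALLENGE,
                             bytes([16]) + md5_chap(ident, password.encode(), chal))
        m3 = protect(sk_cl, EAP=reply, **{"CRED-REQ": b"shared-secret"})
        # AS: check HASH, consult the LAS, answer with the next EAP packet (+ CRED)
        code, ident, etype, data = eap_unpack(unprotect(sk_as, m3)["EAP"])
        if etype == IDENTITY:
            state = (data.decode(), os.urandom(16))
            m4 = protect(sk_as, EAP=eap_pack(REQUEST, ident + 1, MD5_CHALLENGE,
                                             bytes([16]) + state[1] + as_id))
        else:
            name, chal = state
            ok = name in las_db and hmac.compare_digest(
                data[1:17], md5_chap(ident, las_db.get(name, b""), chal))
            if ok:
                cred = os.urandom(32)            # short-term shared secret
                sgw_table[name] = cred           # over the optional AS-SGW link
                m4 = protect(sk_as, EAP=eap_pack(SUCCESS, ident), CRED=cred)
            else:
                m4 = protect(sk_as, EAP=eap_pack(FAILURE, ident))
        body = unprotect(sk_cl, m4)
        if eap_unpack(body["EAP"])[0] in (SUCCESS, FAILURE):
            return body.get("CRED")
        eap_req = body["EAP"]
```

run_pic returns the credential on EAP Success and None on EAP Failure; a wrong password or an unknown user never reaches stage 3 and never touches the SGW table. Every payload of messages (3) and (4), including the legacy EAP exchange, is checked against HASH before it is interpreted, which is the sense in which stage 2 is protected by the one-way authenticated channel of stage 1. The toy RSA key, the unpadded hash signing and MD5-Challenge itself are there only to make the flow concrete and should not be carried into real code.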

9
Summary
  • Outlined PIC, a protocol to enable remote users
    to initiate an IKE exchange using legacy
    authentication
  • Reusing existing IKE code
  • Using a standard protocol, EAP, for
    authentication
  • Lightweight and simple

10
References
  • PIC: draft-ietf-ipsra-pic-01.txt
  • EAP: RFC 2284
  • IPSRA requirements: draft-ietf-ipsra-reqmts-02
  • Credentials over HTTP/TLS (getcert): draft-ietf-ipsra-getcert-00