 YS-1 The PIC Pre-IKE Credential Provisioning Protocol Yaron Sheffer (RADGUARD) and Hugo Krawczyk (Technion) March 2000.


YS-2 Overview
 PIC is a method to provide credentials, based on legacy authentication
 Credentials to be used in a later IKE session
 Separate Authentication Server (AS)
 Flexible: authentication methods, credentials
 Based on a dedicated, ISAKMP-based mechanism, plus XAuth
 No modifications to IKE!
  –But significant reuse

YS-3 Protocol Entities
Diagram labels: Client/User; Authentication Server (AS); Legacy Authentication Server (LAS); Security Gateway (SGW); Optional Link

YS-4 Separate Authentication Server
 Eliminate user authentication from SGW
  –Simplified SGW can be used with/without PKI
 DoS attack on AS will not break existing connections at SGW
 AS may or may not be collocated with SGW
 User authenticates once for many gateways

YS-5 PIC Protocol Stages
1. Establish a one-way authenticated secure channel
  –Only server is authenticated
2. Authenticate user
  –Typically assisted by legacy server
3. Hand out credentials to user
 Architecture similar to draft-bellovin-ipsra-getcert-00

YS-6 (Somewhat) Detailed Protocol
Client sends
  –HDR, SA, KE, Ni
  –Message 2 of XAuth
  –Credential request over XAuth
AS sends
  –HDR, SA, KE, Nr, IDr1, [CERT,] SIG_R
  –Message 1 of XAuth
  –User credentials
Calculate SKEYID
Possibly more...
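
The three stages of slide YS-5 and the exchange sketched on slide YS-6, run end to end in one process, as an added example that is not part of the original deck or of the PIC draft. It assumes X25519 as the KE payload, Ed25519 for SIG_R and for the certificate handed out in stage 3, AES-256-GCM keyed from SKEYID as the channel that carries the XAuth messages, a constructed user/password table in place of the Legacy Authentication Server, and invented message encodings; the AS identity `as.example.invalid`, the user `alice` and her password are constructed values. The SKEYID computation only follows the shape of IKE's prf(Ni | Nr, g^xy) and is not the exact IKE or PIC derivation.

```go
package main

// Added example, not from the PIC draft or these slides: one in-process run
// of the three PIC stages on Go's standard library. Assumed stand-ins: X25519
// for KE, Ed25519 for SIG_R/CERT, AES-256-GCM for the channel carrying XAuth.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// AS: signing key, the public key a client must already trust, and a
// constructed user/password table standing in for the LAS.
type AS struct {
	signKey ed25519.PrivateKey
	Pub     ed25519.PublicKey
	las     map[string]string
}

// Credential models the short-term user certificate of slide YS-8.
type Credential struct {
	User    string
	UserPub ed25519.PublicKey
	Sig     []byte // AS signature over User || UserPub
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// prf is HMAC-SHA256; its 32-byte output doubles as the AES-256 channel key.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, msg []byte) []byte { // protects every message sent after stage 1
	iv := randBytes(12)
	return append(iv, aead(key).Seal(nil, iv, msg, nil)...)
}
func open(key, ct []byte) ([]byte, error) { return aead(key).Open(nil, ct[:12], ct[12:], nil) }

func NewAS(users map[string]string) *AS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &AS{signKey: must(priv, err), Pub: pub, las: users}
}

func VerifyCredential(asPub ed25519.PublicKey, c *Credential) bool {
	return ed25519.Verify(asPub, concat([]byte(c.User), c.UserPub), c.Sig)
}

// RunPIC drives one client/AS run; trustedAS is the AS public key the client
// holds beforehand (the "site certificate" of slide YS-12).
func RunPIC(as *AS, trustedAS ed25519.PublicKey, user, pass string) (*Credential, error) {
	// Stage 1: client -> AS: KE, Ni.  AS -> client: KE, Nr, IDr1, SIG_R.
	ckey, skey := must(ecdh.X25519().GenerateKey(rand.Reader)), must(ecdh.X25519().GenerateKey(rand.Reader))
	ni, nr, idr := randBytes(16), randBytes(16), []byte("as.example.invalid") // idr constructed
	transcript := concat(ni, nr, ckey.PublicKey().Bytes(), skey.PublicKey().Bytes(), idr)
	sigR := ed25519.Sign(as.signKey, transcript)
	if !ed25519.Verify(trustedAS, transcript, sigR) { // only the server is authenticated
		return nil, errors.New("stage 1: SIG_R does not verify under the trusted AS key")
	}
	// SKEYID on each side, shaped like IKE's prf(Ni|Nr, g^xy) but simplified.
	cs, ss := must(ckey.ECDH(skey.PublicKey())), must(skey.ECDH(ckey.PublicKey()))
	skeyidC, skeyidS := prf(concat(ni, nr), cs), prf(concat(ni, nr), ss)

	// Stage 2: XAuth simple authentication inside the channel; the AS asks its LAS.
	msg := must(open(skeyidS, seal(skeyidC, []byte(user+"\x00"+pass))))
	u, p, _ := bytes.Cut(msg, []byte{0})
	want, known := as.las[string(u)]
	if !known || subtle.ConstantTimeCompare([]byte(want), p) != 1 {
		return nil, errors.New("stage 2: legacy authentication failed")
	}

	// Stage 3: the request carries a fresh user public key; the AS returns the
	// signed credential and the client checks it before using it with IKE.
	upub, _, _ := ed25519.GenerateKey(rand.Reader)
	cred := &Credential{User: string(u), UserPub: must(open(skeyidS, seal(skeyidC, upub)))}
	if cred.Sig = ed25519.Sign(as.signKey, concat([]byte(cred.User), cred.UserPub)); !VerifyCredential(trustedAS, cred) {
		return nil, errors.New("stage 3: credential does not verify")
	}
	return cred, nil
}

func main() {
	as := NewAS(map[string]string{"alice": "correct horse"}) // constructed LAS entry
	_, err := RunPIC(as, as.Pub, "alice", "correct horse")
	fmt.Println("PIC run succeeded:", err == nil)
}
```

Two properties of the design show up directly in this run: a client that trusts a different AS key stops at stage 1 because SIG_R does not verify (the reason slide YS-12 spends time on how the client obtains that key), and a wrong password fails at stage 2 before any credential exists, with the AS having authenticated nobody during stage 1.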

YS-7 User Authentication Methods
Anything that XAuth supports, for example:
 Simple authentication
 Challenge/response
 Two-factor authentication
 One-time password
Note: may need to add machine authentication

YS-8 Credentials
 Certificate signing user’s public key
  –Possibly short-term
 User certificate and private key
 Shared secret
  –Requires channel between AS and SGW (adds protocol complexity)
  –Significantly improves DoS-resistance of SGW

YS-9 Summary
 Outlined PIC, a protocol to enable remote users to initiate an IKE exchange
 Reusing XAuth mechanisms and existing IKE code
 PIC is a practical alternative if IPSRA chooses a separate authentication server

YS-10 References
 PIC: draft-ietf-ipsra-pic-00.txt
 XAuth: draft-ietf-ipsec-isakmp-xauth-06.txt
 IPSRA requirements: draft-ietf-ipsra-reqmts-00
 Credentials over TLS: draft-bellovin-ipsra-getcert-00

YS-11 Backup

YS-12 Obtaining the AS Public Key
 Needed at client anyway to initiate IKE
 Much easier to distribute a site certificate than build a full-blown PKI
 Alternatively, can tunnel EKE over PIC and pass server’s cert as part of credential
  –Client should trust the AS only when EKE exchange is over (complexity!)
  –Somewhat inefficient...