Click here to get back home

I can't underestand IKE Authentication!
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
I can't underestand IKE Authentication! ArshinK 10-28-2007
Posted by ArshinK on October 28, 2007, 12:31 pm
Please log in for more thread options
 Hi
I have a problem when trying to understand Certificate-Authententication in
IKE.
The problem is that when we take an IPSec-certificates from CA and install
them in the Principal's-Store, it doesn't matter to what name we use for
Subject-Field.
So how it protects against Man-in-the-Middle Attack? as it is possible for
attacker to take a certificate with an optional name from the same CA and
performs a successful authentication?
In other word, what attribute (except that Subject) in the certificate
exactly determines the identification of other principal?
It is clear for me when using the Authentication Process in Kerberos or
Pre-Shared-Key but not about Certificate when no field in the certificate is
related to other principal!

Please help !
Thanks



Posted by Gaurav Kumar on October 28, 2007, 11:29 pm
Please log in for more thread options
 ArshinK,
Information at
http://technet2.microsoft.com/windowsserver/en/library/47b6a8a2-c239-4264-ae23-9b220391293c1033.mspx?mfr=true
might help you.

---
Gaurav Kumar
Security Consultant
http://blogs.technet.com/gauravphoenix/








> Hi
> I have a problem when trying to understand Certificate-Authententication
> in IKE.
> The problem is that when we take an IPSec-certificates from CA and install
> them in the Principal's-Store, it doesn't matter to what name we use for
> Subject-Field.
> So how it protects against Man-in-the-Middle Attack? as it is possible for
> attacker to take a certificate with an optional name from the same CA and
> performs a successful authentication?
> In other word, what attribute (except that Subject) in the certificate
> exactly determines the identification of other principal?
> It is clear for me when using the Authentication Process in Kerberos or
> Pre-Shared-Key but not about Certificate when no field in the certificate
> is related to other principal!
>
> Please help !
> Thanks
>
>


Posted by ArshinK on October 29, 2007, 8:33 am
Please log in for more thread options
Thanks Gaurav,
but:
Authentication occures at the Step 5,6 in IKE-Main-Mode-Negotiations and
just before it the DH-Exchange is done with Man-In-The-Middle,
The main problem is that the Principals doesn't have any
Identification-parameters from each other except the Peer-IP-Address, so
what prevents the Man-In-The-Middle to introduce himself as a valid
principal?

In Kerberos, Tickets binds to Peer-IP-Address, also in PSK, only the real
principals have the Shared-Key, but in the certificate what field relates
the certificate to Peer-IP-Address?
We have only Peer-IP-Address as a valid parameter for communication and not
the Name or other things!



Similar ThreadsPosted
I can't underestand IKE Authentication! October 28, 2007, 12:33 pm
Kerberos machine authentication - apparent authentication failures May 30, 2005, 10:35 am
USB Authentication in TS December 13, 2005, 10:02 am
Authentication Across Domains using IIS July 29, 2005, 6:47 am
Re: Authentication Issue January 24, 2006, 10:44 am
Workstation Authentication December 4, 2007, 3:56 pm
How to set up Kerberos authentication? (some code :) August 18, 2005, 2:55 pm
Disable ALL Lan Manager Authentication September 20, 2005, 7:15 am
Branch Office Authentication? January 23, 2006, 10:55 am
machine authentication for web site? February 21, 2006, 10:09 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap