Test Certificates?

Joel Snyder Joel.Snyder at OPUS1.COM
Fri Dec 29 08:46:44 EST 2000


"Christopher S. Gripp" wrote:
>
> Well, the reason they are more "secure" is due to the key length.  It is
> essentially a MUCH larger static key.

I wouldn't NECESSARILY agree with that, although your conclusion is probably
correct given real-world constraints.

First, I am assuming that when you say "static key," you mean "pre-shared
secret," not manual keying.  In the case of pre-shared secrets, the secret is
transmitted during configuration, and is transmitted across the wire (encrypted)
each time an IKE authentication occurs.  The management overhead with existing
products to pair-wise PSS is so high that real VPNs rarely use them in a secure
way.  In addition, while many implementations give you the option of long PSS,
there are practical limits (such as UDP packet length and management GUI) which
typically limit the size of PSS to some small value, such as 80 octets.

By contrast, certified public keys in IKE authentication do NOT transmit the
private key ever in IKE, and often are configured in such a way that the private
key is private to the device/user and never transmitted to the CA.

From a cryptographer's point of view, you cannot compare these two approaches,
since they are apples & oranges.  However, from a management point of view, the
way that real products actually implement both PSS and certified public keys
does often lead to better MANAGED VPNs, which typically results in an IKE
authentication approach with a higher face validity.

jms

>
> Chris
>
> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Ryan McBride
> Sent: Wednesday, December 20, 2000 7:40 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Test Certificates?
>
> On Wed, Dec 20, 2000 at 01:52:55PM -0600, James Russell wrote:
>
> > Some cohorts and myself have just purchased copies of Safenet's SoftPk VPN
> > Windows2000 client for securing our connections to one another.  It was so
> > amazingly easy to get everything up and running using fixed keys that I'm
> > now considering trying to use certificates because I know they're more
> > secure.
>
> They're not necessarily more secure than using fixed keys - they're
> one way to handle the problem of key management, but they're definitely
> not a panacea.
>
> > I know I should probably leave well enough alone, but does anyone know of a
> > Certificate Authority where I can just get testing or temporary certificates
> > to see if I can get them working?  The Certificate Manager on the client
> > looks easy enough, so I'd like to give it a shot.
>
> I've had good experiences using OpenSSL (on OpenBSD) to generate x509
> certificates for use with the SafeNet client. If you have access to a
> Unix system that you can install OpenSSL on, you can generate all the
> certificates you like.
>
> -Ryan
>
> --
> Ryan McBride - mcbride at countersiege.com
> Systems Security Consultant
> Countersiege Systems Corporation - http://www.countersiege.com
>
> VPN is sponsored by SecurityFocus.COM

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ 85719
Phone: +1 520 324 0494 (voice)   +1 520 324 0495 (FAX)
jms at Opus1.com http://www.opus1.com/jms Opus One
This was sent from home, so calling now won't catch me.

VPN is sponsored by SecurityFocus.COM
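Ryan's quoted suggestion to generate X.509 certificates with OpenSSL, together with Joel's point that a certificate-based IKE setup never transmits the private key (only a signing request goes to the CA, while a pre-shared secret must be copied to both peers), as an added example that is not part of the original thread: a small POSIX shell script that builds a private test CA, a device key pair whose private half stays local, and a CA-signed device certificate, then checks that the certificate verifies only against its issuing CA. The names `Lab VPN Test CA` and `vpn-device-1` and all file names are constructed for the example; it assumes a Unix system with the `openssl` command-line tool installed and says nothing about how any particular VPN client imports the result.

```shell
#!/bin/sh
# Added example (not from the original thread): build a private test CA and a
# CA-signed device certificate with the openssl CLI. All names and paths are
# constructed for this example.
set -eu

# make_test_pki DIR
# Creates in DIR: ca.key/ca.crt (the CA), device.key (stays on the device),
# device.csr (the only thing sent to the CA) and device.crt (signed by the CA).
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # 1. CA key pair and self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab VPN Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Device key pair generated locally; the CSR carries the public key and
  #    name only, so the private key never leaves the device.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn-device-1" \
    -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
  # 3. CA signs the CSR and returns a certificate.
  openssl x509 -req -sha256 -days 365 -in "$dir/device.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/device.crt" 2>/dev/null
}

# verify_cert CAFILE CERT -> prints "ok" if CERT chains to CAFILE, else "fail".
# This is the trust check a peer performs on the certificate it is offered.
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# csr_has_private_key DIR -> "yes" or "no": shows what actually crosses the
# wire to the CA in step 2.
csr_has_private_key() {
  if grep -q "PRIVATE KEY" "$1/device.csr"; then echo yes; else echo no; fi
}

# make_psk -> a 256-bit random pre-shared secret as hex. Unlike the CSR above,
# this single value must be copied to both peers and stored on each of them.
make_psk() {
  openssl rand -hex 32
}

# Stand-alone run: build two independent CAs and show that a device certificate
# verifies only against the CA that issued it.
a=$(mktemp -d); b=$(mktemp -d)
make_test_pki "$a"
make_test_pki "$b"
echo "device cert vs own CA:    $(verify_cert "$a/ca.crt" "$a/device.crt")"   # ok
echo "device cert vs other CA:  $(verify_cert "$b/ca.crt" "$a/device.crt")"   # fail
echo "CSR contains private key: $(csr_has_private_key "$a")"                 # no
echo "example PSK:              $(make_psk)"
rm -rf "$a" "$b"
```

The script keeps `ca.key` on whichever machine plays the CA and produces `device.key` plus `device.crt` on the device side; the second CA exists only to show that a certificate from a foreign issuer is rejected, which is the property that lets peers authenticate without ever sharing a secret. `make_psk` is included purely as the contrast Joel draws: a pre-shared secret is one value that has to be distributed to and stored on every peer that uses it.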




More information about the VPN mailing list