Presentation Transcript
PlutoPlus: Policy and PKI Plans for FY00
Sheila Frankel
Systems and Network Security Group
Computer Security Division
NIST
sheila.frankel@nist.gov
PlutoPlus ’99
Peer authentication:
  pre-shared secret keys
Policy:
  Same policy for all peers
  Initiator proposes single policy
  Responder must accept proposed policy
Y2K PlutoPlus
Peer authentication:
  choice of pre-shared secret keys, digital signature, or public key encryption
Policy:
  Flexible policy database
  Different policies for different peers
  Initiator proposes multiple policies
  Responder selects most preferable policy
What Constitutes Policy?
Encryption algorithm: DES, 3DES, Blowfish, IDEA, RC5
Encryption Key Length
Authentication algorithm: HMAC-MD5, HMAC-SHA1
Diffie-Hellman group: prime with 96, 128, or 192 bytes
Encapsulation mode: tunnel or transport
Policy Database Elements (cont’d)
Peer authentication: pre-shared secret key, digital signature, public key encryption
Negotiated Security Association’s Lifetime: seconds and/or kilobytes protected
Perfect Forward Secrecy for negotiated keys
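The Y2K negotiation model sketched above (a per-peer policy database, several proposals from the initiator, the responder picking its own most-preferred match) as an added, constructed example; this is illustrative Python, not PlutoPlus code, and the peer names, field names and sample values are assumptions. Lifetimes are treated as negotiable downward, every other attribute must match exactly.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed model of a policy database entry; the fields mirror the slides
# (algorithm, key length, auth, DH group, mode, peer auth, PFS, lifetime).
@dataclass(frozen=True)
class Proposal:
    encryption: str      # DES, 3DES, Blowfish, IDEA, RC5
    key_bits: int        # encryption key length
    auth: str            # HMAC-MD5 or HMAC-SHA1
    dh_bytes: int        # Diffie-Hellman prime size: 96, 128 or 192 bytes
    mode: str            # "tunnel" or "transport"
    peer_auth: str       # "psk", "signature" or "pubkey-encryption"
    pfs: bool            # Perfect Forward Secrecy for negotiated keys
    life_seconds: int    # SA lifetime in seconds
    life_kbytes: int     # SA lifetime in kilobytes protected

def algorithms_match(a: Proposal, b: Proposal) -> bool:
    """Everything except the lifetimes must agree exactly."""
    fixed = ("encryption", "key_bits", "auth", "dh_bytes", "mode", "peer_auth", "pfs")
    return all(getattr(a, f) == getattr(b, f) for f in fixed)

def select_proposal(policy_db: Dict[str, List[Proposal]], peer: str,
                    offered: List[Proposal]) -> Optional[Proposal]:
    """Responder side: walk the responder's own per-peer preference list and
    take the first entry the initiator also offered, so the responder's
    ordering wins, not the initiator's. The SA lifetime becomes the stricter
    (smaller) of the two values. None means nothing acceptable was offered."""
    for local in policy_db.get(peer, []):
        for remote in offered:
            if algorithms_match(local, remote):
                return replace(local,
                               life_seconds=min(local.life_seconds, remote.life_seconds),
                               life_kbytes=min(local.life_kbytes, remote.life_kbytes))
    return None

# Constructed sample database: two peers, different policies for each.
STRONG = Proposal("3DES", 168, "HMAC-SHA1", 128, "tunnel", "signature", True, 3600, 100000)
WEAK = Proposal("DES", 56, "HMAC-MD5", 96, "transport", "psk", False, 28800, 500000)
POLICY_DB: Dict[str, List[Proposal]] = {
    "gateway-a.example": [STRONG, WEAK],   # prefers STRONG, tolerates WEAK
    "gateway-b.example": [STRONG],         # signature-based only
}

def demo() -> Tuple[Optional[Proposal], Optional[Proposal]]:
    # Initiator lists WEAK first, then STRONG with a shorter lifetime.
    offered = [WEAK, replace(STRONG, life_seconds=1800)]
    a = select_proposal(POLICY_DB, "gateway-a.example", offered)  # STRONG, 1800 s
    b = select_proposal(POLICY_DB, "gateway-b.example", [WEAK])   # None: rejected
    return a, b
```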
Why PKI Interaction?
Peer authentication with pre-shared keys:
  pre-shared secret key used to prove identity
  limited scalability
  opportunistic encryption impossible
Peer authentication with PKI:
  digital signature or public key used to prove identity
  scalable
  opportunistic encryption possible