
KICE - Kerberose IPSec Configuration Exchange

IP.com Disclosure Number: IPCOM000015834D
Original Publication Date: 2002-Sep-23
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 41K

Publishing Venue

IBM

Abstract

This invention, Kerberos IPSec Configuration Exchange (KICE), is a method of embedding the IPSec configuration and the secret session key within the Kerberos client authentication exchange, to be used by the client initiating the communication and the target (peer) with which the client wants to communicate.

The primary roadblock users experience when setting up a Virtual Private Network with IPSec is the configuration. IPSec was intended to be very flexible, which led to a large variety of configuration options, along with the problem of sharing some configuration variables, such as encryption keys, in a safe, out-of-band manner. This problem has led to the addition of security certificates, which simplify the configuration in one way but complicate it in another, i.e. the creation and management of the security certificates and certificate issuers.

Because of these configuration problems, mainstay security technologies like Kerberos remain popular. Their ease of use comes from being client-server (token server) based, so the server provides a single point of authentication control. IPSec, by contrast, is peer to peer, and thus each peer must hold the configuration for every peer it will communicate with. The Kerberos method only requires that the client authenticate with the Kerberos server: if a client is trusted by a Kerberos server, then the other clients trust this client. This scheme will be illustrated later as the idea of this invention unfolds.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2



Currently Kerberos uses the following communication exchange before two clients can be authenticated and begin communicating. Below is the current state of the art for Kerberos:

Client Alice wishes to communicate with Bob. She must have a session key, which is a unique and randomly generated secret key to be used for this particular session with Bob. Alice and Bob must also be authenticated, so we know there is not an impostor in Alice's or Bob's place. This is what transpires when you dce_login: you get a session key to be used when you communicate with the dce...
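The exchange the text begins to describe, extended with the KICE idea of carrying the IPSec configuration in the same ticket as the session key, as an added illustrative model in Python (not IBM's code or the disclosure's own design). The HMAC-based cipher, the KDC holding an IPSec policy per target, and all principal names and key values are assumptions.

```python
import hmac, hashlib, json, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for the cipher a real KDC would use
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC under a principal's long-term key: nonce || ct || tag
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Rejects anything not sealed under this key (a forged or misdirected ticket)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not issued under this principal's key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Single point of authentication control: knows every principal's long-term
    key and (assumption) the IPSec policy each target expects its peers to use."""
    def __init__(self, keys, ipsec_policy):
        self.keys, self.policy = keys, ipsec_policy
    def request(self, client, target):
        session_key = secrets.token_hex(16)   # unique, random, per session
        cfg = self.policy[target]             # embedded alongside the key (KICE)
        ticket = seal(self.keys[target],      # only the target can open this
                      {"client": client, "session_key": session_key, "ipsec": cfg})
        return seal(self.keys[client],        # only the client can open this
                    {"target": target, "session_key": session_key,
                     "ipsec": cfg, "ticket": ticket.hex()})

def kice_exchange(kdc, client, client_key, target, target_key):
    # Client: proves it holds its key by opening the reply; gets key + config + ticket
    reply = unseal(client_key, kdc.request(client, target))
    # Target: opens the forwarded ticket with its own key; it never held the
    # client's key or a per-peer IPSec configuration in advance
    ticket = unseal(target_key, bytes.fromhex(reply["ticket"]))
    return reply, ticket
```

Both sides end up with the same session key and the same IPSec parameters while the only trust relationship either configured was with the KDC.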