
Authentication Protocols for Provisioned Users with Devices using Preshared Secrets?


Jeffrey Walton

Aug 19, 2013, 1:01:49 PM
Hi All,

I'm trying to locate a protocol that allows me to provision a user with a workstation or device, and then authenticate both. Or, provision a user and workstation or device, and then authenticate the user while authorizing access to a resource based on the workstation or device.

In this scenario, the user might be an employee, and he or she would be allowed access to low/medium/high value data if working from a provisioned workstation; while the same user would only be allowed to access low value data from a device.

Additionally, a user with a valid username/password but no workstation or device should not be allowed access to any resources since the hardware is not provisioned.

Finally, I don't want to suffer all the failures of running basic_auth over SSL/TLS. So I want something that properly binds the encryption tunnel with the authentication mechanism (much like TLS-SRP or TLS-PSK).

My Google Scholar-fu is really off since I have not been able to find a toe-hold in the literature.

Is anyone aware of a protocol that authenticates both the user and his/her device?

Thanks in advance,

Jeffrey Walton
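As an added illustration, not part of this thread and not the code of any product or library named in it, here is a toy challenge-response in Python that shows the "all or nothing" binding the question asks for: the session key can only be derived from both the device's provisioned pre-shared secret and the user's password-derived key, the client's proof covers a channel-binding value read from the tunnel, and authorization is decided from the provisioned class of the device. The device classes, the policy table, the record formats and all names are constructed assumptions. In a real deployment the channel-binding value would come from TLS (for example tls-unique or an exporter), and a verifier-based PAKE such as SRP would avoid the server holding a password-equivalent key as this toy does.

```python
import hashlib
import hmac
import secrets

# Constructed policy (assumption): data levels allowed per class of
# provisioned hardware.
DEVICE_LEVELS = {
    "workstation": {"low", "medium", "high"},
    "mobile": {"low"},
}
_DUMMY = secrets.token_bytes(32)  # reject path does the same work as accept


def _enc(*parts):
    """Length-prefix every field so a transcript cannot be re-split."""
    out = b""
    for p in parts:
        b = p.encode() if isinstance(p, str) else p
        out += len(b).to_bytes(2, "big") + b
    return out


def user_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def combined_key(device_psk, ukey):
    # Exists only when BOTH the device secret and the user key are correct.
    return hmac.new(device_psk, _enc("combine", ukey), hashlib.sha256).digest()


def client_proof(ckey, transcript):
    return hmac.new(ckey, _enc("client", transcript), hashlib.sha256).digest()


def server_proof(ckey, transcript):
    return hmac.new(ckey, _enc("server", transcript), hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.devices = {}  # device_id -> (psk, class)
        self.users = {}    # username -> (salt, key)

    def provision_device(self, device_id, device_class):
        psk = secrets.token_bytes(32)
        self.devices[device_id] = (psk, device_class)
        return psk  # installed on the hardware out of band

    def provision_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, user_key(password, salt))
        return salt

    def verify(self, device_id, username, cnonce, snonce, cb, proof):
        psk, dev_class = self.devices.get(device_id, (_DUMMY, None))
        _, ukey = self.users.get(username, (None, _DUMMY))
        transcript = _enc(device_id, username, cnonce, snonce, cb)
        ckey = combined_key(psk, ukey)
        ok = hmac.compare_digest(client_proof(ckey, transcript), proof)
        if not ok or dev_class is None:
            return None, None  # one failure: user, device or tunnel
        return DEVICE_LEVELS[dev_class], server_proof(ckey, transcript)


class Client:
    def __init__(self, device_id, psk, username, password, salt):
        self.device_id, self.psk, self.username = device_id, psk, username
        self.ukey = user_key(password, salt)

    def login(self, server, cb_client, cb_server):
        # cb_* is the channel-binding value each end reads from its own
        # tunnel; the two differ when a relay sits between the ends.
        cnonce = secrets.token_bytes(16)
        snonce = secrets.token_bytes(16)  # would arrive in the server hello
        transcript = _enc(self.device_id, self.username, cnonce, snonce, cb_client)
        ckey = combined_key(self.psk, self.ukey)
        levels, sproof = server.verify(self.device_id, self.username, cnonce,
                                       snonce, cb_server,
                                       client_proof(ckey, transcript))
        if levels is None:
            return None
        # Mutual: the server must prove it holds the same combined key.
        if not hmac.compare_digest(server_proof(ckey, transcript), sproof):
            return None
        return levels


def demo():
    """Runs the five cases from the question; returns allowed levels or None."""
    srv = Server()
    ws_psk = srv.provision_device("ws-01", "workstation")
    mob_psk = srv.provision_device("mob-01", "mobile")
    salt = srv.provision_user("alice", "correct horse")
    cb = secrets.token_bytes(32)
    login = lambda dev, psk, pw, cbs: Client(dev, psk, "alice", pw, salt).login(srv, cb, cbs)
    return {
        "workstation": login("ws-01", ws_psk, "correct horse", cb),
        "mobile": login("mob-01", mob_psk, "correct horse", cb),
        "unprovisioned": login("laptop-x", secrets.token_bytes(32), "correct horse", cb),
        "bad_password": login("ws-01", ws_psk, "wrong", cb),
        "relayed_tunnel": login("ws-01", ws_psk, "correct horse", secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for case, levels in demo().items():
        print(f"{case:15} -> {sorted(levels) if levels else 'rejected'}")
```

The server deliberately returns a single failure result whether the device is unknown, the password is wrong or the channel binding differs, and derives a key from dummy material in the unknown-device case so the reject path costs about the same as the accept path.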

Collin Stocks

Aug 22, 2013, 3:37:59 PM
It sounds like you are asking for a practical implementation of what you want
in software, rather than a theoretical approach. Am I correct?

Does anyone know if there is a way to set something like this up with SSH?

max.k...@gmail.com

Aug 23, 2013, 5:08:38 AM
There are lots of approaches to this but the question is how much do you want to spend, what platforms need supporting and how secure does it need to be?

Is this for a web application or something else?

The sticking point might be binding them all together as peers if you want the encryption & authentication mechanism to include two components (device & user) for the authentication and bound together in a way that it's all or nothing. Is that a *hard* requirement?

There are PKI platforms that would do this for you but that might be overly complicated for what you want to achieve. Are the client applications within your control to develop?

M