Simplify PKI with Hybrid Auth, XAuth

Companies deploying VPNs are turning to digital certificates to achieve the security essential to an effective VPN. Digital certificates, which must be managed by a public-key infrastructure (PKI), provide a level of privacy and security to VPNs unequalled by any other authentication method.

Deploying a full-blown PKI is highly complex and potentially disruptive to a network and its users. Two new protocols - Hybrid Auth and XAuth - are being developed by the Internet Engineering Task Force (IETF). They will enable companies to employ a more manageable, phased approach to PKI deployment.

Hybrid Auth and XAuth are extensions to the Internet Key Exchange (IKE) protocol. IKE is an important element of PKI that defines how security credentials are exchanged over the IP Security (IPSec) tunneling protocol.

Using IPSec with IKE, one of two types of authentication can be employed to access the network: preshared keys or digital certificates. Preshared keys, which are unique to each user, work well for a small number of users, but provisioning a unique key for each of hundreds or thousands of remote users is an administrative burden and a management nightmare.

For simplicity, some companies deploy one key that is shared among all users. If that shared key is compromised, however, every user must be re-keyed.

When deploying IPSec with IKE to many users, digital certificates are the most scalable option for enterprise security. However, a full PKI environment, which can be costly to implement and complex to deploy, is required. In addition, remote users must "enroll" in the PKI. Enrollment can be disruptive and add many opportunities for error.

Certain VPN implementations of Hybrid Auth are enabling companies to solve some of these issues by leveraging legacy authentication systems and by allowing a PKI to be deployed and managed centrally in practical phases, rather than all at once. In this approach, a digital certificate is deployed on the VPN server at the central site, while remote users continue to use legacy authentication methods such as RADIUS or SecurID to access the corporate network. Because there is no change in how remote users authenticate, this Hybrid Authentication environment simplifies initial digital certificate deployment, controls operational expenses, and minimizes end-user impact.

The Hybrid Auth extension allows the asymmetric use of digital certificates between client and server: the client verifies the authenticity of the server's credentials (its certificate), while the server verifies the authenticity of the client's credentials (its legacy password or token). Companies benefit from the interoperability of standards-based IPSec with IKE as well as the increased security of the PKI at the central site, with no disruption to remote users.
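The asymmetric exchange described above, as an added example that is not part of the original article or of any vendor's product: a Go model, built on the standard library rather than real IKE messages, in which only the gateway holds a certificate, the client verifies that certificate and a signature over the key-exchange transcript before releasing anything, and the gateway then checks the user's legacy credentials instead of demanding a client certificate. The names NewGatewayCert, ClientVerifiesGateway, HybridAuth, the host vpn.example.test and the legacyUsers table (a constructed stand-in for RADIUS/SecurID) are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed stand-in for the legacy RADIUS/SecurID backend the gateway keeps using.
var legacyUsers = map[string]string{"alice": "correct-horse"}

// NewGatewayCert issues a self-signed certificate for the central-site VPN gateway (standing in for one from the corporate CA).
func NewGatewayCert(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ClientVerifiesGateway is the client's half: the certificate must chain to a trusted root and name the expected gateway, and the signature must cover the transcript the client saw.
func ClientVerifiesGateway(roots *x509.CertPool, host string, cert *x509.Certificate, transcript, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(transcript)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// HybridAuth: the gateway signs the transcript with its certificate's key, the client verifies that before releasing credentials, and the gateway checks those credentials against the legacy backend.
func HybridAuth(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, host, user, pass string, transcript []byte) bool {
	h := sha256.Sum256(transcript)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil || !ClientVerifiesGateway(roots, host, cert, transcript, sig) {
		return false
	}
	want, ok := legacyUsers[user]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}
```

The client's trust store (the roots pool) is the only thing that has to be distributed to remote users, which is why the gateway-side certificate can be rolled out without enrolling anyone.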

The XAuth standard may be seen as the next phase of PKI migration. As organizations move to a full PKI, digital certificates are used at the central site and on remote users' desktops. Certain implementations of the XAuth protocol give companies the option to combine use of legacy authentication methods and digital certificates. The XAuth extension to the IKE protocol allows two-factor authentication for remote users: The digital certificate authenticates the user's machine or desktop, while the use of passwords or tokens binds that user to his digital ID and authorizes him for network access.

VPN implementation using XAuth allows network managers to centrally control authentication policy on a group-level basis, remotely synchronizing and enforcing authentication policy changes out to remote users' desktops as the organization moves from passwords to digital certificates.

The Hybrid Auth and XAuth protocols are especially beneficial when utilizing digital certificates as the authentication method for VPNs. The many benefits these protocols promise - greater manageability, stronger security, greater protection of legacy system investments and a more practical approach to PKI - suggest that they will become IETF standards.

Companies would do well to ensure that the VPNs they are deploying support Hybrid Auth and XAuth.

Silvia is senior product manager at Indus River Networks Inc., a developer of remote access products. She can be reached at
