Ann Arbor, MI-based Interlink Networks
makes Secure.XS (pronounced "Secure Access"), a $2500+ Linux and Windows-based
solution for 802.1X authentication, authorization, and accounting (AAA). In
the last few months the company has announced Secure.XS support for a variety
of Extensible Authentication Protocols (EAP) including PEAP, TLS, TTLS, LEAP,
MD5, and others.
Now they are adding a new protocol called SPEKE — Simple Password
Exponential Key Exchange — to that list.
SPEKE comes from Phoenix Technologies
of San Jose,
CA, the company behind the "global core systems software" — the BIOS
— found in thousands of personal computers. Phoenix got the technology in an
acquisition of Integrity Sciences in early 2001.
The reason to integrate SPEKE? No certificates for authentication. Instead,
according to Mike Klein, CEO and president at Interlink, "it allows you
to establish a strong username and password approach."
Phoenix calls SPEKE a "leading cryptographic system for zero-knowledge
password proof." That means when in use for authentication the password
is not actually revealed to either the server or the client — they only know
they share it.
The password never travels on the network, so potential attackers using man-in-the-middle
attacks can never find out what it is. Instead, SPEKE uses a hash of the password
as the basis of a Diffie-Hellman Key Exchange: each side combines that hash with
a hidden exponent of its own, and only the resulting values are sent. Since both
parties have the password, both generate the same key, and neither learns the
hidden exponent on the other end.
In short, this makes security much easier on the end users and administrators.
"The feedback we got consistently was that having certificates and establishing
certificate authority was a real barrier for enterprises that want to get wireless
security," says Klein.
SPEKE is provided by Phoenix in a software development kit (SDK) for developers
to use when embedding the technology. Thus SPEKE is not exclusive to Interlink’s
Secure.XS program, but they are the first to integrate it. Right now, SPEKE support
in Secure.XS is still in beta, but Klein expects availability
by the end of the first quarter. Pricing for the SPEKE add-on to Secure.XS has
not yet been established.