HIPL certificate problem

Hello,

on Apr 11, 2012, at 3:50 PM, changyou xing wrote:

> New question #193325 on HIPL:
> https://answers.launchpad.net/hipl/+question/193325
>
> Hi, I'm wondering whether HIPL still supports certificate verification any more? When I use the command "hipconf acquire certificate #HIT_OF_C# > host-cert.der", it tells me command wrong, and hipconf can only be followed by daemon and firewall.

Please use the current syntax:

hipconf daemon acquire certificate <hit-of-peer>

Please also note that this will only work if there currently exists a Host Association with the particular peer, because generation of a certificate requires knowledge of the peer's public key.

Please let us know whether this works for you.

> Besides, if I want to add certificates authentication mechanism by modifying the BEX process, for example, the initiator communicate with CA to authenticate the responser after receiving the R1 packet, and the responser communicate with CA to authenticate the initiator after receiving the I2 packet, could you tell me which source files should I modify? Thank you very much.

I'm not sure what you're attempting to do, and why. Could you please elaborate on the purpose of your modification? Why do you need to communicate with a CA in real-time, during HIP connection establishment?

Cheers,

  Christoph

--
 <email address hidden>

Thank you for your help, but when I use the command syntax given by you, there is sitill an error, and the daemon give the following output.

Invalid action argument 'acquire'
Error: Cannot configure the daemon.

I'm using the version 1.0.6, does it still support such a certificate authentication method?

For the second problem, I want to implement a strengthed security and trust communication environment based on HIPL, in which the initiator and responder can anthenticate each other's HIT before their communication process begins. Now I plan to let the initiator and responder communicate with the CA after receiving R1 and I2 packet, so that they can verify the identity of each other. but I'm not sure which source files should be modified. And is there any better solutions to implement the authentication of both initiator and responder?

Are you using the binaries from the release? If yes, please switch to more current binaries at http://hipl.hiit.fi/index.php?index=download

I have updated the binaries today (and release binaries are a bit older). Alternatively, you create your own binaries (i.e., checkout code and run "make bin").

Regarding your second problem:
You probably want the Initiator (I) and the Responder (R) to grab the CA certificate (CA-cert) before I and R start communicating. The CA-cert then would be the trust anchor in your environment.
I and R would furthermore request their own certificates (i.e., I-cert and R-cert respectively) from the CA. Next I sends I-cert to R and R sends R-cert to I. Both I and R can now verify the validity of the certificates by validating the certificate chains (I-cert + CA-cert and R-cert + CA-cert).

Yes, our designing is just as what René Hummen said. But now we cannot find a detailed description of HIPL implementation document, so could you give me some advices on how to implement it, and which source files should I modify? Thank you very much.

Thanks Miika Komu, that solved my question.