SECMECH BOF EAP Methods
SECMECH BOF EAP Methods IETF-63 Jari Arkko

Outline
- Existing EAP methods
- Technical requirements
- EAP WG process for new methods
- Need for new EAP methods

EAP methods (type code in parentheses in the original slides; "Undoc" = type code assigned but no public specification; "I-D" = Internet-Draft)

Name              Type  Publication         Demand    Status
MD5               4     RFC2284bis          Existing  RFC
OTP               5     RFC2284bis          Existing  RFC
GTC               6     RFC2284bis          Existing  RFC
EAP TLS           13    RFC 2716            Existing  RFC
EAP SIM           18    draft-haverinen     3GPP      RFC-to-be
EAP AKA           23    draft-arkko         3GPP      RFC-to-be
EAP TTLS          21    draft-ietf-pppext   Vendor    I-D
PEAPv0/1/2        25    draft-josefsson*    Vendor    I-D
MSCHAPv2          26    draft-kamath        Vendor    Expired
EAP SSC           -     draft-urien         Vendor    I-D
EAP GSS           -     draft-aboba         Vendor    Expired
EAP TLS SASL      -     draft-andersson     Vendor    Expired
EAP MAKE          27    draft-berrendo      Vendor    Expired
EAP PSK           -     draft-bersani       Vendor    New I-D
EAP FAST          43    draft-cam           Vendor    New I-D
MD5 Tunneled      -     draft-funk          Vendor    I-D
EAP TLV           33    draft-josefsson*    Vendor    Expired
EAP SRP-SHA1      19    draft-ietf-pppext   IETF      Expired
EAP SecurID       32    draft-josefsson     Vendor    Expired
EAP Archie        -     draft-jwalker       Vendor    Expired
EAP Bluetooth     -     draft-kim           Vendor    New I-D
EAP LDAP          -     draft-mancini       Vendor    Expired
EAP SKE           -     draft-salgarelli    Vendor    Expired
EAP GPRS          -     draft-salki         Vendor    I-D
EAP IKEv2         -     draft-tschofenig    Vendor    I-D
EAP POTP          32    draft-nystrom       Vendor    I-D
EAP KEA           11    -                   Vendor    Undoc
EAP KEA Valid.    12    -                   Vendor    Undoc
EAP Defender      14    -                   Vendor    Undoc
EAP SecurID       15    -                   Vendor    Undoc
EAP Arcot         16    -                   Vendor    Undoc
Cisco LEAP        17    -                   Vendor    Undoc
EAP RAS           22    -                   Vendor    Undoc
EAP 3Com          24    -                   Vendor    Undoc
EAP Microsoft     26    -                   Vendor    Undoc
EAP CRYPTOCard    28    -                   Vendor    Undoc
EAP DynamID       30    -                   Vendor    Undoc
EAP Rob           31    -                   Vendor    Undoc
EAP Centrinet     34    -                   Vendor    Undoc
EAP Actiontec     35    -                   Vendor    Undoc
EAP Biometrics    36    -                   Vendor    Undoc
EAP AirFortress   37    -                   Vendor    Undoc
EAP Digest        38    -                   Vendor    Undoc
EAP SecureSuite   39    -                   Vendor    Undoc
EAP DevConn       40    -                   Vendor    Undoc
EAP MOBAC         42    -                   Vendor    Undoc
EAP ZoneLabs      44    -                   Vendor    Undoc
EAP RSA PKA       9     -                   Vendor    Undoc

Some observations
- A lot of methods, very few in RFCs. Not good!
- The original, old EAP methods are no longer suitable in a wireless environment
- Undocumented methods proliferate; IETF submissions delayed as long as four years
- A lot of methods with similar intents, e.g. tunneling. Not good either!
- A lot of methods with vendor background, and a lot of expired methods whose status is unknown

Technical requirements
- "Does not break EAP" (RFC 3748)
- Security documentation must exist, covering:
  - Mechanism
  - Key hierarchy
  - Security claims
  - Vulnerabilities
- See also RFC 4017 for the IEEE 802.11 requirements

Security claims for EAP methods (the claims a method must document per RFC 3748, section 7.2)
- Protected ciphersuite negotiation
- Mutual authentication
- Integrity protection, replay protection, confidentiality
- Key derivation, key strength
- Dictionary attack resistance
- Fast reconnect
- Cryptographic binding
- Session independence
- Channel binding
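The "key hierarchy" and "key derivation" items above are concrete enough to show in code. The following is an added example, not part of the slides: it implements the EAP-TLS key hierarchy as RFC 2716 section 3.5 documents it (the MSK and EMSK are the first and second 64 bytes of the TLS 1.0 PRF of the master secret with the label "client EAP encryption" and the seed client.random || server.random), so that a reviewer can see what a "documented key hierarchy" looks like for the one standards-track method on the list. The PRF is the TLS 1.0 one from RFC 2246 (P_MD5 XOR P_SHA-1); the master secret and randoms in the demo are constructed, since a real peer takes them from its TLS stack.

```python
"""
EAP-TLS key hierarchy (RFC 2716 section 3.5, kept in RFC 5216 section 2.3):

    key_material = PRF(master_secret, "client EAP encryption",
                       client.random + server.random)      # 128 bytes
    MSK  = key_material[0:64]
    EMSK = key_material[64:128]

PRF is the TLS 1.0 PRF of RFC 2246 section 5: the secret is split in two
halves and P_MD5 over the first half is XORed with P_SHA-1 over the second.
"""
import hmac
import os


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    S1 and S2 are the two halves of the secret; for an odd-length secret
    they share the middle byte, exactly as RFC 2246 specifies."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:] if half else b""
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


EAP_TLS_LABEL = b"client EAP encryption"


def eap_tls_keys(master_secret: bytes, client_random: bytes,
                 server_random: bytes) -> tuple:
    """Return (MSK, EMSK) for EAP-TLS. Both are 64 bytes; the lower layer
    (e.g. 802.11i) consumes the MSK, the EMSK is reserved for other uses."""
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS master secret is 48 bytes, each random is 32 bytes")
    key_material = tls10_prf(master_secret, EAP_TLS_LABEL,
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:]


if __name__ == "__main__":
    # Constructed inputs; a real peer takes these from its TLS session.
    master_secret = bytes(range(48))
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    msk, emsk = eap_tls_keys(master_secret, client_random, server_random)
    print("MSK  =", msk.hex())
    print("EMSK =", emsk.hex())
```

Note what the derivation makes explicit and what it does not: the keys depend on both randoms, so they are session-independent (one of the claims above), but the MSK is exported to whichever NAS forwarded the exchange, which is exactly why channel binding is a separate claim.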

EAP WG process for new method type codes
- Either an official WG item, or ...
- ... an individual submission
- All the usual rules for these RFCs apply
- Also need to pass "expert review" that the technical requirements are satisfied and sufficient documentation exists
- ... or a vendor-specific method

Need for new EAP methods
- Undocumented and vendor-specific methods are not a good sign for the openness and interoperability of a major interface
- EAP is widely implemented and available; actual usage ... not that big
- But with WLAN phones, some 3G features, etc., the expectation is that a very large number of hosts will be using it
- Currently there is NO method that can be made mandatory to implement
- External SDO requirements (e.g. IEEE, TCG)

Some interesting new EAP methods
- An update of RFC 2716 (EAP-TLS) to bring it to standards track and take care of the nits and observations gathered over the years
- A method that supports pre-shared secrets and generates keys (MD5 does not do the latter), e.g. EAP-PAX, EAP-PSK, EAP-IKEv2
- Or a method that supports passwords
- Better support for channel bindings: the 802.11 AP -> VPN GW attack is currently possible, because without channel binding the peer cannot verify which NAS (or which service) its EAP exchange is actually being forwarded to
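The last bullet is the "lying NAS" problem, and the check that channel binding adds is small enough to show. The following is an added example, not from the slides: the peer sends its view of the network it is attaching to (service type, SSID, BSSID) inside the method's protected channel, and the AAA server compares it with what it knows out of band about the NAS that forwarded the RADIUS request. The NAS database, addresses and names are constructed for the example; the field set is one plausible choice, not a specification.

```python
"""
Channel binding check against a NAS that relays the peer's EAP exchange
to a different service.

Scenario: a rogue 802.11 AP advertises the corporate SSID, the peer starts
EAP, and the AP hands the conversation to a VPN gateway, which forwards it
to the AAA server as a RADIUS request. The peer authenticates, the AAA
server exports the MSK to the VPN gateway, and nobody noticed that the peer
thought it was joining a WLAN. With channel binding the peer's view of the
NAS travels inside the method's integrity-protected channel (so the relay
cannot rewrite it) and the AAA server rejects on mismatch.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NasView:
    service: str          # "wlan" or "vpn"
    ssid: str = ""        # 802.11 only
    bssid: str = ""       # 802.11 only


# Constructed AAA-side NAS database: what the server knows about each
# RADIUS client, keyed by the source address of the Access-Request.
AAA_NAS_DB = {
    "10.0.0.2": NasView("wlan", ssid="corpnet", bssid="00:11:22:33:44:55"),
    "10.0.0.9": NasView("vpn"),
}


def aaa_decide(radius_src: str, peer_view: Optional[NasView]) -> Tuple[bool, str]:
    """AAA server decision for one EAP conversation.

    peer_view is the NAS description the peer sent inside the protected EAP
    method, or None when the method carries no channel binding at all."""
    nas = AAA_NAS_DB.get(radius_src)
    if nas is None:
        return False, "request from unknown NAS"
    if peer_view is None:
        # This is the gap the slide points at: without channel binding the
        # server has nothing to compare and accepts on credentials alone.
        return True, "accepted without channel binding"
    if peer_view != nas:
        return False, f"channel binding mismatch: peer saw {peer_view}, AAA knows {nas}"
    return True, "accepted, channel binding verified"


def run_scenarios() -> dict:
    """Honest AP, relaying rogue AP with and without channel binding."""
    honest = NasView("wlan", ssid="corpnet", bssid="00:11:22:33:44:55")
    # Rogue AP clones the SSID but cannot clone the registered BSSID, and the
    # request reaches the AAA server from the VPN gateway, not from an AP.
    rogue = NasView("wlan", ssid="corpnet", bssid="de:ad:be:ef:00:01")
    return {
        "honest_ap": aaa_decide("10.0.0.2", honest),
        "relay_no_binding": aaa_decide("10.0.0.9", None),
        "relay_with_binding": aaa_decide("10.0.0.9", rogue),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

The comparison only means something if the peer's view is carried inside the method's protected channel and the AAA server's view comes from a source the NAS cannot influence (its NAS registration, not a self-reported RADIUS attribute); a NAS that can rewrite either side of the comparison defeats the check.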

Some concluding thoughts
- It may be too late: the IETF has been refusing to do this in various ways since the 1990s
- On the other hand, there is now interest, demands from SDOs, and new EAP usage, so we can still have an effect, if done now
- The network access protocol stack is very important; the IETF should worry about having an open, high-quality protocol set for it
- But don't open the flood gates: focus on a limited number of methods (1-3)
- Integration of IETF authentication frameworks is important, but the network access application needs action now, not later