IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech.


Introduction
- Combine EAP-TTLS with biometry
- Project developed for particular security conditions
  - Administrative restricted access in sensitive areas
- Main ideas:
  - EAP-TTLS offers many choices for authentication protocols during Phase 2
  - Advantages of biometry combined with the security of EAP-TTLS
  - Digital signatures added using smartcards

EAP-TTLS (architecture diagram; labels only): user profiles, server certificate, RADIUS, 802.1X, EAP-TTLS, login and password, access point, RADIUS server, home RADIUS server.

EAP-BIO (overview diagram)
- EAP-TTLS session initiation, then biometric authentication
- Elements: user, smartcard, biometric reader, server; client certificate, server certificate
- Signed fingerprint, carried in an AVP encapsulating the signed fingerprint
- Phase 1: mutual authentication
- Phase 2: biometric authentication
- Session keys: f(Master_Secret, Client_Random, Server_Random)

Mutual authentication – Phase 1 (message flow between client, access point and RADIUS server)
1. Client -> Access Point: EAPOL-Start
2. Access Point -> Client: EAP-Request/Identity
3. Client -> Access Point: EAP-Response/Identity; Access Point -> RADIUS Server: RADIUS(Access-Request)
4. RADIUS Server -> Access Point: RADIUS(Access-Challenge); Access Point -> Client: EAP-Request/TTLS-Start
5. Client -> Access Point: EAP-Response/ClientHello; Access Point -> RADIUS Server: RADIUS(Access-Request)
6. RADIUS Server -> Access Point: RADIUS(Access-Challenge) / ServerHello, Certificate, ServerKeyExchange, ServerHelloDone; Access Point -> Client: EAP-Request/TTLS
7. Client -> Access Point: EAP-Response / ClientKeyExchange, Certificate, ChangeCipherSpec, Finished; Access Point -> RADIUS Server: RADIUS(Access-Request)
8. RADIUS Server -> Access Point: RADIUS(Access-Challenge) / ChangeCipherSpec, Finished; Access Point -> Client: EAP-Request/TTLS
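Once the Finished messages above have been exchanged, both ends derive the session keys from the TLS master secret and the two handshake randoms, which is the f(Master_Secret, Client_Random, Server_Random) of the overview slide. The following is an added example, not code from the draft or its authors: it implements the TLS 1.2 PRF (RFC 5246, P_SHA256) and the key-block split, with all secrets and randoms constructed inline. The cipher-suite sizes (AES-128, HMAC-SHA256) are an assumption chosen for illustration.

```python
import hmac
import hashlib


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Seed order for the master secret is client_random followed by server_random.
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    # Seed order is reversed for key expansion: server_random first (RFC 5246 section 6.3).
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[off:off + size]
        off += size
    return keys


def derive_session_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (master_secret, per-direction keys) for an assumed AES-128-CBC / HMAC-SHA256 suite."""
    ms = master_secret(pre_master_secret, client_random, server_random)
    return ms, key_block(ms, client_random, server_random, mac_len=32, key_len=16, iv_len=16)


if __name__ == "__main__":
    # Constructed sample inputs; real values come from the handshake and the smartcard's RSA operation.
    pms = bytes(range(48))
    cr, sr = b"C" * 32, b"S" * 32
    ms, keys = derive_session_keys(pms, cr, sr)
    print("master_secret:", ms.hex())
    for k, v in keys.items():
        print(f"{k}: {v.hex()}")
```

The two seed orders are a classic source of interoperability bugs: a derivation that gets them backwards still produces 48-byte and correctly sized outputs, but the Finished MACs will not verify against a conforming peer.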

Authentication – Phase 2 (message flow between client, access point and RADIUS server)
1. Client -> Access Point: EAP-Response / {biometric fingerprint, timestamp, signatures}; Access Point -> RADIUS Server: RADIUS(Access-Request)
2. RADIUS Server: verification of the authentication data
3. RADIUS Server -> Access Point: RADIUS(Access-Accept); Access Point -> Client: EAP-Success

EAP-BIO: Phase 1
- Phase 1: mutual authentication
  - A client certificate is needed
  - It can be stored on a smartcard along with the RSA private key
  - The card is used to initiate the EAP-TTLS session

EAP-BIO: Phase 2
- Phase 2: biometric authentication
  - The biometric fingerprint is encapsulated in AVPs using the CBEFF format
  - It can be used for 1:N or 1:1 authentication
    - 1:1 authentication is more efficient
    - EAP-BIO performs 1:1 authentication, since the identity of the user is already known from Phase 1
  - Security problems to be solved about biometry
    - Certify that the fingerprint was issued by the biometric reader
    - Certify the voluntary action of the user
    - The reader must be secure (prevent the use of fake fingerprints)

Security of EAP-BIO
- Use of smartcards and digital signatures
  - Sign the fingerprint issued by the reader
    - Insert a timestamp to prevent replay attacks
    - Sign the fingerprint on the client before sending it to the server
  - Certify the voluntary action of the user
    - Initiate the EAP-TTLS session with a smartcard
    - A signature from the user may be required
- Session keys: f(Master_Secret, Client_Random, Server_Random)
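The Phase 2 slide sends {fingerprint, timestamp, signatures} and the server performs "verification of authentication data"; this slide explains that the timestamp is there to defeat replay. The following is an added example, not code from the draft: it shows the server-side checks a verifier needs in that order (signature, freshness window, replay cache) and why a timestamp alone is not enough inside the window. The smartcard's RSA signature is stood in for by an HMAC-SHA256 with a per-user key so the example runs with the standard library only; the 30-second window, the message layout and the constructed sample values are assumptions, not taken from the draft. The biometric match of the received template against the enrolled one (the 1:1 comparison) happens after these checks and is not shown.

```python
import hashlib
import hmac
import struct

MAX_SKEW_SECONDS = 30  # assumed freshness window; the draft does not specify one


def auth_message(fingerprint: bytes, timestamp: int) -> bytes:
    """Canonical byte string covered by the signature.

    The fingerprint is length-prefixed so that (fingerprint, timestamp) cannot be
    re-split into a different pair that hashes to the same bytes.
    """
    return struct.pack("!I", len(fingerprint)) + fingerprint + struct.pack("!Q", timestamp)


def sign_sample(user_key: bytes, fingerprint: bytes, timestamp: int) -> bytes:
    # Stand-in for the RSA signature computed on the smartcard.
    return hmac.new(user_key, auth_message(fingerprint, timestamp), hashlib.sha256).digest()


class Phase2Verifier:
    """Server-side verification of one user's biometric authentication data."""

    def __init__(self, user_key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self._key = user_key
        self._max_skew = max_skew
        self._seen = {}  # digest of accepted message -> its timestamp (replay cache)

    def _prune(self, now: int) -> None:
        # Entries older than the freshness window can never be accepted again, so drop them.
        for digest, ts in list(self._seen.items()):
            if ts < now - self._max_skew:
                del self._seen[digest]

    def verify(self, fingerprint: bytes, timestamp: int, signature: bytes, now: int) -> str:
        # 1. Authenticity first, with a constant-time comparison.
        expected = sign_sample(self._key, fingerprint, timestamp)
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        # 2. Freshness: reject anything outside the window (clock skew in either direction).
        if abs(now - timestamp) > self._max_skew:
            return "stale"
        # 3. Replay: a valid, fresh message may still be a copy of one already accepted.
        self._prune(now)
        digest = hashlib.sha256(auth_message(fingerprint, timestamp)).digest()
        if digest in self._seen:
            return "replay"
        self._seen[digest] = timestamp
        return "ok"


if __name__ == "__main__":
    # Constructed sample: a per-user key, a template, and a client clock of 1 700 000 000.
    key = b"constructed-per-user-key"
    fp = b"constructed fingerprint template bytes"
    verifier = Phase2Verifier(key)
    sig = sign_sample(key, fp, 1_700_000_000)
    print(verifier.verify(fp, 1_700_000_000, sig, now=1_700_000_005))  # ok
    print(verifier.verify(fp, 1_700_000_000, sig, now=1_700_000_006))  # replay
```

Checking the signature before the timestamp means an attacker cannot probe the server's clock or its replay cache with unsigned messages, and the cache only ever holds entries that passed both earlier checks, which bounds its size to the number of successful authentications per window.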

AVP encapsulating the fingerprint (structure)
- Header
- Container: fingerprint (CBEFF structure)
- PKCS#7 capsule containing the signatures
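The Phase 2 slide says the fingerprint is encapsulated in AVPs inside the TTLS tunnel, and this slide gives the container layout. The following is an added example, not code from the draft: it encodes and parses AVPs in the format EAP-TTLS uses for Phase 2 data (RFC 5281 section 10.1, Diameter-style: 32-bit Code, 8-bit flags with V and M, 24-bit Length covering header and data but not padding, optional 32-bit Vendor-ID, data padded to a 4-byte boundary), with the length and truncation checks a receiver needs. The AVP codes, the vendor id and the payload bytes are placeholders; the draft's real code points are not on this page, and the CBEFF and PKCS#7 contents are treated as opaque byte strings.

```python
import struct

AVP_VENDOR = 0x80     # V flag: Vendor-ID field present
AVP_MANDATORY = 0x40  # M flag: receiver must understand this AVP or fail

# Placeholder code points for illustration only; not the values from the draft.
AVP_CODE_FINGERPRINT = 1   # container: fingerprint (CBEFF structure)
AVP_CODE_SIGNATURES = 2    # PKCS#7 capsule containing the signatures
VENDOR_ID_PLACEHOLDER = 99999


def encode_avp(code: int, data: bytes, vendor_id=None, mandatory: bool = True) -> bytes:
    """Serialise one AVP with header, optional Vendor-ID, data and zero padding."""
    flags = (AVP_VENDOR if vendor_id is not None else 0) | (AVP_MANDATORY if mandatory else 0)
    header_len = 8 + (4 if vendor_id is not None else 0)
    length = header_len + len(data)  # AVP Length excludes the padding
    if length > 0xFFFFFF:
        raise ValueError("AVP too large for the 24-bit length field")
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * ((-length) % 4)


def decode_avps(buf: bytes) -> list:
    """Parse a sequence of AVPs, rejecting truncated or inconsistent lengths."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 8 + (4 if flags & AVP_VENDOR else 0)
        # Length must at least cover the header and must not run past the buffer.
        if length < header_len or off + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_VENDOR else None
        data = bytes(buf[off + header_len:off + length])
        avps.append({"code": code, "vendor_id": vendor_id,
                     "mandatory": bool(flags & AVP_MANDATORY), "data": data})
        off += length + (-length) % 4  # step over the data and its padding
    return avps


def build_phase2_payload(cbeff_container: bytes, pkcs7_capsule: bytes) -> bytes:
    """Two AVPs in one tunnelled record: the fingerprint container and the signature capsule."""
    return (encode_avp(AVP_CODE_FINGERPRINT, cbeff_container, vendor_id=VENDOR_ID_PLACEHOLDER)
            + encode_avp(AVP_CODE_SIGNATURES, pkcs7_capsule, vendor_id=VENDOR_ID_PLACEHOLDER))


if __name__ == "__main__":
    # Constructed opaque payloads standing in for a CBEFF structure and a PKCS#7 capsule.
    payload = build_phase2_payload(b"CBEFF-container-placeholder", b"PKCS7-placeholder")
    for avp in decode_avps(payload):
        print(avp["code"], avp["vendor_id"], avp["mandatory"], len(avp["data"]))
```

A receiver that trusts the 24-bit Length field without the two bounds checks above can be made to read past the record or to loop on a zero-length AVP; the `length < header_len` test also rejects the latter.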