Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SECMECH BOF EAP Methods IETF-63 Jari Arkko. 2 Outline Existing EAP methods Technical requirements EAP WG process for new methods Need for new EAP methods.

Published byGordon Gibbs Modified over 9 years ago

Similar presentations

Presentation on theme: "1 SECMECH BOF EAP Methods IETF-63 Jari Arkko. 2 Outline Existing EAP methods Technical requirements EAP WG process for new methods Need for new EAP methods."— Presentation transcript:

1 1 SECMECH BOF EAP Methods IETF-63 Jari Arkko

2 2 Outline Existing EAP methods Technical requirements EAP WG process for new methods Need for new EAP methods

3 3 EAP methods NamePublicationDemand Status MD5 (4)RFC2284bisExisting RFC OTP (5)RFC2284bisExisting RFC GTC (6)RFC2284bisExisting RFC EAP TLS (13)RFC 2716Existing RFC EAP SIM (18)draft-haverinen3GPP RFC-to-be EAP AKA (23)draft-arkko3GPP RFC-to-be

4 4 EAP methods NamePublicationDemand Status EAP TTLS (21)draft-ietf-pppextVendor I-D PEAPv0/1/2 (25)draft-joseffson*Vendor I-D MSCHAPv2 (26)draft-kamathVendor Expired EAP SSC (-)draft-urienVendor I-D EAP GSS (-)draft-abobaVendor Expired EAP TLS SASL (-)draft-anderssonVendor Expired

5 5 EAP methods NamePublicationDemand Status EAP MAKE (27)draft-berrendoVendor Expired EAP PSK (-)draft-bersaniVendor New I-D EAP FAST (43)draft-camVendor New I-D MD5 Tunneled (-)draft-funkVendor I-D EAP TLV (33)draft-josefsson*Vendor Expired EAP SRP-SHA1 (19)draft-ietf-pppextIETF Expired

6 6 EAP methods NamePublicationDemand Status EAP SecurID (32)draft-josefssonVendor Expired EAP Archie (-)draft-jwalkerVendor Expired EAP Bluetooth (-)draft-kimVendor New I-D EAP LDAP (-)draft-manciniVendor Expired EAP SKE (-)draft-salgarelliVendor Expired EAP GPRS (-)draft-salkiVendor I-D

7 7 EAP methods NamePublicationDemand Status EAP IKEv2 (-)draft-tschofenigVendor I-D EAP POTP (32)draft-nystromVendorI-D EAP KEA Valid. (12)-Vendor Undoc EAP Defender (14)-Vendor Undoc EAP SecurID (15)-Vendor Undoc EAP KEA (11)-Vendor Undoc

8 8 EAP methods NamePublicationDemand Status EAP Arcot (16)-Vendor Undoc Cisco LEAP (17)-Vendor Undoc EAP 3Com (24)-Vendor Undoc EAP Microsoft (26)-Vendor Undoc EAP CryptoCrd (28)-Vendor Undoc EAP RAS (22)-Vendor Undoc

9 9 EAP methods NamePublicationDemand Status EAP DynamID (30)-Vendor Undoc EAP Rob (31)-Vendor Undoc EAP Centrinet (34)-Vendor Undoc EAP Actiontec (35)-Vendor Undoc EAP Biometrics (36)-Vendor Undoc EAP AirFortress (37)-Vendor Undoc

10 10 EAP methods NamePublicationDemand Status EAP Digest (38)-Vendor Undoc EAP DevConn (40)-Vendor Undoc EAP MOBAC (42)-Vendor Undoc EAP ZoneLabs (44)-Vendor Undoc EAP SecureSuite (39)-Vendor Undoc EAP RSA PKA (9)-Vendor Undoc

11 11 Some observations A lot of methods, very few in RFCs –Not good! –Original, old EAP methods no longer suitable in wireless environment Undocumented methods proliferate, IETF submissions delayed as long as four years –Not good! A lot of methods with similar intents –E.g. tunneling -- not good either! A lot of methods with vendor background, a lot of expired methods –Status unknown

12 12 Technical Requirements “Does not break EAP” (RFC 3748) Security documentation must exist –Mechanism –Key hierarchy –Security claims –Vulnerabilities See also RFC 4017 for 802.11 requirements

13 13 Security Claims for EAP methods Protected ciphersuite negotation Mutual authentication Integrity protection, replay protection, confidentiality Key derivation, key strength Dictionary attack resistance Fast reconnect Cryptographic binding Session independence Channel binding

14 14 EAP WG Process for New Method Type Codes Either an official WG item or … … an individual submission –All the usual rules for these RFCs apply –Also need to pass “expert review” that the technical requirements are satisfied and sufficient documentation exists … a vendor-specific method

15 15 Need for New EAP Methods Undocumented and vendor-specific methods is not a good sign for openness and interoperability of a major interface EAP widely implemented and available, actual usage… not that big –But with WLAN phones, some 3G features, etc. the expectation is that a very large number of hosts will be using it Currently there is NO method that can be made mandatory to implement External SDO requirements (e.g. IEEE, TCG)

16 16 Some Interesting New EAP Methods An update of RFC 2617 (EAP-TLS) to bring it to standards track and take care of nits & observations gathered over the years A method that supports preshared secrets and generates keys (MD5 does not do the latter) -- e.g., EAP-PAX/PSK/IKEv2 Or a method that supports passwords Better support for channel bindings –802.11 AP -> VPN GW attack is currently possible

17 17 Some Concluding Thoughts It may be too late -- the IETF has been refusing to do this in various ways since the 1990’s OTOH, there is now interest, demands from SDOs, and new EAP usage => we can still have an effect, if done now The network access protocol stack is very important -- the IETF should worry about having an open, high-quality protocol set for this But don’t open the flood gates -- focus on limited number of methods (1-3) Integration of IETF auth frameworks is important, but network access application needs action now, not later

Download ppt "1 SECMECH BOF EAP Methods IETF-63 Jari Arkko. 2 Outline Existing EAP methods Technical requirements EAP WG process for new methods Need for new EAP methods."

Similar presentations

Authentication.

Authentication.
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)
Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005.

Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.

TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
1 Wireless LAN Security Kim W. Tracy NEIU, University Computing

1 Wireless LAN Security Kim W. Tracy NEIU, University Computing
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,

Similar presentations

Ads by Google