56th IETF, San Francisco CA, March 16-21, 2003: "EAP support in smartcards", Pascal Urien, ENST (draft-urien-eap-smartcard-01.txt)

Slide 1/7 (03/17/03). "EAP support in smartcards". Pascal Urien, ENST, Pascal.Urien@enst.fr. draft-urien-eap-smartcard-01.txt

Slide 2/7. Draft Objectives 1/2

- Standardization initiative for EAP support in smartcards. Agreement between major smartcard manufacturers. Under discussion in the WLAN smartcard consortium (www.wlansmartcard.org), supported by nineteen founding members.
- Definition of a "universal" ISO 7816 interface, i.e. one that supports most EAP authentication protocols. Eight services are defined in this version. Three logical interfaces:
  - Network interface. The smartcard directly processes EAP messages (requests, notifications). EAP profiles: a set of rules (where needed) for supporting a particular authentication protocol (maximum message size, ...).
  - Operating system interface. Identity management: multiple triplets (EAP-ID, EAP-Type, cryptographic keys) are stored in the smartcard; one triplet is required per network. User profile, typically an LDAP record stored in the smartcard (under discussion).
  - Management interface. Download and update of identities and profiles. Management could be done via dedicated EAP protocols (under discussion).

Slide 3/7. Draft Objectives 2/2

- Secure authentication.
- User authentication rather than computer authentication.
- One smartcard for several networks.
- Interoperability between EAP smartcards.

[Figure: Smartcard <- EAP over ISO 7816 -> Supplicant <- EAP over LAN (802.1X) -> Authenticator <- EAP over RADIUS -> RADIUS server. The smartcard holds the EAP engine, the EAP profiles and the identity triplets (EAP-ID, EAP-Type, crypto key(s)); the supplicant and authenticator only relay EAP packets.]

Slide 4/7. Smartcard Facilities

- Tamper-resistant device, extensively tested in the field (credit card, GSM card, PKI card...).
- Low cost.
- Multiple form factors (ISO 7816 credit-card format, GSM 11.11 SIM, USB...).
- Sufficient cryptographic performance (a 2048-bit RSA computation in 500 ms).
- Can be issued to millions of users (500 to 600 million smartcards produced in 2001).
- Can run multiple EAP protocols.
- Can be used in various networks (memory size around 128 KB; 1 MB with flash technology).

Slide 5/7. EAP smartcard components

Secure EAP framework: EAP-MD5, EAP-SIM, EAP-TLS, other. EAP authentication protocol profiles.

Identity list (one triplet per network):

  Identity    EAP-ID            EAP Type   Crypto key(s)                   Profile
  My-Home     dad               MD5        Password                        Network access policy
  My-Office   dad@dot.com       TLS        RSA keys + X.509 certificate    Office credentials
  SF-Airport  dad@Airport.com   SIM        Ki                              Subscription

Interfaces:
- Management interface: Add-Identity(), Delete-Identity().
- OS interface: Get-Next-Identity(), Get-Preferred-Identity(), Set-Identity(), Get-Pairwise-Master-Key(), Get-Subscriber-Profile().
- Network interface: EAP-Packets().

Slide 6/7. EAP smartcard, services list

The APDU column lists CLA INS P1 P2 followed by the length fields; xx and yy stand for variable lengths and P2 for an entry index.

  Service                   APDU                 Comments
  Add-Identity              A0 16 81 P2 00 xx    Add an identity entry to the EAP smartcard
  Delete-Identity           A0 16 82 P2 00 00    Delete an identity entry
  Get-Preferred-Identity    A0 16 02 00 00 xx    Get the preferred identity
  Get-Next-Identity         A0 16 01 00 00 xx    Extract the next identity from a circular list
  Get-Subscriber-Profile    A0 16 08 00 00 xx    Get the subscriber profile
  Set-Identity              A0 16 08 00 xx 00    Set the smartcard's current identity
  EAP-Packets               A0 80 00 00 xx yy    Process an EAP message (request or notification) and produce a response if necessary
  Get-Pairwise-Master-Key   A0 A6 00 00 00 20    Get the session key (the final 0x20 is 32 bytes, the length of a 256-bit PMK)
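To make the identity list of slide 5 and the services of this slide concrete, here is an added example (not code from the draft or from any card vendor): a software stand-in for the card that answers the A0-class commands above and runs the EAP engine for the "My-Home" (EAP-MD5) row, with the host side relaying EAP requests through EAP-Packets. CLA A0, INS 16/80 and the P1 codes are taken from the slide's APDU column; the short-APDU length layout (Lc+data or Le), the use of P2 as the EAP type for Add-Identity and as the entry index for Delete-Identity, the "id \0 key" data format and the sample triplets are this example's own assumptions. Get-Subscriber-Profile and Get-Pairwise-Master-Key are not modelled.

```python
import hashlib
import struct

# Added example, not code from the draft: a model of the identity list and of the
# A0-class services on the slide (Add/Delete/Get-Next/Get-Preferred/Set-Identity,
# EAP-Packets).  Only EAP-Identity and EAP-MD5 requests are handled.
CLA = 0xA0
INS_IDENTITY, INS_EAP_PACKETS = 0x16, 0x80
P1_GET_NEXT, P1_GET_PREFERRED, P1_SET, P1_ADD, P1_DELETE = 0x01, 0x02, 0x08, 0x81, 0x82
SW_OK, SW_NOT_FOUND, SW_NOT_ALLOWED, SW_BAD_INS = b"\x90\x00", b"\x6a\x88", b"\x69\x85", b"\x6d\x00"

EAP_REQUEST, EAP_RESPONSE = 1, 2                # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4


def apdu(ins, p1, p2=0, data=b"", le=0):
    """Encode a short ISO 7816-4 command APDU: CLA INS P1 P2, then Lc+data or Le (assumed layout)."""
    hdr = bytes([CLA, ins, p1, p2])
    return hdr + bytes([len(data)]) + data if data else hdr + bytes([le])


def md5_chap_value(ident, secret, challenge):
    """EAP-MD5 response value: MD5(Identifier || secret || challenge), RFC 1994 / RFC 3748."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class EapSmartcard:
    """Card side: identity triplets (EAP-ID, EAP-Type, key) plus a minimal EAP engine."""

    def __init__(self, identities):
        self.identities = list(identities)   # constructed sample triplets, see __main__
        self.cursor = 0                      # Get-Next-Identity walks a circular list
        self.current = None                  # chosen by Set-Identity; EAP refused until then

    def process(self, capdu):
        cla, ins, p1, p2 = capdu[:4]
        data = capdu[5:]                     # empty for Le-only commands
        if cla != CLA:
            return SW_BAD_INS
        if ins == INS_EAP_PACKETS:
            return self._eap(data)
        if ins != INS_IDENTITY:
            return SW_BAD_INS
        if p1 == P1_GET_NEXT:
            eap_id = self.identities[self.cursor][0]
            self.cursor = (self.cursor + 1) % len(self.identities)
            return eap_id + SW_OK
        if p1 == P1_GET_PREFERRED:
            return self.identities[0][0] + SW_OK        # first entry is the preferred one
        if p1 == P1_SET:
            hit = [t for t in self.identities if t[0] == data]
            if not hit:
                return SW_NOT_FOUND
            self.current = hit[0]
            return SW_OK
        if p1 == P1_ADD:                                  # data = EAP-ID '\0' key, P2 = EAP type
            eap_id, key = data.split(b"\x00", 1)
            self.identities.append((eap_id, p2, key))
            return SW_OK
        if p1 == P1_DELETE:                               # P2 = entry index
            if p2 >= len(self.identities):
                return SW_NOT_FOUND
            del self.identities[p2]
            self.cursor = 0
            return SW_OK
        return SW_BAD_INS

    def _eap(self, pkt):
        """Network interface: consume one EAP request and answer with an EAP response."""
        if self.current is None or len(pkt) < 5:
            return SW_NOT_ALLOWED
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt):
            return SW_NOT_ALLOWED
        eap_id, eap_type, key = self.current
        req_type = pkt[4]
        if req_type == EAP_TYPE_IDENTITY:
            body = bytes([EAP_TYPE_IDENTITY]) + eap_id
        elif req_type == EAP_TYPE_MD5 and eap_type == EAP_TYPE_MD5 and len(pkt) > 6:
            vsize = pkt[5]
            value = md5_chap_value(ident, key, pkt[6:6 + vsize])   # the key never leaves the card
            body = bytes([EAP_TYPE_MD5, len(value)]) + value + eap_id
        else:
            body = bytes([EAP_TYPE_NAK, eap_type])   # legacy Nak proposing the card's own type
        return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body + SW_OK


def authenticator_check(response, secret, challenge):
    """Server side of EAP-MD5: recompute the value from its own copy of the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or length != len(response) or response[4] != EAP_TYPE_MD5:
        return False
    vsize = response[5]
    return response[6:6 + vsize] == md5_chap_value(ident, secret, challenge)


if __name__ == "__main__":
    # constructed sample identity list mirroring the "My-Home" row of slide 5
    card = EapSmartcard([(b"dad", EAP_TYPE_MD5, b"hunter2")])
    card.process(apdu(INS_IDENTITY, P1_SET, data=b"dad"))
    challenge = bytes(range(8))
    request = struct.pack("!BBH", EAP_REQUEST, 2, 14) + bytes([EAP_TYPE_MD5, 8]) + challenge
    response = card.process(apdu(INS_EAP_PACKETS, 0, data=request))
    print(authenticator_check(response[:-2], b"hunter2", challenge))
```

The point the model makes is the one the slide's architecture relies on: the supplicant only moves opaque EAP packets between the card and the authenticator, so the password (or, for EAP-TLS/EAP-SIM, the private key or Ki) is only ever an input to a computation inside the card. Note also that the card refuses EAP-Packets until Set-Identity has selected a triplet, and answers an unsupported request type with a Nak rather than silently picking a weaker method.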

Slide 7/7. EAP smartcard profiles

  Profile   Comments
  MD5       Informative purpose
  EAP-SIM   Profile for EAP-SIM
  EAP-TLS   The maximum length of a non-fragmented EAP message is 240 bytes. For a fragmented EAP message, the maximum length value is also 240 bytes.
  PEAP      Under discussion
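What the 240-byte EAP-TLS profile limit means for the host is that every TLS flight larger than that has to be carried as an RFC 2716 fragment chain (L, M and S flags, TLS Message Length in the first fragment) and the receiving side has to put it back together and refuse chains that do not add up. The following is an added example, not the draft's or any vendor's code: a fragmenter bounded by the profile's 240 bytes per EAP packet and a reassembler with the checks a practitioner would want. The 64 KiB cap on the announced length is this example's own choice, not something the draft or RFC 2716 specifies.

```python
import struct

# Added example, not code from the draft: EAP-TLS fragmentation (RFC 2716 section 4.2)
# bounded by the 240-byte EAP packet limit of the slide's EAP-TLS profile.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # Length included, More fragments, Start
MAX_EAP_LEN = 240                                # profile limit: whole EAP packet, header included
MAX_ANNOUNCED = 64 * 1024                        # assumed cap on TLS Message Length (this example's choice)


def fragment_eap_tls(tls_data, first_ident, max_len=MAX_EAP_LEN, code=EAP_REQUEST):
    """Split one TLS flight into EAP-TLS packets of at most max_len bytes each."""
    fixed = 4 + 1 + 1                              # EAP header + Type + Flags
    if len(tls_data) <= max_len - fixed:           # fits in one packet: no L/M flags needed
        body = bytes([EAP_TYPE_TLS, 0]) + tls_data
        return [struct.pack("!BBH", code, first_ident, 4 + len(body)) + body]
    packets, offset, ident = [], 0, first_ident
    while offset < len(tls_data):
        first = offset == 0
        room = max_len - fixed - (4 if first else 0)   # first fragment also carries TLS Message Length
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_data))
        body += chunk
        packets.append(struct.pack("!BBH", code, ident, 4 + len(body)) + body)
        ident = (ident + 1) & 0xFF                 # each fragment is its own EAP exchange
    return packets


def reassemble_eap_tls(packets):
    """Receiving side: validate flags and lengths, return the TLS data or raise ValueError."""
    buf, expected_total, expect_more = b"", None, True
    for i, pkt in enumerate(packets):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, data = pkt[5], pkt[6:]
        if i == 0 and flags & FLAG_L:
            expected_total, data = struct.unpack("!I", data[:4])[0], data[4:]
            if expected_total > MAX_ANNOUNCED:     # do not allocate on an attacker-chosen length
                raise ValueError("TLS Message Length too large")
        elif i > 0 and flags & FLAG_L:
            raise ValueError("L flag on a non-first fragment")
        buf += data
        if expected_total is not None and len(buf) > expected_total:
            raise ValueError("fragments exceed announced length")
        expect_more = bool(flags & FLAG_M)
        if not expect_more:
            break
    if expect_more:
        raise ValueError("incomplete message")
    if expected_total is not None and len(buf) != expected_total:
        raise ValueError("announced length mismatch")
    return buf


def is_rejected(packets):
    """True if reassemble_eap_tls refuses the packet sequence."""
    try:
        reassemble_eap_tls(packets)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # constructed stand-in for a 1000-byte TLS flight (e.g. a server Certificate message)
    flight = bytes(i % 251 for i in range(1000))
    frags = fragment_eap_tls(flight, first_ident=10)
    print(len(frags), [len(p) for p in frags], reassemble_eap_tls(frags) == flight)
```

A 1000-byte flight becomes five EAP packets (four of exactly 240 bytes and one of 74). The reassembler enforces the announced length both ways: a chain that overruns it is rejected as soon as that happens, and a chain that ends short of it (a dropped fragment) is rejected instead of being handed to the TLS engine as a truncated record.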

