Presentation is loading. Please wait.

Presentation is loading. Please wait.

IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech.

Published byElisabeth Chase Modified over 9 years ago

Similar presentations

Presentation on theme: "IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech."— Presentation transcript:

1 IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech

2 Introduction Combine EAP-TTLS with Biometry Project developed for particular security conditions  Administrative restricted access in sensitive areas Main ideas :  EAP-TTLS offers many choices for authentication protocols during Phase 2  Advantages of biometry combined with the security of EAP-TTLS  Digital signatures added using smartcards

3 EAP-TTLS User profiles Server certificate RADIUS 802.1X EAP-TTLS Login, Password Access point RADIUS ServerHOME RADIUS Server

4 EAP-BIO EAP-TTLS session initiation Biometric authentication User SmartCard Biometric reader AVP encapsulating the signed fingerprint Signed fingerprint Client certificate Server certificate Phase 1 : Mutual Authentication Phase 2 : Biometric authentication Session Keys : f(Master_Secret, Client_Random, Server_Random) Server

5 Mutual authentication – Phase 1 Access Point EAPOL-Start EAP-Request/Identity EAP-Response/IdentityRADIUS(Access-Request) EAP-Request/TTLS-StartRADIUS(Access-Challenge) EAP-Response/ClientHelloRADIUS(Access-Request) EAP-Request/TTLS RADIUS(Access-Challenge)/ ServerHello, Certificate, ServerKeyExchange, ServerHelloDone EAP-Response/ ClientKeyExchange, Certificate, ChangeCipherSpec, Finished RADIUS(Access-Request) EAP-Request/TTLSRADIUS(Access-Challenge)/ ChangeCipherSpec, Finished ClientRadius Server

6 Authentification – Phase 2 ClientAccess pointRadius Server EAP-Response/ {Biometric fingerprint, timestamp, signatures} RADIUS(Access-Request) EAP-SuccessRADIUS(Access-Accept) Verification of authentication data

7 EAP-BIO : Phase 1 Phase 1 : Mutual authentication  Need of a client certificate  Can be stored on a smartcard along with the RSA private key  The card is used to initiate the EAP-TTLS session

8 EAP-BIO : Phase 2 Phase 2 : Biometric authentication  Biometric fingerprint encapsulated in AVPs with CBEFF format  Can be used on a 1:N or a 1:1 authentication A 1:1 authentication is more performant EAP-BIO performs a 1:1 authentication since the identity of the user is known through Phase 1  Security problems to be solved about biometry Certify the fingerprint issued by the biometric reader Certify the voluntary action of the user The reader must be secure (prevent the use false fingerprints)

9 Security of EAP-BIO Use of smartcards and digital signatures  Sign the fingerprint issued by the reader Insert a timestamp to prevent replay attacks  Sign the fingerprint with the client before sending to the server  Certify the voluntary action of the user Initiate the EAP-TTLS session with a smartcard A signature from the user may be required  Session Keys : f(Master-Secret, Client- random, Server-random)

10 AVP encapsulating the fingerprint Container Fingerprint (CBEFF Structure) PKCS#7 Capsule Containing signatures Header

Download ppt "IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech."

Similar presentations

draft-urien-tls-psk-emv-00

draft-urien-tls-psk-emv-00
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.
We leave the world of cryptography for a while.

We leave the world of cryptography for a while.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
A Survey of WAP Security Architecture Neil Daswani

A Survey of WAP Security Architecture Neil Daswani
A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :11.23 1.

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :

Similar presentations

Ads by Google