Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt.

Published byMerryl Young Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt."— Presentation transcript:

1

2 Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Pascal.Urien@enst.fr Draft-urien-EAP-smartcard-02.txt

3 Slide 2/8 07/17/03 EAP EAP Support in Smartcard. Goals  Definition of an “universal” ISO 7816 interface, e.g. supporting most of EAP authentication protocols. EAP smartcard benefits  Network credentials are securely stored.  Smartcard bearer doesn’t know its network credentials (shared secret, asymmetric keys…)  EAP protocols are computed in a trusted environment.  Smartcard can’t be cloned.  Smartcard is blocked/unblocked by the user’s PIN-code Other aspects  Scalability. Half a billion smartcards produced in 2001.  Multiple form factors (ISO 7816 Credit Card Format, SIM GSM 11.11, USB…).  Sufficient cryptographic performances (RSA 2048 bits calculation in 500 ms), memory size around 128 kb, one Mb with the FLASH technology).

4 Slide 3/8 07/17/03 EAP Overview EAP / RADIUS EAP / LAN EAP / 7816 RADIUS802.1xISO 7816  Secure Authentication.  User authentication rather than computer authentication  One smartcard for several networks.  Interoperability between EAP smartcards. Smartcard Supplicant AuthenticatorRADIUS server EAP EAP Engine EAP profile EAP profile EAP-ID EAP-Type Crypto Key(s)

5 Slide 4/8 07/17/03 EAP Basic Concepts Identity  A pointer to a set of information that is needed for processing EAP-Messages, EAP-ID, EAP-Type, Cryptographic Keys User Profile, information meaningful for the terminal or the network (SSID, radio channel, X509 certificates…) Profile  Implementation recommendation for particular EAP- Type. PIN Management  EAP smartcard may be protected by a PIN code, only knew/managed by its bearer. EAP Application.  An EAP (smartcard) application may be associated to one or more EAP-Type. In that case it is started by a Select-AID command.

6 Slide 5/8 07/17/03 EAP EAP Smartcard Services 1/3 Four logical interfaces.  Network interface. Smartcard directly processes EAP messages (requests, notifications). EAP profiles definition. A set of rules (if needed) for supporting a particular authentication protocol (messages maximum size, …).  Operating System/Terminal interface. Identity management. Multiple triplets (EAP-ID, EAP-Type, cryptographic keys) are stored in the smartcard; a triplet is required by each network. User profile, typically an LDAP record stored in the smartcard (under discussion).  Management/Personalization interface. Identities & profiles download and update. Management could be done via dedicated EAP protocols (under discussion).  User Interface Personal Identification Number (PIN code) management

7 Slide 6/8 07/17/03 EAP EAP Smartcard Services 2/3 Secure EAP Framework EAP-MD5 EAP-SIMEAP-TLS OTHER IDENTITYEAP-IDEAP TYPE CRYPTO Key(s) PROFILE My-HomedadMD5Password- My-Officedad@dot.comTLSRSA KeysCredentials SF-Airportdad@Airport.comSIMKiSubscription EAP authentication protocols profiles Management Personalization Interface OS/Terminal Interface Get-Next-Identity() Get-Preferred-Identity() Get-Current-Identity() Set-Identity() Set-Multiple-Identity() Get-Session() Get-Profile-Data() Select-AID() Add-Identity() Delete-Identity() Network interface Process-EAP() Identity List User Interface Verify-PIN() Change-PIN() Enable-PIN() Disable-PIN() Unblock-PIN()

8 Slide 7/8 07/17/03 EAP EAP smartcard Services 3/3. SERVICE APDU CLA INS P1 P2 Lc Le COMMENTS Process-EAP Ax 80 00 ii xx yyProcess an EAP message Add-Identity Ax 17 00 81 xx 00Add an identity entry to the EAP smartcard Delete-Identity Ax 17 00 82 xx 00Delete an identity entry Get-Current-Identity Ax 16 00 00 00 xxGet the current identity Get-Next-Identity Ax 16 00 01 00 xxExtract the identity from a circular list Get-Preferred-Identity Ax 16 00 02 00 xxGet the preferred identity Set-Identity Ax 16 00 80 xx 00Set the smartcard current identity Set-Multiple-Identity Ax 16 00 83 xx 00Set an multiple identity Get-Profile-Data Ax 1A 00 00 00 xxGet the subscriber profile. Get-Current-Version Ax 10 xx yy 00 02P1#0 is the EAP-Type, P2=0 EAP version, P2=1 WLAN Smartcard Consortium version Get-Session-Key Ax A6 00 ii 00 20Get the session key. Verify-PIN A0 20 00 00 08 00Verify the user current PIN code Change-PIN A0 24 00 00 10 00Change the user current PIN code Enable-PIN A0 26 00 00 08 00Enable pin code use Disable-PIN A0 28 00 00 08 00Disable pin code use Unblock-PIN A0 2C 00 00 10 00Unblock EAP smartcard Select-AID 00 A0 04 00 xx 00Start an EAP smartcard application

9 Slide 8/8 07/17/03 EAP EAP smartcard profiles. ProfileComments MD5Informative purpose EAP-SIMProfile for EAP-SIM EAP-TLSFragmentation issue under discussion PEAPUnder Discussion

Download ppt "Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt."

Similar presentations

Authentication.

Authentication.
Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Slide 1/7 03/17/03 56th IETF San Francisco CA, March 16-21, 2003 “EAP support in smartcards” My name is Pascal Urien, ENST Draft-urien-EAP-smartcard-01.txt.

Slide 1/7 03/17/03 56th IETF San Francisco CA, March 16-21, 2003 “EAP support in smartcards” My name is Pascal Urien, ENST Draft-urien-EAP-smartcard-01.txt.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
An Architectural Framework for Providing WLAN Roaming D.Vassis G.Kormentzas Dept. of Information and Communication Systems Engineering University of the.

An Architectural Framework for Providing WLAN Roaming D.Vassis G.Kormentzas Dept. of Information and Communication Systems Engineering University of the.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

Similar presentations

Ads by Google