Slide 1/8 07/17/03 EAP
“EAP support in smartcards”
Pascal Urien et al., ENST, Pascal.Urien@enst.fr
Draft-urien-EAP-smartcard-02.txt
57th IETF, WIEN, Austria, July 13-18, 2003
Slide 2/8: EAP Support in Smartcards

Goals
- Definition of a “universal” ISO 7816 interface, i.e. one supporting most EAP authentication protocols.

EAP smartcard benefits
- Network credentials are securely stored. The smartcard bearer does not know the network credentials (shared secret, asymmetric keys, …).
- EAP protocols are computed in a trusted environment.
- The smartcard cannot be cloned.
- The smartcard is blocked/unblocked by the user’s PIN code.

Other aspects
- Scalability: half a billion smartcards were produced in 2001.
- Multiple form factors (ISO 7816 credit card format, SIM GSM 11.11, USB, …).
- Sufficient cryptographic performance (RSA 2048-bit calculation in 500 ms); memory size around 128 kb (one Mb with FLASH technology).
Slide 3/8: Overview

[Figure: EAP stack. EAP is carried over ISO 7816 (EAP/7816) between the smartcard and the supplicant, over 802.1x (EAP/LAN) between the supplicant and the authenticator, and over RADIUS (EAP/RADIUS) between the authenticator and the RADIUS server. The smartcard holds the EAP engine and EAP profiles, each profile consisting of EAP-ID, EAP-Type and cryptographic key(s).]

- Secure authentication: user authentication rather than computer authentication.
- One smartcard for several networks.
- Interoperability between EAP smartcards.
Slide 4/8: Basic Concepts

- Identity: a pointer to a set of information needed for processing EAP messages: EAP-ID, EAP-Type, cryptographic keys.
- User profile: information meaningful for the terminal or the network (SSID, radio channel, X509 certificates, …).
- Profile: implementation recommendation for a particular EAP-Type.
- PIN management: an EAP smartcard may be protected by a PIN code known and managed only by its bearer.
- EAP application: an EAP (smartcard) application may be associated with one or more EAP-Types. In that case it is started by a Select-AID command.
Slide 5/8: EAP Smartcard Services 1/3

Four logical interfaces:
- Network interface: the smartcard directly processes EAP messages (requests, notifications). EAP profile definitions: a set of rules (if needed) for supporting a particular authentication protocol (maximum message size, …).
- Operating system/terminal interface: identity management. Multiple triplets (EAP-ID, EAP-Type, cryptographic keys) are stored in the smartcard; each network requires one triplet. User profile, typically an LDAP record stored in the smartcard (under discussion).
- Management/personalization interface: download and update of identities and profiles. Management could be done via dedicated EAP protocols (under discussion).
- User interface: Personal Identification Number (PIN code) management.
Slide 6/8: EAP Smartcard Services 2/3

[Figure: Secure EAP framework. EAP authentication protocol profiles (EAP-MD5, EAP-SIM, EAP-TLS, other) sit above the identity list; the four interfaces expose the services listed below.]

Identity list example:

| Identity | EAP-ID | EAP Type | Crypto Key(s) | Profile |
|---|---|---|---|---|
| My-Home | dad | MD5 | Password | - |
| My-Office | dad@dot.com | TLS | RSA keys | Credentials |
| SF-Airport | dad@Airport.com | SIM | Ki | Subscription |

- Management/personalization and OS/terminal interfaces: Get-Next-Identity(), Get-Preferred-Identity(), Get-Current-Identity(), Set-Identity(), Set-Multiple-Identity(), Get-Session(), Get-Profile-Data(), Select-AID(), Add-Identity(), Delete-Identity()
- Network interface: Process-EAP()
- User interface: Verify-PIN(), Change-PIN(), Enable-PIN(), Disable-PIN(), Unblock-PIN()
Slide 7/8: EAP Smartcard Services 3/3

| Service | CLA | INS | P1 | P2 | Lc | Le | Comments |
|---|---|---|---|---|---|---|---|
| Process-EAP | Ax | 80 | 00 | ii | xx | yy | Process an EAP message |
| Add-Identity | Ax | 17 | 00 | 81 | xx | 00 | Add an identity entry to the EAP smartcard |
| Delete-Identity | Ax | 17 | 00 | 82 | xx | 00 | Delete an identity entry |
| Get-Current-Identity | Ax | 16 | 00 | 00 | 00 | xx | Get the current identity |
| Get-Next-Identity | Ax | 16 | 00 | 01 | 00 | xx | Extract the identity from a circular list |
| Get-Preferred-Identity | Ax | 16 | 00 | 02 | 00 | xx | Get the preferred identity |
| Set-Identity | Ax | 16 | 00 | 80 | xx | 00 | Set the smartcard current identity |
| Set-Multiple-Identity | Ax | 16 | 00 | 83 | xx | 00 | Set a multiple identity |
| Get-Profile-Data | Ax | 1A | 00 | 00 | 00 | xx | Get the subscriber profile |
| Get-Current-Version | Ax | 10 | xx | yy | 00 | 02 | P1 ≠ 0 is the EAP-Type; P2=0 EAP version, P2=1 WLAN Smartcard Consortium version |
| Get-Session-Key | Ax | A6 | 00 | ii | 00 | 20 | Get the session key |
| Verify-PIN | A0 | 20 | 00 | 00 | 08 | 00 | Verify the user’s current PIN code |
| Change-PIN | A0 | 24 | 00 | 00 | 10 | 00 | Change the user’s current PIN code |
| Enable-PIN | A0 | 26 | 00 | 00 | 08 | 00 | Enable PIN code use |
| Disable-PIN | A0 | 28 | 00 | 00 | 08 | 00 | Disable PIN code use |
| Unblock-PIN | A0 | 2C | 00 | 00 | 10 | 00 | Unblock the EAP smartcard |
| Select-AID | 00 | A0 | 04 | 00 | xx | 00 | Start an EAP smartcard application |
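As an added example (not code from the draft or the slides), the following Python builds the short-form APDUs from this table and validates an EAP message's RFC 3748 header before wrapping it for Process-EAP, so a malformed or mis-sized message is rejected by the terminal rather than sent to the card. It assumes the “Ax” class byte is 0xA0, that the ii/xx/yy placeholders are supplied by the caller, and that a PIN is padded to 8 bytes with 0xFF; the status-word helper is generic ISO 7816 handling.

```python
import struct

CLA_EAP = 0xA0  # assumption: the table's "Ax" class byte with x = 0

def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short APDU: 4-byte header, optional Lc + data, optional Le (0x00 = 256)."""
    if len(data) > 255:
        raise ValueError("data exceeds short-APDU Lc; the message must be fragmented")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le & 0xFF])
    return out

def eap_header(msg):
    """Parse the RFC 3748 header (Code, Identifier, Length) and check Length against the bytes."""
    if len(msg) < 4:
        raise ValueError("EAP message shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if code not in (1, 2, 3, 4):  # Request, Response, Success, Failure
        raise ValueError(f"unknown EAP Code {code}")
    if length != len(msg):
        raise ValueError(f"EAP Length field {length} does not match {len(msg)} bytes")
    return code, ident, length

def process_eap(msg, p2, le=0x00):
    """Process-EAP: CLA Ax INS 80 P1 00 P2 ii Lc xx <EAP message> Le yy; ii and yy are caller-supplied."""
    eap_header(msg)  # reject malformed input before it is sent to the card
    return apdu(CLA_EAP, 0x80, 0x00, p2, msg, le)

IDENTITY_P2 = {"current": 0x00, "next": 0x01, "preferred": 0x02}

def get_identity(which, le=0x00):
    """Get-Current/Next/Preferred-Identity: CLA Ax INS 16 P1 00 P2 00/01/02 Le xx (no data field)."""
    return apdu(CLA_EAP, 0x16, 0x00, IDENTITY_P2[which], b"", le)

def verify_pin(pin):
    """Verify-PIN: A0 20 00 00 08 <8 bytes> 00. Padding the PIN digits with 0xFF is an assumption."""
    if not (4 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 8 digits")
    return apdu(0xA0, 0x20, 0x00, 0x00, pin.encode().ljust(8, b"\xff"), 0x00)

def status(resp):
    """Split a card response into data and SW1 SW2; 0x9000 is success, 0x63Cx carries PIN tries left."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    data, sw = resp[:-2], (resp[-2] << 8) | resp[-1]
    tries = sw & 0x0F if (sw & 0xFFF0) == 0x63C0 else None
    return data, sw, tries
```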
Slide 8/8: EAP Smartcard Profiles

| Profile | Comments |
|---|---|
| MD5 | Informative purpose |
| EAP-SIM | Profile for EAP-SIM |
| EAP-TLS | Fragmentation issue under discussion |
| PEAP | Under discussion |