Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

Published byClarence Griffin Modified over 9 years ago

Similar presentations

Presentation on theme: "EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft."— Presentation transcript:

1 EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft

2 Outline The problem The participants The conversation The requirements The invariants EAP key hierarchy Key naming Key lifetime issues

3 The Participants +-+-+-+-+ | | | EAP | | Peer | | | +-+-+-+-+ | | | Peer Ports / | \ Phase 0: Discovery / | \ Phase 1: Authentication / | \ Phase 2: Secure / | \ Association / | \ / | \ | | | | | | | | | Authenticator Ports +-+-+-+-+ +-+-+-+-+ +-+-+-+-+ | | | | | | | Auth. | | Auth. | | Auth. | | | | | | | +-+-+-+-+ +-+-+-+-+ +-+-+-+-+ \ | / EAP over AAA \ | / (optional) \ | / \ | / +-+-+-+-+ | | | AAA | |Server | | | +-+-+-+-+ AAA WG

4 Conversation Phases Phase 0: Discovery Phase 1: Authentication 1a: EAP authentication (RFC 3748) 1b: AAA-Key Transport (optional) Phase 2: Secure Association Establishment 2a: Unicast Secure Association 2b: Multicast Secure Association (optional) EAP WG AAA WG Lower Layer

5 The Conversation EAP peer Authenticator Auth. Server -------- ------------- ------------ | | | | Discovery (phase 0) | | | | | | EAP auth (phase 1a) | AAA pass-through (optional) | | | | | | AAA-Key transport | | | (optional; phase 1b) | | | | | Unicast Secure association | | | (phase 2a) | | | | | | Multicast Secure association | | | (optional; phase 2b) | | | | |

6 The Requirements Outlined by Russ Housley at IETF 56 All AAA WG documents doing key distribution need to meet these requirements EAP Key Management Framework document chartered to analyze the security of the EAP system

7 Acceptable solution MUST… (Housley, IETF 56) Be algorithm independent protocol For interoperability, select at least one suite of algorithms that MUST be implemented Establish strong, fresh session keys Maintain algorithm independence Include replay detection mechanism Authenticate all parties Maintain confidentiality of authenticator NO plaintext passwords

8 Acceptable solution MUST also … Perform client and NAS authorization Maintain confidentiality of session keys Confirm selection of “best” ciphersuite Uniquely name session keys Compromise of a single NAS cannot compromise any other part of the system, including session keys and long-term keys Bind key to appropriate context

9 EAP Invariants Media Independence EAP methods can operate on any lower layer meeting the criteria outlined in [RFC3748], Section 3.1. EAP methods cannot be assumed to have knowledge of the lower layer over which they are transported. Method Independence Authenticators can support any method implemented on the peer and server. Authenticators acts as forwarders for methods not locally supported. Ciphersuite Independence EAP methods negotiate the ciphersuite used in protection of the EAP conversation only; data protection is negotiated out-of-band. The backend authentication server is not a party to the ciphersuite negotiation nor is it an intermediary in the data flow between the EAP peer and authenticator. An EAP method may not have knowledge of the ciphersuite that has been negotiated between the peer and authenticator.

10 Types of EAP Keys Keys calculated locally by the EAP method but not exported by the EAP method, such as the Transient EAP Keys. Keys exported by the EAP method: MSK, EMSK, IV Keys calculated from exported quantities: AAA-Key, Application Master Session Keys (AMSKs). Keys calculated by the Secure Association Protocol: Transient Session Keys.

11 EAP Key Hierarchy +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+ | EAP Method | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | | | | | | | | | | | EAP Method Key | | Long-Term | | | | | Derivation | | Credential | | | | | | | | | | | | | +-+-+-+-+-+-+-+ | Local to | | | | | EAP | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Method | | | | | | | | V | | | | | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ | | | | TEK | | MSK | |EMSK | |IV | | | | |Derivation | |Derivation | |Derivation | |Derivation | | | | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ | | | | | | | | | | | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+ | | | ^ | | | | | MSK (64B) | EMSK (64B) | IV (64B) | | | | Exported| | | | by | V V V EAP | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ Method| | AAA Key Derivation, | | Known | | | Naming & Binding | |(Not Secret) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ V | ---+ | Transported | | AAA-Key by AAA | | Protocol | V V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+ | | ^ | TSK | Ciphersuite | | Derivation | Specific | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+

12 Key Placement +-+-+-+-+-+ +-+-+-+-+-+ | | | | | Cipher- | | Cipher- | | Suite | | Suite | | | | | +-+-+-+-+-+ +-+-+-+-+-+ ^ ^ | | V V +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ | |===============| |========| | | |EAP, TEK Deriv.| | | | | | | backend | | | | | | | | | Secure Assoc. | | AAA-Key| | | peer | |Authenti-|<-------| auth | | |===============| cator |========| server | | | Link Layer | | AAA | (EAP | | | (PPP,IEEE 802)| |Protocol| server) | |MSK,EMSK | | | | | | AAA-Key | | AAA-Key | |MSK,EMSK,| | (TSKs) | | (TSKs) | | AAA-Key | | | | | | | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ ^ ^ | | | MSK, EMSK | MSK, EMSK | | +-+-+-+-+-+ +-+-+-+-+-+ | | | | | EAP | | EAP | | Method | | Method | | | | | | (TEKs) | | (TEKs) | | | | | +-+-+-+-+-+ +-+-+-+-+-+

13 Key Naming MSK MSK and EMSK names are only known by the EAP method, and are exported from the method. Name is the (hash of the?) concatenation of the string "MSK", EAP Method Type, EAP peer name, EAP server name, EAP peer nonce, and the EAP server nonce. EMSK (Hash of the?) concatenation of the string "EMSK", the EAP Method Type, EAP peer name, EAP server name, EAP peer nonce, and the EAP server nonce. AMSK (Hash of the?) concatenation of the string "AMSK", key label, application data (Appendix F) and EMSK Name. AAA-Key (Hash of the?) concatenation of the string "AAA-Key", the authenticator name, and the name of the key from which the AAA-Key is derived (MSK or AMSK Name). For the purpose of identifying the authenticator, the contents of the NAS- Identifier attribute is recommended. In order to ensure that all parties can agree on the authenticator name the authenticator needs to advertise its name. Note that the AAA-Key name does not include the peer or authenticator port over which the EAP conversation took place. This is because the AAA-Key is not bound to a specific peer or authenticator port.

14 Key Name Characteristics Key Name is not based on the key itself (unlike IEEE 802.11i) Key Name used for cache negotiation between peer and authenticator AAA server provides the Key Name (and AAA-Key) ot the authenticator Key Name sent to the authenticator by the EAP server along with the key Key Name not known by the authenticator prior to this. No reason for an authenticator to ask the AAA server for a key by name.

15 Key Lifetime Issues Management How are the key lifetimes managed on the peer, authenticator, and AAA server? Negotiation Out of band management Resource reclamation What happens if resources need to be reclaimed and key state is removed by one or more of the parties?

16 Key Lifetime Management Transient EAP Keys (TEKs) Internal to the EAP method. Valid only for the duration of the EAP conversation. MSK, EMSK, IV Existing attributes (e.g. Session-Timeout) define the lifetime of a key that is in use. In EAP, not possible to re-key the exported keys without re- authentication (but can re-key the TSKs) Exported keys may be cached prior to session start (pre- authentication), and may continue to live after the session has ended. AAA-Key may be cached on the authenticator EMSK may be cached on the AAA server Calculated keys The lifetime of keys calculated from key material exported by EAP methods can be no larger than the lifetime of the exported keying material.

17 Thoughts on Exported Key Lifetimes Where we are today EAP methods do not negotiate the lifetime of the exported keys. EAP, defined in [RFC3748], also does not support the negotiation of lifetimes for exported keying material such as the MSK, EMSK and IV. To date, Secure Association Protocols also do not negotiate the lifetime of exported keys. Gap may exist between EAP authentication and the Secure Association Protocol, so not clear it would help Discovery (phase 0) solutions under investigation Recommendations On the EAP server, it is RECOMMENDED that the cache lifetime of exported keys be managed as a system parameter. Where a negotiation mechanism is not provided by the lower lower, it is RECOMMENDED that the peer assume a default value of the exported key lifetime. May be desirable to manage the TSK re-key time via AAA. Not clear it is helpful that AAA management of exported key cache lifetime is helpful. AAA server is not aware of authenticator resource constraints Not clear how AAA server, authenticator and peer keep in sync Per-user cache lifetime management may complicate discovery phase solutions

18 Feedback?

Download ppt "EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Michal Rapco 05, 2005 Security issues in Wireless LANs.

Michal Rapco 05, 2005 Security issues in Wireless LANs.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.

EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba

EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE 802.11-04/1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
21-07-xxxx-00-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-xxxx-00-0000 Title: IETF Liaison Report Date Submitted: July 19, 2007 Presented at.

21-07-xxxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxxx Title: IETF Liaison Report Date Submitted: July 19, 2007 Presented at.
July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt EAP WG IETF 57 Vienna,

July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt EAP WG IETF 57 Vienna,

Similar presentations

Ads by Google