Presentation is loading. Please wait.

Presentation is loading. Please wait.

UMD D EPARTMENT OF C OMPUTER S CIENCE D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES EAP-PAX draft-clacy-eap-pax-05 T. Charles Clancy

Published byJerome Bradford Modified over 8 years ago

Similar presentations

Presentation on theme: "UMD D EPARTMENT OF C OMPUTER S CIENCE D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES EAP-PAX draft-clacy-eap-pax-05 T. Charles Clancy"— Presentation transcript:

1 UMD D EPARTMENT OF C OMPUTER S CIENCE D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES EAP-PAX draft-clacy-eap-pax-05 T. Charles Clancy clancy@cs.umd.edu Department of Computer Science University of Maryland, College Park Laboratory for Telecommunication Sciences US Department of Defense IETF 64, EMU BoF, November 10, 2005

2 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 2 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Overview Basic shared-key mutual authentication method Includes support for: –Ciphersuite extensibility –Provisioning with a weak key or password –Key management (deriving new authentication keys) with perfect forward secrecy (using Diffie-Hellman) –Identity protection / user anonymity –Authenticated data exchange (supports channel binding) Provably secure

3 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 3 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Subprotocols: PAX_STD A B, CID, MAC CK (A, B, CID) MAC CK (B, CID) ACK CLIENTSERVER

4 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 4 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Changes since -04 Completed full proof of security, publication pending, will be available online: http://www.cs.umd.edu/~clancy/eap-pax/ Added support for the authenticated exchange of data, targeted at channel binding

5 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 5 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Subprotocols: PAX_SEC M, PK or CertPK ENC PK (M, N, CID) A, MAC N (M, CID) B, MAC CK (A, B, CID) CLIENTSERVER MAC CK (B, CID) ACK

6 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 6 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Certificate Requirements Use of certificate with PAX_SEC is RECOMMENDED Certificate ModeProvisioningIdentity Protection No CertificateMitM offline dictionary attack ID reveal attack Self-Signed Certificate MitM offline dictionary attack ID reveal attack Key CachingMitM offline dictionary attack ID reveal attack during first auth CA-Signed Certificate secure mutual authentication

7 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 7 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Security Properties Extensible Ciphersuite –MAC Primatives: HMAC-SHA1 AES-CBC-MAC –Public-Key Primatives: RSA-OAEP-2048 DH-3072, 256-bit exponents Attack Resistance (dictionary, replay, negotiation) Confidentiality (in ID protect mode)

8 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 8 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Provable Security Random Oracle Model [Bellare 93] Supported primitives all act like Random Oracles [Bellare 94, Bellare 96, Bellare 00] Assume probabilistic, polynomial-time attacker EAP-PAX is secure against: –passive attacks if: PAX_STD without DH: Key O(2 k ) PAX_STD with DH: Key O(1) PAX_SEC without DH: Key O(2 k ) PAX_SEC with DH: Key O(1) –active attacks if: PAX_STD: Key O(2 k ), auth limit O(k n ) PAX_SEC with cert: Key O(k n ), auth limit O(1) PAX_SEC without cert: Key O(2 k ), auth limit O(k n )

9 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 9 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Channel Binding Validate lower-layer EAP parameters during authentication Need secure mechanism for exchanging parameters What is needed? Confidentiality? Authenticity? PAX provides authenticity, but not confidentiality (would require additional symmetric-key ciphersuite) Attach “Authenticated Data Exchange” frames during authentication once keys have been derived

10 {} UMD D EPARTMENT OF C OMPUTER S CIENCE Slide 10 D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES Channel Binding A B, CID, MAC, ADE(type 1, value 1 ) MAC, ADE(type 2, value 2 ) ACK, ADE(type 3, value 3 ) CLIENTSERVER ACK, ADE(type N, value N ) ACK, ADE(type N+1, value N+1 ) EAP-Success / EAP-Failure … …

Download ppt "UMD D EPARTMENT OF C OMPUTER S CIENCE D O D L ABORATORY FOR T ELECOMMUNICATION S CIENCES EAP-PAX draft-clacy-eap-pax-05 T. Charles Clancy"

Similar presentations

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google