
1 EAP-MAKE2: EAP method for Mutual Authentication and Key Establishment, v2
EMU BoF
Michaela Vanderveen
IETF 64, November 2005


2 Key Features
• Pre-shared keys
  – Separate for authentication and key derivation
• MIC and key derivation use IEEE 802.11i PRF
  – Computationally light
  – No extra crypto code for terminals employing link-layer RSN based on IEEE
• Secure ciphersuite negotiation
  – Encryption use is optional
• Support for user identity privacy
  – Temporary user ID generation+delivery optional
• Commercial deployment (v1)

3 Message Exchange (Bellare-Rogaway based)
Server → Peer: Challenge(RANDS, ServerID)
Peer → Server: Challenge(RANDP, PeerID, SPIP, MIC)
Server → Peer: Confirm(SPIS, [EncrData], MIC)
Peer → Server: Confirm(MIC)
Server → Peer: EAP Success
SPIP = Peer’s supported ciphers
SPIS = Server’s chosen cipher
EncrData = TempID, …
MIC = computed over entire packet, both nonces and IDs

4 Identity Request/Response
Server → Peer: MAKE/Identity(PermID_REQ, ServerID)
Peer → Server: MAKE/Identity(PeerID)
Server obtains TempID but requires PermID; the typical EAP-MAKE2 exchange follows.

5 Authentication Failure
Server → Peer: Challenge(RANDS, ServerID)
Peer → Server: Challenge(RANDP, PeerID, SPIP, MIC)
Server → Peer: EAP Failure
Server finds MIC invalid.

6 Authentication Failure (cont’d)
Server → Peer: Challenge(RANDS, ServerID)
Peer → Server: Challenge(RANDP, PeerID, SPIP, MIC)
Server → Peer: Confirm(SPIS, MIC)
Peer → Server: Auth-Reject
Server → Peer: EAP Failure
Peer finds MIC invalid.

7 Three-level Key Hierarchy
Level 1: Root Secret A (pre-shared secret)
Level 2: MAKE Master Secret (MMS-A), derived using RANDS and RANDP
Level 3 (cryptographically separate):
  – Transient EAP Keys: TEK-Auth (sign MIC), TEK-Cipher (encrypt attributes)
  – Session Keys: MSK, EMSK
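The following is an added, constructed model of the exchange on slides 3, 5 and 6 and the key hierarchy on slide 7; it is not code from the presentation or from any EAP-MAKE2 implementation. It assumes the IEEE 802.11i PRF-n construction (chained HMAC-SHA1 over label || 0x00 || data || counter) for both key derivation and the MIC, as the slides state, but the PRF labels, the length-prefixed packet encoding, the key sizes, the cipher names, the second pre-shared root used for MSK/EMSK, and the keystream-XOR attribute encryption are all assumptions made for the example. The MIC covers the whole packet plus both nonces and both IDs, so the run shows why tampering with SPIP or SPIS in transit, or a peer holding the wrong pre-shared key, ends in the EAP Failure / Auth-Reject paths of slides 5 and 6 rather than in a silently downgraded session.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || i."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def encode(*fields: bytes) -> bytes:
    """Length-prefixed concatenation (constructed wire format, not the real EAP-MAKE2 encoding)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class Party:
    """State held by either side: identity, the two pre-shared roots, derived keys."""

    def __init__(self, ident: bytes, root_auth: bytes, root_kd: bytes, ciphers: list):
        self.id, self.root_auth, self.root_kd, self.ciphers = ident, root_auth, root_kd, ciphers

    def derive(self, rand_s: bytes, rand_p: bytes) -> None:
        nonces = rand_s + rand_p
        # Authentication branch: Root Secret A -> MMS-A -> TEK-Auth (sign MIC), TEK-Cipher (encrypt)
        mms_a = prf(self.root_auth, b"MAKE2 MMS-A", nonces, 256)   # label: assumption
        teks = prf(mms_a, b"MAKE2 TEK", nonces, 256)
        self.tek_auth, self.tek_cipher = teks[:16], teks[16:]
        # Key-derivation branch from the separate pre-shared key -> MSK, EMSK (assumption)
        mms_k = prf(self.root_kd, b"MAKE2 MMS-K", nonces, 256)
        keys = prf(mms_k, b"MAKE2 MSK EMSK", nonces, 1024)
        self.msk, self.emsk = keys[:64], keys[64:]

    def mic(self, *fields: bytes) -> bytes:
        return prf(self.tek_auth, b"MAKE2 MIC", encode(*fields), 128)

    def keystream_xor(self, data: bytes) -> bytes:
        """Optional attribute encryption under TEK-Cipher (constructed PRF keystream XOR)."""
        ks = prf(self.tek_cipher, b"MAKE2 ENC", b"", len(data) * 8)
        return bytes(a ^ b for a, b in zip(data, ks))


def make_parties(peer_root_auth: bytes = b""):
    """Constructed fixtures: shared roots unless the peer is given a wrong authentication root."""
    root_a, root_k = os.urandom(32), os.urandom(32)
    suites = [b"AES-CCMP", b"TKIP"]
    server = Party(b"server.example", root_a, root_k, suites)
    peer = Party(b"peer@example", peer_root_auth or root_a, root_k, suites)
    return peer, server


def run_exchange(peer: Party, server: Party, tamper: str = "") -> str:
    """Drive the four-message exchange; `tamper` simulates an on-path modification."""
    # 1. Server -> Peer: Challenge(RANDS, ServerID)
    rand_s = os.urandom(16)
    # 2. Peer -> Server: Challenge(RANDP, PeerID, SPIP, MIC); MIC covers packet + both nonces + IDs
    rand_p = os.urandom(16)
    peer.derive(rand_s, rand_p)
    spip = b",".join(peer.ciphers)
    mic_p = peer.mic(rand_p, peer.id, spip, rand_s, server.id)
    if tamper == "downgrade":
        spip = peer.ciphers[-1]            # stronger suites stripped from SPIP in transit
    server.derive(rand_s, rand_p)
    if not hmac.compare_digest(server.mic(rand_p, peer.id, spip, rand_s, server.id), mic_p):
        return "EAP Failure"               # slide 5: server finds MIC invalid
    # 3. Server -> Peer: Confirm(SPIS, [EncrData], MIC)
    spis = next(c for c in server.ciphers if c in spip.split(b","))
    encr = server.keystream_xor(b"TempID:" + os.urandom(4).hex().encode())
    mic_s = server.mic(spis, encr, rand_s, rand_p, server.id, peer.id)
    if tamper == "confirm":
        spis = b"NULL"                     # chosen cipher altered in transit
    if not hmac.compare_digest(peer.mic(spis, encr, rand_s, rand_p, server.id, peer.id), mic_s):
        return "Auth-Reject, EAP Failure"  # slide 6: peer finds MIC invalid
    temp_id = peer.keystream_xor(encr)
    assert temp_id.startswith(b"TempID:")  # peer recovered the delivered temporary ID
    # 4. Peer -> Server: Confirm(MIC)
    mic_c = peer.mic(b"Confirm", rand_s, rand_p, peer.id, server.id)
    if not hmac.compare_digest(server.mic(b"Confirm", rand_s, rand_p, peer.id, server.id), mic_c):
        return "EAP Failure"
    assert peer.msk == server.msk and peer.emsk == server.emsk  # both sides exported the same keys
    return "EAP Success"


if __name__ == "__main__":
    p, s = make_parties()
    for mode in ("", "downgrade", "confirm"):
        print(mode or "clean", "->", run_exchange(p, s, tamper=mode))
```

Two points worth noting from the model: constant-time MIC comparison on both sides, and the fact that the only honest outcome that can follow a tampered Challenge or Confirm is a failure message, which is what the slides' "Authentication Failure" flows describe.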

8 Thank You

9 Security Claims & Vulnerabilities
• Mutual Authentication
• Integrity Protection
• Replay protection
• Confidentiality (optional)
• Key derivation
• Dictionary attack protection
• Protected ciphersuite negotiation
• No fragmentation
• No channel binding
• No crypto binding

