Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP Scenarios and 802.1af Joseph Salowey 1/12/2006.

Published byAmelia Jenkins Modified over 10 years ago

Similar presentations

Presentation on theme: "EAP Scenarios and 802.1af Joseph Salowey 1/12/2006."— Presentation transcript:

1 EAP Scenarios and 802.1af Joseph Salowey jsalowey@cisco.com 1/12/2006

2 Basic EAP Model EAP Peer EAP Authen- ticator EAP Server Authentication Keys

3 AAA Model EAP Peer EAP Authen- ticator AAA Server Authentication Keys (Authorization) EAP Server

4 AAA Model Notes Peer authenticates AAA server AAA server provides authenticator with key Possession indicates to peer that authenticator is authorized Peer does not know the identity of the authenticator, by default it cant differentiate between authenticators Authenticator receives authorizations from AAA server

5 3 rd Party Authentication Model EAP Peer EAP Authen- ticator Authentication Services Authentication EAP Server (Online or Offline)

6 3 rd Party Authentication Model Notes Peer authenticates the authenticator Peer knows the authenticators identity Peer must be able to authorize based on identity information Authenticator does not get authorization based on authentication exchange Authentication service may be offline as in PKI CA Authentication service may be online as in Kerberos

7 Approaches to modifying the AAA model (channel bindings) Bind authenticator/service identity into EAP exchange –EAP methods do not interpret the data, instead transport data –Draft-arkko-eap-service-identity-auth-04 Specify target authenticator/service –Mechanism dependent implementation (kerberos, channel binding, credential selection) Bind authenticator/service identity to key material –Draft-obha-aaa-key-binding-01

8 3 rd Party authentication case SW1SW2 Authentication Services (offline) Authentication Mutual

9 Unilateral AAA case SW1SW2 Mutual Authentication AAA

10 Bilateral AAA case SW1SW2 Mutual Authentication x 2 AAA AZ

11 EAP and keys EAP methods can derive key material –MSK available to the authenticator –EMSK reserved (for derivation of other keys TBD) MSK may be used to derive session keys data encryption (802.11i) MSK may be used to derive KEK to encrypt key descriptor to distribute keys (group keys) Either or both approaches may be useful for CAK establishment

Download ppt "EAP Scenarios and 802.1af Joseph Salowey 1/12/2006."

Similar presentations

Authentication.

Authentication.
1 Multi Kingdom AAA Security using Kerberos v5 Kaushik Narayan.

1 Multi Kingdom AAA Security using Kerberos v5 Kaushik Narayan.
Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: The Role of a Media Independent Authenticator Date Submitted: December 30, 2009.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: The Role of a Media Independent Authenticator Date Submitted: December 30, 2009.
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0014-00-0sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE 802.21.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.

1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.
EPON Technology Team 2/9/2014 Key Management [802.1af - Issues] 2004. 5. 12 Jee-Sook Eun Electronics and Telecommunications Research Institute.

EPON Technology Team 2/9/2014 Key Management [802.1af - Issues] Jee-Sook Eun Electronics and Telecommunications Research Institute.
21-07-0297-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0297-00-0000 Title: Possible MIH security approaches and issues Date Submitted: September.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Possible MIH security approaches and issues Date Submitted: September.
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
EAP Channel Bindings TF-MNM Lyon, February 16, 2011 Alan DeKok FreeRADIUS.

EAP Channel Bindings TF-MNM Lyon, February 16, 2011 Alan DeKok FreeRADIUS.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
WLAN IW Enhancement for Multiple Authentications Support Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to.

WLAN IW Enhancement for Multiple Authentications Support Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to.
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

Similar presentations

Ads by Google