EAP-POTP: The Protected One-Time Password EAP Method
Magnus Nystrom, David Mitton, RSA Security, Inc.
IETF 64, Vancouver, Canada, November 2005



Slide 2: Background
EAP-POTP is an EAP method designed for One-Time Password (OTP) tokens. EAP-POTP offers:
– Strong user authentication
– Mutual authentication
– Protection of OTPs in transit
– Establishment of key material
– Fast session resumption
…capabilities that are missing from existing EAP methods used with OTP tokens.

Slide 3: Objectives
- End-to-end protection of the OTP value
- Provide key material for lower layers (MSK, EMSK)
- Minimal initial configuration
- Minimize the number of round trips
- No PKI requirements
  – But complements PEAP, TTLS, and other tunneling methods
- Meet RFC 3748 and RFC 4017 requirements as well as the requirements in keying-08
- Support OTP "corner cases" such as
  – Next OTP
  – New PIN mode

Slide 4: Typical Deployment, Wireless Authentication

Slide 5: Method Specifics
- Packet format builds on the use of TLVs
  – Similar to PEAP
- "Hardens" OTPs to protect against eavesdroppers and MITMs
- Extensible to various OTP types
- Optional channel binding
- Session resumption mechanism
- For further information, see the presentation made to the EAP WG at IETF-62: http://www.drizzle.com/~aboba/IETF62/eap/ietf62_eap_potp.ppt

Slide 6: A Few Security Features
- Freshness: each peer contributes a nonce
- Channel binding: the client indicates the server it thinks it is talking to
- Protected PIN change
- Protected results: client confirmation exchange
- Selection: server realm ID in the initial request

Slide 7: Some Recent Updates
- Introduction of a Protected TLV
  – To take advantage of key material already established in the EAP session itself
  – Essentially, the Protected TLV wraps other TLVs and integrity-protects them
- Session resumption defined for basic mode
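The Protected TLV idea on this slide, as an added illustration that is not code from the draft or from RSA: a PEAP-style TLV codec plus a Protected TLV that wraps inner TLVs and integrity-protects them with an HMAC, where the receiver verifies the tag before parsing anything inside. The header layout (2-octet type with a mandatory bit, 2-octet length), the Protected TLV type number, HMAC-SHA-256 as the MAC and the MAC key itself are all constructed assumptions; deriving that key from the EAP session is out of scope here.

```python
import hashlib, hmac, struct

# Assumed header layout, modelled on the PEAP-style TLVs the slides mention:
# a 2-octet type whose top bit is the mandatory ("M") flag, then a 2-octet length.
M_BIT = 0x8000
PROTECTED_TLV = 0x0007  # hypothetical type number for the Protected TLV
MAC_LEN = 32            # HMAC-SHA-256 tag; the MAC algorithm is an assumption

def encode_tlv(tlv_type, value, mandatory=True):
    t = tlv_type | (M_BIT if mandatory else 0)
    return struct.pack("!HH", t, len(value)) + value

def decode_tlvs(data):
    """Parse a TLV sequence into (type, value) pairs, rejecting truncated input."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("TLV length exceeds buffer")
        tlvs.append((t & 0x7FFF, data[off:off + length]))  # strip the M bit
        off += length
    return tlvs

def wrap_protected(mac_key, inner_tlvs):
    """Build a Protected TLV: the encoded inner TLVs followed by an HMAC over them."""
    body = b"".join(encode_tlv(t, v) for t, v in inner_tlvs)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return encode_tlv(PROTECTED_TLV, body + tag)

def unwrap_protected(mac_key, data):
    """Check the MAC before parsing anything inside; raise ValueError on failure."""
    outer = decode_tlvs(data)
    if len(outer) != 1 or outer[0][0] != PROTECTED_TLV:
        raise ValueError("expected exactly one Protected TLV")
    value = outer[0][1]
    if len(value) < MAC_LEN:
        raise ValueError("Protected TLV too short to carry a MAC")
    body, tag = value[:-MAC_LEN], value[-MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return decode_tlvs(body)
```

A flipped bit in an inner TLV, a wrong key, or a truncated packet all fail at the MAC or length check before any inner TLV is handed to the rest of the method.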

Slide 8: Planned Updates & Current Status
- Planned updates
  – Protected ciphersuite negotiation
  – Use of a dedicated session resumption key for session resumption (and not the EMSK)
- Status
  – Commercial implementations of protocol version 0 exist. Will work on distinguishing differences.
  – RSA is willing to contribute the method to the EMU community if there is interest in adopting it as a standards-track work item

Slide 9: IPR
- RSA offers a reciprocal royalty-free license under RAND to all implementers
  – For details, see http://tinyurl.com/cvrfs

Slide 10: Documents & Information
- draft-nystrom-eap-potp-03.txt
  – Part of the One-Time-Password Specifications: http://www.rsasecurity.com/rsalabs/otps
    – CT-KIP: Cryptographic Token Key Initialization Protocol
    – OTP PKCS#11 Mechanisms
    – OTP CAPI: MS CryptoAPI OTP extensions
    – OTP WSS Token: WS-Security OTP token format
    – OTP Validation Service: web service for OTP validation
- Mailing list: send "subscribe otps" to majordomo@majordomo.rsasecurity.com
  – Archive available by sending "get otps otps.05" to the above email address

