Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)

Published byLouise Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)"— Presentation transcript:

1

2 1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC) Pascal.Urien@enst.fr

3 2 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 Why do we need a type for smartcard ? Why not?. Existing types relative to tokens or smartcards (according to www.IANA.org) 6 Generic Token Card (RFC3748), 14 Defender Token, 15 RSA Security SecurID EAP, 18 Nokia IP smart card authentication, 28 CRYPTOCard, 30 DynamID, 32 SecurID EAP, … Prerequisite Method may be implemented by other means than smartcards. True for all methods Method is clearly defined and standardized. Examples: EAP-TLS, EAP-SIM, EAP-AKA Smartcard interface, associated with a particular method is clearly defined and standardized. Example: draft-urien-eap-smartcard-08.txt Integration of EAP methods in smartcards reduce Trojan Horse threats EAP-TLS: trusted certificate chain EAP-SIM; cancel the risk of authentication-triplet theft EAP-AKA: embedded identity management Benefits Standardization of smartcards use with EAP platform. Avoid conflicts when the host supports multiple instances of a given type (EAP- TLS, …). Smartcard may be removed from the supplicant host, it’s clearly linked to terminal user. Proposed mechanism EAP in EAP encapsulation

4 3 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 Expert review summary (Glen Zorn ) 1. Does the method document its security properties in sufficient manner, as required by Section 7.2 of RFC 3748? [gwz] Yes and no: although all of the required sections are present, the method in fact appears to possess no security properties of its own; those security properties that are claimed (see below) are possessed by smart cards, not by the EAP-SC method. [pu] Agree. The goal of the draft is to define an unique type for all smartcards 1a. Mechanism. Is the mechanism explained? [gwz] Yes and no: this document does not actually define an authentication mechanism, nor does it define EAP support for any particular authentication mechanism. What it does define is a method for demultiplexing EAP type packets on the peer (this does not appear to be necessary on the authenticator side). This demultiplexing method is explained adequately. [pu] Agree. Multiplexing method is obviously needed on the server side, it will be added in the next version 1c. Justifications for the claims? Is an explanation or reference provided to each of the claims? [gwz] Yes and no: the references for those claims that are made (for Confidentiality, Key Derivation, Dictionary Attacks, Cryptographic Binding and Channel Binding) are internal to the document itself and refer to (claimed) properties of smart cards in general, rather than EAP-SC per se. [pu] EAP-SC is dedicated to smartcards. 1f. Indication of vulnerabilities. Are the known vulnerabilities documented? [gwz] Much space is dedicated in this document to the praise of the security capabilities claimed by smart cards; without discussing the validity of those claims, it appears that EAP-SC itself provides no assurance or even evidence of the actual presence or usage of a smart card in the peer system. For enable, I can find no protection against a Trojan horse, for example, having access to appropriate credentials claiming to be an EAP-SC client in the absence of a smart card. [pu] Trojan horse is a threat for all methods. EAP smartcards make these attacks more difficult (example embedded EAP-TLS) Furthermore smartcard can’t be cloned and reduces the eavesdropping risk. A section could be added to the document in order to fix the smartcard handler behavior in the absence of smartcard. 4a. Does the method comply with EAP-based IANA requirements defined in Section 6 of RFC 3748? That is, if it requests the allocation of new numbers in the EAP namespace [not applicable if the numbers have already been allocated], is the type of the document and process appropriate for the desired action? [gwz] No. [pu] Disagree. We need an unique type for smartcards in order to avoid conflicts with method running either on hosts and in smartcards

Download ppt "1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)"

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Slide 1/7 03/17/03 56th IETF San Francisco CA, March 16-21, 2003 “EAP support in smartcards” My name is Pascal Urien, ENST Draft-urien-EAP-smartcard-01.txt.

Slide 1/7 03/17/03 56th IETF San Francisco CA, March 16-21, 2003 “EAP support in smartcards” My name is Pascal Urien, ENST Draft-urien-EAP-smartcard-01.txt.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.

EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt.

Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt.
EAP Mutual Cryptographic Binding draft-ietf-karp-ops-model-03 draft-ietf-karp-ops-model-03 S. Hartman M. Wasserman D. Zhang.

EAP Mutual Cryptographic Binding draft-ietf-karp-ops-model-03 draft-ietf-karp-ops-model-03 S. Hartman M. Wasserman D. Zhang.

Similar presentations

Ads by Google