TEE: TLS Authentication Using EAP draft-nir-tls-eap-02.txt Yoav Nir Yaron Sheffer (presenter) Hannes Tschofenig Peter Gutmann IETF-70, Vancouver, Dec. 2007

2 Reminder
A TLS Extension
EAP transported within TLS handshake messages
“Finished” message means both handshake and authentication are complete, and “regular” data can flow

3 Why This is a Good Idea
EAP support in operating systems is constantly improving (802.11i, 802.1X etc.)
EAP provides multiple methods for user auth in the enterprise environment
  – PEAP variants, SecureID, and a bunch of experimental stuff
  – IPR-related issues with password auth, unfortunately
  – Potentially more general than GSS-API, which is typically only used for Kerberos
TLS used in a new product category: SSL VPNs
  – Both “clientless” and thin clients
  – Not standardized, yet
EAP applicable to “network access authentication”, highly applicable to SSL VPNs
  – Implement in the thin client; if successful, move to OS infrastructure

4 Why Not at the Application Layer
EAP transport would need to be standardized
  – As well as EAP-TLS channel binding
Do we want to allow the application access to raw credentials?
  – Ideally the OS provides the UI, possibly with a trusted path
Can enforce policy and select mechanisms better if auth done at same layer as TLS
  – E.g. server auth in TLS, client auth in EAP
  – Or anonymous in TLS, mutual auth in EAP
APIs need to be extended to enable channel binding
  – Per RFC 5056, the unencrypted Finished message(s)
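As an added illustration of the channel-binding point on this slide (this is example code written for this transcript, not code from the draft or its authors): a toy Python model of tls-unique style binding, in which the verify_data of the first Finished message on a TLS connection is mixed into an abstract inner authentication. The Finished computation is simplified to HMAC-SHA256 in place of the TLS PRF, the inner method is a plain keyed MAC rather than any real EAP method, and `TlsSession`, `eap_response`, `server_accepts`, `direct_connection` and `relayed_connection` are names invented for the model. It shows why the binding has to be taken from the TLS layer: an inner authentication that ignores the outer connection verifies identically whether or not an intermediary terminated TLS, while one bound to the Finished message fails as soon as the client and server are on different connections.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the TLS 1.2 "client finished" PRF label.
CLIENT_FINISHED_LABEL = b"client finished"


def finished_verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Simplified model of the TLS 1.2 Finished.verify_data computation.

    Real TLS computes PRF(master_secret, label, Hash(handshake_messages)) and
    truncates to 12 bytes; HMAC-SHA256 over the same inputs stands in for the
    PRF here. The value depends on both the connection's secret and on every
    handshake message exchanged, which is what makes it usable as a binding.
    """
    handshake_hash = hashlib.sha256(transcript).digest()
    return hmac.new(master_secret, CLIENT_FINISHED_LABEL + handshake_hash,
                    hashlib.sha256).digest()[:12]


@dataclass
class TlsSession:
    """One TLS connection as seen by one endpoint (hypothetical helper class)."""
    master_secret: bytes
    transcript: bytes

    def channel_binding(self) -> bytes:
        # tls-unique style (RFC 5929): the first Finished message sent on the
        # connection, i.e. the bytes before record-layer encryption.
        return finished_verify_data(self.master_secret, self.transcript)


def eap_response(user_key: bytes, challenge: bytes, binding: bytes) -> bytes:
    """Abstract inner authentication (not a real EAP method): the peer MACs the
    server's challenge together with the channel binding of the TLS connection
    it believes it is inside. An empty binding models an unbound inner method."""
    return hmac.new(user_key, challenge + binding, hashlib.sha256).digest()


def server_accepts(user_key: bytes, challenge: bytes, binding: bytes,
                   response: bytes) -> bool:
    """The server recomputes the expected response with the binding of the TLS
    connection it actually terminated and compares in constant time."""
    expected = eap_response(user_key, challenge, binding)
    return hmac.compare_digest(expected, response)


def direct_connection(user_key: bytes, challenge: bytes, use_binding: bool) -> bool:
    """Client and server share a single TLS connection (constructed values)."""
    session = TlsSession(master_secret=b"\x11" * 48,
                         transcript=b"ClientHello|ServerHello|Certificate(server)|...")
    binding = session.channel_binding() if use_binding else b""
    response = eap_response(user_key, challenge, binding)
    return server_accepts(user_key, challenge, binding, response)


def relayed_connection(user_key: bytes, challenge: bytes, use_binding: bool) -> bool:
    """The client's TLS connection terminates at an intermediary, which opens
    its own TLS connection to the real server and forwards the inner EAP
    messages unchanged (the tunnelled-authentication problem channel binding
    is meant to detect). Two connections mean two secrets and two transcripts."""
    client_side = TlsSession(master_secret=b"\x22" * 48,
                             transcript=b"ClientHello|ServerHello|Certificate(intermediary)|...")
    server_side = TlsSession(master_secret=b"\x33" * 48,
                             transcript=b"ClientHello|ServerHello|Certificate(server)|...")
    client_binding = client_side.channel_binding() if use_binding else b""
    server_binding = server_side.channel_binding() if use_binding else b""
    response = eap_response(user_key, challenge, client_binding)
    return server_accepts(user_key, challenge, server_binding, response)


if __name__ == "__main__":
    key, chal = b"constructed-user-key", b"constructed-challenge"
    print("direct, unbound :", direct_connection(key, chal, False))   # True
    print("direct, bound   :", direct_connection(key, chal, True))    # True
    print("relayed, unbound:", relayed_connection(key, chal, False))  # True: relay goes unnoticed
    print("relayed, bound  :", relayed_connection(key, chal, True))   # False: bindings differ
```

The model also makes the API point of the slide concrete: the inner method can only call `channel_binding()` if the TLS implementation exposes the unencrypted Finished bytes, which is exactly the extension to TLS APIs the slide says is needed.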

Thank you!