Slide 1/8 07/17/03 EAP
57th IETF, WIEN, Austria, July 13-18, 2003
"EAP support in smartcards"
Pascal Urien et al. (ENST)
Draft-urien-EAP-smartcard-02.txt
Slide 2/8
EAP Support in Smartcard

Goals
- Definition of a "universal" ISO 7816 interface, i.e. one supporting most EAP authentication protocols.

EAP smartcard benefits
- Network credentials are securely stored.
- The smartcard bearer does not know its network credentials (shared secret, asymmetric keys...).
- EAP protocols are computed in a trusted environment.
- The smartcard cannot be cloned.
- The smartcard is blocked/unblocked by the user's PIN code.

Other aspects
- Scalability. Half a billion smartcards produced in
- Multiple form factors (ISO 7816 credit card format, SIM GSM 11.11, USB...).
- Sufficient cryptographic performance (RSA 2048-bit calculation in 500 ms); memory size around 128 kb, one Mb with FLASH technology.
Slide 3/8
Overview

[Figure: EAP carried over RADIUS, over the LAN (802.1x) and over ISO 7816, between the RADIUS server, the authenticator, the supplicant and the smartcard. The smartcard holds an EAP engine and EAP profiles; each identity carries an EAP-ID, an EAP-Type and crypto key(s).]

- Secure authentication: user authentication rather than computer authentication.
- One smartcard for several networks.
- Interoperability between EAP smartcards.
Slide 4/8
Basic Concepts

- Identity: a pointer to the set of information needed for processing EAP messages:
  - EAP-ID, EAP-Type, cryptographic keys;
  - user profile: information meaningful for the terminal or the network (SSID, radio channel, X.509 certificates...).
- Profile: implementation recommendation for a particular EAP-Type.
- PIN management: an EAP smartcard may be protected by a PIN code, known to and managed only by its bearer.
- EAP application: an EAP (smartcard) application may be associated with one or more EAP-Types. In that case it is started by a Select-AID command.
Slide 5/8
EAP Smartcard Services 1/3

Four logical interfaces.
- Network interface: the smartcard directly processes EAP messages (requests, notifications). EAP profile definitions: a set of rules (if needed) for supporting a particular authentication protocol (maximum message size, ...).
- Operating system/terminal interface: identity management. Multiple triplets (EAP-ID, EAP-Type, cryptographic keys) are stored in the smartcard; each network requires one triplet. User profile, typically an LDAP record stored in the smartcard (under discussion).
- Management/personalization interface: identity and profile download and update. Management could be done via dedicated EAP protocols (under discussion).
- User interface: Personal Identification Number (PIN code) management.
Slide 6/8
EAP Smartcard Services 2/3

[Figure: Secure EAP framework. EAP authentication protocol profiles: EAP-MD5, EAP-SIM, EAP-TLS, other. Identity list columns: IDENTITY, EAP-ID, EAP TYPE, CRYPTO Key(s), PROFILE; sample entry: My-Home, dad, MD5, Password-Keys, Credentials.]

Services by interface:
- Management/personalization interface and OS/terminal interface: Get-Next-Identity(), Get-Preferred-Identity(), Get-Current-Identity(), Set-Identity(), Set-Multiple-Identity(), Get-Session(), Get-Profile-Data(), Select-AID(), Add-Identity(), Delete-Identity()
- Network interface: Process-EAP()
- User interface: Verify-PIN(), Change-PIN(), Enable-PIN(), Disable-PIN(), Unblock-PIN()
Slide 7/8
EAP Smartcard Services 3/3

SERVICE                 | APDU bytes (CLA INS P1 P2 Lc Le, where legible) | COMMENTS
------------------------|--------------------------------------------------|---------------------------------------------
Process-EAP             | Ax ii xx yy                                      | Process an EAP message
Add-Identity            | Ax xx 00                                         | Add an identity entry to the EAP smartcard
Delete-Identity         | Ax xx 00                                         | Delete an identity entry
Get-Current-Identity    | Ax xx                                            | Get the current identity
Get-Next-Identity       | Ax xx                                            | Extract the identity from a circular list
Get-Preferred-Identity  | Ax xx                                            | Get the preferred identity
Set-Identity            | Ax xx 00                                         | Set the smartcard current identity
Set-Multiple-Identity   | Ax xx 00                                         | Set a multiple identity
Get-Profile-Data        | Ax 1A xx                                         | Get the subscriber profile
Get-Current-Version     | Ax 10 xx yy 00 02                                | P1≠0 is the EAP-Type; P2=0 EAP version, P2=1 WLAN Smartcard Consortium version
Get-Session-Key         | Ax A6 00 ii 00 20                                | Get the session key
Verify-PIN              | A                                                | Verify the user's current PIN code
Change-PIN              | A                                                | Change the user's current PIN code
Enable-PIN              | A                                                | Enable PIN code use
Disable-PIN             | A                                                | Disable PIN code use
Unblock-PIN             | A0 2C                                            | Unblock EAP smartcard
Select-AID              | 00 A xx 00                                       | Start an EAP smartcard application
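The services on slides 4 to 7 (PIN gating, identity triplets walked as a circular list, and Process-EAP running the authentication method inside the card so the key never leaves it) can be modelled as a small card-side state machine. The Python below is an added example written for this page, not code from the draft, ENST or the WLAN Smartcard Consortium. It implements EAP-MD5 (RFC 3748) as the single method, returns ISO 7816-4 status words rather than full APDU framing, and assumes a three-try PIN counter and a separate PUK for Unblock-PIN, neither of which the slides specify.

```python
"""Toy EAP smartcard model (constructed example, not the draft's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4

# ISO 7816-4 status words returned by the services below
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # PIN not verified / wrong PIN
SW_AUTH_METHOD_BLOCKED = 0x6983             # PIN retry counter exhausted
SW_WRONG_DATA = 0x6A80


@dataclass
class Identity:
    """One (EAP-ID, EAP-Type, key) triplet; the key is never exported."""
    eap_id: bytes
    eap_type: int
    secret: bytes


class EapSmartcard:
    def __init__(self, pin: bytes, puk: bytes, identities: List[Identity],
                 max_tries: int = 3):          # 3 tries: assumption, not from the slides
        self._pin, self._puk = pin, puk         # PUK for unblocking: assumption
        self._identities = identities
        self._max_tries = self._tries_left = max_tries
        self._verified = False
        self._current = 0

    # ---- User interface ----
    def verify_pin(self, candidate: bytes) -> int:
        if self._tries_left == 0:
            return SW_AUTH_METHOD_BLOCKED
        if hmac.compare_digest(candidate, self._pin):
            self._verified, self._tries_left = True, self._max_tries
            return SW_OK
        self._tries_left -= 1
        self._verified = False
        return SW_AUTH_METHOD_BLOCKED if self._tries_left == 0 else SW_SECURITY_STATUS_NOT_SATISFIED

    def unblock_pin(self, puk: bytes, new_pin: bytes) -> int:
        if not hmac.compare_digest(puk, self._puk):
            return SW_SECURITY_STATUS_NOT_SATISFIED
        self._pin, self._tries_left, self._verified = new_pin, self._max_tries, False
        return SW_OK

    # ---- OS/Terminal interface: identity management ----
    def get_current_identity(self) -> Tuple[bytes, int]:
        ident = self._identities[self._current]
        return ident.eap_id, ident.eap_type       # EAP-ID and EAP-Type only, never the key

    def get_next_identity(self) -> Tuple[bytes, int]:
        self._current = (self._current + 1) % len(self._identities)   # circular list
        return self.get_current_identity()

    def set_identity(self, eap_id: bytes) -> int:
        for i, ident in enumerate(self._identities):
            if ident.eap_id == eap_id:
                self._current = i
                return SW_OK
        return SW_WRONG_DATA

    # ---- Network interface ----
    def process_eap(self, request: bytes) -> Tuple[bytes, int]:
        if not self._verified:                     # PIN gates every EAP operation
            return b"", SW_SECURITY_STATUS_NOT_SATISFIED
        if len(request) < 5 or request[0] != EAP_REQUEST:
            return b"", SW_WRONG_DATA
        identifier, length = request[1], int.from_bytes(request[2:4], "big")
        if length != len(request):
            return b"", SW_WRONG_DATA
        eap_type, type_data = request[4], request[5:]
        cur = self._identities[self._current]
        if eap_type == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, cur.eap_id), SW_OK
        if eap_type == EAP_TYPE_MD5 and cur.eap_type == EAP_TYPE_MD5:
            # RFC 3748 5.4: Type-Data = Value-Size | Value (challenge) | Name
            size = type_data[0] if type_data else 0
            challenge = type_data[1:1 + size]
            if len(challenge) != size:
                return b"", SW_WRONG_DATA
            value = hashlib.md5(bytes([identifier]) + cur.secret + challenge).digest()
            return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                              bytes([len(value)]) + value + cur.eap_id), SW_OK
        # Unsupported type: legacy Nak naming the type this identity supports
        return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_NAK, bytes([cur.eap_type])), SW_OK


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Code | Identifier | Length (2) | Type | Type-Data (RFC 3748)."""
    return bytes([code, identifier]) + (5 + len(type_data)).to_bytes(2, "big") + bytes([eap_type]) + type_data


def md5_challenge_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge + name)


def server_check_md5(response: bytes, identifier: int, secret: bytes, challenge: bytes) -> bool:
    """Authenticator-side check of an EAP-MD5 response against the shared secret."""
    if len(response) < 6 or response[0] != EAP_RESPONSE or response[1] != identifier \
            or response[4] != EAP_TYPE_MD5:
        return False
    size = response[5]
    expected = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return hmac.compare_digest(response[6:6 + size], expected)
```

The terminal only ever sees EAP-IDs, EAP-Types and EAP response packets; the secret is used inside process_eap and never returned, which is the "bearer doesn't know its credentials" property from slide 2. Three failed Verify-PIN calls leave the card in the blocked state until Unblock-PIN succeeds.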
Slide 8/8
EAP smartcard profiles

Profile  | Comments
---------|-------------------------------------
MD5      | Informative purpose
EAP-SIM  | Profile for EAP-SIM
EAP-TLS  | Fragmentation issue under discussion
PEAP     | Under discussion