Eugene Chang (genchang@cisco.com) EMU WG, IETF 70 EAP-FAST RFC 4851 Eugene Chang (genchang@cisco.com) EMU WG, IETF 70

EAP-FAST Adoption Success Stable implementation since 2003 Gartner Dataquest, May 2006* EAP-FAST ~20%, LEAP ~17%, EAP-TTLS <15% Already shipping in 41 product lines* Client Implementations Acer, Apple, Arcadyan Technology, Ascom, Atheros Communications, Azimuth Systems, Broadcom, Cisco Systems, Cisco-Linksys, Conexant Systems, Datalogic Mobile, Dell, Devicescape Software, Fujitsu Access, Fujitsu, Fujitsu Media Devices, Fujitsu Software Technologies, Fujitsu-Siemens Computers, Gateway, Hewlett-Packard, Integrated System Solution Corp., Intel, Intermec Technologies, Juniper Networks, Lenovo, LXE, Marvell, NEC, Philips, Psion Teklogix, Quanta Computer, Research In Motion, Sony, Summit Data Communications, Texas Instruments, Toshiba, VeriWave Server Implementations Avenda Systems, Cisco, Juniper, PeriodikLabs * The Secret Life of EAP-FAST: Adoption under the Radar (Cisco) December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST for Authentication TLS-based tunneled EAP method Supports use cases for LEAP, PEAP, and EAP-TTLS Supports end-point integrity (NAC) Flexibility to support a wide range of password systems MS-CHAP, LDAP, OTP User Identity Protection Mutual Authentication Immunity to active and passive dictionary attacks Immunity to man-in-the-middle attacks Cryptographic binding and compound key generation for inner key methods Protected conversation for intermediate and termination results indication December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST Beyond Authentication Cryptographic binding and compound key generation for inner key methods Protected conversation for intermediate and termination results indication Extensive TLV framework for defining new data exchanges Flexibility to support multiple inner EAP protocols Inner EAP protocol sequencing December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST Other Features Protected Access Credential (PAC) RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State Flexibility to balance security and ease of deployment Support use of server root certificates Option of other server credentials, e.g. PAC Key to migrating users from LEAP Reduced cryptographic workload for small wireless devices Better scaling by reducing AAA server workload December 4, 2007 EAP-FAST for IETF EMU WG

Main Options for EAP-FAST Authentication Provisioning Manually provision device with server root certificate Manually provision device with server generated PAC Dynamically provision device with server generated PAC Mutual Authentication Authenticate server with server certificate Authenticate server with PAC Establish TLS tunnel Perform client authentication in secure tunnel (using TLV object exchanges with crypto-binding and result indication) December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST Authentication Details Supplicant RADIUS Server EAP-Request/Identity EAP-Response/Identity (MyID1) EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello w/PAC-Opaque in SessionTicket ext) EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS Finished) EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS finished) TLS Tunnel Established (subsequent messages sent inside tunnel) Details in Slide 6 Tunnel Teardown EAP Success December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST Password Authentication Details Supplicant RADIUS Server TLS Tunnel Established (subsequent messages sent inside tunnel) EAP Payload TLV (EAP-Request/EAP-GTC (Challenge) EAP Payload TLV (EAP-Response/EAP-GTC(response with userID & password)) Optional additional exchanges (new pin mode, password change, etc.) Intermediate-Result TLV (Success) Crypto-Binding TLV (Request) Intermediate-Result TLV (Success) Crypto-Binding TLV (Response) Result TLV (Success) [Optional PAC TLV] Result TLV (Success) [PAC TLV Acknowledgement] Tunnel Teardown December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST for IETF EMU WG Documentation Status RFC 4851 The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) EAP-FAST Framework draft-cam-winget-eap-fast-provisioning-05.txt draft-zhou-emu-fast-gtc-00.txt Passwords, OTC, password/PIN maintenance RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State PAC Opaque December 4, 2007 EAP-FAST for IETF EMU WG

Evaluation Against Current Requirements EAP-FAST Transport of encrypted password for support of legacy password databases OK Mutual authentication Resistance to offline dictionary attacks, man-in-the-middle attacks, replay attacks Cryptographic tunnel binding Compliance with RFC 3748, RFC 4017 and EAP keying (including EMSK and MSK generation) Peer identity confidentiality Crypto agility and cipher suite negotiation Based on TLS 1.1, revisit when TLS 1.2 done Session resumption Protected result indication Fragmentation and reassembly Support for other password protocols Password/PIN change Transport Channel binding data Transport other EAP methods Support for other data transport (NAC/NEA) Extension mechanism Support for certificate validation protocols December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST for IETF EMU WG Summary EAP-FAST Well-established EAP method Stable design since 2003 Widely implemented, shipping in 41 product lines Well recognized and adopted by enterprise deployments Seems to meet existing requirements Support for many other features Many authentication methods Endpoint integrity checks (for NEA) Simplify migration to 802.1X and EAP methods Reduce computation load on small format devices Improve scaling of AAA servers Why have users start over with yet another EAP method? December 4, 2007 EAP-FAST for IETF EMU WG

EAP-FAST for IETF EMU WG December 4, 2007 EAP-FAST for IETF EMU WG