July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt EAP WG IETF 57 Vienna,

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Internet Protocol Security (IP Sec)
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Wireless and Security CSCI 5857: Encoding and Encryption.
EMU BOF EAP Method Requirements Bernard Aboba Microsoft Thursday, November 10, 2005 IETF 64, Vancouver, CA.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
Chapter 21 Distributed System Security Copyright © 2008.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
sec1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: TGa_Proposal_Antonio_Izquierdo (Protecting the Information Service.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Doc.: IEEE /0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: Authors:
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
EMU BOF EAP-TLS Experiment Report RFC 2716 Bernard Aboba Microsoft Thursday, November 10, 2005 IETF 64, Vancouver, CA.
Guidelines for Cryptographic Algorithm Agility Russ Housley IETF 89 - SAAG Session.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Sec Title: Considerations on use of TLS for MIH protection Date Submitted: January 14, 2010.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
IETF 57 PANA WG PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
IETF68 DIME WG Open Issues for RFC3588bis Victor Fajardo (draft-ietf-dime-rfc3588bis-02.txt)
IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch.
Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.
Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
August 2, 2005 IETF 63 – Paris, France Media Independent Handover Services and Interoperability Ajay Rajkumar Chair, IEEE WG.
Key Management in AAA Russ Housley Incoming Security Area Director.
Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper.
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 EAP-MAKE2: EAP method for Mutual Authentication and Key Establishment, v2 EMU BoF Michaela Vanderveen IETF 64 November 2005.
August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.
K. Salah1 Security Protocols in the Internet IPSec.
1 IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September,
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-05.txt Bernard Aboba Microsoft IETF 62, Minneapolis, MN.
Doc.: IEEE /2179r0 Submission July 2007 Steve Emeott, MotorolaSlide 1 Summary of Updates to MSA Overview and MKD Functionality Text Date:
Open issues with PANA Protocol
RADEXT WG RADIUS Attributes for WLAN Draft-aboba-radext-wlan-00.txt
PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)
Phil Hunt, Hannes Tschofenig
IETF-70 EAP Method Update (EMU)
PEKM (Post-EAP Key Management Protocol)
Agenda retrospective - B. Aboba Lunch
IEEE MEDIA INDEPENDENT HANDOVER
Presentation transcript:

July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt EAP WG IETF 57 Vienna, Austria Bernard Aboba

July 16, 2003AAA WG, IETF 572 Goals & Objectives To provide a framework for evaluation of EAP key derivation mechanisms and transport mechanisms –Terminology –Architectural Model –Security – hierarchy overview –Requirements for EAP methods, AAA protocols and secure association protocols Key derivation algorithms are not specified in this document.

July 16, 2003AAA WG, IETF 573 EAP Invariants Media independence –EAP methods are designed to function on any lower layer meeting criteria in RFC 2284bis, Section 3.1 Ciphersuite independence –Ciphersuite negotiation occurs out of band of EAP –EAP methods generate keying material suitable for use with any ciphersuite Method independence –Pass-through authenticators cannot be assumed to implement method-specific code

July 16, 2003AAA WG, IETF 574 Protocol Relationships Discovery Phase (Phase 0) –EAP peer discovers the Authenticator –Discovery phase is out of band of EAP and may not be secure –Examples: PPPOE, Beacon, Probe Request/Response EAP (Phase 1) –Protocol spoken between EAP peer and EAP server –EAP SAs are bi-directional –Mutual authentication required for key deriving methods –EAP method provides keying material (MSK, EMSK) –Method may have no explicit key lifetime negotiation EAP SA state may be cached for significant periods after authentication completes (e.g. fast resume) –EAP only supports EAP SA creation, not deletion EAP peer or server can delete SA state at any time without notification –Multiple EAP SAs possible between an EAP peer and EAP server –TEKs derived for protection of EAP SA negotiation –MSK, EMSK, TEKs must be fresh, not used to protect data –Key deriving methods need to support replay protection

July 16, 2003AAA WG, IETF 575 Protocol Relationships (cont’d) AAA –Protocol spoken between NAS and AAA server –Mutual authentication required (RADIUS or Diameter) –Replay protection supported –MSK transported from AAA server to NAS MSK is “bound” to a particular NAS Secure Association Protocol (Phase 2) –Used by EAP peer to derive a security association with the EAP Authenticator in order to protect data, and indicate “I want to join the network connected to this NAS” –Demonstrates proof of possession of Phase 1 Keying Material “Binds” Phase 1 to Phase 2 –Supports secure capabilities negotiation Allows for secure verification of insecure discovery phase –Derives unicast and multicast transient session keys Fresh TSKs derived (even if MSK is not fresh) –Supports addition and deletion of Phase 2 SAs As with EAP, both peer and authenticator may delete Phase 2 key state at any time –Secure Association SAs may not be bi-directional

July 16, 2003AAA WG, IETF 576 The (Bermuda?) EAP Triangle

July 16, 2003AAA WG, IETF 577 Why Is Binding/Naming Important? Unlike IKE, EAP and Secure Association protocol may not be run between the same parties –EAP SA negotiated between EAP peer and EAP server –Phase 2 SA negotiated between EAP peer and Authenticator May not be clear which EAP (Phase 1) SA a Phase 2 SA is to be derived from –An EAP peer may have negotiated multiple EAP SAs to several EAP servers –Phase 2 SA may be based on a Phase 1 SA run through another NAS –Key name needed in Secure Association protocol for clarification

July 16, 2003AAA WG, IETF 578 Example EAP Peer A connects to NAS A, negotiates EAP SA with Server A Server A fails, NASes failover to Server B EAP Peer A connects to NAS B, negotiates EAP SA with Server B Server A recovers, NASes failback to Server A No synchronization between Server A and Server B EAP Peer A connects to NAS C, which indicates desire to skip EAP (Phase 1) and negotiate a secure association (Phase 2) –Which EAP SA is the Phase 2 SA based on? Server A? Server B?

July 16, 2003AAA WG, IETF 579 Issues with Synchronization of Key State EAP SA and secure association state can be deleted at any time by any party –EAP peer may delete EAP SA or Phase 2 SA –EAP authenticator may delete MSK or Phase 2 SA –AAA server may delete MK, MSK, EMSK, etc. Not clear whether AAA protocol should attempt to negotiate an “explicit key lifetime” with the NAS –May be no way for EAP peer to be informed of the key lifetime –NAS may not keep MSK around for the full lifetime if it reboots or needs to reclaim resources –Result: AAA server cannot assume key lifetime is obeyed by the NAS Lack of synch of SA state addressed by negotiating a new EAP SA –EAP peer request for “fast resume” is denied if EAP Server does not retain MK state Phase 2 “delete” operation may not be protectable –If EAP authenticator has deleted Phase 2 key state, there is no way to protect a “delete” message –If EAP peer has deleted Phase 2 key state, it cannot validate (or decrypt?) a “delete” message –Result: timeouts may be unavoidable

July 16, 2003AAA WG, IETF 5710 Issues with Peer-to-Peer Operation EAP is a peer-to-peer protocol, but… AAA protocol may not support role reversal (RFC 2869bis, Diameter EAP) EAP methods may be client/server –Example: EAP TLS TLS client certificate not the same as TLS server cert Implies that EAP peers must have two certs if role reversal is supported Secure association SAs may not be bi-directional –Example: IEEE i group key handshake is one-way, from Authenticator to EAP peer, since only AP can multicast Result: two EAP SAs may be required, one in each direction, even where mutual authentication is supported –Example: two group key exchanges, 4-way handshakes and EAP exchanges are needed in adhoc

July 16, 2003AAA WG, IETF 5711 Open Issues Issue 15: missing security reqts. –Additional discussion of key naming, synchronization and binding required –Proposal: Add material to address this in -07 Issue 47: key requirements unspecified –Size of MSK and EMSK –Minimum key strength in some/all scenarios? –Nonce exchange required in EAP methods? –Proposal: add nonce exchange requirement Issue 99: Double expansion –Expansion typically occurs from MK to MSK and MSK to TSK –Proposal: Reject – key strength is the issue, not double expansion Issue 119: EAP is inappropriate for Peer-to-Peer –Proposal: Add discussion of Peer-to-Peer issues in -07

July 16, 2003AAA WG, IETF 5712 Open Issues (cont’d) Issue 135: SSID in PRF –Proposal: Reject EAP is media independent, SSID equivalent does not exist on all media Not clear that the MSK is “bound” to a particular SSID, only to a particular Physical NAS –Example: Virtual AP Can support multiple SSIDs During pre-authentication, SSID may not be available or may only be inferred from the Called-Station-Id Virtual APs may share MSKs – enabled by key naming Result: Phase 2 SA may be negotiated based on Phase 1 SA derived via another Virtual AP (in another SSID!) on same physical AP

July 16, 2003AAA WG, IETF 5713 Roadmap Update -07 document –Include resolution of open issues Post -07 strawman for examination and discussion Request permission to submit as an EAP WG work item

July 16, 2003AAA WG, IETF 5714 Requirements Overview Key Management requirements presented by Russ Housley at IETF 56 EAP Key Management Framework document to provide system analysis –EAP, AAA, Secure Association requirements –Detailed discussion in EAP WG 2 nd session AAA documents can no longer reference Diameter CMS (work discontinued) –Best alternative is Diameter Re-direct Outstanding Issues –Key naming/binding (EAP Key Framework) –Re-direct authorization

July 16, 2003AAA WG, IETF 5715 Acceptable solution MUST… –Be algorithm independent protocol For interoperability, select at least one suite of algorithms that MUST be implemented –Response Diameter supports IKE, TLS security –Can negotiate ciphersuites, security parameters for protecting AAA sessions EAP provides algorithm, media independence –Any EAP method can work with any media and ciphersuite EAP provides a mandatory-to-implement method –Issue: Mandatory method does not support key derivation or mutual authentication

July 16, 2003AAA WG, IETF 5716 Acceptable solution MUST… Establish strong, fresh session keys –Maintain algorithm independence Include replay detection mechanism Response –Diameter security protocols (TLS, IKE) negotiate strong, fresh session keys to protect traffic, provide replay protection Key strength, replay protection can be provided regardless of key management algorithm –Key strength, Replay protection are security claims for EAP methods Issue: Not all methods will provide “strong” keys Issue: Not all methods will provide replay protection –Proposal to add Key freshness requirement Nonce exchange in EAP method guarantees MSK/EMSK freshness, unique key naming Nonce exchange in secure association protocol guarantees freshness of transient session keys even if MSK/EMSK is not fresh

July 16, 2003AAA WG, IETF 5717 Acceptable solution MUST… Authenticate all parties –Maintain confidentiality of authenticator –NO plaintext passwords Response –EAP does not support PAP –Diameter requires mutual authentication between NAS and AAA server, supports confidentiality Issue: authorization issues being addressed –Mutual authentication required for key-deriving EAP methods, secure association protocol –Question: What does “maintain confidentiality of authenticator” mean? Support for identity privacy?

July 16, 2003AAA WG, IETF 5718 Acceptable solution MUST also … Perform client and NAS authorization Response –Client authorization issues being addressed in RFC 2284bis –NAS/AAA server authorization issues being addressed in NASREQ, Diameter EAP

July 16, 2003AAA WG, IETF 5719 Acceptable solution MUST also … Maintain confidentiality of session keys Response –MSK transport is protected by Diameter transport security (IPsec, TLS) –Re-direct can restrict MSK access to those with “need to know” (NAS, AAA server, EAP peer) –Transient Session Keys are derived via secure association protocol

July 16, 2003AAA WG, IETF 5720 Acceptable solution MUST also … Confirm selection of “best” ciphersuite –Secure association protocol responsible for secure capabilities negotiation Used for communication of data between the EAP peer and NAS –Diameter security (IPsec, TLS) provides for secure negotiation of security parameters –EAP methods negotiate ciphersuites for use in protecting the EAP conversation Issue: Should we require that this negotiation be protected?

July 16, 2003AAA WG, IETF 5721 Acceptable solution MUST also … Uniquely name session keys Response –Work in progress EAP SA name: –Potential for multiple EAP SAs between an EAP peer and EAP server MK name: MSK name: –Binds the MSK to a particular NAS, avoids (inappropriate) reuse –Called-Station-Id best candidate for NAS Name since EAP peer may not know NAS-Identifier or NAS-IP-Address EMSK name: TSK name: Since names may be long, hash of the name used as a surrogate –Issue: How do the NAS, EAP peer and AAA server come to agree on the Key names? NAS operates in pass-through, does not have access to MK or EMSK

July 16, 2003AAA WG, IETF 5722 Acceptable solution MUST also … Compromise of a single NAS cannot compromise any other part of the system, including session keys and long-term keys Response –MK, EMSK only available to EAP peer, server, not to the NAS –Key freshness required in EAP method, secure association protocol –Requires that MSK, TEKs, TSKs at one NAS not be derivable based on quantities at another NAS For “fast handoff”, implies that master session keys be on different branches of the key hierarchy –Diameter security uses dynamic, not static session keys, and well understood ciphersuites Compromise of one NAS will not reveal Diameter session keys of another NAS Issue: Do we need to say not to use the same IKE pre-shared key for every NAS?

July 16, 2003AAA WG, IETF 5723 Acceptable solution MUST also … Bind key to appropriate context Response –Peer-Server Binding is implicit; no explicit key lifetime negotiation or EAP SA “delete” message –NAS-Peer Binding of TSKs to securely negotiated capabilities is the responsibility of the secure association protocol Binding of the key to the secure association SA the responsibility of the secure association protocol –AAA server-NAS Binding and context provided by Grouped Key AVP –Issue: Does the key name need to be provided along with the key in the Key Grouped AVP? –Issue: What other AVPs are needed to define the context?

July 16, 2003AAA WG, IETF 5724 Summary We are making progress Key naming and binding issues the most challenging Key Management Framework document will include system analysis

July 16, 2003AAA WG, IETF 5725 Feedback?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.