EAP-PSK v8 IETF 63 – Paris, France August 2005. EAP-PSK: an independent submission to IESG Requested EAP method type number allocation Reviewed June 2005.

Presentation transcript:

EAP-PSK v8 IETF 63 – Paris, France August 2005

EAP-PSK: an independent submission to IESG
Requested EAP method type number allocation
Reviewed June 2005 by expert Jesse Walker
– Update from v07 to v08 following this review
– Ongoing private discussion with J. Walker on remaining open points
Open to any proposal to move forward!

Expert review received by EAP-PSK
Many thanks to Jesse for his thorough review and detailed comments!
Some remarks have been included into EAP-PSK, which prompted the update of EAP-PSK from v07 to v08
Some issues remain open…

AK and KDK derivation
Issue: should AK and KDK derivation from PSK take identities of the parties into account?
Applicability: problem arises if the same PSK is used by multiple parties (>2), which is explicitly forbidden in the draft (section «EAP-PSK assumes that the PSK is known only to the EAP peer and EAP server. The security properties of the protocol may be compromised if it has wider distribution »)
Proposed solution:
– Nice feature but for the sake of simplicity, should this be the case?
– Ongoing cryptographic analysis on « simple » ways to do this
– The discouraged PSK from password algorithm could be enhanced to better support this feature (already partially supported)

Mutual authentication
Issue: security review claims mutual authentication is flawed
Claim:
– This is not the case as mutual authentication is a cut-and-paste from a well-known cryptographic protocol
– The only difference is explicit or implicit communication of elements over the wire. Whether these elements are communicated explicitly or implicitly, they are included in the cryptographic calculations according to the protocol!

EAP-PSK authentication is a cut-and-paste from AKEP2
Source: [EAKD], Figure 2
Source: EAP-PSK, Figure 8
Notation: [x]_K := x || MAC(x, K)
= B || A || R_A || R_B || MAC(B || A || R_A || R_B, a)
= A || R_B || MAC(A || R_B, a)
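The AKEP2 exchange in the slide's notation, as an added example that is not part of the original presentation. HMAC-SHA-256 as the MAC, the length-prefixed encoding of "||", and all function names, keys and identities are assumptions of this sketch; it shows that fields the verifier fills in from its own state (implicit communication) are still bound by the MAC.

```python
import hashlib
import hmac
import os

def cat(*fields: bytes) -> bytes:
    # The slide's "||". Each field is length-prefixed here (an added choice,
    # not from the slides) so field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def mac(x: bytes, key: bytes) -> bytes:
    # Stand-in MAC (HMAC-SHA-256), an assumption of this sketch.
    return hmac.new(key, x, hashlib.sha256).digest()

def b_reply(a, id_a, id_b, r_a, r_b):
    """Message 2 (B -> A): the MAC part of [B || A || R_A || R_B]_a."""
    return mac(cat(id_b, id_a, r_a, r_b), a)

def a_verify_and_confirm(a, id_a, id_b, r_a, r_b, tag2):
    """A rebuilds x from its own state (id_b, id_a, r_a are implicit) plus
    r_b from the wire. Returns the MAC part of message 3, [A || R_B]_a,
    or None when B is not authenticated."""
    if not hmac.compare_digest(mac(cat(id_b, id_a, r_a, r_b), a), tag2):
        return None
    return mac(cat(id_a, r_b), a)

def b_verify(a, id_a, r_b, tag3):
    """B checks message 3 against its own copy of id_a and r_b."""
    return hmac.compare_digest(mac(cat(id_a, r_b), a), tag3)

if __name__ == "__main__":
    a = bytes(range(16))                       # constructed shared key
    A, B = b"peer.example", b"server.example"  # constructed identities
    r_a, r_b = os.urandom(16), os.urandom(16)  # message 1 carries r_a
    tag2 = b_reply(a, A, B, r_a, r_b)
    tag3 = a_verify_and_confirm(a, A, B, r_a, r_b, tag2)
    print("B authenticated to A:", tag3 is not None)
    print("A authenticated to B:", b_verify(a, A, r_b, tag3))
    # A MAC made for another identity fails although B was never sent.
    print("wrong identity accepted:",
          a_verify_and_confirm(a, A, b"other.example", r_a, r_b, tag2) is not None)
```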

Key control
Issue: only RAND_P (and KDK of course) are used in the TEK, MSK and EMSK derivation
Claim:
– This is explicitly noted in EAP-PSK section 6.7 («It should be emphasized that the peer has control of the session keys derived by EAP-PSK. In particular, it can easily choose the random number it sends in EAP-PSK so that one of the nine derived 16-byte key blocks (see Section 2.1) takes a pre-specified value. It was chosen not to prevent this control of the session keys by the peer because:
a) Preventing it would have added some complexity to the protocol (typically, the inclusion of a one-way mode of operation of AES in the key derivation part).
b) It is believed that the peer won't try to force the server to use some pre-specified value for the session keys. Such an attack is outside the threat model and seems to have little value compared to a peer sharing its PSK.
This is however not the behavior recommended by EAP in section 7.10 of [2].»)
– Is this a blocking point?

Other miscellaneous issues
NAK and Expanded-NAK: To what extent doesn’t EAP-PSK comply with NAKs and Expanded-NAKs?
Key naming: what would be the purpose and the value of EAP-PSK including explicit key names as there is no fast reconnect mechanism?
And usual wording and clarity of text…

And now?
Take the open review issues to the list?
Add more issues?

Any feedback welcome! Florent Bersani, France Telecom R&D