Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005.

Published byAmbrose Cross Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005."— Presentation transcript:

1 Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005

2 Introduction If you have, what EAP methods could you use? Focus on methods documented in internet-drafts (really old ones omitted) –Only EAP-TLS is an RFC

3 X.509 PKI EAP-TLS EAP-IKEv2 Private keys could be in software or hardware tokens (7816, USB, …)

4 Shared secrets EAP-IKEv2 EAP-PAX EAP-SKL EAP-PSK EAP-MAKE EAP-Double-TLS EAP-TLS with TLS-PSK + some that I probably forgot (sorry!) + several expired drafts

5 Passwords My definition –Shared secret methods require the EAP server to have the shared secret –Password methods work with existing user/password databases (the EAP server does not necessarily have the password) You don’t have to agree with this definition!

6 Passwords (cont.) Tunneled methods: EAP-FAST, EAP- TTLSv0, EAP-TTLSv1, PEAP v0, PEAP v1, PEAP v2 Inside tunnel: –PAP/GTC (=just send the password) –CHAP/MD5 –MS-CHAP –MS-CHAP-v2 EAP server authenticated using certificates

7 One-time passwords/tokens Tunneled methods + inside tunnel: –PAP/GTC (=just send the password) –OTP –EAP-POTP

8 Cellular infrastructure EAP-SIM EAP-AKA

9 Kerberos No currently active methods? –EAP-GSS expired –Some password methods might be able to use Kerberos back-end

10 Other ways EAP is used Provisioning/enrollment –Provisioning certificates (instead of existing certificate management protocols) –Enrolling strong credential from weak single-use credential –draft-mahy-eap-enrollment, EAP-FAST, PEAP Client integrity checks Two-factor / two-entity (device and user) authentication (sequences) + Other things I don’t even want to mention…

11 Summary structure Status –What’s the situation, both in standardization and deployment Need for new work –Problems not yet solved? –Real demand for solving them? Chances of success –How likely that WG could achieve rough consensus on the problem and solution(s)? –How likely that the solutions would have impact? Note: These are just my opinions. They will change. You don’t have to agree.

12 Summary (1/5) X.509 PKI –Status: EAP-TLS. –Need for new work: Some. EAP-TLS works, but the spec would benefit from updates. –Chances of success: Good. Shared secrets –Status: No standardized methods. –Need for new work: Yes. –Chances of success: Good — but requires draft author interest in standardization

13 Summary (2/5) Passwords –Status: Proprietary methods widely used. –Need for new work: Standardized method would be “nicer”, but… –Chances of success: …depends? Are the existing vendors interested? Difficult to get consensus about anything related to passwords in IETF One-time passwords/tokens –See “Passwords” (or is POTP different case?)

14 Summary (3/5) Cellular infrastructure –Status: 3GPP has EAP-SIM/EAP-AKA, 3GPP2 has something, too –Need for new work: No Kerberos –Status: No methods –Need for new work: Not much demand?

15 Summary (4/5) Other types of infrastructure or credentials? –Credit card payment? –Biometrics? –Chances of success: unclear.

16 Summary (5/5) Provisioning/enrollment –Status: Unclear. –Need for new work: Unclear. Client integrity checks –Status: Proprietary things exist, TNC working on standardizing some parts –Need for new work: Depends on what TNC and vendors want. Two-factor authentication / sequences –Status: Supported by tunnel methods, but not widely used? –Need for new work: Unclear.

17 Other possible WG work items Channel bindings –Status: Proposals exist. –Need for new work: Some? –Chances of success: Moderate.

Download ppt "Overview of proposed EAP methods, credential types, and uses Pasi Eronen IETF64 EMU BoF November 10 th, 2005."

Similar presentations

CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.

Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
SKS – Secure Key Store KeyGen2 –Token Provisioning Protocol Executive Level Presentation.

SKS – Secure Key Store KeyGen2 –Token Provisioning Protocol Executive Level Presentation.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
Certificate and Key Storage Tokens and Software

Certificate and Key Storage Tokens and Software

Similar presentations

Ads by Google