
1 EAP-FAST RFC 4851
Eugene Chang (genchang@cisco.com)
EMU WG, IETF 70

2 EAP-FAST Adoption Success
- Stable implementation since 2003
- Gartner Dataquest, May 2006*: EAP-FAST ~20%, LEAP ~17%, EAP-TTLS <15%
- Already shipping in 41 product lines*
- Client implementations: Acer, Apple, Arcadyan Technology, Ascom, Atheros Communications, Azimuth Systems, Broadcom, Cisco Systems, Cisco-Linksys, Conexant Systems, Datalogic Mobile, Dell, Devicescape Software, Fujitsu Access, Fujitsu, Fujitsu Media Devices, Fujitsu Software Technologies, Fujitsu-Siemens Computers, Gateway, Hewlett-Packard, Integrated System Solution Corp., Intel, Intermec Technologies, Juniper Networks, Lenovo, LXE, Marvell, NEC, Philips, Psion Teklogix, Quanta Computer, Research In Motion, Sony, Summit Data Communications, Texas Instruments, Toshiba, VeriWave
- Server implementations: Avenda Systems, Cisco, Juniper, PeriodikLabs
* The Secret Life of EAP-FAST: Adoption under the Radar (Cisco)
December 4, 2007 EAP-FAST for IETF EMU WG

3 EAP-FAST for Authentication
- TLS-based tunneled EAP method
- Supports use cases for LEAP, PEAP, and EAP-TTLS
- Supports end-point integrity (NAC)
- Flexibility to support a wide range of password systems: MS-CHAP, LDAP, OTP
- User identity protection
- Mutual authentication
- Immunity to active and passive dictionary attacks
- Immunity to man-in-the-middle attacks
- Cryptographic binding and compound key generation for inner key methods
- Protected conversation for intermediate and termination results indication

4 EAP-FAST Beyond Authentication
- Cryptographic binding and compound key generation for inner key methods
- Protected conversation for intermediate and termination results indication
- Extensive TLV framework for defining new data exchanges
- Flexibility to support multiple inner EAP protocols
- Inner EAP protocol sequencing

5 EAP-FAST Other Features
- Protected Access Credential (PAC): RFC 4507, Transport Layer Security (TLS) Session Resumption without Server Side State
- Flexibility to balance security and ease of deployment
  - Support use of server root certificates
  - Option of other server credentials, e.g. PAC
- Key to migrating users from LEAP
- Reduced cryptographic workload for small wireless devices
- Better scaling by reducing AAA server workload

6 Main Options for EAP-FAST Authentication
- Provisioning
  - Manually provision device with server root certificate
  - Manually provision device with server generated PAC
  - Dynamically provision device with server generated PAC
- Mutual authentication
  - Authenticate server with server certificate
  - Authenticate server with PAC
- Establish TLS tunnel
- Perform client authentication in secure tunnel (using TLV object exchanges with crypto-binding and result indication)

7 EAP-FAST Authentication Details
Supplicant <-> RADIUS Server
1. Server -> Supplicant: EAP-Request/Identity
2. Supplicant -> Server: EAP-Response/Identity (MyID1)
3. Server -> Supplicant: EAP-Request/EAP-FAST (S=1, A-ID)
4. Supplicant -> Server: EAP-Response/EAP-FAST (TLS client_hello w/ PAC-Opaque in SessionTicket ext)
5. Server -> Supplicant: EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS Finished)
6. Supplicant -> Server: EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS finished)
7. TLS tunnel established (subsequent messages sent inside tunnel); details in Slide 6
8. Tunnel teardown
9. Server -> Supplicant: EAP Success

8 EAP-FAST Password Authentication Details
Supplicant <-> RADIUS Server
TLS tunnel established (subsequent messages sent inside tunnel)
1. Server -> Supplicant: EAP Payload TLV (EAP-Request/EAP-GTC (Challenge))
2. Supplicant -> Server: EAP Payload TLV (EAP-Response/EAP-GTC (response with userID & password))
3. Optional additional exchanges (new PIN mode, password change, etc.)
4. Server -> Supplicant: Intermediate-Result TLV (Success), Crypto-Binding TLV (Request)
5. Supplicant -> Server: Intermediate-Result TLV (Success), Crypto-Binding TLV (Response)
6. Server -> Supplicant: Result TLV (Success) [Optional PAC TLV]
7. Supplicant -> Server: Result TLV (Success) [PAC TLV Acknowledgement]
8. Tunnel teardown
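As an added example (not from the presentation and not code from any EAP-FAST implementation), a small Python encoder/decoder for the TLV framework of slide 4, plus a check of the slide 8 result-indication order: a peer should treat a Result TLV Success as final only after the Intermediate-Result and Crypto-Binding TLVs have been seen, which is what makes the result indication "protected" rather than a bare success flag. The TLV type codes are quoted from RFC 4851 as an assumption to be verified against the RFC, and the Crypto-Binding value is a placeholder, not a computed compound MAC.

```python
import struct

# EAP-FAST TLV type codes and Result status values as listed in RFC 4851 section 4.2
# (assumption: check them against the RFC text before relying on them).
TLV_RESULT, TLV_EAP_PAYLOAD, TLV_INTERMEDIATE_RESULT = 3, 9, 10
TLV_PAC, TLV_CRYPTO_BINDING = 11, 12
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

def encode_tlv(tlv_type, value, mandatory=True):
    """One TLV: M bit, reserved bit, 14-bit type, 16-bit length, then the value."""
    header = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", header, len(value)) + value

def decode_tlvs(data):
    """Split concatenated TLVs into (mandatory, type, value) tuples, rejecting truncation."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("TLV length runs past end of buffer")
        out.append((bool(header & 0x8000), header & 0x3FFF, data[off:off + length]))
        off += length
    return out

def accept_result(server_messages):
    """Walk the server's inner-tunnel messages in slide 8 order and accept a Result TLV
    Success only after an Intermediate-Result Success and a Crypto-Binding TLV were seen;
    a bare Result TLV, or one that arrives before the binding, is refused."""
    saw_intermediate = saw_binding = False
    for msg in server_messages:
        tlvs = {t: v for _, t, v in decode_tlvs(msg)}
        inter = tlvs.get(TLV_INTERMEDIATE_RESULT)
        if inter is not None and struct.unpack("!H", inter[:2])[0] == STATUS_SUCCESS:
            saw_intermediate = True
        if TLV_CRYPTO_BINDING in tlvs:
            saw_binding = True
        if TLV_RESULT in tlvs:
            status = struct.unpack("!H", tlvs[TLV_RESULT][:2])[0]
            return status == STATUS_SUCCESS and saw_intermediate and saw_binding
    return False

# Constructed sample of the slide 8 server side; the Crypto-Binding value is a placeholder,
# not a real compound MAC, so this exercises message ordering rather than key derivation.
GOOD_FLOW = [encode_tlv(TLV_INTERMEDIATE_RESULT, struct.pack("!H", STATUS_SUCCESS))
             + encode_tlv(TLV_CRYPTO_BINDING, b"\x00" * 8),
             encode_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS))]
UNBOUND_FLOW = [encode_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS))]
```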

9 Documentation Status
- RFC 4851: The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) (EAP-FAST framework)
- draft-cam-winget-eap-fast-provisioning-05.txt
- draft-zhou-emu-fast-gtc-00.txt: passwords, OTC, password/PIN maintenance
- RFC 4507: Transport Layer Security (TLS) Session Resumption without Server Side State (PAC Opaque)

10 Evaluation Against Current Requirements
Requirement / EAP-FAST status:
- Transport of encrypted password for support of legacy password databases: OK
- Mutual authentication
- Resistance to offline dictionary attacks, man-in-the-middle attacks, replay attacks
- Cryptographic tunnel binding
- Compliance with RFC 3748, RFC 4017 and EAP keying (including EMSK and MSK generation)
- Peer identity confidentiality
- Crypto agility and cipher suite negotiation: based on TLS 1.1, revisit when TLS 1.2 done
- Session resumption
- Protected result indication
- Fragmentation and reassembly
- Support for other password protocols
- Password/PIN change
- Transport channel binding data
- Transport other EAP methods
- Support for other data transport (NAC/NEA)
- Extension mechanism
- Support for certificate validation protocols

11 Summary
- EAP-FAST is a well-established EAP method
  - Stable design since 2003
  - Widely implemented, shipping in 41 product lines
  - Well recognized and adopted by enterprise deployments
- Seems to meet existing requirements
- Support for many other features
  - Many authentication methods
  - Endpoint integrity checks (for NEA)
  - Simplify migration to 802.1X and EAP methods
  - Reduce computation load on small format devices
  - Improve scaling of AAA servers
- Why have users start over with yet another EAP method?
