eap-pax draft-clacy-eap-pax-05
DESCRIPTION
T. Charles Clancy [email protected], Department of Computer Science, University of Maryland, College Park; Laboratory for Telecommunication Sciences, US Department of Defense. IETF 64, EMU BoF, November 10, 2005. EAP-PAX draft-clacy-eap-pax-05.
UMD DEPARTMENT OF
COMPUTER SCIENCE
DOD LABORATORY FOR
TELECOMMUNICATION SCIENCES
EAP-PAX
draft-clacy-eap-pax-05
T. Charles Clancy
[email protected]
Department of Computer Science
University of Maryland, College Park
Laboratory for Telecommunication Sciences
US Department of Defense
IETF 64, EMU BoF, November 10, 2005
Slide 2
Overview
• Basic shared-key mutual authentication method
• Includes support for:
– Ciphersuite extensibility
– Provisioning with a weak key or password
– Key management (deriving new authentication keys) with perfect forward secrecy (using Diffie-Hellman)
– Identity protection / user anonymity
– Authenticated data exchange (supports channel binding)
• Provably secure
Slide 3
Subprotocols: PAX_STD
CLIENT SERVER
A
B, CID, MAC_CK(A, B, CID)
MAC_CK(B, CID)
ACK
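The PAX_STD exchange above as an added Python example (not code from the slides or the draft), using the HMAC-SHA1 MAC primitive the deck lists. It assumes the server opens with A and that CK is an already-shared key; the length-prefixed field encoding, the untruncated MAC, the sample CID, and the names `Server`, `Client`, `run_exchange` and `replay_accepted` are this example's own.

```python
import hashlib
import hmac
import os

NONCE_LEN = 32  # assumption: 256-bit random values for A and B

def mac_ck(ck, *fields):
    # MAC_CK(f1, f2, ...) with HMAC-SHA1. Length-prefixing each field is this
    # example's encoding (not the draft's) so field boundaries are unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(ck, msg, hashlib.sha1).digest()

class Server:
    def __init__(self, ck):
        self.ck = ck

    def start(self):
        self.a = os.urandom(NONCE_LEN)  # message 1: A
        return self.a

    def verify(self, b, cid, mac):
        # Check MAC_CK(A, B, CID) against this session's A; reply MAC_CK(B, CID).
        if not hmac.compare_digest(mac, mac_ck(self.ck, self.a, b, cid)):
            return None
        return mac_ck(self.ck, b, cid)  # message 3

class Client:
    def __init__(self, ck, cid):
        self.ck, self.cid = ck, cid

    def respond(self, a):
        self.b = os.urandom(NONCE_LEN)  # message 2: B, CID, MAC_CK(A, B, CID)
        return self.b, self.cid, mac_ck(self.ck, a, self.b, self.cid)

    def confirm(self, server_mac):
        # Authenticate the server; True means the client may send ACK.
        return server_mac is not None and hmac.compare_digest(server_mac, mac_ck(self.ck, self.b, self.cid))

def run_exchange(client_ck, server_ck, cid=b"client@example"):  # constructed CID
    server, client = Server(server_ck), Client(client_ck, cid)
    msg2 = client.respond(server.start())
    return client.confirm(server.verify(*msg2)), msg2

def replay_accepted(ck, captured_msg2):
    server = Server(ck)
    server.start()  # fresh A, so a MAC captured from an earlier session fails
    return server.verify(*captured_msg2) is not None
```

Because A is bound into the client's MAC and B into the server's, a message 2 recorded from one session is rejected in the next, which is the replay resistance the deck claims.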
Slide 4
Changes since -04
• Completed full proof of security, publication pending, will be available online: http://www.cs.umd.edu/~clancy/eap-pax/
• Added support for the authenticated exchange of data, targeted at channel binding
Slide 5
Subprotocols: PAX_SEC
CLIENT SERVER
M, PK or Cert_PK
ENC_PK(M, N, CID)
A, MAC_N(M, CID)
B, MAC_CK(A, B, CID)
MAC_CK(B, CID)
ACK
Slide 6
Certificate Requirements
• Use of certificate with PAX_SEC is RECOMMENDED

Certificate Mode        | Provisioning                   | Identity Protection
No Certificate          | MitM offline dictionary attack | ID reveal attack
Self-Signed Certificate | MitM offline dictionary attack | ID reveal attack
Key Caching             | MitM offline dictionary attack | ID reveal attack during first auth
CA-Signed Certificate   | secure mutual authentication   | secure mutual authentication
Slide 7
Security Properties
• Extensible Ciphersuite
– MAC Primitives:
  • HMAC-SHA1
  • AES-CBC-MAC
– Public-Key Primitives:
  • RSA-OAEP-2048
  • DH-3072, 256-bit exponents
• Attack Resistance (dictionary, replay, negotiation)
• Confidentiality (in ID protect mode)
Slide 8
Provable Security
• Random Oracle Model [Bellare 93]
• Supported primitives all act like Random Oracles [Bellare 94, Bellare 96, Bellare 00]
• Assume probabilistic, polynomial-time attacker
• EAP-PAX is secure against:
– passive attacks if:
  • PAX_STD without DH: Key O(2^k)
  • PAX_STD with DH: Key O(1)
  • PAX_SEC without DH: Key O(2^k)
  • PAX_SEC with DH: Key O(1)
– active attacks if:
  • PAX_STD: Key O(2^k), auth limit O(k^n)
  • PAX_SEC with cert: Key O(k^n), auth limit O(1)
  • PAX_SEC without cert: Key O(2^k), auth limit O(k^n)
Slide 9
Channel Binding
• Validate lower-layer EAP parameters during authentication
• Need secure mechanism for exchanging parameters
• What is needed? Confidentiality? Authenticity?
• PAX provides authenticity, but not confidentiality (would require additional symmetric-key ciphersuite)
• Attach “Authenticated Data Exchange” frames during authentication once keys have been derived
Slide 10
Channel Binding
CLIENT SERVER
A
B, CID, MAC, ADE(type1, value1)
MAC, ADE(type2, value2)
ACK, ADE(type3, value3)
…
ACK, ADE(typeN, valueN)
ACK, ADE(typeN+1, valueN+1)
EAP-Success / EAP-Failure