Maryland Information Systems Security Lab
DEPARTMENT OF
COMPUTER SCIENCE
EAP Password Authenticated eXchange (PAX)
T. Charles Clancy, William A. Arbaugh
{clancy,waa}@cs.umd.edu
Department of Computer Science
University of Maryland, College Park
IETF 61, EAP WG
November 10, 2004
draft-clancy-eap-pax-01
PAX Introduction
• 2 round-trip MAC-based mutual authentication
• Supports provisioning with a weak pre-shared key
• Optional server-side certificate provides secure provisioning
• Supports key management with forward secrecy using Diffie-Hellman
• Optional support for identity protection (requires server-side certificate)
• Extensible ciphersuite
Major Changes from -00 to -01
• Address Crypto Concerns
  – mutual authentication
  – multiple uses of certain keys with different primitives
• Protocol Implementation Issues
  – identity protection paradox
  – new identity protection subprotocol
• Paranoia with MD5 and TLS-PRF
  – extensible key derivation function
  – support for HMAC-SHA1 and AES-CBC-MAC
PAX_STD (no identity protection)
Server → Client: A, SID, [PK, Cert_PK]
Client → Server: [Enc_PK](B, CID, MAC_CK(A, B, CID, SID))
Server → Client: MAC_CK(B, CID, SID)
Client → Server: ACK
X, Y = rand(2^256)
If keyUpdate then A = g^X, B = g^Y, E = g^(XY)
else A = X, B = Y, E = (X || Y)
{AK’, CK, SessionKeys} = KDF(AK || E || KeyName)
PAX_IDP (identity protection)
Server → Client: M, SID, PK, Cert_PK
Client → Server: Enc_PK(M, N, CID)
Server → Client: A, MAC_N(A, CID, SID)
Client → Server: B, MAC_CK(A, B, CID, SID)
M, N, X, Y = rand(2^256)
If keyUpdate then A = g^X, B = g^Y, E = g^(XY)
else A = X, B = Y, E = (X || Y)
{AK’, CK, SessionKeys} = KDF(AK || E || KeyName)
Cryptographic Primitives
• Extensible
• Key Derivation Function
  – KDF16_X(Y) = MAC_X(Y || 1)
  – KDF64_X(Y) = MAC_X(Y || 1) || MAC_X(Y || 2) || MAC_X(Y || 3) || MAC_X(Y || 4)
• Currently supported:
  – MAC: HMAC-SHA1-128, AES-CBC-MAC-128
  – DH: 3072-bit MODP Group [RFC3526]
  – PubKey: RSA-OAEP-2048
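An added sketch, not code from the draft or from the authors' implementation, of the KDF above with HMAC-SHA1-128 and of the PAX_STD exchange with keyUpdate off. Assumptions: the MAC is truncated to its first 16 octets, the counter is a single octet, AK keys the KDF with E || KeyName as input, fields are plainly concatenated, and the KeyName labels and identities are constructed.

```python
import hmac, hashlib, secrets

def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1-128: HMAC-SHA1 cut to its first 16 octets (truncation rule assumed)."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:16]

def kdf16(x: bytes, y: bytes) -> bytes:
    """KDF16_X(Y) = MAC_X(Y || 1); counter encoded as one octet (assumed)."""
    return mac(x, y + b"\x01")

def kdf64(x: bytes, y: bytes) -> bytes:
    """KDF64_X(Y) = MAC_X(Y||1) || MAC_X(Y||2) || MAC_X(Y||3) || MAC_X(Y||4)."""
    return b"".join(mac(x, y + bytes([i])) for i in (1, 2, 3, 4))

def derive(ak: bytes, e: bytes):
    """{AK', CK, SessionKeys} = KDF(AK || E || KeyName).
    Assumed reading: AK is the MAC key, E || KeyName the input, one call per key.
    The KeyName labels below are constructed for this sketch."""
    return kdf16(ak, e + b"AK'"), kdf16(ak, e + b"CK"), kdf64(ak, e + b"SessionKeys")

def pax_std_no_update(server_ak, client_ak, sid=b"server.example", cid=b"client.example"):
    """Run PAX_STD with keyUpdate off. Returns (server_ok, client_ok, session_keys)."""
    a = secrets.token_bytes(32)                  # server: X = rand(2^256), A = X
    # msg 1, server to client: A, SID
    b = secrets.token_bytes(32)                  # client: Y = rand(2^256), B = Y
    _, c_ck, c_sess = derive(client_ak, a + b)   # E = X || Y
    tag2 = mac(c_ck, a + b + cid + sid)          # msg 2: B, CID, MAC_CK(A, B, CID, SID)
    _, s_ck, s_sess = derive(server_ak, a + b)
    server_ok = hmac.compare_digest(tag2, mac(s_ck, a + b + cid + sid))
    if not server_ok:                            # server stops: client did not prove AK
        return False, False, None
    tag3 = mac(s_ck, b + cid + sid)              # msg 3: MAC_CK(B, CID, SID)
    client_ok = hmac.compare_digest(tag3, mac(c_ck, b + cid + sid))
    return server_ok, client_ok, (s_sess, c_sess)  # msg 4 would be the client's ACK

if __name__ == "__main__":
    ak = secrets.token_bytes(16)                 # shared pre-provisioned key (constructed)
    print(pax_std_no_update(ak, ak)[:2])         # both sides verify
    print(pax_std_no_update(ak, secrets.token_bytes(16))[:2])  # mismatched AK fails
```

Because CK depends on both A and B, a MAC captured from one session does not verify in another, which is what lets a single long-term AK be reused without key update.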
PAX Implementation
• Currently Supports:
  – FreeRADIUS 1.0.1
  – XSupplicant 1.0.1
  – Authentication, Key Update
• Plan to Support:
  – Microsoft IAS
  – Windows XP Supplicant
  – Provisioning, Identity Protection
• Timings Experiment:
  – Cisco 1200 AP
  – Pentium 3 1.2GHz, Linux 2.4.26
PAX Implementation Timings
| Protocol | PK Crypto | RT | Time (ms) |
|---|---|---|---|
| PAX, no update | - | 2 | 9.6 |
| PAX, key update | DH-3072 | 2 | 127.3 |
| PAX, provision | DH-3072/RSA-2048 | 3 | N/A |
| EAP-TLS | DH-512/RSA-512 | 5 | 89.8 |
| EAP-TLS | DH-3072/RSA-2048 | 7 | 1076.7 |
| PEAP-MSCHAPv2 | DH-512/RSA-512 | 8 | 90.4 |
| PEAP-MSCHAPv2 | DH-3072/RSA-2048 | 10 | 1027.3 |
TLS/PEAP used OpenSSL DSA-DH parameters, PAX used 3072-bit prime and 256-bit exponent as recommended in [RFC3766]