
EAP-FAST: Flexible and Secure Authentication Method

EAP-FAST is a well-established and widely implemented authentication method that provides flexibility, security, and support for various password systems. It offers protection against dictionary attacks and man-in-the-middle attacks, as well as cryptographic binding and compound key generation for inner key methods. EAP-FAST simplifies migration to 802.1X and EAP methods and reduces the computation load on small format devices, improving the scaling of AAA servers.


Presentation Transcript


  1. EAP-FAST (RFC 4851). Eugene Chang (genchang@cisco.com). EMU WG, IETF 70

  2. EAP-FAST Adoption Success
     • Stable implementation since 2003
     • Gartner Dataquest, May 2006*
       • EAP-FAST ~20%, LEAP ~17%, EAP-TTLS <15%
     • Already shipping in 41 product lines*
     • Client Implementations
       • Acer, Apple, Arcadyan Technology, Ascom, Atheros Communications, Azimuth Systems, Broadcom, Cisco Systems, Cisco-Linksys, Conexant Systems, Datalogic Mobile, Dell, Devicescape Software, Fujitsu Access, Fujitsu, Fujitsu Media Devices, Fujitsu Software Technologies, Fujitsu-Siemens Computers, Gateway, Hewlett-Packard, Integrated System Solution Corp., Intel, Intermec Technologies, Juniper Networks, Lenovo, LXE, Marvell, NEC, Philips, Psion Teklogix, Quanta Computer, Research In Motion, Sony, Summit Data Communications, Texas Instruments, Toshiba, VeriWave
     • Server Implementations
       • Avenda Systems, Cisco, Juniper, PeriodikLabs
     * The Secret Life of EAP-FAST: Adoption under the Radar (Cisco)
     EAP-FAST for IETF EMU WG

  3. EAP-FAST for Authentication
     • TLS-based tunneled EAP method
     • Supports use cases for LEAP, PEAP, and EAP-TTLS
     • Supports end-point integrity (NAC)
     • Flexibility to support a wide range of password systems
       • MS-CHAP, LDAP, OTP
     • User Identity Protection
     • Mutual Authentication
     • Immunity to active and passive dictionary attacks
     • Immunity to man-in-the-middle attacks
     • Cryptographic binding and compound key generation for inner key methods
     • Protected conversation for intermediate and termination results indication

  4. EAP-FAST Beyond Authentication
     • Cryptographic binding and compound key generation for inner key methods
     • Protected conversation for intermediate and termination results indication
     • Extensive TLV framework for defining new data exchanges
     • Flexibility to support multiple inner EAP protocols
     • Inner EAP protocol sequencing

  5. EAP-FAST Other Features
     • Protected Access Credential (PAC)
       • RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State
     • Flexibility to balance security and ease of deployment
       • Support use of server root certificates
       • Option of other server credentials, e.g. PAC
       • Key to migrating users from LEAP
     • Reduced cryptographic workload for small wireless devices
     • Better scaling by reducing AAA server workload

  6. Main Options for EAP-FAST Authentication (diagram slide; no transcript text)

  7. EAP-FAST Authentication Details (message ladder between Supplicant and RADIUS Server)
     Server -> Supplicant: EAP-Request/Identity
     Supplicant -> Server: EAP-Response/Identity (MyID1)
     Server -> Supplicant: EAP-Request/EAP-FAST (S=1, A-ID)
     Supplicant -> Server: EAP-Response/EAP-FAST (TLS client_hello w/ PAC-Opaque in SessionTicket ext)
     Server -> Supplicant: EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS Finished)
     Supplicant -> Server: EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS Finished)
     TLS Tunnel Established (subsequent messages sent inside tunnel) -- Details in Slide 6
     Tunnel Teardown
     Server -> Supplicant: EAP Success

  8. EAP-FAST Password Authentication Details (message ladder between Supplicant and RADIUS Server)
     TLS Tunnel Established (subsequent messages sent inside tunnel)
     Server -> Supplicant: EAP-Payload TLV (EAP-Request/EAP-GTC (Challenge))
     Supplicant -> Server: EAP-Payload TLV (EAP-Response/EAP-GTC (response with userID & password))
     Optional additional exchanges (new PIN mode, password change, etc.)
     Server -> Supplicant: Intermediate-Result TLV (Success), Crypto-Binding TLV (Request)
     Supplicant -> Server: Intermediate-Result TLV (Success), Crypto-Binding TLV (Response)
     Server -> Supplicant: Result TLV (Success) [Optional PAC TLV]
     Supplicant -> Server: Result TLV (Success) [PAC TLV Acknowledgement]
     Tunnel Teardown
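The phase-2 messages on this slide are carried as EAP-FAST TLVs inside the TLS tunnel. The following Python model is an added example, not code from the presentation or from any EAP-FAST implementation: it encodes and parses the RFC 4851 TLV header (M bit, 14-bit type, 16-bit length), builds the server's "Intermediate-Result TLV (Success) + Crypto-Binding TLV (Request)" message, and shows the supplicant-side checks a defender cares about, namely rejecting an unknown mandatory TLV with a NAK and refusing a Crypto-Binding TLV whose Compound MAC was not produced under the same compound key. The TLV type numbers and the Crypto-Binding layout follow RFC 4851; the CMK is a constructed byte string here rather than the output of the RFC's T-PRF key derivation, and the `process_server_message` helper and its verdict strings are this example's own.

```python
"""Model of the EAP-FAST phase-2 TLV exchange (RFC 4851 TLV format).

Added example. TLV type codes follow RFC 4851 section 4.2. The CMK that keys
the Compound MAC is constructed for the demo, not derived with the T-PRF.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# TLV type codes from RFC 4851 section 4.2
RESULT_TLV = 3
NAK_TLV = 4
EAP_PAYLOAD_TLV = 9
INTERMEDIATE_RESULT_TLV = 10
PAC_TLV = 11
CRYPTO_BINDING_TLV = 12
KNOWN_TYPES = {RESULT_TLV, NAK_TLV, EAP_PAYLOAD_TLV,
               INTERMEDIATE_RESULT_TLV, PAC_TLV, CRYPTO_BINDING_TLV}

STATUS_SUCCESS = 1
STATUS_FAILURE = 2
SUBTYPE_REQUEST = 0
SUBTYPE_RESPONSE = 1
MAC_LEN = 20  # Compound MAC is HMAC-SHA1 in RFC 4851


@dataclass
class TLV:
    mandatory: bool   # M bit: receiver must NAK the TLV if it does not understand it
    tlv_type: int     # 14-bit type (the R bit between M and type is always 0)
    value: bytes

    def encode(self) -> bytes:
        head = (0x8000 if self.mandatory else 0) | (self.tlv_type & 0x3FFF)
        return struct.pack("!HH", head, len(self.value)) + self.value


def encode_tlvs(tlvs) -> bytes:
    return b"".join(t.encode() for t in tlvs)


def decode_tlvs(data: bytes):
    """Parse a TLV stream; raise ValueError instead of over-reading a truncated message."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        head, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("truncated TLV value")
        tlvs.append(TLV(bool(head & 0x8000), head & 0x3FFF, data[off:off + length]))
        off += length
    return tlvs


def status_tlv(tlv_type: int, status: int) -> TLV:
    """Result TLV and Intermediate-Result TLV both start with a 2-octet Status."""
    return TLV(True, tlv_type, struct.pack("!H", status))


def crypto_binding_tlv(cmk: bytes, subtype: int, nonce: bytes, version: int = 1) -> TLV:
    """Crypto-Binding TLV: Reserved(1) Version(1) Received-Version(1) Sub-Type(1)
    Nonce(32) Compound-MAC(20). The MAC covers the whole TLV with the MAC field zeroed."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    body = bytes([0, version, version, subtype]) + nonce
    unsigned = TLV(True, CRYPTO_BINDING_TLV, body + bytes(MAC_LEN)).encode()
    return TLV(True, CRYPTO_BINDING_TLV, body + hmac.new(cmk, unsigned, hashlib.sha1).digest())


def verify_crypto_binding(cmk: bytes, tlv: TLV) -> bool:
    """Recompute the Compound MAC under this side's own CMK; constant-time compare."""
    if tlv.tlv_type != CRYPTO_BINDING_TLV or len(tlv.value) != 36 + MAC_LEN:
        return False
    body, mac = tlv.value[:36], tlv.value[36:]
    unsigned = TLV(tlv.mandatory, CRYPTO_BINDING_TLV, body + bytes(MAC_LEN)).encode()
    return hmac.compare_digest(hmac.new(cmk, unsigned, hashlib.sha1).digest(), mac)


def process_server_message(cmk: bytes, data: bytes) -> str:
    """Supplicant handling of one tunneled server message (helper invented for this example).
    Verdicts: 'ok', 'nak' (unknown mandatory TLV), 'inner-failed', 'binding-failed'."""
    for t in decode_tlvs(data):
        if t.tlv_type not in KNOWN_TYPES:
            if t.mandatory:
                return "nak"          # RFC 4851: reply with a NAK TLV
            continue                  # unknown optional TLVs are skipped
        if t.tlv_type in (RESULT_TLV, INTERMEDIATE_RESULT_TLV):
            if struct.unpack("!H", t.value[:2])[0] != STATUS_SUCCESS:
                return "inner-failed"
        if t.tlv_type == CRYPTO_BINDING_TLV and not verify_crypto_binding(cmk, t):
            return "binding-failed"   # inner method not bound to this tunnel
    return "ok"


if __name__ == "__main__":
    cmk = hashlib.sha1(b"constructed CMK, not T-PRF output").digest()  # constructed
    nonce = bytes(range(32))                                             # constructed
    msg = encode_tlvs([status_tlv(INTERMEDIATE_RESULT_TLV, STATUS_SUCCESS),
                       crypto_binding_tlv(cmk, SUBTYPE_REQUEST, nonce)])
    print(process_server_message(cmk, msg))           # ok
    print(process_server_message(b"\x00" * 20, msg))  # binding-failed
```

The binding check is the point of the slide's Crypto-Binding round trip: a Compound MAC keyed by a value that mixes the tunnel key with the inner method's key only verifies when both ends of the TLS tunnel are the same parties that ran the inner EAP-GTC exchange, which is what the "immunity to man-in-the-middle attacks" bullet on slide 3 refers to.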

  9. Documentation Status
     • RFC 4851 The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
       • EAP-FAST Framework
     • draft-cam-winget-eap-fast-provisioning-05.txt
     • draft-zhou-emu-fast-gtc-00.txt
       • Passwords, OTC, password/PIN maintenance
     • RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State
       • PAC Opaque

  10. Evaluation Against Current Requirements (table slide; no transcript text)

  11. Summary
     • EAP-FAST
       • Well-established EAP method
       • Stable design since 2003
       • Widely implemented, shipping in 41 product lines
       • Well recognized and adopted by enterprise deployments
       • Seems to meet existing requirements
     • Support for many other features
       • Many authentication methods
       • Endpoint integrity checks (for NEA)
       • Simplify migration to 802.1X and EAP methods
       • Reduce computation load on small format devices
       • Improve scaling of AAA servers
     • Why have users start over with yet another EAP method?

  12. EAP-FAST for IETF EMU WG
