Thomas Otto, Hannes Tschofenig. IETF 66th, July 2006, EMU Working Group. EAP-TLS-PSK, draft-otto-emu-eap-tls-psk-00.txt. Motivation for EAP-TLS-PSK. December 2005: Publication of RFC 4279 (TLS Pre-Shared Key Ciphersuites)
Thomas Otto, Hannes Tschofenig
IETF 66th, July 2006, EMU Working Group
EAP-TLS-PSK
draft-otto-emu-eap-tls-psk-00.txt
Motivation for EAP-TLS-PSK
• December 2005: Publication of RFC 4279 (TLS Pre-Shared Key Ciphersuites)
• EAP-TLSbis will be backward compatible and will only support certificate-based ciphersuites
• Pre-shared key based authentication performs very well and is well suited to constrained environments
• => There is a need for an EAP method that supports the TLS ciphersuites of RFC 4279
Ciphersuites of RFC 4279
• RFC 4279 specifies three ciphersuites
• PSK
  • Mutual authentication based on a pre-shared key, using symmetric cryptography only
• DHE_PSK
  • Uses the pre-shared key to authenticate an ephemeral Diffie-Hellman key exchange
• RSA_PSK
  • Authenticates the server with a certificate and the client with the pre-shared key
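How the pre-shared key enters the TLS premaster secret in each of the three RFC 4279 key exchanges, as an added example that is not part of the slides or the draft. The function names and sample values are constructed here, and rejecting an empty PSK is this example's own policy.

```python
import struct

def _combine(other_secret: bytes, psk: bytes) -> bytes:
    # RFC 4279 layout: uint16 len || other_secret || uint16 len || psk
    if not psk:
        raise ValueError("empty PSK")  # policy of this example, not an RFC rule
    if len(other_secret) > 0xFFFF or len(psk) > 0xFFFF:
        raise ValueError("field too long for a uint16 length prefix")
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)

def premaster_psk(psk: bytes) -> bytes:
    # Plain PSK: other_secret is N zero octets, where N = len(psk)
    return _combine(bytes(len(psk)), psk)

def premaster_dhe_psk(z: bytes, psk: bytes) -> bytes:
    # DHE_PSK: other_secret is the DH shared value Z with leading zero
    # octets stripped, so both sides agree on its length
    return _combine(z.lstrip(b"\x00"), psk)

def premaster_rsa_psk(client_version: bytes, random46: bytes, psk: bytes) -> bytes:
    # RSA_PSK: other_secret is the 48-octet value the client sends
    # RSA-encrypted: 2-octet version followed by 46 random octets
    if len(client_version) != 2 or len(random46) != 46:
        raise ValueError("expected 2-octet version and 46 random octets")
    return _combine(client_version + random46, psk)

if __name__ == "__main__":
    psk = bytes.fromhex("01020304")      # constructed sample key
    z = bytes.fromhex("0000abcd")        # constructed DH value with leading zeros
    print("PSK    ", premaster_psk(psk).hex())
    print("DHE_PSK", premaster_dhe_psk(z, psk).hex())
    print("RSA_PSK", premaster_rsa_psk(b"\x03\x01", bytes(range(46)), psk).hex())
```

With plain PSK the premaster secret contains nothing but the key, so a leaked PSK exposes recorded sessions; DHE_PSK mixes in the ephemeral value Z.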
EAP-TLS-PSK message flow

EAP peer                                  EAP server
<- EAP-Request/Identity
-> EAP-Response/Identity (MyID)
<- EAP-Request/Type=EAP-TLS-PSK (TLS Start)
-> EAP-Response/Type=EAP-TLS-PSK (ClientHello)
<- EAP-Request/Type=EAP-TLS-PSK (ServerHello, [Certificate,] [ServerKeyExchange,] ServerHelloDone)
-> EAP-Response/Type=EAP-TLS-PSK (ClientKeyExchange, ChangeCipherSpec, Finished)
<- EAP-Request/Type=EAP-TLS-PSK (ChangeCipherSpec, Finished)
-> EAP-Response/Type=EAP-TLS-PSK ()
<- EAP-Success