An EAP Enrollment Method
draft-mahy-eap-enrollment-00.txt
Rohan Mahy
rohan@ekabal.com
Motivation and Requirements
• Small Wireless Devices are a pain to enroll onto WLANs (ex: typing 802.1X credentials into a WLAN phone with multitap)
  • phones have small numeric keypads
  • most PDAs have no keyboard
  • some devices have no display
• After enrollment, devices need to work with existing WLAN infrastructure and auth mechanisms.
  • EAP-TLS w/ mutual auth — certs (best)
  • WPA(2) Enterprise — user/pass (good) [no CA]
  • WPA(2) Personal — shared secret (ok for consumer) [no AAA]
• We want to start with weak/convenient, temporary credentials, and bootstrap once to strong (high-entropy), permanent credentials
• Once we have an IP address on a secure WLAN, the device can fetch the rest of its config just like wired devices.
The Approach
• Use existing methods (EAP-TLS) to get a secure channel and authenticate the server
• Emphasis on semantics needed to get strong credentials to the device
• Doesn’t invent new crypto or key derivation
• Enrolled keys are not algorithmically related to the original weak credentials
• Thoughts?
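The bootstrap the Approach slide sketches, as an added illustration that is not part of the draft or the slides: an enrollment server that accepts a weak, short-lived, single-use PIN and hands back a permanent credential drawn from fresh randomness, so the permanent key has no algorithmic relation to the PIN. The server-authenticated EAP-TLS channel is assumed to already exist and is not modelled; the PIN lifetime, the attempt limit and the `now` parameter are assumptions made for the example.

```python
import hmac
import secrets
import time


class EnrollmentServer:
    """Hands out permanent credentials in exchange for a single-use,
    short-lived enrollment PIN. Assumed to run inside the server-authenticated
    EAP-TLS channel the slides describe; the channel itself is not modelled."""

    def __init__(self, ttl=300.0, max_attempts=3):
        self.ttl = ttl                  # seconds a temporary PIN stays valid (assumed)
        self.max_attempts = max_attempts  # online-guess budget per PIN (assumed)
        self._pending = {}              # device_id -> [pin, expires_at, tries_left]
        self._enrolled = {}             # device_id -> permanent credential (bytes)

    def issue_pin(self, device_id, now=None, pin=None):
        """Weak, convenient, temporary credential: six digits fit a keypad.
        `pin` may be supplied only to make examples reproducible."""
        if pin is None:
            pin = f"{secrets.randbelow(10**6):06d}"
        expires_at = (time.time() if now is None else now) + self.ttl
        self._pending[device_id] = [pin, expires_at, self.max_attempts]
        return pin

    def enroll(self, device_id, pin, now=None):
        """One-shot bootstrap: a correct, unexpired PIN is consumed and replaced
        by a 256-bit credential from the OS CSPRNG, so learning the PIN later
        reveals nothing about the permanent credential."""
        entry = self._pending.get(device_id)
        if entry is None:
            return None
        expected, expires_at, tries_left = entry
        current = time.time() if now is None else now
        if current > expires_at or tries_left <= 0:
            del self._pending[device_id]        # stale or exhausted window
            return None
        if not hmac.compare_digest(expected.encode(), pin.encode()):
            entry[2] -= 1                       # bound online guessing of a 6-digit PIN
            if entry[2] == 0:
                del self._pending[device_id]
            return None
        del self._pending[device_id]            # the PIN is single-use
        credential = secrets.token_bytes(32)    # independent of the PIN by construction
        self._enrolled[device_id] = credential
        return credential

    def credential_for(self, device_id):
        return self._enrolled.get(device_id)
```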