1 / 9

EAP Password Authenticated eXchange (PAX)

EAP Password Authenticated eXchange (PAX). I-D.clancy-eap-pax-00. T. Charles Clancy William A. Arbaugh {clancy,waa}@cs.umd.edu Department of Computer Science University of Maryland, College Park IETF 60, EAP WG August 4, 2004. PAX Design Goals.

mcgregor
Download Presentation

EAP Password Authenticated eXchange (PAX)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EAP Password Authenticated eXchange (PAX) I-D.clancy-eap-pax-00 T. Charles Clancy William A. Arbaugh {clancy,waa}@cs.umd.edu Department of Computer Science University of Maryland, College Park IETF 60, EAP WG August 4, 2004

  2. PAX Design Goals • Handheld devices in a wireless environment • Minimal complexity in terms of computation, packet count, and infrastructure • Bootstrap secure key derivation using a simple preshared secret (e.g. 4-digit PIN) • Server-controlled key management • Support for identity protection • Provably secure

  3. PAX Overview • PAX-Auth: 1 RT HMAC-based client authentication • Optional server-side certificate provides identity protection • Secure under the Standard model • PAX-Update: 2 RT mutually authenticated Diffie-Hellman protocol • Only used when key update is required • Optional server-side certificate provides identity protection and security against dictionary attacks • Secure under the RO model and DDH problem

  4. PAX-Auth Client Server X, [K, CertK] [EncK] ( Y, IDC, HMACP ( X, Y, IDC ) ) key K, certificate CertK, and public-key encryption EncK optional

  5. PAX-Update Client Server gX, [K, CertK] [EncK] ( gY, IDC, HMACP’ ( gX, IDC ) ) HMACP’ ( gX, gY, IDC ) NULL

  6. Key Derivation • Entropy e = (gXY)OR (X || Y) • P’ = TLS-PRF( P, "Authentication Key", e ) • MK = TLS-PRF( P', "Master Key”, e ) • MSK = TLS-PRF( MK, "Master Session Key", e ) • Secure under the RO model

  7. Cryptographic Primitives • Extensible • Currently supported: • HMAC: HMAC_SHA1_128 • DH: 3072-bit MODP Group [RFC3526] • PubKey: RSA-OAEP-2048

  8. Related Work • EKE, SPEKE, SRP: authentication schemes secure against dictionary attacks; IPR issues • TLS: slow; requires full PKI • PSK: no support for passwords; no key management

  9. Conclusion • PAX goals: • Bootstrap secure key derivation using weak PIN • Identity protection, key management • Looking for: • Community feedback • Method publication • Questions?

More Related