90 likes | 107 Views
EAP Password Authenticated eXchange (PAX). I-D.clancy-eap-pax-00. T. Charles Clancy William A. Arbaugh {clancy,waa}@cs.umd.edu Department of Computer Science University of Maryland, College Park IETF 60, EAP WG August 4, 2004. PAX Design Goals.
E N D
EAP Password Authenticated eXchange (PAX) I-D.clancy-eap-pax-00 T. Charles Clancy William A. Arbaugh {clancy,waa}@cs.umd.edu Department of Computer Science University of Maryland, College Park IETF 60, EAP WG August 4, 2004
PAX Design Goals • Handheld devices in a wireless environment • Minimal complexity in terms of computation, packet count, and infrastructure • Bootstrap secure key derivation using a simple preshared secret (e.g. 4-digit PIN) • Server-controlled key management • Support for identity protection • Provably secure
PAX Overview • PAX-Auth: 1 RT HMAC-based client authentication • Optional server-side certificate provides identity protection • Secure under the Standard model • PAX-Update: 2 RT mutually authenticated Diffie-Hellman protocol • Only used when key update is required • Optional server-side certificate provides identity protection and security against dictionary attacks • Secure under the RO model and DDH problem
PAX-Auth Client Server X, [K, CertK] [EncK] ( Y, IDC, HMACP ( X, Y, IDC ) ) key K, certificate CertK, and public-key encryption EncK optional
PAX-Update Client Server gX, [K, CertK] [EncK] ( gY, IDC, HMACP’ ( gX, IDC ) ) HMACP’ ( gX, gY, IDC ) NULL
Key Derivation • Entropy e = (gXY)OR (X || Y) • P’ = TLS-PRF( P, "Authentication Key", e ) • MK = TLS-PRF( P', "Master Key”, e ) • MSK = TLS-PRF( MK, "Master Session Key", e ) • Secure under the RO model
Cryptographic Primitives • Extensible • Currently supported: • HMAC: HMAC_SHA1_128 • DH: 3072-bit MODP Group [RFC3526] • PubKey: RSA-OAEP-2048
Related Work • EKE, SPEKE, SRP: authentication schemes secure against dictionary attacks; IPR issues • TLS: slow; requires full PKI • PSK: no support for passwords; no key management
Conclusion • PAX goals: • Bootstrap secure key derivation using weak PIN • Identity protection, key management • Looking for: • Community feedback • Method publication • Questions?