EAP-POTP The Protected One-Time Password EAP Method

EAP-POTP: The Protected One-Time Password EAP Method. Magnus Nystrom, David Mitton, RSA Security, Inc. Background: EAP-POTP is an EAP method designed for One-Time Password (OTP) tokens. EAP-POTP offers strong user authentication, mutual authentication, and protection of OTPs in transit.


Presentation Transcript


  1. EAP-POTP: The Protected One-Time Password EAP Method
     Magnus Nystrom, David Mitton, RSA Security, Inc.
     IETF 64, Vancouver, Canada

  2. Background
     • EAP-POTP is an EAP method designed for One-Time Password (OTP) tokens
     • EAP-POTP offers:
       • Strong user authentication
       • Mutual authentication
       • Protection of OTPs in transit
       • Establishment of key material
       • Fast session resumption
       • …capabilities that are missing from existing EAP methods used with OTP tokens

  3. Objectives
     • End-to-end protection of OTP value
     • Provide key material for lower layers (MSK, EMSK)
     • Minimal initial configuration
     • Minimize number of roundtrips
     • No PKI requirements
       • But complements PEAP, TTLS, and other tunneling methods
     • Meet RFC 3748, RFC 4017 requirements as well as requirements in keying-08
     • Support OTP “corner cases” such as
       • Next OTP
       • New PIN mode

  4. Typical Deployment: Wireless Authentication

  5. Method Specifics
     • Packet format builds on the use of TLVs
       • Similar to PEAP
     • “Hardens” OTPs to protect against eavesdroppers and MITMs
     • Extensible to various OTP types
     • Optional channel binding
     • Session Resumption mechanism
     For further information, see the presentation made to the EAP WG at IETF-62: http://www.drizzle.com/~aboba/IETF62/eap/ietf62_eap_potp.ppt

  6. A few Security Features
     • Freshness: each peer contributes a nonce
     • Channel binding: the client indicates the server it thinks it’s talking to
     • Protected PIN change
     • Protected results: client confirmation exchange
     • Selection: server realm ID in initial request

  7. Some Recent Updates
     • Introduction of Protected TLV
       • To take advantage of established key material already in the EAP session itself
       • Essentially, the protected TLV wraps other TLVs and integrity-protects them
     • Session resumption defined for basic mode
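To make the TLV packet format of slide 5 and the Protected TLV of slide 7 concrete, here is an added example (not code from the draft or from RSA) that encodes PEAP-style TLVs, wraps them in a Protected TLV, and integrity-checks them with an HMAC keyed by session key material. The header layout (2-byte type field with an M bit, 2-byte length), the type numbers, HMAC-SHA256, and the session key itself are assumptions for illustration, not the draft's wire format.

```python
import hmac
import hashlib
import struct

# Added illustration, not the draft's wire format. Assumed PEAP-style header:
# 2-byte type field (M bit + 14-bit type) followed by a 2-byte length.
TLV_HDR = struct.Struct("!HH")
MAC_LEN = 32  # HMAC-SHA256 output length, chosen for this illustration

# Illustrative TLV type numbers (not allocated by the draft)
T_NONCE = 1
T_OTP = 2
T_PROTECTED = 3

def encode_tlv(tlv_type, value, mandatory=True):
    """Serialize one TLV; bit 15 of the type field is the M (mandatory) flag."""
    flags = 0x8000 if mandatory else 0
    return TLV_HDR.pack(flags | (tlv_type & 0x3FFF), len(value)) + value

def decode_tlvs(data):
    """Parse concatenated TLVs into (type, mandatory, value) tuples."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < TLV_HDR.size:
            raise ValueError("truncated TLV header")
        field, length = TLV_HDR.unpack_from(data, off)
        off += TLV_HDR.size
        if off + length > len(data):
            raise ValueError("TLV length exceeds buffer")
        out.append((field & 0x3FFF, bool(field & 0x8000), data[off:off + length]))
        off += length
    return out

def protect(session_key, inner_tlvs):
    """Wrap TLVs in a Protected TLV whose value is inner || HMAC(key, inner)."""
    mac = hmac.new(session_key, inner_tlvs, hashlib.sha256).digest()
    return encode_tlv(T_PROTECTED, inner_tlvs + mac)

def unprotect(session_key, protected_tlv):
    """Check the HMAC and return the wrapped TLVs; raise ValueError if tampered."""
    (tlv_type, _, value), = decode_tlvs(protected_tlv)
    if tlv_type != T_PROTECTED or len(value) < MAC_LEN:
        raise ValueError("not a well-formed Protected TLV")
    inner, mac = value[:-MAC_LEN], value[-MAC_LEN:]
    expected = hmac.new(session_key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("integrity check failed")
    return decode_tlvs(inner)
```

A receiver that calls `unprotect` before acting on any inner TLV rejects packets whose contents were altered in transit or that were built without the session key, which is the property the Protected TLV is meant to provide.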

  8. Planned Updates & Current Status
     • Planned Updates
       • Protected ciphersuite negotiation
       • Use of dedicated session resumption key for session resumption (and not EMSK)
     • Status
       • Commercial implementations of protocol version 0 exist. Will work on distinguishing differences.
       • RSA willing to contribute the method to the EMU community if there is interest in adopting it as a standards-track work item

  9. IPR
     • RSA offers a reciprocal royalty-free license under RAND to all implementers
     • For details, see http://tinyurl.com/cvrfs

  10. Documents & Information
     • draft-nystrom-eap-potp-03.txt
     • Part of One-Time-Password Specifications: http://www.rsasecurity.com/rsalabs/otps
       • CT-KIP: Cryptographic Token Key Initialization Protocol
       • OTP PKCS#11 Mechanisms
       • OTP CAPI – MS CryptoAPI OTP extensions
       • OTP WSS Token: WS-Security OTP Token format
       • OTP Validation Service: Web service for OTP validation
     • Mailing list: subscribe otps to majordomo@majordomo.rsasecurity.com
     • Archive available by sending get otps otps.05 to the above email address
