IETF 76 – Hiroshima
Internet Draft : EAP-BIO
Pascal URIEN – Telecom ParisTech
Christophe KIENNERT – Telecom ParisTech
Introduction
• Combine EAP-TTLS with Biometry
• Project developed for particular security conditions
  • Administrative restricted access in sensitive areas
• Main ideas :
  • EAP-TTLS offers many choices for authentication protocols during Phase 2
  • Advantages of biometry combined with the security of EAP-TTLS
  • Digital signatures added using smartcards
EAP-TTLS (figure): the client speaks 802.1X to the Access point, which relays over RADIUS to a RADIUS Server and on to the HOME RADIUS Server (server certificate, user profiles); the EAP-TTLS tunnel between client and home server carries the Login, Password.
EAP-BIO (figure): the user's SmartCard initiates the EAP-TTLS session.
• Phase 1 : Mutual Authentication, using the client certificate and the server certificate
• Phase 2 : Biometric authentication, where the biometric reader produces a signed fingerprint that is sent to the server in an AVP encapsulating the signed fingerprint
• Session Keys : f(Master_Secret, Client_Random, Server_Random)
Mutual authentication – Phase 1 (message flow between Client, Access Point and Radius Server)
• Client → Access Point: EAPOL-Start
• Access Point → Client: EAP-Request/Identity
• Client → Access Point: EAP-Response/Identity, forwarded to the Radius Server as RADIUS(Access-Request)
• Radius Server → Access Point: RADIUS(Access-Challenge), delivered to the Client as EAP-Request/TTLS-Start
• Client → Access Point: EAP-Response/ClientHello, forwarded as RADIUS(Access-Request)
• Radius Server → Access Point: RADIUS(Access-Challenge)/ ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, delivered as EAP-Request/TTLS
• Client → Access Point: EAP-Response/ClientKeyExchange, Certificate, ChangeCipherSpec, Finished, forwarded as RADIUS(Access-Request)
• Radius Server → Access Point: RADIUS(Access-Challenge)/ ChangeCipherSpec, Finished, delivered as EAP-Request/TTLS
Authentication – Phase 2 (message flow between Client, Access point and Radius Server)
• Client → Access point: EAP-Response/ {Biometric fingerprint, timestamp, signatures}, forwarded as RADIUS(Access-Request)
• Radius Server: verification of authentication data
• Radius Server → Access point: RADIUS(Access-Accept), delivered to the Client as EAP-Success
EAP-BIO : Phase 1
• Phase 1 : Mutual authentication
• Need of a client certificate
  • Can be stored on a smartcard along with the RSA private key
  • The card is used to initiate the EAP-TTLS session
EAP-BIO : Phase 2
• Phase 2 : Biometric authentication
• Biometric fingerprint encapsulated in AVPs with CBEFF format
• Can be used on a 1:N or a 1:1 authentication
  • A 1:1 authentication is faster
  • EAP-BIO performs a 1:1 authentication since the identity of the user is known through Phase 1
• Security problems to be solved about biometry
  • Certify the fingerprint issued by the biometric reader
  • Certify the voluntary action of the user
  • The reader must be secure (prevent the use of false fingerprints)
Security of EAP-BIO
• Use of smartcards and digital signatures
• Sign the fingerprint issued by the reader
  • Insert a timestamp to prevent replay attacks
  • Sign the fingerprint with the client before sending to the server
• Certify the voluntary action of the user
  • Initiate the EAP-TTLS session with a smartcard
  • A signature from the user may be required
• Session Keys : f(Master-Secret, Client-random, Server-random)
AVP encapsulating the fingerprint (figure)
• Container Header
• Fingerprint (CBEFF Structure)
• PKCS#7 Capsule containing signatures
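An added example, not code from the draft or its authors, of the Phase 2 container described on the last two slides: the client signs timestamp||fingerprint and wraps it in an EAP-TTLS AVP (RFC 5281 layout: code, flags, length, data padded to 4 bytes), and the server verifies the signature and rejects stale timestamps. It assumes a constructed AVP code 0xFFFF, treats the CBEFF structure as opaque bytes, and uses a raw RSA PKCS#1 v1.5 signature instead of the PKCS#7 capsule.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Client side of Phase 2: sign timestamp||fingerprint (raw RSA PKCS#1 v1.5 here, not a PKCS#7 capsule)
// and wrap it in an EAP-TTLS AVP, RFC 5281 layout: code(4) flags(1) length(3) data, zero-padded to 4 bytes.
func buildFingerprintAVP(key *rsa.PrivateKey, fingerprint []byte, ts time.Time) ([]byte, error) {
	signed := make([]byte, 8, 8+len(fingerprint))
	binary.BigEndian.PutUint64(signed, uint64(ts.Unix()))
	signed = append(signed, fingerprint...) // CBEFF structure treated as opaque bytes
	digest := sha256.Sum256(signed)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	length := 8 + len(signed) + len(sig) // AVP length counts the 8-byte header, not the padding
	avp := make([]byte, (length+3)&^3)    // padding bytes stay zero
	binary.BigEndian.PutUint32(avp, 0xFFFF) // constructed AVP code; the draft's real value is not on the slides
	avp[4] = 0x40 // M bit: a server that cannot parse this AVP must reject the session
	avp[5], avp[6], avp[7] = byte(length>>16), byte(length>>8), byte(length)
	copy(avp[8+copy(avp[8:], signed):], sig)
	return avp, nil
}

// Server side: parse the AVP, verify the signature, then enforce a freshness window on the timestamp
// so a captured AVP cannot simply be replayed later. Returns the fingerprint template on success.
func verifyFingerprintAVP(pub *rsa.PublicKey, avp []byte, now time.Time, window time.Duration) ([]byte, error) {
	if len(avp) < 8 || binary.BigEndian.Uint32(avp) != 0xFFFF {
		return nil, errors.New("missing or unexpected AVP")
	}
	length, sigLen := int(avp[5])<<16|int(avp[6])<<8|int(avp[7]), pub.Size()
	if length > len(avp) || length < 16+sigLen {
		return nil, errors.New("bad AVP length")
	}
	signed, sig := avp[8:length-sigLen], avp[length-sigLen:length]
	digest := sha256.Sum256(signed)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("fingerprint signature invalid")
	}
	if ts := time.Unix(int64(binary.BigEndian.Uint64(signed)), 0); now.Sub(ts) > window || ts.Sub(now) > window {
		return nil, errors.New("timestamp outside replay window")
	}
	return signed[8:], nil
}
```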