20 likes | 172 Views
draft-badra-eap-double-tls-04.txt. « EAP-Double-TLS Authentication Protocol » Pascal.Urien@enst.fr. Goal & news. Authentication with shared key, based on the TLS standard resume mode Session-id: client login Master-secret: client shared secret EAP-ID: session-id or session-id@server.com
E N D
draft-badra-eap-double-tls-04.txt « EAP-Double-TLS Authentication Protocol » Pascal.Urien@enst.fr
Goal & news • Authentication with shared key, based on the TLS standard resume mode • Session-id: client login • Master-secret: client shared secret • EAP-ID: session-id or session-id@server.com • Main idea: Ensuring user’s anonymity • A second TLS handshake or AVP mechanism may be used to modify the tuple (session-id, master-secret) • What is new • Draft clarification • First byte of the SessionID is used as second phase discriminator struct { opaque random_bytes<0..24>; SecondPhaseExchange second_phase_exchange<1..8>; } SessionID; SecondPhaseExchange None = { 0x00 }; SecondPhaseExchange TLS = { 0x01 }; SecondPhaseExchange TLS_RSA_anon = { 0x02 }; SecondPhaseExchange TLS_DH_anon = { 0x03 }; SecondPhaseExchange AVP = { 0x04 };