1 / 5

IETF 66 Enhanced EAP-TLS Discussion

IETF 66 Enhanced EAP-TLS Discussion. Hao Zhou Cisco Systems, Inc. hzhou@cisco.com. Requirements. RFC2716bis focuses on describing current EAP-TLS implementation, no new enhancements New cipher suites, such as PSK, Kerberos, ECC

quinto
Download Presentation

IETF 66 Enhanced EAP-TLS Discussion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IETF 66Enhanced EAP-TLS Discussion Hao Zhou Cisco Systems, Inc. hzhou@cisco.com EMU WG, IETF 66

  2. Requirements • RFC2716bis focuses on describing current EAP-TLS implementation, no new enhancements • New cipher suites, such as PSK, Kerberos, ECC • New TLS extensions, e.g., authorization extension, identity protection extension. • RFC4017 requirements: channel binding, identity protection, shared state equivalence. • RFC4017 requirement: authentication methods beyond certificates • User name and password, secure token card, mobile credentials, asymmetric credentials (password one side and private/public key on other side) • Any others: enrollment, arbitrary data exchange, bootstrapping? EMU WG, IETF 66

  3. Weak Password Support • Part of the WG charter • Support existing databases with weak password • Existing solutions are thru tunneling TLS based method., e.g., PEAP, EAP-FAST, EAP-TTLS. • Do we continue to use TLS-based approach? • Does it make sense to develop a single enhanced EAP-TLS protocol to address this requirement? EMU WG, IETF 66

  4. How Many EAP-TLS Types are Required? • Type 13 for RFC2716 EAP-TLS • Type X for Enhanced EAP-TLS • Type Y For EAP-TLS PSK • Type Z for weak password support • Type ? for … Or a single EAP-TLS based method to support all enhanced features? EMU WG, IETF 66

  5. Proposal • Develop an Enhanced EAP-TLS method supports all requirements in Slide 2. • Allow client optionally not send client certificate in TLS handshake but go thru a second inner authentication in the protected TLS tunnel, which supports legacy weak password database. • It could be done thru inner EAP method in TLS Application data or TLS InnerApplication exchange. EMU WG, IETF 66

More Related