IETF 66 Enhanced EAP-TLS Discussion

1
IETF 66Enhanced EAP-TLS Discussion

• Hao Zhou
• Cisco Systems, Inc.
• hzhou_at_cisco.com

2
Requirements

• RFC2716bis focuses on describing current EAP-TLS
  implementation, no new enhancements
• New cipher suites, such as PSK, Kerberos, ECC
• New TLS extensions, e.g., authorization
  extension, identity protection extension.
• RFC4017 requirements channel binding, identity
  protection, shared state equivalence.
• RFC4017 requirement authentication methods
  beyond certificates
• User name and password, secure token card, mobile
  credentials, asymmetric credentials (password one
  side and private/public key on other side)
• Any others enrollment, arbitrary data exchange,
  bootstrapping?

3
Weak Password Support

• Part of the WG charter
• Support existing databases with weak password
• Existing solutions are thru tunneling TLS based
  method., e.g., PEAP, EAP-FAST, EAP-TTLS.
• Do we continue to use TLS-based approach?
• Does it make sense to develop a single enhanced
  EAP-TLS protocol to address this requirement?

4
How Many EAP-TLS Types are Required?

• Type 13 for RFC2716 EAP-TLS
• Type X for Enhanced EAP-TLS
• Type Y For EAP-TLS PSK
• Type Z for weak password support
• Type ? for
• Or a single EAP-TLS based method to support all
  enhanced features?

5
Proposal

• Develop an Enhanced EAP-TLS method supports all
  requirements in Slide 2.
• Allow client optionally not send client
  certificate in TLS handshake but go thru a second
  inner authentication in the protected TLS tunnel,
  which supports legacy weak password database.
• It could be done thru inner EAP method in TLS
  Application data or TLS InnerApplication
  exchange.