Title: EAP%20Password%20Authenticated%20eXchange%20(PAX)
1EAP Password Authenticated eXchange (PAX)
draft-clancy-eap-pax-01
- T. Charles Clancy William A. Arbaugh
- clancy,waa_at_cs.umd.edu
- Department of Computer Science
- University of Maryland, College Park
- IETF 61, EAP WG
- November 10, 2004
2PAX Introduction
- 2 round-trip MAC-based mutual authentication
- Supports provisioning with a weak pre-shared key
- Optional server-side certificate provides secure
provisioning - Supports key management with forward secrecy
using Diffie-Hellman - Optional support for identity protection
(requires server-side certificate) - Extensible ciphersuite
3Major Changes from -00 to -01
- Address Crypto Concerns
- mutual authentication
- multiple uses of certain keys with different
primitives - Protocol Implementation Issues
- identity protection paradox
- new identity protection subprotocol
- Paranoia with MD5 and TLS-PRF
- extensible key derivation function
- support for HMAC-SHA1 and AES-CBC-MAC
4PAX_STD (no identity protection)
X, Y rand(2256) If keyUpdate then A gX, B
gY, E gXY else A X, B Y, E (X
Y) AK, CK, SessionKeys KDF(AK E
KeyName)
Server
Client
A, SID, PK, CertPK
EncPK (B, CID, MACCK(A, B, CID, SID))
MACCK(B, CID, SID)
ACK
5PAX_IDP (identity protection)
M, N, X, Y rand(2256) If keyUpdate then A
gX, B gY, E gXY else A X, B Y, E (X
Y) AK, CK, SessionKeys KDF(AK E
KeyName)
Server
Client
M, SID, PK, CertPK
EncPK (M, N, CID)
A, MACN(A, CID, SID)
B, MACCK(A, B, CID, SID)
6Cryptographic Primitives
- Extensible
- Key Derivation Function
- KDF16X(Y) MACX(Y 1)
- KDF64X(Y) MACX(Y 1) MACX(Y 2)
- MACX(Y 3) MACX(Y 4)
- Currently supported
- MAC HMAC-SHA1-128
- AES-CBC-MAC-128
- DH 3072-bit MODP Group RFC3526
- PubKey RSA-OAEP-2048
7PAX Implementation
- Currently Supports
- FreeRADIUS 1.0.1
- XSupplicant 1.0.1
- Authentication, Key Update
- Plan to Support
- Microsoft IAS
- Windows XP Supplicant
- Provisioning, Identity Protection
- Timings Experiment
- Cisco 1200 AP
- Pentium 3 1.2GHz, Linux 2.4.26
8PAX Implementation Timings
Protocol PK Crypto RT Time (ms)
PAX, no update PAX, key update PAX, provision - DH-3072 DH-3072/RSA-2048 2 2 3 9.6 127.3 N/A
EAP-TLS EAP-TLS DH-512/RSA-512 DH-3072/RSA-2048 5 7 89.8 1076.7
PEAP-MSCHAPv2 PEAP-MSCHAPv2 DH-512/RSA-512 DH-3072/RSA-2048 8 10 90.4 1027.3
TLS/PEAP used OpenSSL DSA-DH parameters, PAX used
3072-bit prime and 256-bit exponent as
recommended in RFC3766