Version 1 of EAP-TTLS - PowerPoint PPT Presentation

About This Presentation

Title: Version 1 of EAP-TTLS

Description: TLS master secret permutation. Initial master key is derived as usual during initial handshake phase. Master key is permuted at the end of each application phase: ...

Slides: 9
Provided by: paul154
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Version 1 of EAP-TTLS
  • draft-ietf-pppext-eap-ttls-05.txt
  • http://www.funk.com/documents/draft-ietf-pppext-eap-ttls-05.txt
  • Paul Funk
  • Funk Software

2
New Version of EAP-TTLS
  • A version field is now defined in the Flag bits
  • Previous version is 0, new version is 1.
  • Version 1 features
      • Session keys mixed with TLS master secret
      • Secure exchange of result of inner authentication
      • Exchange of inner AVPs moved from TLS data phase
        into TLS handshake
  • New InnerApplication extension to TLS (TLS/IA)
    defined to carry inner AVPs within handshake
      • TLS data phase is free for other uses
      • EAP-TTLS v1 is one binding to TLS/IA
      • Other protocols, such as HTTP, may also be bound
        to TLS/IA

3
TLS InnerApplication Extension (TLS/IA)
  • Uses standard RFC 3546 extension mechanism
  • InnerApplication extension appended to
    ClientHello, confirmed in ServerHello
  • TLS/IA handshake is multi-phase
      • Initial phase
          • Normal TLS handshake
          • Instantiate cipher suite to create tunnel
      • Application phase(s) (normally one, may be more)
          • Exchange AVPs for authentication and other
            applications
          • Permute TLS master secret based on session keys
          • Instantiate cipher suite with new master secret
  • Phase Transitions
      • PhaseFinished terminates each handshake phase
        prior to final
      • Finished terminates final handshake phase

4
Comparison of TLS Encapsulation
(Diagram, reconstructed from the slide's labels)
  • In EAP-TTLS version 0 (as well as EAP-PEAP/FAST)
      • TLS handshake: Handshake msgs, CCS/Finished
      • TLS data: AVPs
  • In EAP-TTLS version 1
      • TLS/IA handshake: Handshake msgs, CCS/PhaseFinished,
        AVPs, CCS/Finished
      • TLS data: "This space available"

5
Session Key Binding
  • Inner session keys are mixed into master key and
      • confirmed by Finished message
      • mixed into outer session keys (e.g. MPPE keys)
  • TLS master secret permutation
      • Initial master key is derived as usual during
        initial handshake phase
      • Master key is permuted at the end of each
        application phase
          • PRF is applied to create 48-octet vector
          • Any inner session keys developed during this
            phase are arithmetically added to vector
          • Result is new master key
      • Master key at end of final phase is actual master
        key for session
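Added example (not code from the draft, the slides, or Funk Software): the end-of-phase master secret permutation described on this slide, carried through several application phases in Python. The PRF is the RFC 2246 (TLS 1.0) PRF, which is what TLS of this era used; the label string, the use of client and server randoms as the PRF seed, and wraparound of the addition modulo 2^384 are assumptions, since the slide only says "PRF" and "arithmetically added". Sample secrets and randoms are constructed.

```python
import hmac

MOD = 1 << 384  # 48 octets; modular wraparound is an assumption, the slide only says "added"


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: HMAC-based expansion of (secret, seed) to `length` octets."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """RFC 2246 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def permute_master_secret(master_secret, client_random, server_random, inner_keys,
                          label=b"inner secret permutation"):
    """End-of-application-phase step from the slide: PRF -> 48-octet vector, then add each
    inner session key as a big-endian unsigned integer. Label and seed are assumptions."""
    vector = tls10_prf(master_secret, label, client_random + server_random, 48)
    acc = int.from_bytes(vector, "big")
    for key in inner_keys:
        acc = (acc + int.from_bytes(key, "big")) % MOD
    return acc.to_bytes(48, "big")


def run_phases(initial_master_secret, client_random, server_random, phases):
    """Chain the permutation over several application phases; `phases` is a list of
    per-phase inner-key lists (an empty list means that phase produced no keys)."""
    ms = initial_master_secret
    for inner_keys in phases:
        ms = permute_master_secret(ms, client_random, server_random, inner_keys)
    return ms  # master key at the end of the final phase is the session's real master key


if __name__ == "__main__":
    # Constructed sample values, not taken from any real handshake.
    ms0 = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    inner = [b"\xab" * 32]  # e.g. a key produced by the inner authentication
    print(permute_master_secret(ms0, cr, sr, inner).hex())
```

Because the inner keys are added to a PRF output that only the two TLS endpoints can compute, a subsequent Finished message over the new master secret confirms both the tunnel and the inner authentication, which is the binding the next slide relies on.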

6
Success/Failure Confirmation
  • Handshake message confirmation
      • Each PhaseFinished or Finished message confirms
        handshake messages in current and all previous
        handshake phases
  • Inner authentication confirmation
      • Success is signalled by exchange of Finished
        messages
      • Failure is signalled by TLS failure alert
      • Exchange of Finished messages prevents truncation
        attack

7
Other Uses of TLS/IA
  • As with previous version, inner AVPs can be used
    for various purposes
      • authentication
      • key exchange
      • client integrity attestation
      • etc.
  • TLS/IA can provide inner AVP capabilities to
    other protocols besides EAP-TTLS
  • Possible other uses for TLS/IA
      • HTTP with EAP authentication
      • Alternative to IKE for IPsec authenticated key
        establishment
      • Setting up SSL VPN

8
IETF Plans
  • Split into 3 drafts
      • EAP-TTLS v0, which is deployed and has several
        interoperable implementations
      • TLS/IA, the InnerApplication extension to TLS
      • EAP-TTLS v1, specified as an encapsulation of
        TLS/IA
  • Submit each draft for RFC proposed standard
    status (weather permitting)