Robert G. Moskowitz - PowerPoint PPT Presentation

Slides: 9
Provided by: dolor2
Learn more at: https://www.ieee802.org
Transcript and Presenter's Notes

1
Needham-Schroeder Key Descriptor
  • Robert G. Moskowitz
  • ICSAlabs
  • IEEE 802 Plenary Meeting
  • Kauai, Nov 12, 2002

2
Needham-Schroeder Method
  • [Message-flow diagram. Parties: AS, Supp, Auth. Messages, in order: Credential Request, Encrypted Credential, Authed Credential, Authed ACK]

3
Needham-Schroeder in an EAP method
  • Model is the reverse of many EAP methods
  • The Supplicant drives the authentication
  • Initial Request might be just a filler record
  • Needham-Schroeder Request goes into an EAP
    Response
  • EAP finishes with the Supplicant having the
    credential for the Authenticator
  • But Needham-Schroeder exchange is not complete
  • Supplicant needs a methodology to deliver the
    credential to the Authenticator

4
Needham-Schroeder in an EAP method
  • Authenticator needs a methodology to reply to the
    supplicant
  • After which, the authentication is Successful,
    i.e. the EAP method is Successful
  • This can best be performed in an EAPOL-Key
    Exchange

5
802.1x/EAP Exchange
  • The 802.1x/EAP flow for Kerberos might be:
  • AUTH EAP Ident REQ
  • SUPP EAP Ident REP
  • AS EAP REQ -- Kerberos
  • SUPP EAP REP -- KRB_AS_REQ
  • AS EAP REQ -- KRB_AS_REP
  • SUPP EAPOL-Key -- KRB_AP_REQ
  • AUTH EAPOL-Key -- KRB_AP_REP
  • SUPP EAP REP -- Finished
  • AS RADIUS Accept
  • AUTH EAP Success

6
802.1x/EAP Reconnect Exchange
  • The 802.1x/EAP flow for Kerberos might be:
  • AUTH EAP Ident REQ
  • SUPP EAP Ident REP
  • AS EAP REQ -- Kerberos
  • SUPP EAPOL-Key -- KRB_AP_REQ
  • AUTH EAPOL-Key -- KRB_AP_REP
  • SUPP EAP REP -- Finished
  • AS RADIUS Accept
  • AUTH EAP Success
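
The two flows on slides 5 and 6 can be checked mechanically. The sketch below is an added example, not part of the original presentation: it transcribes both flows as (sender, message) pairs and reports the first step at which an observed trace deviates, for instance an EAP Success that arrives without the EAPOL-Key KRB_AP_REQ/KRB_AP_REP exchange. The names FULL, RECONNECT, FLOWS, check and SKIPPED_KEY_EXCHANGE are assumptions of this example.

```python
# Added example: message order transcribed from slides 5 and 6.
# FULL, RECONNECT, FLOWS, check and the sample trace are names invented here.
FULL = [
    ("AUTH", "EAP Ident REQ"),
    ("SUPP", "EAP Ident REP"),
    ("AS", "EAP REQ -- Kerberos"),
    ("SUPP", "EAP REP -- KRB_AS_REQ"),
    ("AS", "EAP REQ -- KRB_AS_REP"),
    ("SUPP", "EAPOL-Key -- KRB_AP_REQ"),
    ("AUTH", "EAPOL-Key -- KRB_AP_REP"),
    ("SUPP", "EAP REP -- Finished"),
    ("AS", "RADIUS Accept"),
    ("AUTH", "EAP Success"),
]
# Slide 6 is slide 5 without the KRB_AS_REQ / KRB_AS_REP pair.
RECONNECT = [step for step in FULL if "KRB_AS_" not in step[1]]
FLOWS = {"full": FULL, "reconnect": RECONNECT}


def common_prefix(a, b):
    """Number of leading steps on which two traces agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check(trace):
    """Return (flow_name, None) for a complete match, else (None, reason)."""
    trace = list(trace)
    for name, flow in FLOWS.items():
        if trace == flow:
            return name, None
    # Report against whichever flow the trace follows for longest.
    name, flow = max(FLOWS.items(), key=lambda kv: common_prefix(trace, kv[1]))
    i = common_prefix(trace, flow)
    got = trace[i] if i < len(trace) else "end of trace"
    want = flow[i] if i < len(flow) else "end of exchange"
    return None, f"step {i + 1} ({name} flow): got {got!r}, expected {want!r}"


# Constructed trace: the credential is fetched but never presented to the
# Authenticator, so the exchange slides 3 and 4 call incomplete "succeeds".
SKIPPED_KEY_EXCHANGE = [s for s in FULL if "EAPOL-Key" not in s[1]]

if __name__ == "__main__":
    for t in (FULL, RECONNECT, SKIPPED_KEY_EXCHANGE):
        print(check(t))
```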

7
EAPOL-Key Format
  Octet Number   Field
  1              Descriptor Type (7.6.1)
  1              EAP Type
  2-3            Length
  4-N            Needham-Schroeder Body

8
Samples of Needham-Schroeder Body
  • KRB_AP_REQ (RFC 1510)
  • KRB_AP_REP (RFC 1510)