Wireless LAN Certificate Extensions

1
Wireless LAN Certificate Extensions

• Russ Housley
• RSA Laboratories

2
Motivation

• Several EAP authentication methods employ
  certificates
• EAP-TLS used with PPP and IEEE 802.1X
• Desire automated selection of client certificates
  for PPP and IEEE 802.1X
• Certificate extensions identify intended
  environment, minimizing user input

3
EAP Extended Key Usage Values

• Extended Key Usage extension
• id-ce-extKeyUsage OBJECT IDENTIFIER id-ce
  37
• ExtKeyUsageSyntax SEQUENCE SIZE (1..MAX) OF
  KeyPurposeId
• KeyPurposeId OBJECT IDENTIFIER
• Key purpose values assigned for EAP
• id-kp-eapOverPPP OBJECT IDENTIFIER
  id-kp 13
• id-kp-eapOverLAN OBJECT IDENTIFIER
• id-kp 14

4
Support for Multiple Networks
Station
Access Point
AuthenticationServer

• Certificates
• Company WLAN
• Hotel ISP WLAN
• Airport ISP WLAN
• Hot Spot WLAN

Want to select certificate for the
current environment without user interaction.
5
WLAN SSID Extension (1 of 2)

• Each IEEE 802.11 WLAN has a different Service Set
  Identifier (SSID)
• If network operators have a roaming agreement,
  then one certificate could provide access to more
  than one WLAN
• WLAN SSID extension includes a list of SSIDs for
  automatic selection of an appropriate certificate

6
WLAN SSID Extension (2 of 2)

• WLAN SSID extension
• id-pe-wlanSSID OBJECT IDENTIFIER id-pe 13
  
• SSIDList SEQUENCE SIZE (1..MAX) OF SSID
  SSID OCTET STRING (SIZE (1..32))

7
Questions?