EAP-TLS-PSK draft-otto-emu-eap-tls-psk-00.txt

1
EAP-TLS-PSKdraft-otto-emu-eap-tls-psk-00.txt

• Thomas Otto
• Hannes Tschofenig
• IETF 66th, July 2006, EMU Working Group

2
Motivation for EAP-TLS-PSK

• December 2005 Publication of RFC 4279 (TLS
  Pre-Shared Key Ciphersuites)
• EAP-TLSbis will be backward compatible and only
  support certificate-based ciphersuites
• Pre-shared key based authentication is very
  performant and highly appreciable for constrained
  environments
• gt There is need for an EAP method that supports
  the TLS ciphersuites of RFC 4279

3
Ciphersuites of RFC 4279

• RFC 4279 specifies three ciphersuites
• PSK
• Mutual authentication based on a pre-shared key
  using symmetric cryptography only
• DHE_PSK
• Use the pre-shared key to authenticate an
  ephemeral Diffie-Hellman key exchange
• RSA_PSK
• Authenticate the server certificate-based and
  the client pre-shared key based

4
EAP-TLS-PSK message flow
EAP peer
EAP server
EAP-Request/Identity EAP-Response/Identity
(MyID) EAP-Request/TypeEAP-TLS-PSK (TLS
Start) EAP-Response/TypeEAP-TLS-PSK (ClientHello
) EAP-Request/TypeEAP-TLS-PSK
(ServerHello, Certificate, ServerKeyExchange,
ServerHelloDone) EAP-Response/TypeEAP-TLS-PSK (C
lientKeyExchange, ChangeCipherSpec, Finished)
EAP-Request/TypeEAP-TLS-
PSK (ChangeCipherSpec, Finished) EAP-Response/Typ
eEAP-TLS-PSK() EAP-Success
5
Questions?