EAP Password Authenticated eXchange (PAX) - PowerPoint PPT Presentation

About This Presentation
Title:

EAP Password Authenticated eXchange (PAX)

Description:

Title: Slide 1 Author: Charles Clancy Last modified by: rbunch Created Date: 3/15/2004 6:08:02 PM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Number of Views:52
Avg rating:3.0/5.0
Slides: 9
Provided by: CharlesC174
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: EAP Password Authenticated eXchange (PAX)


1
EAP Password Authenticated eXchange (PAX)
draft-clancy-eap-pax-01
  • T. Charles Clancy William A. Arbaugh
  • clancy,waa_at_cs.umd.edu
  • Department of Computer Science
  • University of Maryland, College Park
  • IETF 61, EAP WG
  • November 10, 2004

2
PAX Introduction
  • 2 round-trip MAC-based mutual authentication
  • Supports provisioning with a weak pre-shared key
  • Optional server-side certificate provides secure
    provisioning
  • Supports key management with forward secrecy
    using Diffie-Hellman
  • Optional support for identity protection
    (requires server-side certificate)
  • Extensible ciphersuite

3
Major Changes from -00 to -01
  • Address Crypto Concerns
  • mutual authentication
  • multiple uses of certain keys with different
    primitives
  • Protocol Implementation Issues
  • identity protection paradox
  • new identity protection subprotocol
  • Paranoia with MD5 and TLS-PRF
  • extensible key derivation function
  • support for HMAC-SHA1 and AES-CBC-MAC

4
PAX_STD (no identity protection)
X, Y rand(2256) If keyUpdate then A gX, B
gY, E gXY else A X, B Y, E (X
Y) AK, CK, SessionKeys KDF(AK E
KeyName)
Server
Client
A, SID, PK, CertPK
EncPK (B, CID, MACCK(A, B, CID, SID))
MACCK(B, CID, SID)
ACK
5
PAX_IDP (identity protection)
M, N, X, Y rand(2256) If keyUpdate then A
gX, B gY, E gXY else A X, B Y, E (X
Y) AK, CK, SessionKeys KDF(AK E
KeyName)
Server
Client
M, SID, PK, CertPK
EncPK (M, N, CID)
A, MACN(A, CID, SID)
B, MACCK(A, B, CID, SID)
6
Cryptographic Primitives
  • Extensible
  • Key Derivation Function
  • KDF16X(Y) MACX(Y 1)
  • KDF64X(Y) MACX(Y 1) MACX(Y 2)
  • MACX(Y 3) MACX(Y 4)
  • Currently supported
  • MAC HMAC-SHA1-128
  • AES-CBC-MAC-128
  • DH 3072-bit MODP Group RFC3526
  • PubKey RSA-OAEP-2048

7
PAX Implementation
  • Currently Supports
  • FreeRADIUS 1.0.1
  • XSupplicant 1.0.1
  • Authentication, Key Update
  • Plan to Support
  • Microsoft IAS
  • Windows XP Supplicant
  • Provisioning, Identity Protection
  • Timings Experiment
  • Cisco 1200 AP
  • Pentium 3 1.2GHz, Linux 2.4.26

8
PAX Implementation Timings
Protocol PK Crypto RT Time (ms)
PAX, no update PAX, key update PAX, provision - DH-3072 DH-3072/RSA-2048 2 2 3 9.6 127.3 N/A
EAP-TLS EAP-TLS DH-512/RSA-512 DH-3072/RSA-2048 5 7 89.8 1076.7
PEAP-MSCHAPv2 PEAP-MSCHAPv2 DH-512/RSA-512 DH-3072/RSA-2048 8 10 90.4 1027.3
TLS/PEAP used OpenSSL DSA-DH parameters, PAX used
3072-bit prime and 256-bit exponent as
recommended in RFC3766
Write a Comment
User Comments (0)
About PowerShow.com