EAP-POTP The Protected One-Time Password EAP Method

1
EAP-POTPThe Protected One-Time Password EAP
Method

• Magnus Nystrom,David Mitton
• RSA Security, Inc.

2
Background

• EAP-POTP is an EAP method designed for One-Time
  Password (OTP) tokens
• EAP-POTP offers
• Strong user authentication
• Mutual authentication
• Protection of OTPs in transit
• Establishment of key material
• Fast session resumption
• capabilities that are missing from existing EAP
  methods used with OTP tokens

3
Objectives

• End-to-end protection of OTP value
• Provide key material for lower layers (MSK, EMSK)
• Minimal initial configuration
• Minimize number of roundtrips
• No PKI requirements
• But complements PEAP, TTLS, and other tunneling
  methods
• Meet RFC 3748, RFC 4017 requirements as well as
  requirements in keying-08
• Support OTP corner cases such as
• Next OTP
• New PIN mode

4
Typical Deployment,Wireless Authentication
5
Method Specifics

• Packet format builds on the use of TLVs
• Similar to PEAP
• Hardens OTPs to protect against eavesdroppers
  and MITMs
• Extensible to various OTP types
• Optional channel binding
• Session Resumption mechanism
• For further information, see the presentation
  made to the EAP WG at IETF-62http//www.drizzle.c
  om/aboba/IETF62/eap/ietf62_eap_potp.ppt

6
A few Security Features

• Freshness each peer contributes a nonce
• Channel binding the client indicates the server
  it thinks its talking to
• Protected Pin change
• Protected results Client confirmation exchange
• Selection Server realm ID in initial request

7
Some Recent Updates

• Introduction of Protected TLV
• To take advantage of established key material
  already in the EAP session itself
• Essentially, the protected TLV wraps other TLVs
  and integrity-protects them
• Session resumption defined for basic mode

8
Planned Updates Current Status

• Planned Updates
• Protected ciphersuite negotiation
• Use of dedicated session resumption key for
  session resumption (and not EMSK)
• Status
• Commercial implementations of protocol version 0
  exist. Will work on distinguishing differences.
• RSA willing to contribute the method to the EMU
  community if there is interest in adopting it as
  a standards-track work item

9
IPR

• RSA offers a reciprocal royalty-free license
  under RAND to all implementers
• For details, see http//tinyurl.com/cvrfs

10
Documents Information

• draft-nystrom-eap-potp-03.txt
• Part of One-Time-Password Specifications
  http//www.rsasecurity.com/rsalabs/otps
• CT-KIP Cryptographic Token Key Initialization
  Protocol
• OTP PKCS11 Mechanisms
• OTP CAPI MS CryptoAPI OTP extensions
• OTP WSS Token WS-Security OTP Token format
• OTP Validation Service Web service for OTP
  validation
• Mailing list subscribe otps to
  majordomo_at_majordomo.rsasecurity.com
• Archive available by sending get otps otps.05 to
  the above email address