
Enhancing EAP-TLS: Discussion on New Cipher Suites and Protocol Enhancements at IETF 66

This document summarises the requirements and proposals for enhancing EAP-TLS as presented to the EMU working group at IETF 66. Key topics include the scope of RFC2716bis (documenting current implementations, with no new enhancements), the introduction of new cipher suites (PSK, Kerberos, ECC), and TLS extensions such as authorization and identity protection. It also reviews the RFC4017 requirement for authentication methods beyond certificates, support for existing weak-password databases, and whether a single enhanced EAP-TLS method could address these diverse requirements. The proposal is to let the client optionally omit its certificate in the TLS handshake and instead perform a second, legacy authentication inside the protected TLS tunnel.


Presentation Transcript


  1. IETF 66 Enhanced EAP-TLS Discussion
     Hao Zhou, Cisco Systems, Inc., hzhou@cisco.com
     EMU WG, IETF 66

  2. Requirements
     • RFC2716bis focuses on describing the current EAP-TLS implementation; it adds no new enhancements
     • New cipher suites, such as PSK, Kerberos, ECC
     • New TLS extensions, e.g., authorization extension, identity protection extension
     • RFC4017 requirements: channel binding, identity protection, shared state equivalence
     • RFC4017 requirement: authentication methods beyond certificates
       • User name and password, secure token card, mobile credentials, asymmetric credentials (password on one side and private/public key on the other)
     • Any others: enrollment, arbitrary data exchange, bootstrapping?

  3. Weak Password Support
     • Part of the WG charter
     • Support existing databases with weak passwords
     • Existing solutions tunnel the weak method inside a TLS-based method, e.g., PEAP, EAP-FAST, EAP-TTLS
     • Do we continue to use the TLS-based approach?
     • Does it make sense to develop a single enhanced EAP-TLS protocol to address this requirement?

  4. How Many EAP-TLS Types are Required?
     • Type 13 for RFC2716 EAP-TLS
     • Type X for Enhanced EAP-TLS
     • Type Y for EAP-TLS PSK
     • Type Z for weak password support
     • Type ? for …
     Or a single EAP-TLS based method to support all enhanced features?
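The EAP Type number in this slide is the only thing that distinguishes EAP-TLS from the tunnelling methods the previous slide names on the wire; the TLS-carrying Type-Data (one flags byte, an optional TLS Message Length, then raw TLS records) is shared by EAP-TLS, EAP-TTLS, PEAP and EAP-FAST. The following parser, fragmenter and reassembler is an added example written for this page, not code from the slides or from Cisco; it uses the IANA type numbers 13, 21, 25 and 43, treats the low three flag bits as a version field for everything except EAP-TLS, and the sample TLS record is constructed bytes, not a real handshake.

```python
# Added example, not part of the IETF 66 slides: the EAP packet layout that
# EAP-TLS (Type 13) and the TLS-tunnelling methods the slides name share.
# Sample record bytes below are constructed, not a real TLS handshake.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# IANA EAP method type numbers for the methods discussed in the slides.
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43
TLS_CARRYING = {EAP_TLS: "EAP-TLS", EAP_TTLS: "EAP-TTLS",
                EAP_PEAP: "PEAP", EAP_FAST: "EAP-FAST"}

# Flags byte: L = TLS Message Length field present, M = more fragments follow,
# S = start.  PEAP, EAP-TTLS and EAP-FAST put a version number in the low three
# bits; EAP-TLS reserves those bits and they are treated as zero here.
FLAG_L, FLAG_M, FLAG_S, VERSION_MASK = 0x80, 0x40, 0x20, 0x07


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; raise ValueError on anything malformed."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes")
    msg = {"code": code, "id": ident}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return msg                      # no Type field on Success/Failure
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("bad EAP Code or missing Type")
    eap_type = pkt[4]
    msg["type"] = eap_type
    if eap_type not in TLS_CARRYING:
        msg["data"] = pkt[5:]           # Identity, Nak, MSCHAPv2, ... not decoded here
        return msg
    if length < 6:
        raise ValueError("TLS-carrying method without Flags byte")
    flags, body = pkt[5], pkt[6:]
    tls_len = None
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        tls_len, body = struct.unpack("!I", body[:4])[0], body[4:]
    msg.update(method=TLS_CARRYING[eap_type],
               length_included=bool(flags & FLAG_L),
               more=bool(flags & FLAG_M),
               start=bool(flags & FLAG_S),
               version=None if eap_type == EAP_TLS else flags & VERSION_MASK,
               tls_len=tls_len, tls=body)
    return msg


def build_tls_fragments(eap_type: int, ident: int, tls_record: bytes,
                        mtu: int, version: int = 0) -> list:
    """Fragment one TLS record into EAP Requests: L on the first, M on all but the last."""
    if eap_type == EAP_TLS and version:
        raise ValueError("EAP-TLS has no version bits")
    frags, pos = [], 0
    while True:
        first = pos == 0
        room = mtu - 6 - (4 if first else 0)   # header + optional length field
        if room <= 0:
            raise ValueError("MTU too small for the EAP-TLS header")
        chunk = tls_record[pos:pos + room]
        pos += len(chunk)
        more = pos < len(tls_record)
        flags = (FLAG_L if first else 0) | (FLAG_M if more else 0) | (version & VERSION_MASK)
        payload = (struct.pack("!I", len(tls_record)) if first else b"") + chunk
        frags.append(struct.pack("!BBHBB", EAP_REQUEST, ident, 6 + len(payload),
                                 eap_type, flags) + payload)
        ident = (ident + 1) & 0xFF      # each Request carries a fresh Identifier
        if not more:
            return frags


class TlsReassembler:
    """Peer-side reassembly with the bounds checks a careful implementation needs."""
    def __init__(self):
        self.buf, self.expected = b"", None

    def feed(self, msg: dict):
        """Return the full TLS data when the last fragment arrives, else None."""
        if msg["length_included"]:
            if self.buf:
                raise ValueError("TLS Message Length on a non-first fragment")
            self.expected = msg["tls_len"]
        elif not self.buf and msg["more"]:
            raise ValueError("first fragment of a multi-fragment message lacks L")
        self.buf += msg["tls"]
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed announced TLS Message Length")
        if msg["more"]:
            return None                 # caller answers with an empty ACK (flags 0)
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("reassembled length differs from announced length")
        done, self.buf, self.expected = self.buf, b"", None
        return done


def roundtrip(eap_type: int, record: bytes, mtu: int, version: int = 0) -> tuple:
    """Fragment, parse and reassemble; return (fragment count, reassembled bytes)."""
    out, frags = None, build_tls_fragments(eap_type, 1, record, mtu, version)
    reasm = TlsReassembler()
    for f in frags:
        assert len(f) <= mtu
        out = reasm.feed(parse_eap(f))
    return len(frags), out


# Constructed stand-in for a TLS record (Handshake content type, TLS 1.2 version).
SAMPLE_RECORD = b"\x16\x03\x03" + struct.pack("!H", 97) + bytes(range(97))

if __name__ == "__main__":
    count, data = roundtrip(EAP_TLS, SAMPLE_RECORD, mtu=40)
    print(count, data == SAMPLE_RECORD)
```

Whatever Type X, Y or Z the slide's question resolves to, a new method reusing this layout costs a dispatch table entry, not a new parser; the reassembly checks (length announced only on the first fragment, no overrun of the announced length) are the ones that matter regardless of which type number carries the records.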

  5. Proposal
     • Develop an Enhanced EAP-TLS method that supports all the requirements in Slide 2.
     • Allow the client to optionally omit its certificate in the TLS handshake and instead perform a second, inner authentication in the protected TLS tunnel, which supports legacy weak-password databases.
     • This could be done through an inner EAP method carried in TLS application data, or through a TLS InnerApplication exchange.
