
57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards”




Presentation Transcript


  1. 57th IETF, WIEN, Austria, July 13-18, 2003. “EAP support in smartcards”. Pascal Urien et al., ENST, Pascal.Urien@enst.fr. Draft-urien-EAP-smartcard-02.txt

  2. EAP Support in Smartcard
  • Goals
  • Definition of a “universal” ISO 7816 interface, i.e. one supporting most EAP authentication protocols.
  • EAP smartcard benefits
  • Network credentials are securely stored.
  • The smartcard bearer does not know their network credentials (shared secret, asymmetric keys, …).
  • EAP protocols are computed in a trusted environment.
  • The smartcard cannot be cloned.
  • The smartcard is blocked/unblocked by the user’s PIN code.
  • Other aspects
  • Scalability: half a billion smartcards were produced in 2001.
  • Multiple form factors (ISO 7816 credit-card format, SIM GSM 11.11, USB, …).
  • Sufficient cryptographic performance (a 2048-bit RSA computation in 500 ms); memory size around 128 KB, 1 MB with Flash technology.

  3. EAP Profile Overview
  [Figure: end-to-end EAP path. The Smartcard (EAP engine, EAP profile, EAP-ID, EAP-Type, crypto key(s)) exchanges EAP / 7816 with the Supplicant over ISO 7816; the Supplicant exchanges EAP / LAN with the Authenticator over 802.1X; the Authenticator relays EAP / RADIUS to the RADIUS server.]
  • Secure authentication.
  • User authentication rather than computer authentication.
  • One smartcard for several networks.
  • Interoperability between EAP smartcards.

  4. Basic Concepts
  • Identity
  • A pointer to the set of information needed for processing EAP messages:
  • EAP-ID, EAP-Type, cryptographic keys;
  • User profile: information meaningful to the terminal or the network (SSID, radio channel, X.509 certificates, …).
  • Profile
  • Implementation recommendation for a particular EAP-Type.
  • PIN Management
  • An EAP smartcard may be protected by a PIN code known and managed only by its bearer.
  • EAP Application
  • An EAP (smartcard) application may be associated with one or more EAP-Types. In that case it is started by a Select-AID command.

  5. EAP Smartcard Services 1/3
  • Four logical interfaces.
  • Network interface
  • The smartcard directly processes EAP messages (requests, notifications).
  • EAP profile definition: a set of rules (if needed) for supporting a particular authentication protocol (maximum message size, …).
  • Operating System/Terminal interface
  • Identity management: multiple triplets (EAP-ID, EAP-Type, cryptographic keys) are stored in the smartcard; each network requires one triplet.
  • User profile, typically an LDAP record stored in the smartcard (under discussion).
  • Management/Personalization interface
  • Download and update of identities and profiles. Management could be done via dedicated EAP protocols (under discussion).
  • User interface
  • Personal Identification Number (PIN code) management.

  6. EAP Smartcard Services 2/3
  [Figure: Secure EAP Framework holding the Identity List and the EAP authentication protocol profiles (EAP-TLS, EAP-SIM, EAP-MD5, OTHER), exposed through four interfaces.]
  • Network interface: Process-EAP()
  • OS/Terminal interface: Get-Next-Identity(), Get-Preferred-Identity(), Get-Current-Identity(), Set-Identity(), Set-Multiple-Identity(), Get-Session(), Get-Profile-Data(), Select-AID()
  • Management/Personalization interface: Add-Identity(), Delete-Identity()
  • User interface: Verify-PIN(), Change-PIN(), Enable-PIN(), Disable-PIN(), Unblock-PIN()
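The following is an added example, not code from the draft or from the slides: a toy model of an EAP smartcard sitting behind an ISO 7816 command/response interface, covering the identity triplets of slide 4, the PIN gate and the Process-EAP() / Set-Identity() / Verify-PIN() services of slides 5 and 6, and a supplicant that drives the card through an EAP-MD5 exchange while a simulated RADIUS side checks the digest. The EAP packet layout, the Legacy Nak and the MD5-Challenge computation follow RFC 3748; the INS byte values chosen for the three services, the status-word choices, and the sample card contents (PIN, EAP-ID, shared secret, challenge) are assumptions made for this example and are not the encoding defined by draft-urien-EAP-smartcard.

```python
"""Toy EAP smartcard behind an ISO 7816 APDU interface (added example, not the draft's code).

EAP packet layout, Legacy Nak and MD5-Challenge follow RFC 3748 (sections 4, 5.3, 5.4).
The INS bytes for Verify-PIN / Set-Identity / Process-EAP are HYPOTHETICAL and are not the
encoding of draft-urien-eap-smartcard; status words follow usual ISO 7816-4 practice.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK, TYPE_MD5 = 1, 2, 3, 4

INS_VERIFY_PIN, INS_SET_IDENTITY, INS_PROCESS_EAP = 0x20, 0x16, 0x80  # hypothetical INS values
SW_OK, SW_WRONG_LENGTH, SW_INCORRECT_DATA = 0x9000, 0x6700, 0x6A80
SW_SECURITY_NOT_SATISFIED, SW_PIN_BLOCKED = 0x6982, 0x6983  # no PIN/identity; PIN blocked
SW_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A88, 0x6D00
SW_PIN_WRONG = 0x63C0  # low nibble carries the number of retries left


def eap_packet(code, identifier, eap_type, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


class EapSmartcard:
    """Stores (EAP-ID, EAP-Type, key) triplets; the keys never cross the APDU interface."""

    def __init__(self, pin, identities, max_retries=3):
        self._pin, self._identities = pin, identities  # eap_id -> (eap_type, key)
        self._retries = self._max_retries = max_retries
        self._verified, self._current = False, None

    def apdu(self, cla, ins, p1, p2, data=b""):
        """Dispatch one command APDU; returns (response data, status word)."""
        handler = {INS_VERIFY_PIN: self._verify_pin, INS_SET_IDENTITY: self._set_identity,
                   INS_PROCESS_EAP: self._process_eap}.get(ins)
        return handler(data) if handler else (b"", SW_INS_NOT_SUPPORTED)

    def _verify_pin(self, pin):  # User interface: Verify-PIN()
        if self._retries == 0:
            return b"", SW_PIN_BLOCKED
        if hmac.compare_digest(pin, self._pin):  # constant-time comparison
            self._retries, self._verified = self._max_retries, True
            return b"", SW_OK
        self._retries -= 1
        return b"", (SW_PIN_BLOCKED if self._retries == 0 else SW_PIN_WRONG | self._retries)

    def _set_identity(self, eap_id):  # OS/Terminal interface: Set-Identity()
        if not self._verified:
            return b"", SW_SECURITY_NOT_SATISFIED
        if eap_id not in self._identities:
            return b"", SW_NOT_FOUND
        self._current = eap_id
        return b"", SW_OK

    def _process_eap(self, pkt):  # Network interface: Process-EAP()
        if not (self._verified and self._current):
            return b"", SW_SECURITY_NOT_SATISFIED
        if len(pkt) < 5:
            return b"", SW_WRONG_LENGTH
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST or length != len(pkt):
            return b"", SW_INCORRECT_DATA
        req_type, data = pkt[4], pkt[5:]
        my_type, key = self._identities[self._current]
        if req_type == TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, TYPE_IDENTITY, self._current), SW_OK
        if req_type == TYPE_NOTIFICATION:
            return eap_packet(EAP_RESPONSE, ident, TYPE_NOTIFICATION), SW_OK
        if req_type != my_type:  # Legacy Nak naming the type this identity supports
            return eap_packet(EAP_RESPONSE, ident, TYPE_NAK, bytes([my_type])), SW_OK
        if my_type != TYPE_MD5:  # only the EAP-MD5 profile is modelled here
            return b"", SW_INCORRECT_DATA
        # MD5-Challenge request data: Value-Size(1) | Value (challenge) | Name
        if len(data) < 1 or len(data) < 1 + data[0]:
            return b"", SW_INCORRECT_DATA
        challenge = data[1:1 + data[0]]
        digest = hashlib.md5(bytes([ident]) + key + challenge).digest()  # RFC 3748 section 5.4
        return eap_packet(EAP_RESPONSE, ident, TYPE_MD5, bytes([16]) + digest + self._current), SW_OK


def md5_challenge_exchange(card, pin, eap_id, server_secrets, challenge, identifier=7):
    """Supplicant drives the card over APDUs; the simulated RADIUS side checks the digest.

    server_secrets is the server's copy of the shared secret per EAP-ID. Returns True on success.
    """
    for ins, arg in ((INS_VERIFY_PIN, pin), (INS_SET_IDENTITY, eap_id)):
        if card.apdu(0x00, ins, 0, 0, arg)[1] != SW_OK:
            return False
    resp, _ = card.apdu(0x00, INS_PROCESS_EAP, 0, 0,
                        eap_packet(EAP_REQUEST, identifier, TYPE_IDENTITY))
    claimed = resp[5:]  # EAP-Response/Identity payload
    req = eap_packet(EAP_REQUEST, identifier + 1, TYPE_MD5, bytes([len(challenge)]) + challenge)
    resp, sw = card.apdu(0x00, INS_PROCESS_EAP, 0, 0, req)
    if sw != SW_OK or resp[4] != TYPE_MD5 or claimed not in server_secrets:
        return False
    expected = hashlib.md5(bytes([identifier + 1]) + server_secrets[claimed] + challenge).digest()
    return hmac.compare_digest(resp[6:6 + resp[5]], expected)


# Constructed sample data: a personalised card and the server's copy of the same secret.
CARD = EapSmartcard(b"1234", {b"alice@example.net": (TYPE_MD5, b"s3cret-shared")})
SERVER_SECRETS = {b"alice@example.net": b"s3cret-shared"}
CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    print("EAP-MD5 via smartcard:",
          md5_challenge_exchange(CARD, b"1234", b"alice@example.net", SERVER_SECRETS, CHALLENGE))
```

The point the model makes is the one the slides make: the supplicant only ever handles EAP packets and status words, so the shared secret stays on the card, a wrong PIN consumes a retry and eventually blocks the card, and no EAP processing is possible before Verify-PIN() and Set-Identity() have succeeded.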

  7. EAP Smartcard Services 3/3

  8. EAP smartcard profiles.
