Cryptography and Security Services: Mechanisms and Applications, Manuel Mogollon. Chapter 7: Access Authentication

Chapter 7

Feb 24, 2016


Chapter 7. Access Authentication. Session 5 – Contents. Authentication Concepts IEEE 802.1X Authentication Extensible Authentication Protocol (EAP) EAP Password Mechanisms Other Password Mechanisms Password Security Considerations EAP Authentication Servers - PowerPoint PPT Presentation
Transcript
Page 1: Chapter 7

Cryptography and Security Services: Mechanisms and Applications

Manuel Mogollon

M. Mogollon 1

Chapter 7: Access Authentication

Page 2: Chapter 7

M. Mogollon 2 IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509

Session 5 – Contents

• Authentication Concepts
• IEEE 802.1X Authentication
• Extensible Authentication Protocol (EAP)
• EAP Password Mechanisms
• Other Password Mechanisms
• Password Security Considerations
• EAP Authentication Servers
• Remote Authentication Dial-in User Service (RADIUS)
• The Needham-Schroeder Protocol, Kerberos V5.1
• ITU-T X.509

Page 3: Chapter 7

Security Concerns

• Browsing
  — The attacker tries to get access to a database to get information.
• Spoofing
  — The attacker pretends to be a user with certain privileges.
• Session Hijacking
  — The attacker tries to take over an existing connection between two computers.
• Electronic Eavesdropping or Sniffing
  — The attacker records all the traffic going through the network interface card (NIC) or on a server node.
• Exhaustive Attacks
  — The attacker tries to identify secret information by testing all possibilities. Also called Brute Force Attack.

Page 4: Chapter 7


What is Authentication?

authentication / n. (1) The act of identifying or verifying the entity that originated the message or the corroboration (proof) of the sender's identity, i.e. that he is who he claims to be. Written messages are authenticated with a handwritten signature so the receiver of the message is able to validate the message. (2) access. The act of identifying or verifying the eligibility of a station, originator or individual to access specific categories of information.

Longley, D., & Shain, M. (1989). Data & Computer Security Dictionary of Standards Concepts and Terms (p26). Boca Raton, FL:CRC Press, Inc.

Page 5: Chapter 7

Access Authentication

• Dial-up User Authentication
• Wireline User Authentication
• Wireless User Authentication
• Device Authentication

[Figure: network diagram of a home office, routers, firewall, intranet, VoIP, PSTN/NAS and Internet/IP WAN connected to an Authentication Server, with paths labelled Dial-up User Authentication, Wireless Access Authentication, User Authentication and Device Authentication.]

Page 6: Chapter 7

Access Authentication

The prevention of the unauthorized use of a resource.

[Figure: access authentication hierarchy. Protocol: IEEE 802.1X. EAP Method: EAP-TTLS, EAP-PEAP, EAP-TLS, EAP-AKA, EAP-PSK, EAP-SIM. Mechanism: MS-CHAP v2, OTP, GTC, CHAP, Digital Certificates.]

• IEEE 802.1X: Port-based Access Control Protocol
• EAP: Extensible Authentication Protocol
• TLS: Transport Layer Security
• TTLS: Tunneled Transport Layer Security
• PEAP: Protected EAP
• CHAP: Challenge-Handshake Authentication Protocol
• OTP: One-Time Password
• GTC: Generic Token Card

Page 7: Chapter 7

Authentication Factors

• What the user knows
  — Something secret only the user knows
    – A memorized personal identification number (PIN) or password
• What the user has
  — Something unique the user possesses
    – SecureID card (token generating a one-time password)
    – A smartcard that can perform cryptographic operations on behalf of a user
    – Digital certificate
• What the user is
  — Something unique to the user
  — Biometrics (fingerprints, voiceprint)

Page 8: Chapter 7

Access Authentication vs. Authorization

• Access Authentication
  — Defines whether Access-Accept or Access-Reject is returned by the authenticator server.
• Authorization
  — Defines user’s environment once access is granted.
  — Controls or restricts what user is allowed to do on a network access server (NAS) or network.

Page 9: Chapter 7

IEEE 802.1X Authentication

• The IEEE 802.1X-2004 is a data link layer transport protocol that defines wireless and physical networks port-access control standards.
  — Port access refers to “user port” access controlled by a wireless access point or wired switch. Users do not get IP-connectivity until they have successfully authenticated.
• IEEE 802.1X deployment requires the installation of three components:
  — Supplicant authentication software and hardware.
  — Authenticator – 802.1X EAP compatible.
  — Authentication Server.

In IEEE 802.11, the Access Point acts as an authenticator, while a wireless station (e.g., a laptop) is the supplicant. A Port Access Entity (PAE) is an entity that is able to control the authorized/unauthorized state of its controlled port.

Page 10: Chapter 7

802.1X Port-based Access Control Protocol

[Figure: the Authentication System, attached to the LAN, contains the Authenticator Port Access Entity, the services offered by the authenticator system, an Uncontrolled Port and a Controlled Port (shown as Port Unauthorized, governed by AuthControlledPortStatus and MAC Enable/Disable). Authentication Protocol Exchanges run between it and the Authentication Server in the Authentication Server System.]

Page 11: Chapter 7

EAP Stack

[Figure: layered EAP stack for the Connection and Login Process. Labels: Method Layer and Protection Layer (TLS, TTLS, PEAP); Auth. Layer and EAP Layer (Extensible Authentication Protocol (EAP), EAP over LAN (EAPOL)); Media Layer (PPP, 802.3 Ethernet, 802.5 Token Ring, 802.11 Wireless LAN).]

Page 12: Chapter 7

Extensible Authentication Protocol

• Originally created for use with PPP, it has since been adopted for use with IEEE 802.1X-2004 "Port-Based Network Access Control".
• Supports authentication mechanisms such as smart cards, Kerberos, digital certificates, one-time-passwords, and others.
  — Authentication mechanisms are implemented in a number of ways called EAP methods, e.g., EAP-TLS, EAP-TTLS, EAP-PEAP, etc.
• EAP is extensible because any authentication mechanism can be encapsulated within EAP messages.
• EAP allows the deployment of new protocols between the supplicant and the authentication server.
  — The encapsulation technique used to carry EAP packets between peer and authenticator in a LAN environment is known as EAP over LANs, or EAPOL.
• Authentication Mechanisms
  — MD5-Challenge: Analogous to the PPP CHAP protocol with MD5 as the specified algorithm, RFC 1994. The Request contains a "challenge" message to the peer.
  — One-Time Password (OTP): Defined in "A One-Time Password System," RFC 1938. The Request contains a displayable message containing an OTP challenge.
  — Generic Token Card (GTC): Defined for use with various token card implementations which require user input. The Request contains an ASCII text message and the Reply contains the token card information necessary for authentication.

Page 13: Chapter 7

EAP Authentication Process

The Authenticator functions as an AAA client to the Authentication Server.

AAA – Authentication, Authorization and Accounting

[Figure: Supplicants run an EAP Method using EAP over Ethernet to the Authenticator, which relays it to the Authentication Server (Radius, Kerberos, PKI, OTP, Token). Behind the server are the Password Authentication Database, Token Authentication Database, X.509 Directory and Kerberos Ticket Granting Server.]

Page 14: Chapter 7

EAP Certificate and Hybrid Methods

• Certificate Method
  — EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security uses X.509 digital certificates for secure mutual authentication of client and server.
• EAP Hybrid Methods
  — EAP-TTLS (Tunneled TLS): Based on asymmetric cryptography reusing TLS mechanisms. In EAP-TTLS, the TLS handshake can be mutual, or it can be one-way, in which only the server is authenticated to the client.
  — PEAP (Protected Extensible Authentication Protocol): Based on asymmetric cryptography reusing TLS mechanisms. Provides an encrypted and authenticated tunnel based on transport layer security (TLS) that encapsulates EAP authentication mechanisms.

Page 15: Chapter 7


Protected EAP

• First a TLS tunnel ( ) is established, and then the tunnel is used to run legacy authentication protocols in the inner tunnel ( ).

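[Figure: Protected EAP. The Client and the Authentication Server each hold a Cipher Suite, an EAP API and an EAP Method, with Trust and Keys established between them. They communicate over LAN or wireless through the Authenticator (Dual Port), shown with its Controlled Port disabled and the services offered by the authenticator system behind it. Inner methods listed: EAP Methods, EAP-TLS, EAP-GTC, MS-CHAPv2.]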

Page 16: Chapter 7

EAP SIM-Based Methods

• EAP-AKA (Authentication and Key Agreement):
  — Based on the 3rd generation Authentication and Key Agreement mechanism (AKA) specified for Universal Mobile Telecommunications System (UMTS) and for cdma2000.
  — Based on challenge-response mechanisms and symmetric cryptography. It uses shared secrets between the User and the Authenticator together with a sequence number to perform the Authentication.
• EAP-SIM (Subscriber Identity Module)
  — Based on symmetric cryptography that reuses the GSM authentication infrastructure.
  — Useful for scenarios where SIMs are already deployed (e.g., authentication of GPRS clients on a WLAN connected to a 3GPP network).

Page 17: Chapter 7

EAP Pre-Shared Key Methods

• EAP-TLS-PSK: TLS Pre-Shared Key
  — A possible future EAP method based on TLS that would support authentication based on pre-shared keys.
  — TLS-PSK uses one of the following:
    – 1. Symmetric key operations for authentication;
    – 2. Diffie-Hellman exchange authenticated with a pre-shared key;
    – 3. Combined public key authentication of the server with pre-shared key authentication of the client.
• EAP-IKEv2:
  — Based on the symmetric and asymmetric cryptography of IKEv2, a protocol whose security has received considerable expert review.
  — Could be an excellent candidate to replace EAP-MD5.
• EAP-PSK (Pre-Shared Key)
  — Based on symmetric cryptography.
  — Advantages:
    – Simplicity: Easy to implement and to deploy without any pre-existing infrastructure.
    – Wide applicability: Can be used to authenticate over any network, in particular for WLANs.
    – Security: Based on AES.
    – Extensibility: Can add extensions as needed.
    – Patent-avoidance: No Intellectual Property Right claims.

Page 18: Chapter 7

Password-Based EAP Methods

• EAP-PAX
  — Designed for device authentication using a shared key, a personal identification number (PIN). Instead of using a symmetric key exchange, the client and server perform a Diffie-Hellman key exchange, which provides forward secrecy.
  — Supports the generation of strong key material; mutual authentication; resistance to desynchronization, dictionary, and man-in-the-middle attacks; ciphersuite extensibility with protected negotiation; identity protection; and the authenticated exchange of data, useful for implementing channel binding. EAP-PAX is ideal for wireless environments such as IEEE 802.11.
• EAP-SPEKE (Simple Password Exponential Key Exchange)
  — Based on symmetric cryptography and asymmetric key cryptography to provide password-only authenticated key exchange.
  — Useful only when authentication is based on user-provided password information.
  — Unnecessarily complex for device authentication (e.g., it makes heavy use of public key cryptography).
  — Improved protocol supports mutual authentication and key exchange and it works on the Elliptic Curve Cryptosystems (ECC) base, as well as the DH (Diffie-Hellman) base.

Page 19: Chapter 7

Road to Authentication

[Figure: three-step decision flow. Step 1: 802.1X Port-Based Network Control (Note 1). Step 2: EAP Method. Step 3: Authentication Mechanism. Branch labels: Public-Key Certificates (Yes / No); Client and Server Certificates (Yes / No, Only Server). EAP methods shown: EAP-TLS (Note 3), EAP-TTLS and PEAP (Note 2), EAP-PSK, EAP-IKE v2, EAP-TLS-PSK, EAP-SIM, EAP-AKA, EAP-PAX, EAP-SPEKE. Mechanism labels: Client Certificate (RSA / ECC); EAP Methods, CHAP, PAP, MS-CHAP and MS-CHAPv2; EAP Methods, EAP-TLS, EAP-GTC, MS-CHAPv2; Pre-Shared-Keys; SIM-based; Passwords.]

Note 1: Strong Access Control protocol. Must be coupled with a secure EAP method.
Note 2: No need to issue certificate to the client.
Note 3: Both the client and the server must be assigned a digital certificate signed by a certificate authority. Requires PKI.

Page 20: Chapter 7

EAP Key Material

• User authentication protocols perform two functions:
  — Verifying the identity of one or both parties, and
  — Producing ephemeral secret keys shared between the parties that are used subsequently for data origin authentication.
• During authentication, key material is transported or agreed to.
  — In key transport, both parties share a key-encrypting key that is used to wrap (encipher) the key that is going to be transported - exchanged.
  — A key agreement algorithm allows two parties to generate a secret key computed from public key algorithms such as Diffie-Hellman.
• Exchanged or generated keys are used to generate key material.
• In EAP, the following keys are derived: Master Session Key (MSK), Extended Master Session Key (EMSK), AAA Key, Application-Specific Master Session Keys (AMSK), Transient Session Keys (TSK), Initialization Vector (IV), and Transient EAP Keys (TEK).
• The MSK is used to derive the AAA Key; the AAA Key is used to derive the Transient Session Keys (TSKs), and the TSKs are used to protect data.

Page 21: Chapter 7

EAP Password Mechanisms

• Legacy authentication systems are based on passwords or token-based authentication systems.
• EAP is used with legacy authentication systems by first establishing a secure tunnel (e.g. TLS), and then using that tunnel to run the legacy authentication protocols, so the authentication is running in an inner tunnel.
• Two EAP methods, TTLS and PEAP, have been proposed to support legacy authentication systems.
  — EAP-TTLS supports all EAP methods, CHAP, PAP, MS-CHAP, and MS-CHAPv2.
  — EAP-PEAP supports all EAP methods, as well as EAP-TLS, EAP-GTC, MS-CHAPv2. PAP and CHAP are not recommended for use as authentication methods with EAP-PEAP.

Page 22: Chapter 7

EAP PEAP with MS-CHAP-v2

[Figure: message exchange between Authenticator and Client.]

1. Authenticator → Client: Request Identity Message
2. Client → Authenticator: Client or Computer Identity
3. Authenticator → Client: Authenticator Challenge (16-octet random number)
4. Client → Authenticator: Client Challenge Response (24-octet) and Client Challenge (16-octet random number)
5. Authenticator → Client: Success Message and Response to Client Challenge
6. Client → Authenticator: Ack Message
7. Authenticator → Client: Success Message

The entire authentication exchange is encrypted through the TLS channel created in PEAP.

Page 23: Chapter 7

EAP Generic Token Card (GTC)

[Figure: token card authentication. Labels on the user side: User, PIN, Token, Seed, User’s Key, Encipher with Key. Labels on the server side: Access Control Server, Database, Seed, Encipher with Key. The Authenticator checks that the two results are the Same.]

Page 24: Chapter 7

EAP One-Time Password (OTP)

[Figure: the User and the Network Access Server each concatenate the user’s secret pass-phrase or PIN with the Seed and Challenge numbers and apply the Hash Function to produce a One-Time Password; the server side reads the user’s secret pass-phrase or PIN from its Database, and the Authenticator checks that the two One-Time Passwords are the Same.]

Secret pass-phrase and seed are hashed the number of times equal to the Challenge number and then become a One-Time Password.

One-Time Password Systems
• New password required for each session.
• IETF standardized OTP in RFC 2289.
• Difficult to administer the secret pass-phrase list and, therefore, not very scalable.
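An added example, not from the slides, of the hash-chain one-time password described above. It follows the RFC 2289 arrangement in which the server keeps only the last accepted OTP and counts downward; SHA-256 without the RFC's 64-bit folding is an assumption made here, as are all names and sample values.

```python
import hashlib
import hmac


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Hash seed || pass-phrase `count` times (count is the challenge number)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    value = (seed + passphrase).encode("utf-8")
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Stores the last accepted OTP only, never the pass-phrase itself."""

    def __init__(self, seed: str, count: int, initial_otp: bytes):
        self.seed = seed
        self.count = count         # number of hash rounds behind `stored`
        self.stored = initial_otp  # equals otp(passphrase, seed, count)

    def challenge(self):
        """Seed and challenge number the user must answer next."""
        if self.count <= 1:
            raise RuntimeError("chain exhausted: enrol a new seed")
        return self.seed, self.count - 1

    def verify(self, response: bytes) -> bool:
        """Accept only if hashing the response once gives the stored OTP."""
        if self.count <= 1:
            return False
        if not hmac.compare_digest(hashlib.sha256(response).digest(), self.stored):
            return False
        # Step down the chain: the value just used can never be accepted again.
        self.stored = response
        self.count -= 1
        return True


def demo():
    # Constructed sample values.
    passphrase, seed = "constructed pass-phrase", "ke1234"
    server = OtpServer(seed, 5, otp(passphrase, seed, 5))

    results = []
    s, n = server.challenge()                    # challenge number 4
    first = otp(passphrase, s, n)
    results.append(server.verify(first))         # fresh OTP is accepted
    results.append(server.verify(first))         # replay of a captured OTP fails
    s, n = server.challenge()                    # challenge number 3
    results.append(server.verify(otp(passphrase, s, n)))
    results.append(server.verify(otp("wrong guess", s, n - 1)))
    return results, server.count


if __name__ == "__main__":
    print(demo())
```

Because the server only ever hashes forward, a captured OTP does not reveal the next one, and the chain has to be re-enrolled once the counter runs out.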

Page 25: Chapter 7

Password Security Considerations

• Passwords are prearranged identifiers that the user possesses, such as words, special coded phrases, personal identification numbers (PINs), etc.
• Password systems require a single coded response from the user to be allowed access to the host computer.
• When writing a password policy, organizations should consider the following:
  — How the password will be selected
  — How often the password will be changed
  — How long the password will be used
  — How the system will handle (transmit) the password
• Users normally choose unsatisfactory or poor passwords, such as words from a dictionary, words spelled backwards, first names, surnames, address numbers, telephone numbers, and social security numbers.

Page 26: Chapter 7

Password Guessing

• In 1985, the Department of Defense published the Password Management Guideline, CSC-STD-002-85, that described how to calculate the maximum lifetime of a password.

$$L = \frac{S \times P}{R}$$

where
L = Maximum lifetime for a password
P = Probability that a password can be guessed within its lifetime, assuming continuous guesses for that period.
R = Number of guesses possible to make per unit of time.
S = Password space; the total number of passwords that can be generated.
$S = A^M$ (A = number of alphabet symbols, M = password length)

• For $P = 10^{-6}$; R = 500K guesses/sec = $43.2 \times 10^{8}$/day.
• For a password that consists of a combination of ten upper and lower case letters and numbers 0 - 9, then

$$S = A^M = 62^{10} = 8.39 \times 10^{17}$$

and

$$L = \frac{8.39 \times 10^{17} \times 10^{-6}}{43.2 \times 10^{8}} = 19.43 \text{ days}$$

Page 27: Chapter 7

Password Guidelines

• Must contain a combination of at least eight alphanumeric characters including at least one alphabetic, one numeric, and one special (e.g., punctuation) character, as well as one upper case and one lower case character.
• Must be a minimum length of ten characters (not eight) if the system does not distinguish between upper and lower case.
• Must not contain the user ID or portion thereof.
• Must not be a combination of year and date.
• Must not contain any two or more letters in forward or reverse alphabetic sequence, ASCII sequence, or QWERTY sequence, regardless of the case.
• In the Windows NT environment, it is better to use passwords that are exactly 7 or 14 characters in length.
• The system should not modify the end-user password, i.e., convert the password to all lower case, or truncate the password.
• Passwords must not be stored or retained in clear at any location; instead, a hash of the password should be stored. The Secure Hash Algorithm SHA (224, 256, 384, or 512) should be used and the hashed password should not be truncated.

Page 28: Chapter 7

Access Authentication

• Two-Factor Authentication
  — To identify and authenticate an authorized system user, two factors are necessary: (1) Something secret only the user knows – a memorized personal identification number (PIN) or password; (2) Something unique the user possesses – a token.
• Time Synchronizing
  — The authorized system user carries a token which generates a unique, one-time, unpredictable access code every 60 seconds. To gain access to a protected resource, a user simply enters his or her secret PIN, followed by the current code displayed on the token.
  — Authentication is assured when the authenticator recognizes the token’s unique code in combination with the user’s unique PIN. Software synchronizes each token with hardware at the authenticator.
  — RSA SecurID token is a good example of a product providing an easy, one-step process to positively identify network and system users.

Page 29: Chapter 7

RADIUS Authentication Server

• Used for Remote Authentication Dial-In User Services.
• Is an easy method for authentication, authorization and accounting of dial-in users (AAA).
• Relies on basic Request/Accept messaging.
• Uses UDP (User Datagram Protocol).
• Relies on “shared secret” for NAS authentication.
• Access-Request
  — Sent by RADIUS client (Network Access Server - NAS)
  — Contains username, password and particulars such as NAS ID, port number, access type, etc.
• Password encrypted with shared secret
• Access-Accept or Access-Reject
  — Returned by RADIUS server
  — Contains list of attributes (called authorization info) used by the NAS

Page 30: Chapter 7

RADIUS

[Figure: message flow, numbered 1 to 7, between the Client (User), the Network Access Server (NAS) and the RADIUS Server with its Database. The NAS operates as a Client of Radius. The Database holds the list of requirements which must be met to allow access for the user. The user side answers a challenge with a Smart Card or Software (Challenge Response).]

Access-Request
• User Name
• Password (Hidden using RSA Message Digest Algorithm, MD5)
• NAS ID
• Port ID

Resubmit Access-Request
• Original Access-Request with the User Password Attribute replaced by the encrypted response.

Notes on the numbered steps (the figure groups them as 1, 2 - 4, 5 - 6 and 7):
• User dials into remote access server.
• NAS sends request for RADIUS authentication and authorization.
• RADIUS checks against its user ID database, and
• Provides info to NAS whether the user is in the database or not.
• Sends Access-Reject or Challenge (random number).
• User enciphers Challenge with Smart Card or encryption software.
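An added example, not from the slides, of how the Access-Request password is "encrypted with shared secret" and "hidden using MD5": the User-Password hiding of RFC 2865, section 5.2, which XORs each 16-octet block with MD5(secret || previous block), starting from the Request Authenticator. The secret, authenticator and passwords are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest size; the password is processed in 16-octet blocks


def _mask(secret: bytes, previous: bytes) -> bytes:
    return hashlib.md5(secret + previous).digest()


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: build the value of the User-Password attribute."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    blocks = max(1, -(-len(password) // BLOCK))         # round up, at least one block
    padded = password.ljust(blocks * BLOCK, b"\x00")    # pad with NULs
    hidden, previous = b"", request_authenticator
    for i in range(0, len(padded), BLOCK):
        mask = _mask(secret, previous)
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += block
        previous = block                                # chain on the ciphertext block
    return hidden


def recover_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RADIUS server side: undo the hiding with its copy of the shared secret."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("User-Password must be 16 to 128 octets, multiple of 16")
    clear, previous = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += bytes(c ^ m for c, m in zip(block, _mask(secret, previous)))
        previous = block
    return clear.rstrip(b"\x00")


# Constructed sample values.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))   # fixed here for repeatability only
SHORT = b"hunter2"
LONG = b"a 20-byte passphrase"     # spans two blocks

if __name__ == "__main__":
    wire = hide_password(LONG, SECRET, AUTHENTICATOR)
    print(wire.hex())
    print(recover_password(wire, SECRET, AUTHENTICATOR))
    # A server configured with a different secret recovers garbage and rejects.
    print(recover_password(wire, b"other-secret", AUTHENTICATOR))
```

The mask depends only on the shared secret and the Request Authenticator, so the protection of the password rests on a strong shared secret and on a fresh, unpredictable authenticator in every request.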

Page 31: Chapter 7

Needham and Schroeder Authentication

1. A → T: {A ¦ B ¦ R_A}
2. T → A: E_KA {R_A ¦ B ¦ K ¦ E_B(K ¦ A)}
3. A → B: E_B {K ¦ A}
4. B → A: E_K {R_B}
5. A → B: E_K {R_B – 1}

[Figure: A, B and the Trusted Entity (T), with arrows numbered 1 to 5 for the messages above.]

Page 32: Chapter 7

Kerberos Authentication Method

• Internet security standard protocol RFC 1510 based on trusted third-party centralized authentication to offer authentication services to users and servers in an open distributed environment.
  — Used in Windows 2000
• Relies on secret-key symmetric ciphers for encryption and authentication.
• Requires trust in a third party (the Kerberos server) for authentication.
  — If the server is compromised, the integrity of the whole system is lost.
• Does not use public-key encryption, therefore, does not produce digital signatures or authentication of authorship of documents.
• Version 4 still used.
• Version 4 makes use of DES in Propagating Cipher Block Chaining (PCBC).
• Version 5 (RFC 1510) uses any encryption algorithm. If DES is used it has to be in CBC mode. ftp://ftp.isi.edu/in-notes/rfc1510.txt

Page 33: Chapter 7

Kerberos

• Kerberos server performs the functions of a Key Distribution Center (KDC).
  — Keeps the secret keys of all users.
  — Authenticates the identities of users and distributes session keys to users and servers.
• Application servers do not communicate with the Kerberos server.

[Figure: exchanges, numbered 1 to 5, between Alice, the Client Workstation, the Kerberos Server and Application Server “B” with Database # 1. The speech bubbles read:]

• “I am Alice, and here is my password to prove it.”
• “I am Alice’s workstation and I want to use database # 1 in the application server “B”. Here is my user ID.”
• “I believe you. Here is your ticket with your user ID, network address, and the server ID for the application server “B” you want to access.”
• “I am Alice, and I want to use your database #1. Here is my ticket.”
• “I believe you, and here is your access to the database services.”

Ticket is encrypted using the secret key shared by the Kerberos server and the Application server.

Page 34: Chapter 7

Kerberos’ Abbreviations and Protocols

C = Client
S = Server
TGS = Ticket Granting Server
addr_x = x’s network address
A_x = x’s authentication (name, address, and timestamp)
ID_x = x’s identification
K_x = x’s secret key
K_x,y = Session key for x and y communications
K_x {m} = m encrypted with x’s secret key
T_x,y = x’s ticket to use with y
TGS_x = TGS used by C
times = beginning and ending validity time for a ticket, timestamp
|| = concatenation

[Figure: C, AS, TGS and S, with arrows numbered 1 to 6 grouped as “Once per user log on”, “Once per type of service” and “Once per service session”.]

Messages:
• ID_C || TGS_C || time
• E_KC {K_C,TGS} || E_KTGS {T_C,TGS} || time
• ID_S || E_KTGS {T_C,TGS} || E_KC,TGS {A_C}
• E_KC,TGS {K_C,S} || E_Ks {T_C,S}
• E_Ks {T_C,S} || E_KC,S {A_C}
• E_KC,S {timestamp, Subkey, Seq #}

Kerberos’ ticket for x to talk with y:
T_x,y = E_Ky {ID_x, addr_x, times, K_x,y}

Page 35: Chapter 7

Kerberos Encryption and Checksum

[Figure: two block diagrams operating on Confounder || Message || Padding. Encryption: the input is enciphered with Ke and an HMAC is computed over it with Ki. Checksum: an HMAC is computed over the input with Ki, and both the confounder and the HMAC are enciphered with Ke.]

Ciphertext Output = E(Ke, confounder || message || padding) || HMAC(Ki, confounder || message || padding)

Checksum Output = E(Ke, confounder) || E[Ke, HMAC(Ki, confounder || message || padding)]

Page 36: Chapter 7

Kerberos Security Concerns

• Secret keys should be distributed in a secure way.
• Kerberos servers have the same concerns about secret-key encryption, i.e., confidentiality and timeliness, that apply to Kerberos’ secret keys.
• Kerberos servers should be located in physically secure environments with restricted physical access.
• Multiple-service-granting tickets are reusable, so an opponent may capture the ticket and use it.
  — Tickets should have a timestamp and a lifetime to prevent replay attacks (Version 5).

Page 37: Chapter 7

X.509 Authentication Method

• ITU-T recommendation X.509 is part of the X.500 series of recommendations that define a directory service.
• X.509 is the primary standard for certificates. It specifies not only the format of the certificate, but also the conditions under which certificates are created and used.
• Two types of authentication are used.
  — Simple Authentication using passwords.
  — Strong Authentication using public-key crypto systems.
• Public Key Infrastructure (PKI) is based on X.509, Version 3.
  — Each certificate contains the public key of a user and is signed with the private key of a CA.
  — RSA is recommended for use in X.509.
• X.509 is used in S/MIME, IP Security, TLS/SSL and SET.

Page 38: Chapter 7


X.509 – Simple Authentication

1. Alice sends her ID and password to Bob;

2. Bob sends Alice’s ID and password to the Directory, where the password is checked against the information held for Alice.

3. The Directory confirms (or denies) to Bob that the credentials are valid.

4. The success (or failure) of authentication may be conveyed to Alice.

[Figure: A (Alice), B (Bob) and the Directory, with arrows numbered 1 to 4 for the steps above.]

The password is sent in cleartext.

Page 39: Chapter 7


X.509 – Simple Protected Authentication

• Using a one-way function, Alice creates a hash of her ID, password, time stamp and a random number.

• Alice sends in clear her ID, time stamp and random number. The time stamp and/or random number (when used) is used to minimize replay and to conceal the password.

• Bob generates Alice’s hash by using Alice’s ID and optional time stamp and/or random number, together with the Directory’s local copy of Alice’s password.

• Bob compares Alice’s hash with the locally generated hash value.

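[Figure: Alice feeds her ID, Password, Time Stamp, and Random Number into a One-Way Function and transmits the resulting Hash together with her ID, Time Stamp, and Random Number. Bob feeds the received ID, Time Stamp, and Random Number, plus Alice’s Password from the Directory, into the same One-Way Function and compares the two Hash values.]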
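An added example, not from the slides, of the simple protected authentication check described above, including the replay and staleness tests that the time stamp and random number make possible. SHA-256 as the one-way function, the length-prefixed field encoding, the 120-second window and all names are assumptions; X.509 itself defines the exchange in ASN.1.

```python
import hashlib
import hmac


def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") hash differently.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def protect(user_id: str, password: str, timestamp: int, nonce: bytes) -> bytes:
    """Alice's side: one-way function over ID, password, time stamp, random number."""
    return hashlib.sha256(
        _encode(user_id.encode(), password.encode(), str(timestamp).encode(), nonce)
    ).digest()


class Verifier:
    """Bob's side: recompute the hash from the Directory's copy of the password."""

    def __init__(self, directory: dict, max_skew: int = 120):
        self.directory = directory   # user ID -> password (constructed data)
        self.max_skew = max_skew     # seconds a time stamp stays acceptable
        self.seen = {}               # (user ID, nonce) -> time stamp

    def check(self, user_id, timestamp, nonce, token, now) -> str:
        if abs(now - timestamp) > self.max_skew:
            return "stale"
        # Nonces only need to be remembered while their time stamp is still valid.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        if (user_id, nonce) in self.seen:
            return "replay"
        password = self.directory.get(user_id)
        expected = protect(user_id, password or "", timestamp, nonce)
        if password is None or not hmac.compare_digest(expected, token):
            return "reject"
        self.seen[(user_id, nonce)] = timestamp
        return "accept"


def demo():
    # Constructed sample values.
    bob = Verifier({"alice": "constructed-password"})
    t0 = 1_000_000
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")
    token = protect("alice", "constructed-password", t0, nonce)
    other = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    return [
        bob.check("alice", t0, nonce, token, now=t0 + 5),      # accept
        bob.check("alice", t0, nonce, token, now=t0 + 10),     # replay
        bob.check("alice", t0, nonce, token, now=t0 + 500),    # stale
        bob.check("alice", t0, other, protect("alice", "guess", t0, other), now=t0 + 5),
        bob.check("mallory", t0, other, token, now=t0 + 5),    # unknown user
    ]


if __name__ == "__main__":
    print(demo())
```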

Page 40: Chapter 7

X.509 – One-way Strong Authentication

[Figure: Alice builds an Authentication Message from a non-repeating number rA, a time stamp tA, Bob’s ID IDB, Alice’s digital signature sgnData and a secret key [encData]. The secret key is enciphered using Bob’s public key, giving Bp[encData], and the message is enciphered using Alice’s private key. The enciphered and signed authentication message is sent to Bob with Alice’s certificate and path to CA. Bob deciphers the certificate using the CA’s public key to obtain Alice’s public key and info from Alice’s CA, deciphers the message using Alice’s public key to obtain rA, tA, IDB and Bp[encData], and deciphers Bp[encData] using Bob’s private key to obtain the secret key [encData].]

Bob checks if Alice’s certificate has expired.

Bob
• Checks that Alice’s non-repeating number has not been replayed.
• Checks that Alice’s time stamp is current.
• Verifies that Bob himself is the intended recipient.

Page 41: Chapter 7

X.509 – Two-way Strong Authentication

[Figure: the reply direction of the exchange. Bob builds an Authentication Message from a non-repeating number rB, a time stamp tB, Alice’s ID IDA, Bob’s digital signature sgnData and a secret key [encData]. The secret key is enciphered using Alice’s public key and the message is enciphered using Bob’s private key. The enciphered and signed authentication message is sent to Alice with Bob’s certificate. Alice deciphers the certificate using the CA’s public key to obtain Bob’s public key and info from Bob’s CA, deciphers the message using Bob’s public key to obtain rB, tB, IDA and the enciphered key, and deciphers it using Alice’s private key to obtain the secret key [encData]. The figure labels the enciphered key both Bp[encData] and Ap[encData].]

Alice checks if Bob’s certificate has expired.

Alice
• Checks that Bob’s non-repeating number has not been replayed.
• Checks that Bob’s time stamp is current.
• Verifies that Alice herself is the intended recipient.

Page 42: Chapter 7

Key Length Equivalent Strengths

Security (Bits) | Symmetric Encryption Algorithm | Hash Algorithm | Block Size (Bits) | Word Size (Bits) | ECC | Diffie-Hellman and RSA Modulus Size
80  | SKIPJACK | SHA-1   | 512  | 32 | 160 | 1024
112 | 3DES     | SHA-1   | 512  | 32 | 224 | 2048
128 | AES-128  | SHA-256 | 512  | 32 | 256 | 3072
192 | AES-256  | SHA-384 | 1024 | 64 | 384 | 7680
256 | AES-512  | SHA-512 | 1024 | 64 | 512 | 15360

Page 43: Chapter 7

To Probe Further

• Public-Key Infrastructure (X.509) (PKIX) Charter. Links to many X.509 RFP web sites. http://www.ietf.org/html.charters/pkix-charter.html
• Directories and X.500: An Introduction, Information Technology Services, National Library of Canada. Retrieved August 20, 2002 from http://www.nlc-bnc.ca/9/1/p1-244-e.html
• RFC 2865 Remote Authentication Dial-in User Service (RADIUS) describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server that desires to authenticate its links and a RADIUS Server. http://www.ietf.org/rfc/rfc2865.txt?number=2865
• Password Management Guideline, CSC-STD-002-85. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html
• One-Time Password System RFC 2289. IETF. http://www.ietf.org/rfc/rfc2289.txt?number=2289
• The Kerberos Network Authentication Service (V5). RFC 1510. IETF. http://www.ietf.org/rfc/rfc1510.txt?number=1510
• Extensible Authentication Protocol RFC 2284.
• Mishra, Arunesh, and William Arbaugh. (2001) "An Initial Security Analysis of the IEEE 802.1X Security Standard." Paper available from http://www.cs.umd.edu/~waa/1x.pdf

Page 44: Chapter 7

To Probe Further

• Needham R. M., M. D. Schroeder, Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM, Vol. 21 (12), pp. 993-99.

Page 45: Chapter 7

802.1X Ethernet Packet

Field | Size | Value
Dest. MAC | 6 bytes | 0180C200000F
Source MAC | 6 bytes |
Type | 2 bytes | 8180
Protocol Version | 1 byte | 01
Packet Type | 1 byte | see below
Packet Body Length | 2 bytes |
Packet Body | n bytes |

Packet Type values:
• 00 EAP-Packet
• 01 EAPOL-Start *
• 02 EAPOL-Logoff *
• 03 EAPOL-Key
• 04 EAPOL-Encapsulated-ASF-Alert

* No Packet Body Field

Packet Body Field for an EAP-Packet:

Field | Size
Code | 1 byte
Identifier | 1 byte
Length | 2 bytes
Data | n bytes

Code values: 1 Request, 2 Response, 3 Success, 4 Failure. The Data field carries the EAP Payload (EAP-TLS, EAP-TTLS, EAP PEAP).

Packet Body Field for an EAPOL-Key:

Field | Size
Descriptor Type | 1 byte
Key Length | 2 bytes
Replay Counter | 8 bytes
Key IV | 16 bytes
Key Index | 1 byte
Key Signature | 16 bytes
Key | n bytes

The figure also shows a Nonce field of 32 bytes.
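An added example, not from the slides, of a length-checked parser for the frame layout above. It starts at the Protocol Version field (after the Ethernet header) and uses the packet type and EAP code values listed on the slide; function names and sample frames are constructed, and the rule that Success and Failure carry no data comes from the EAP specification.

```python
import struct

EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class ParseError(ValueError):
    pass


def parse_eap(packet: bytes) -> dict:
    """Code (1) | Identifier (1) | Length (2) | Data (n)."""
    if len(packet) < 4:
        raise ParseError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ParseError(f"unknown EAP code {code}")
    # Length covers the whole EAP packet; never trust it past the enclosing body.
    if length < 4 or length > len(packet):
        raise ParseError("EAP length outside the EAPOL body")
    data = packet[4:length]
    if code in (3, 4) and data:
        raise ParseError("Success/Failure must not carry data")
    return {"code": EAP_CODES[code], "identifier": identifier, "data": data}


def parse_eapol(pdu: bytes) -> dict:
    """Protocol Version (1) | Packet Type (1) | Packet Body Length (2) | Body (n)."""
    if len(pdu) < 4:
        raise ParseError("truncated EAPOL header")
    version, packet_type, body_length = struct.unpack("!BBH", pdu[:4])
    if packet_type not in EAPOL_TYPES:
        raise ParseError(f"unknown packet type {packet_type}")
    if body_length > len(pdu) - 4:
        raise ParseError("body length exceeds the received frame")
    if packet_type in (1, 2) and body_length != 0:
        raise ParseError("EAPOL-Start/Logoff have no Packet Body field")
    body = pdu[4:4 + body_length]   # anything after this is Ethernet padding
    result = {"version": version, "type": EAPOL_TYPES[packet_type], "body": body}
    if packet_type == 0:
        result["eap"] = parse_eap(body)
    return result


def is_valid(pdu: bytes) -> bool:
    try:
        parse_eapol(pdu)
        return True
    except ParseError:
        return False


# Constructed sample frames (hex, starting at Protocol Version).
START = bytes.fromhex("01010000") + bytes(42)        # EAPOL-Start plus padding
REQUEST = bytes.fromhex("01000005" "0107000501")     # EAP Request, identifier 7
OVERLONG_BODY = bytes.fromhex("01000040" "0107000501")
OVERLONG_EAP = bytes.fromhex("01000005" "0107004001")

if __name__ == "__main__":
    for frame in (START, REQUEST, OVERLONG_BODY, OVERLONG_EAP):
        print(is_valid(frame), frame[:9].hex())
```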

Page 46: Chapter 7

VPN Applications: Extranets and Remote Access

[Figure: a Laptop with VPN and MCS Client Software connects through the Internet in Tunnel Mode to a VPN Gateway and Router in front of Nortel’s Protected Intranet, with a Security Policy Server.]

VoIP and data packets are enciphered between the laptop and the VPN Gateway.

Page 47: Chapter 7

EAP Authentication Process

[Figure: IP Phone User Authentication. The IP phone runs an EAP Method using EAP over Ethernet to the Authenticator, which relays it to the Authentication Server (Radius, Kerberos, PKI, OTP, Token). Behind the server are the Password Authentication Database, Token Authentication Database, X.509 Directory and Kerberos Ticket Granting Server.]

Page 48: Chapter 7

VoIP VPN Tunnel using IPSec

[Figure: two IP Phones, each behind a Router, connected by a VPN Tunnel across the Internet / IP WAN.]

Page 49: Chapter 7

VoIP using TLS (SSL)

• Use Diffie-Hellman Public Key Exchange Algorithm to negotiate a key.
• Use AES to encipher and decipher a secure TLS (SSL) VoIP phone call.
• The negotiated secret key is used to encipher all IP voice packets during the phone call.

[Figure: both ends hold the Shared Master Secret Key. On the Encipher side, AES keyed with the Master Shared Secret Key and an IV turns Cleartext Blocks into chained Ciphertext Blocks; on the Decipher side the same key and IV turn the Ciphertext Blocks back into Cleartext Blocks.]

Page 50: Chapter 7

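Extensible Authentication Protocol

[Figure: message sequence between the Client (Peer, Supplicant), the Authenticator and the Authentication Server (Radius).]

1. Client → Authenticator: EAPOL Start
2. Authenticator → Client: EAP Request Identity
3. Client → Authenticator: EAP Response Identity
4. Authenticator → Authentication Server: Radius Access Request
5. Authentication Server → Authenticator: Radius Access Challenge
6. Authenticator → Client: EAP Request
7. Client → Authenticator: EAP Response
8. Authenticator → Authentication Server: Radius Access Request
9. Authentication Server → Authenticator: Radius Access Accepted
10. Authenticator → Client: EAPOL Success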