November 2005 IETF 64, Vancouver, Canada 1

EAP-POTP

The Protected One-Time Password EAP Method

Magnus Nystrom, David Mitton

RSA Security, Inc.


Background

• EAP-POTP is an EAP method designed for One-Time Password (OTP) tokens

• EAP-POTP offers:
– Strong user authentication
– Mutual authentication
– Protection of OTPs in transit
– Establishment of key material
– Fast session resumption

• …capabilities that are missing from existing EAP methods used with OTP tokens


Objectives

• End-to-end protection of OTP value
• Provide key material for lower layers (MSK, EMSK)
• Minimal initial configuration
• Minimize number of roundtrips
• No PKI requirements
– But complements PEAP, TTLS, and other tunneling methods
• Meet RFC 3748, RFC 4017 requirements as well as requirements in keying-08
• Support OTP “corner cases” such as
– Next OTP
– New PIN mode


Typical Deployment, Wireless Authentication

[Deployment diagram; labels only: Remote Access Client (POTP Method, Token Auth); 802.11 / 802.1x Authentication; Wireless Access Point (EAP Authenticator, RADIUS Client); RADIUS Server / AAA Server (802.1x Authentication, POTP Method, POTP Resolver); Secured Access Protocol (Username, Passcode); OTP Auth Server (Token Auth)]


Method Specifics

• Packet format builds on the use of TLVs
– Similar to PEAP

• “Hardens” OTPs to protect against eavesdroppers and MITMs

• Extensible to various OTP types
• Optional channel binding
• Session Resumption mechanism

For further information, see the presentation made to the EAP WG at IETF-62:
http://www.drizzle.com/~aboba/IETF62/eap/ietf62_eap_potp.ppt


A few Security Features

• Freshness: each peer contributes a nonce

• Channel binding: the client indicates the server it thinks it’s talking to

• Protected PIN change

• Protected results: Client confirmation exchange

• Selection: Server realm ID in initial request
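An added illustration (not code from the draft or from RSA) of how the nonces, channel binding and client confirmation on this slide fit together: the OTP itself is never sent, only a MAC keyed from it, and the server proves possession of the same key back to the client. The PBKDF2-based derivation, message labels and identifiers are assumptions for teaching, not the draft's key derivation or wire format.

```python
import hashlib
import hmac
import os

# Added illustration; the derivation is an assumption for teaching, not the draft's KDF.
ITERATIONS = 1000

def derive_keys(otp: str, c_nonce: bytes, s_nonce: bytes, server_id: bytes):
    """Harden the OTP: stretch it with both nonces (freshness) and the server
    identity the client believes it is talking to (channel binding).
    Returns (k_mac, msk); the OTP itself never leaves the peer."""
    salt = c_nonce + s_nonce + server_id
    dk = hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, ITERATIONS, dklen=64)
    return dk[:32], dk[32:]

def proof(k_mac: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes, server_id: bytes) -> bytes:
    """MAC over the transcript; 'role' separates client and server confirmations."""
    return hmac.new(k_mac, role + c_nonce + s_nonce + server_id, "sha256").digest()

def run_exchange(client_otp: str, expected_otp: str, client_server_id: bytes, real_server_id: bytes):
    """Simulate one authentication. Returns (server_accepts, client_accepts, msk)."""
    s_nonce = os.urandom(16)   # server request: its nonce (and realm ID, here server_id)
    c_nonce = os.urandom(16)   # client response: its nonce plus a proof, never the OTP
    c_kmac, c_msk = derive_keys(client_otp, c_nonce, s_nonce, client_server_id)
    client_msg = proof(c_kmac, b"client", c_nonce, s_nonce, client_server_id)
    # Server recomputes with the OTP it expects and its own identity; a MITM that
    # relays the exchange under a different identity breaks the channel binding.
    s_kmac, s_msk = derive_keys(expected_otp, c_nonce, s_nonce, real_server_id)
    server_accepts = hmac.compare_digest(
        client_msg, proof(s_kmac, b"client", c_nonce, s_nonce, real_server_id))
    if not server_accepts:
        return False, False, None
    # Protected result: the server's confirmation proves it also holds K_MAC,
    # giving the client mutual authentication before it exports the MSK.
    server_msg = proof(s_kmac, b"server", c_nonce, s_nonce, real_server_id)
    client_accepts = hmac.compare_digest(
        server_msg, proof(c_kmac, b"server", c_nonce, s_nonce, client_server_id))
    return server_accepts, client_accepts, (c_msk if client_accepts else None)
```

Because both nonces enter the derivation, a captured proof cannot be replayed in a later session, and a relayed exchange with a mismatched server identity fails at the server.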


Some Recent Updates

• Introduction of Protected TLV
– To take advantage of established key material already in the EAP session itself
– Essentially, the protected TLV wraps other TLVs and integrity-protects them

• Session resumption defined for basic mode
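An added example (not the draft's encoding or RSA's code) of the TLV packet format from the Method Specifics slide and of a Protected TLV that wraps other TLVs, such as a New PIN TLV, and integrity-protects them with key material already established in the session. The TLV type numbers, the 2-byte type/length header and HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed TLV type numbers for this illustration, not the draft's assigned values.
TLV_NONCE, TLV_NEW_PIN, TLV_PROTECTED = 1, 2, 3
MAC_LEN = 32  # HMAC-SHA256 (assumed for the example)

def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """2-byte type, 2-byte length, then the value (assumed layout)."""
    return struct.pack("!HH", tlv_type, len(value)) + value

def decode_tlvs(data: bytes) -> list:
    """Parse a sequence of TLVs, rejecting truncated or over-long lengths."""
    tlvs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("TLV length runs past end of packet")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
    return tlvs

def protect(k_mac: bytes, inner_tlvs: list) -> bytes:
    """Wrap TLVs in one Protected TLV: value = inner TLVs || HMAC(K_MAC, inner TLVs).
    K_MAC stands for key material established earlier in the EAP session."""
    inner = b"".join(encode_tlv(t, v) for t, v in inner_tlvs)
    mac = hmac.new(k_mac, inner, hashlib.sha256).digest()
    return encode_tlv(TLV_PROTECTED, inner + mac)

def unprotect(k_mac: bytes, packet: bytes) -> list:
    """Verify the MAC before interpreting anything inside; return the inner TLVs."""
    outer = decode_tlvs(packet)
    if len(outer) != 1 or outer[0][0] != TLV_PROTECTED:
        raise ValueError("expected exactly one Protected TLV")
    body = outer[0][1]
    if len(body) < MAC_LEN:
        raise ValueError("Protected TLV too short to carry a MAC")
    inner, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(k_mac, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Protected TLV integrity check failed")
    return decode_tlvs(inner)
```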


Planned Updates & Current Status

• Planned Updates
– Protected ciphersuite negotiation
– Use of dedicated session resumption key for session resumption (and not EMSK)

• Status
– Commercial implementations of protocol version 0 exist. Will work on distinguishing differences.
– RSA willing to contribute the method to the EMU community if there is interest in adopting it as a standards-track work item


IPR

• RSA offers a reciprocal royalty-free license under RAND to all implementers
– For details, see http://tinyurl.com/cvrfs


Documents & Information

• draft-nystrom-eap-potp-03.txt
– Part of One-Time-Password Specifications, http://www.rsasecurity.com/rsalabs/otps

• CT-KIP: Cryptographic Token Key Initialization Protocol
• OTP PKCS#11 Mechanisms
• OTP CAPI – MS CryptoAPI OTP extensions
• OTP WSS Token: WS-Security OTP Token format
• OTP Validation Service: Web service for OTP validation

• Mailing list: subscribe otps to [email protected]
– Archive available by sending get otps otps.05 to the above email address

