November 2005, IETF 64, Vancouver, Canada
EAP-POTP
The Protected One-Time Password EAP Method
Magnus Nystrom, David Mitton
RSA Security, Inc.
Background
• EAP-POTP is an EAP method designed for One-Time Password (OTP) tokens
• EAP-POTP offers:
  – Strong user authentication
  – Mutual authentication
  – Protection of OTPs in transit
  – Establishment of key material
  – Fast session resumption
• …capabilities that are missing from existing EAP methods used with OTP tokens
Objectives
• End-to-end protection of OTP value
• Provide key material for lower layers (MSK, EMSK)
• Minimal initial configuration
• Minimize number of roundtrips
• No PKI requirements
  – But complements PEAP, TTLS, and other tunneling methods
• Meet RFC 3748, RFC 4017 requirements as well as requirements in keying-08
• Support OTP “corner cases” such as
  – Next OTP
  – New PIN mode
Typical Deployment: Wireless Authentication
[Deployment diagram; labelled elements: Client with POTP Method and Token Auth; 802.11 / 802.1x Authentication to a Wireless Access Point acting as EAP Authenticator and RADIUS Client; RADIUS Server / AAA Server (Remote Access) with POTP Method; Secured Access Protocol to an OTP Auth Server with POTP Resolver and Token Auth; Username, Passcode.]
Method Specifics
• Packet format builds on the use of TLVs
  – Similar to PEAP
• “Hardens” OTPs to protect against eavesdroppers and MITMs
• Extensible to various OTP types
• Optional channel binding
• Session Resumption mechanism
For further information, see the presentation made to the EAP WG at IETF-62: http://www.drizzle.com/~aboba/IETF62/eap/ietf62_eap_potp.ppt
A few Security Features
• Freshness: each peer contributes a nonce
• Channel binding: the client indicates the server it thinks it’s talking to
• Protected PIN change
• Protected results: Client confirmation exchange
• Selection: Server realm ID in initial request
Some Recent Updates
• Introduction of Protected TLV
  – To take advantage of established key material already in the EAP session itself
  – Essentially, the protected TLV wraps other TLVs and integrity-protects them
• Session resumption defined for basic mode
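As an added illustration (not from the slides, and not the encoding used by draft-nystrom-eap-potp), the following Python sketches the Protected TLV idea: already-encoded TLVs are wrapped in an outer TLV whose value carries them plus a MAC under a key from the EAP session, so a receiver can reject any in-transit change. The 2-byte type / 2-byte length header, the type codes and HMAC-SHA256 are assumptions chosen for this example.

```python
import hashlib
import hmac
import struct

# Hypothetical TLV type codes for this illustration, not draft-nystrom-eap-potp's values.
TLV_OTP, TLV_NONCE, TLV_PROTECTED = 1, 2, 3
MAC_LEN = 32  # HMAC-SHA256 output length (the draft's actual MAC is not shown here)

def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV as a 2-byte type, 2-byte length and the value."""
    return struct.pack("!HH", tlv_type, len(value)) + value

def decode_tlvs(data: bytes) -> list:
    """Parse consecutive TLVs into (type, value) pairs; reject truncated input."""
    tlvs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if len(data) - pos < length:
            raise ValueError("truncated TLV value")
        tlvs.append((tlv_type, data[pos:pos + length]))
        pos += length
    return tlvs

def wrap_protected(session_key: bytes, inner: bytes) -> bytes:
    """Wrap already-encoded TLVs in a Protected TLV: value = inner || HMAC(key, inner)."""
    mac = hmac.new(session_key, inner, hashlib.sha256).digest()
    return encode_tlv(TLV_PROTECTED, inner + mac)

def unwrap_protected(session_key: bytes, packet: bytes) -> list:
    """Verify the Protected TLV's MAC and return the inner TLVs; raise on any failure."""
    outer = decode_tlvs(packet)
    if len(outer) != 1 or outer[0][0] != TLV_PROTECTED or len(outer[0][1]) < MAC_LEN:
        raise ValueError("not a well-formed Protected TLV")
    inner, mac = outer[0][1][:-MAC_LEN], outer[0][1][-MAC_LEN:]
    expected = hmac.new(session_key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return decode_tlvs(inner)

def tamper_is_detected(session_key: bytes, packet: bytes, old: bytes, new: bytes) -> bool:
    """True if altering the wrapped bytes in transit makes verification fail."""
    try:
        unwrap_protected(session_key, packet.replace(old, new))
    except ValueError:
        return True
    return False
```

The session key here is a constructed 32-byte value; in the protocol it would be derived from the key material the slides describe as already established in the EAP session.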
Planned Updates & Current Status
• Planned Updates
  – Protected ciphersuite negotiation
  – Use of dedicated session resumption key for session resumption (and not EMSK)
• Status
  – Commercial implementations of protocol version 0 exist. Will work on distinguishing differences.
  – RSA willing to contribute the method to the EMU community if there is interest in adopting it as a standards-track work item
IPR
• RSA offers a reciprocal royalty-free license under RAND to all implementers
  – For details, see http://tinyurl.com/cvrfs
Documents & Information
• draft-nystrom-eap-potp-03.txt
  – Part of One-Time-Password Specifications: http://www.rsasecurity.com/rsalabs/otps
• CT-KIP: Cryptographic Token Key Initialization Protocol
• OTP PKCS#11 Mechanisms
• OTP CAPI: MS CryptoAPI OTP extensions
• OTP WSS Token: WS-Security OTP Token format
• OTP Validation Service: Web service for OTP validation
• Mailing list: subscribe otps to [email protected]
  – Archive available by sending get otps otps.05 to the above email address