eap efficient re authentication
play

EAP Efficient Re-authentication Vidya Narayanan , vidyan@qualcomm.com - PowerPoint PPT Presentation

Jun 09, 2023 •752 likes •1.05k views

EAP Efficient Re-authentication Vidya Narayanan , vidyan@qualcomm.com Lakshminath Dondeti , ldondeti@qualcomm.com January 2007 Contents EAP Re-authentication and Fast Re-authentication Requirements for low latency re-authentication

  1. EAP Efficient Re-authentication Vidya Narayanan , vidyan@qualcomm.com Lakshminath Dondeti , ldondeti@qualcomm.com January 2007

  2. Contents • EAP Re-authentication and Fast Re-authentication • Requirements for low latency re-authentication • Constraints in designing extensions to EAP • Design Choices – Server vs. peer initiated – Re-authentication key hierarchy • With and without local re-auth server – Protocol transport – Lower layer requirements • Proposed Protocol 2

  3. EAP Re-authentication, as per today’s standards Peer Auth1 AAA-L AAA-H EAP Req/Identity Initial EAP Exchange EAP Resp/Identity Full EAP Method Exchange MSK1, EMSK1 MSK1, EMSK1 EAP Success EAP Success (MSK1) MSK1 3

  4. EAP Re-authentication, as per today’s standards Peer Auth1 Auth2 AAA-L AAA-H EAP Req/Identity Initial EAP Exchange EAP Resp/Identity Full EAP Method Exchange MSK1, EMSK1 MSK1, EMSK1 EAP Success EAP Success (MSK1) MSK1 Subsequent EAP Exchanges EAP Req/Identity EAP Resp/Identity Full EAP Method Exchange (or, Method-Specific Fast Re-authentication) MSK2, EMSK2 MSK2, EMSK2 EAP Success EAP Success (MSK2) MSK2 4

  5. Our Charter Dictates ☺ • Solutions specified by the HOKEY WG must: – Be responsive to handover and re-authentication latency performance objectives within a mobile wireless access network. – Fulfill the requirements in draft-housley-aaa-key-mgmt and draft-ietf- eap-keying. – Be independent of the access-technology. Any key hierarchy topology or protocol defined must be independent of EAP lower layers. The protocols may require additional support from the EAP lower layers that use it. – Accommodate inter-technology heterogeneous handover and roaming. – No changes to EAP methods. Any extensions defined to EAP must not cause changes to existing EAP methods. 5

  6. Re-auth Goals • MUST be better than full EAP authentication – “The protocol MUST be responsive to handover and re- authentication latency performance within a mobile access network” • EAP lower layer independence • EAP method independence • AAA protocol compatibility and keying • Co-existence with current EAP operation 6

  7. What is Low Latency? • Security becomes a burden when any latency or overhead is added to the critical handoff path ☺ – Mobile access networks resort to insecure practices when security adds latency to handoffs • Two aspects of latency – Number of roundtrips – Distance to the AS • Ideally, the protocol should be executable in parallel with connection establishment – I.e., add 0 incremental time to L2 handoffs • It may also be unacceptable to have to go back to the AS (EAP Server) upon every handoff – EAP Server may be too many hops away! 7

  8. Full EAP Authentication (E.g., EAP-AKA) EAP Peer Auth1 Server EAP Request Identity EAP Response Identity EAP Request (AKA Challenge) EAP Response (AKA Challenge) MSK1, EMSK1 MSK1, EMSK1 EAP Success EAP Success (MSK1) MSK1 EAP-AKA takes 2 Roundtrips over the infrastructure to Goal: Re-auth MUST complete; AKA fast re-authentication reduces computational finish in less than 2 expense, but takes the same number of roundtrips to complete. roundtrips AKA is one of the most commonly used protocols for network access authentication in mobile access networks. 8

  9. Server vs Peer Initiated Re-Auth • Server-initiated re-authentication preserves the EAP model – Allows for similar peer operation in open/access-controlled networks – Only model that supports legacy authenticators – Needs at least 1.5 roundtrips with modifications to authenticator operation – Needs at least 2 roundtrips with legacy authenticators • Peer-initiated re-authentication achieves more efficient operation – Can piggyback re-authentication on connection establishment on some wireless networks – Can finish in 1 roundtrip 9

  10. Server Initiated Re-Auth With Legacy Authenticators EAP Peer Auth1 Server EAP Request Identity EAP Response Identity EAP Request Re-auth EAP Response Re-auth MSK1, EMSK1 MSK1, EMSK1 EAP Success EAP Success (MSK1) MSK1 • The protocol operation is quite similar to AKA • No improvement over AKA in terms of latency or computational expense • The Peer has to provide either temporary or real identity in the Response/Identity message • EAP server has to prove possession of the key before the peer authenticates • Potential for DoS attacks on the EAP server 10

  11. Peer/Server Initiated Re-Auth With Upgraded Authenticators EAP Peer Auth1 Server EAP Request Identity EAP Initiate (Re-auth) EAP Finish (Re-auth) rMSK rMSK rMSK • The most optimal method of re-authentication is the peer-initiated model • Needs upgrades to authenticators • Optional server-initiated model is also feasible • EAP Request Identity from the Authenticator to the peer serves a trigger for Re-Auth • The Peer authenticates first • Uses temporary identity or a key identity for identity protection • The Finish message contains Server’s authentication and also serves the same purpose as EAP Success • To support peer-initiated operation, changes to peer’s state machine are needed • Peer must be able to maintain retransmission timers etc. 11

  12. Peer/Server Initiated Re-Auth With Legacy Authenticators EAP Peer Auth1 Server EAP Request Identity EAP Response Identity EAP Request Re-auth (Empty) EAP Response Re-auth (Initiate) EAP Request Re-auth (Finish) EAP Response Re-auth (Empty) MSK1, EMSK1 EAP Success EAP Success (MSK1) MSK1 • Optional EAP type-based transport with the peer-initiated model takes more roundtrips than say, EAP-AKA operation • Enables use of the same protocol over legacy authenticators • Only transport varies (code-based vs type-based) • Peer will have to prove possession of key material before server performs any computation • Perhaps acceptable as a transition mechanism over legacy authenticators • Useful for chatty EAP methods (e.g., TLS-based methods) 12

  13. Local Re-auth Server • Re-auth may still take too long if the AS is too many hops away • Must be able to perform re-auth with a local server when handing off within a local area • Key hierarchy must support both models • The re-auth protocol must support some bootstrapping capability – Local server must be provided a key – Peer may need to be provided a server ID 13

  14. Re-authentication Key Hierarchy rRK rIK rEK rMSK 1 … rMSK m TSK 1 TSK m • rRK is the Re-authentication Root Key • rIK is the Re-auth Integrity Key and used to provide proof of possession of Re-auth keys • rEK is the Encryption Key used to encrypt any confidential data exchanged between the peer and the EAP-ER server • rMSK is the MSK equivalent key • Derived based on the run of the EAP-ER protocol • Each Authenticator change, whether or not an Authenticator is revisited, is treated the same 14

  15. Where does the rRK come from? • There are at least two candidates for the parent key for the rRK – f(EMSK, “Re-authentication Root Key”) • The EMSK is managed by the EAP server – EAP server may be too many hops away from the Peer – f(Local MSK, “Re-authentication Root Key”) • Local MSK is a root key associated with an EAP-ER server in the Authenticator’s domain • Local MSK derivation itself is out of scope of the re- authentication solution 15

  16. Protocol Transport • Protocol transport considerations – EAP Code-based and Type-based transport • EAP Code-based implies authenticator support for new codes • EAP Type-based can work with current EAP authenticators – One option is to allow both • Re-auth messages may be carried in EAP Request/Response or EAP Initiate/Finish messages • Can re-auth be run over a protocol other than EAP? – Claimed benefit is to prevent any changes to EAP implementation • Peer and server implementations may treat re-auth as a new protocol for all practical purposes – At the authenticator, interactions with EAP are needed irrespective of the transport protocol used for re-auth • In many networks, access control enforcement is based on successfully finishing EAP authentication • Port control enforcement is contingent on EAP Success, MSK to TSK derivation and use • The goal of Re-Auth is also to derive the TSK eventually – port must be enabled after successful re-authentication 16

  17. Benefits of EAP-based Transport • If a new protocol were to be used to transport Re-Auth messages – Authenticators would have two different protocols and state machines installing SAs that enable controlled access • EAP-based transport allows: – Integration of state machines for initial and re-authentication – Specification benefits: • Will largely re-use: – RFC3748 – EAP keying framework – RFC3579 – RFC4072 – The list goes on… – Allows re-auth to be triggered by EAP Request Identity 17

  18. Co-existence with Vanilla EAP • Peers may roam in and out of networks that support re-authentication • Support for re-auth may be indicated by the lower layer for optimal operation • Alternatively, the peer may attempt re-auth – Upon a timeout/failure, the peer may do full authentication 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EAP Efficient Re-authentication Lakshminath Dondeti , ldondeti@qualcomm.com Vidya Narayanan ,

EAP Efficient Re-authentication Lakshminath Dondeti , ldondeti@qualcomm.com Vidya Narayanan ,

EAP Efficient Re-authentication Lakshminath Dondeti , ldondeti@qualcomm.com Vidya Narayanan , vidyan@qualcomm.com IETF68; March 2007 Re-auth Goals MUST be better than full EAP authentication The protocol MUST be responsive to handover

361 views • 17 slides
Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols

563 views • 22 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks

VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks

VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks Jo Van Bulck, Jan Tobias Mhlberg and Frank Piessens jo.vanbulck|jantobias.muehlberg@cs.kuleuven.be imec-DistriNet, KU Leuven, Celestijnenlaan

654 views • 28 slides
Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and Reliability PhD Candidate Vandana Rohokale (vmr@es.aau.dk) Supervisor Prof. Ramjee Prasad CTIF, Aalborg, Denmark Co-supervisors Assoc. Prof. Horia

372 views • 13 slides
Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying Vidya Narayanan , vidyan@qualcomm.com Lakshminath Dondeti , ldondeti@qualcomm.com IETF-67 San Diego, CA November 2006 Contents EAP keying

614 views • 15 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale

Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale

Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale VoIP Networks Italo Dacosta and Patrick Traynor Performance, Scalability and Security Finding the right balance between performance /scalability

517 views • 24 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
EM 3 A : Efficient Mutual Multi-hop Mobile Authentication Scheme for PMIP Networks Sanaa Taha

EM 3 A : Efficient Mutual Multi-hop Mobile Authentication Scheme for PMIP Networks Sanaa Taha

EM 3 A Introduction System Model Security Analysis Performance Evaluation Conclusions and future work EM 3 A : Efficient Mutual Multi-hop Mobile Authentication Scheme for PMIP Networks Sanaa Taha November 18, 2011 Sanaa Taha EM 3 A :

361 views • 24 slides
ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit Kartik Mohanram Non-Volatile Memories Workshop March 12, 2018 San Diego, CA Electrical and Computer Engineering University of Pittsburgh

971 views • 50 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access

sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access

spcl.inf.ethz.ch @spcl_eth Konstantin Taranov, Benjamin Rothenberger, Adrian Perrig, Torsten Hoefler sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access spcl.inf.ethz.ch @spcl_eth RDMA networking is

2.47k views • 30 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the

msb( x ) in O(1) steps using 5 multiplications [M.L. Fredman, D.E. Willard, Surpassing the information theoretic bound with fusion trees , Journal of Computer and [ , , p g f f , p System Sciences 47 (3): 424436, 1993] Word size n =

184 views • 16 slides
Exploiting Functional Dependence in Bayesian Network Inference Ji r Vomlel Laboratory

Exploiting Functional Dependence in Bayesian Network Inference Ji r Vomlel Laboratory

Exploiting Functional Dependence in Bayesian Network Inference Ji r Vomlel Laboratory for Inteligent systems University of Economics, Prague This presentation is available from: http://www.utia.cas.cz/vomlel/ Original model HV2 HV1

301 views • 17 slides
Speeding-up Large-Scale Storage with Non-Volatile Memory CERN openlab Open Day 10 June 2015 KL

Speeding-up Large-Scale Storage with Non-Volatile Memory CERN openlab Open Day 10 June 2015 KL

Speeding-up Large-Scale Storage with Non-Volatile Memory CERN openlab Open Day 10 June 2015 KL Yong Sergio Ruocco Data Center Technologies Division about DSI DSI vision Founded in 1992, DSI vision is to be a vital node in a global

276 views • 13 slides
Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name no PKI necessary

815 views • 24 slides
Overview of the Active Neighbourhoods for Older Australians (ANOA) project for funded houses

Overview of the Active Neighbourhoods for Older Australians (ANOA) project for funded houses

Overview of the Active Neighbourhoods for Older Australians (ANOA) project for funded houses Musculoskeletal Australia (MSK) Musculoskeletal Australia has been supporting people with arthritis and musculoskeletal conditions for 50 years.

441 views • 20 slides
Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Encryption Cocks IBE Scheme Algebraic Structure Applications Conclusion Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC 2016 Tapei, Taiwan 1 / 20 Identity-Based Encryption

655 views • 38 slides
Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional Encryption f g h KeyGen PK SK SK f PK f(x) Dec SK g x g(x) Enc Dec Ciphertext SK h h(x) Dec Index-Payload Functions Message x=(

166 views • 13 slides
70 Years of MV cables in Brazil R eliability of: Cables; Splices and Potheads F(t)=1-e^(-((t-

70 Years of MV cables in Brazil R eliability of: Cables; Splices and Potheads F(t)=1-e^(-((t-

70 Years of MV cables in Brazil R eliability of: Cables; Splices and Potheads F(t)=1-e^(-((t- )/ ) ^ )) Defeitos em Cabos PILC - Weibull 2P t Cabo Emenda Total 14 0,0791 0,0535 0,0739 1,2000 15 0,1022 0,0746 0,1023 16 0,1293

242 views • 20 slides

More recommend