emu-3----Page:5
1 2 3 4 5 6 7 8 9 10 11 12
|
How the Design Requirements Are Met? Support secure transport of clear text password to support legacy user name and password databases, such as One-time Password (OTP) and LDAP – send clear text password in Password-Authentication TLV. Provide mutual authentication – server authentication in Phase 1 and client authentication in phase 2 using password. Provide resistance to offline dictionary attacks, man-in-the-middle attacks, and replay attacks – provided by TLS. Comply with RFC 3748, RFC 4017, EAP keying management framework draft (including MSK and EMSK generation) - see security claims & key hierarchy. Support user identity confidentiality for the peer – exchange real identity in phase 2. Support cipher suite negotiation and cryptographic algorithm agility – provided by TLS Support session resumption and avoid the need for use to re-enter the password every time) – provided by TLS. Support fragmentation and reassembly – provided by TLS. Cryptographic binding – supported and always enforced, including version negotiation validation Password/PIN change – supported thru Password-Authentication TLV. Transport Channel Binding data – supported thru defining and exchange additional TLV. Support protected result indication – thru Result TLV exchange. Support for certificate validation protocols – via TLS extension. Support standard way of extending inner data exchanges to other than password-based authentications – thru defining additional TLVs. |