| draft-nir-tls-eap-07.txt | draft-nir-tls-eap-08.txt |
|---|---|
| TLS Working Group Y. Nir | TLS Working Group Y. Nir |
| Internet-Draft Y. Sheffer | Internet-Draft Check Point |
| Intended status: Standards Track Check Point | Intended status: Standards Track Y. Sheffer |
| Expires: September 8, 2010 H. Tschofenig | Expires: January 12, 2011 Independent |
| | H. Tschofenig |
| NSN | NSN |
| P. Gutmann | P. Gutmann |
| University of Auckland | University of Auckland |
| March 7, 2010 | July 11, 2010 |
| TLS using EAP Authentication | TLS using EAP Authentication |
| draft-nir-tls-eap-07 | draft-nir-tls-eap-08 |
| Abstract | Abstract |
| This document describes an extension to the TLS protocol to allow TLS | This document describes an extension to the TLS protocol to allow TLS |
| clients to authenticate with legacy credentials using the Extensible | clients to authenticate with legacy credentials using the Extensible |
| Authentication Protocol (EAP). | Authentication Protocol (EAP). |
| This work follows the example of IKEv2, where EAP has been added to | This work follows the example of IKEv2, where EAP has been added to |
| the protocol to allow clients to use different credentials such as | the protocol to allow clients to use different credentials such as |
| passwords, token cards, and shared secrets. | passwords, token cards, and shared secrets. |
| Status of this Memo | Status of this Memo |
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF). Note that other groups may also distribute |
| other groups may also distribute working documents as Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| The list of current Internet-Drafts can be accessed at | This Internet-Draft will expire on January 12, 2011. |
| http://www.ietf.org/ietf/1id-abstracts.txt. | |
| The list of Internet-Draft Shadow Directories can be accessed at | |
| http://www.ietf.org/shadow.html. | |
| This Internet-Draft will expire on September 8, 2010. | |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| described in the BSD License. | described in the Simplified BSD License. |
| This document may contain material from IETF Documents or IETF | |
| Contributions published or made publicly available before November | |
| 10, 2008. The person(s) controlling the copyright in some of this | |
| material may not have granted the IETF Trust the right to allow | |
| modifications of such material outside the IETF Standards Process. | |
| Without obtaining an adequate license from the person(s) controlling | |
| the copyright in such materials, this document may not be modified | |
| outside the IETF Standards Process, and derivative works of it may | |
| not be created outside the IETF Standards Process, except to format | |
| it for publication as an RFC or to translate it into languages other | |
| than English. | |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 |
| 1.1. EAP Applicability . . . . . . . . . . . . . . . . . . . . 5 | 1.1. EAP Applicability . . . . . . . . . . . . . . . . . . . . 4 |
| 1.2. Comparison with Design Alternatives . . . . . . . . . . . 5 | 1.2. Comparison with Design Alternatives . . . . . . . . . . . 4 |
| 1.3. Conventions Used in This Document . . . . . . . . . . . . 5 | 1.3. Conventions Used in This Document . . . . . . . . . . . . 4 |
| 2. Operating Environment . . . . . . . . . . . . . . . . . . . . 6 | 2. Operating Environment . . . . . . . . . . . . . . . . . . . . 5 |
| 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6 |
| 3.1. The tee_supported Extension . . . . . . . . . . . . . . . 8 | 3.1. The tee_supported Extension . . . . . . . . . . . . . . . 7 |
| 3.2. The InterimAuth Handshake Message . . . . . . . . . . . . 8 | 3.2. The InterimAuth Handshake Message . . . . . . . . . . . . 7 |
| 3.3. The EapMsg Handshake Message . . . . . . . . . . . . . . . 9 | 3.3. The EapMsg Handshake Message . . . . . . . . . . . . . . . 8 |
| 3.4. Calculating the Finished message . . . . . . . . . . . . . 9 | 3.4. Calculating the Finished message . . . . . . . . . . . . . 8 |
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 |
| 4.1. InterimAuth vs. Finished . . . . . . . . . . . . . . . . . 11 | 4.1. InterimAuth vs. Finished . . . . . . . . . . . . . . . . . 10 |
| 4.2. Identity Protection . . . . . . . . . . . . . . . . . . . 11 | 4.2. Identity Protection . . . . . . . . . . . . . . . . . . . 10 |
| 4.3. Mutual Authentication . . . . . . . . . . . . . . . . . . 12 | 4.3. Mutual Authentication . . . . . . . . . . . . . . . . . . 11 |
| 5. Performance Considerations . . . . . . . . . . . . . . . . . . 13 | 5. Performance Considerations . . . . . . . . . . . . . . . . . . 12 |
| 6. Operational Considerations . . . . . . . . . . . . . . . . . . 14 | 6. Operational Considerations . . . . . . . . . . . . . . . . . . 13 |
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 |
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 |
| 9. Changes from Previous Versions . . . . . . . . . . . . . . . . 17 | 9. Changes from Previous Versions . . . . . . . . . . . . . . . . 16 |
| 9.1. Changes in version -02 . . . . . . . . . . . . . . . . . . 17 | 9.1. Changes in version -02 . . . . . . . . . . . . . . . . . . 16 |
| 9.2. Changes in version -01 . . . . . . . . . . . . . . . . . . 17 | 9.2. Changes in version -01 . . . . . . . . . . . . . . . . . . 16 |
| 9.3. Changes from the protocol model draft . . . . . . . . . . 17 | 9.3. Changes from the protocol model draft . . . . . . . . . . 16 |
| 10. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 17 |
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 |
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 18 |
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 19 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 18 |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 |
| 1. Introduction | 1. Introduction |
| This document describes a new extension to [TLS]. This extension | This document describes a new extension to [TLS]. This extension |
| allows a TLS client to authenticate using [EAP] instead of performing | allows a TLS client to authenticate using [EAP] instead of performing |
| the authentication at the application level. The extension follows | the authentication at the application level. The extension follows |
| [TLS-EXT]. For the remainder of this document we will refer to this | [TLS-EXT]. For the remainder of this document we will refer to this |
| extension as TEE (TLS with EAP Extension). | extension as TEE (TLS with EAP Extension). |
| TEE extends the TLS handshake beyond the regular setup, to allow the | TEE extends the TLS handshake beyond the regular setup, to allow the |
| skipping to change at page 21, line 16 | skipping to change at page 20, line 16 |
| Yoav Nir | Yoav Nir |
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. |
| 5 Hasolelim st. | 5 Hasolelim st. |
| Tel Aviv 67897 | Tel Aviv 67897 |
| Israel | Israel |
| Email: ynir@checkpoint.com | Email: ynir@checkpoint.com |
| Yaron Sheffer | Yaron Sheffer |
| Check Point Software Technologies Ltd. | Independent |
| 5 Hasolelim st. | |
| Tel Aviv 67897 | |
| Israel | |
| Email: yaronf@checkpoint.com | Email: yaronf.ietf@gmail.com |
| Hannes Tschofenig | Hannes Tschofenig |
| Nokia Siemens Networks | Nokia Siemens Networks |
| Linnoitustie 6 | Linnoitustie 6 |
| Espoo 02600 | Espoo 02600 |
| Finland | Finland |
| Phone: +358 (50) 4871445 | Phone: +358 (50) 4871445 |
| Email: Hannes.Tschofenig@gmx.net | Email: Hannes.Tschofenig@gmx.net |
| URI: http://www.tschofenig.priv.at | URI: http://www.tschofenig.priv.at |
| End of changes. 11 change blocks. | |
| 61 lines changed or deleted | 42 lines changed or added |

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
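The introduction states that TEE "follows [TLS-EXT]", i.e. it is advertised as a hello extension in the generic type/length/data framing that [TLS-EXT] defines (each extension is a 2-byte type, a 2-byte length and opaque data, and the extension list itself carries a 2-byte length). As an added example, not code from the draft or from any implementation of it, the following Python encodes and parses a ClientHello extension list in that framing next to the standard server_name extension, and shows the server-side check for whether a client offered TEE. The tee_supported type code (0xFF01) and its empty body are placeholders: this page does not give the extension's wire format, and the real code point would come from the draft's IANA Considerations. The parser also rejects the cases an implementer has to handle: truncated lengths, trailing bytes, and a duplicated extension type, which [TLS-EXT] forbids.

```python
"""Encoding and parsing of TLS hello extensions in the [TLS-EXT] framing
(RFC 4366 / RFC 6066): type(2) || length(2) || opaque data, with the whole
list prefixed by a 2-byte length.

Added example; not code from draft-nir-tls-eap. EXT_TEE_SUPPORTED is a
placeholder value (the draft's IANA section would assign the real one) and
the empty extension body for tee_supported is an assumption.
"""
import struct

EXT_SERVER_NAME = 0          # RFC 6066 server_name
EXT_TEE_SUPPORTED = 0xFF01   # placeholder, NOT an IANA-assigned value
MAX_U16 = 0xFFFF


def encode_extensions(exts):
    """Serialise [(type, data), ...] as Extension extensions<0..2^16-1>."""
    body = b""
    for ext_type, data in exts:
        if len(data) > MAX_U16:
            raise ValueError("extension_data too long")
        body += struct.pack("!HH", ext_type, len(data)) + data
    if len(body) > MAX_U16:
        raise ValueError("extension list too long")
    return struct.pack("!H", len(body)) + body


def decode_extensions(buf):
    """Parse an extension list, rejecting truncation, trailing bytes and
    duplicate types (TLS-EXT allows at most one extension of each type)."""
    if len(buf) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", buf[:2])
    if len(buf) != 2 + total:
        raise ValueError("extensions length does not match buffer")
    pos, exts, seen = 2, [], set()
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(buf):
            raise ValueError("truncated extension_data")
        if ext_type in seen:
            raise ValueError("duplicate extension type %d" % ext_type)
        seen.add(ext_type)
        exts.append((ext_type, buf[pos:pos + ext_len]))
        pos += ext_len
    return exts


def encode_server_name(hostname):
    """server_name body: ServerNameList<..> holding one host_name (type 0) entry."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello_extensions(hostname, offer_tee):
    """Client side: SNI plus, optionally, the (placeholder) tee_supported extension."""
    exts = [(EXT_SERVER_NAME, encode_server_name(hostname))]
    if offer_tee:
        exts.append((EXT_TEE_SUPPORTED, b""))  # empty body is an assumption
    return encode_extensions(exts)


def client_offers_tee(client_hello_exts):
    """Server side: did the ClientHello advertise tee_supported?"""
    return any(t == EXT_TEE_SUPPORTED for t, _ in decode_extensions(client_hello_exts))


if __name__ == "__main__":
    wire = build_client_hello_extensions("vpn.example.com", True)  # constructed input
    print(wire.hex())
    print("TEE offered:", client_offers_tee(wire))
```

A server that ignores the duplicate-type and trailing-byte checks will happily accept a hello that two different parsers read differently, which is exactly the kind of ambiguity a negotiation extension such as tee_supported must not leave open; the decoder therefore fails closed on every malformed list rather than skipping what it cannot read.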