| < draft-nir-tls-eap-10.txt | draft-nir-tls-eap-11.txt > | |||
|---|---|---|---|---|
| TLS Working Group Y. Nir | TLS Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track Y. Sheffer | Intended status: Standards Track Y. Sheffer | |||
| Expires: September 1, 2011 Independent | Expires: September 11, 2011 Independent | |||
| H. Tschofenig | H. Tschofenig | |||
| NSN | NSN | |||
| P. Gutmann | P. Gutmann | |||
| University of Auckland | University of Auckland | |||
| February 28, 2011 | March 10, 2011 | |||
| TLS using EAP Authentication | TLS using EAP Authentication | |||
| draft-nir-tls-eap-10 | draft-nir-tls-eap-11 | |||
| Abstract | Abstract | |||
| This document describes an extension to the TLS protocol to allow TLS | This document describes an extension to the TLS protocol to allow TLS | |||
| clients to authenticate with legacy credentials using the Extensible | clients to authenticate with non-certificate credentials using the | |||
| Authentication Protocol (EAP). | Extensible Authentication Protocol (EAP). | |||
| This work follows the example of IKEv2, where EAP has been added to | This work follows the example of IKEv2, where EAP has been added to | |||
| the protocol to allow clients to use different credentials such as | the protocol to allow clients to use different credentials such as | |||
| passwords, token cards, and shared secrets. | passwords, token cards, and shared secrets. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 1, 2011. | This Internet-Draft will expire on September 11, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 15 ¶ | skipping to change at page 3, line 15 ¶ | |||
| 1. Introduction | 1. Introduction | |||
| This document describes a new extension to [TLS]. This extension | This document describes a new extension to [TLS]. This extension | |||
| allows a TLS client to authenticate using [EAP] instead of performing | allows a TLS client to authenticate using [EAP] instead of performing | |||
| the authentication at the application level. The extension follows | the authentication at the application level. The extension follows | |||
| [TLS-EXT]. For the remainder of this document we will refer to this | [TLS-EXT]. For the remainder of this document we will refer to this | |||
| extension as TEE (TLS with EAP Extension). | extension as TEE (TLS with EAP Extension). | |||
| TEE extends the TLS handshake beyond the regular setup, to allow the | TEE extends the TLS handshake beyond the regular setup, to allow the | |||
| EAP protocol to run between the TLS server (called an "authenticator" | EAP protocol to run between the TLS server (called an "authenticator" | |||
| in EAP) and the TLS client (called a "supplicant"). This allows the | in EAP) and the TLS client (called either a "supplicant" or a | |||
| TLS architecture to handle client authentication before exposing the | "peer"). This allows the TLS architecture to handle client | |||
| server application software to an unauthenticated client. In doing | authentication before exposing the server application software to an | |||
| this, we follow the approach taken for IKEv2 in [RFC5996]. However, | unauthenticated client. In doing this, we follow the approach taken | |||
| similar to regular TLS, we protect the user identity by only sending | for IKEv2 in [RFC5996]. However, similar to regular TLS, we protect | |||
| the client identity after the server has authenticated. In this our | the user identity by only sending the client identity after the | |||
| solution differs from that of IKEv2. | server has authenticated. In this our solution differs from that of | |||
| IKEv2. | ||||
| Currently used applications that rely on non-certificate user | Currently used applications that rely on non-certificate user | |||
| credentials use TLS to authenticate the server only. After that, the | credentials use TLS to authenticate the server only. After that, the | |||
| application takes over, and presents a login screen where the user is | application takes over, and presents a login screen where the user is | |||
| expected to present their credentials. | expected to present their credentials. | |||
| This creates several problems. It allows a client to access the | This creates several problems. It allows a client to access the | |||
| application before authentication, thus creating a potential for | application before authentication, thus creating a potential for | |||
| anonymous attacks on non-hardened applications. Additionally, web | anonymous attacks on non-hardened applications. Additionally, web | |||
| pages are not particularly well suited for long shared secrets and | pages are not particularly well suited for long shared secrets and | |||
| skipping to change at page 18, line 17 ¶ | skipping to change at page 18, line 17 ¶ | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | [EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | |||
| Levkowetz, "Extensible Authentication Protocol (EAP)", | Levkowetz, "Extensible Authentication Protocol (EAP)", | |||
| RFC 3748, June 2004. | RFC 3748, June 2004. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security | [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.1", RFC 4346, April 2006. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [TLS-EXT] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | [TLS-EXT] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | |||
| and T. Wright, "Transport Layer Security (TLS) | and T. Wright, "Transport Layer Security (TLS) | |||
| Extensions", RFC 4366, April 2006. | Extensions", RFC 4366, April 2006. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [Compound-Authentication] | [Compound-Authentication] | |||
| Puthenkulam, J., Lortz, V., Palekar, A., and D. Simon, | Puthenkulam, J., Lortz, V., Palekar, A., and D. Simon, | |||
| "The Compound Authentication Binding Problem", | "The Compound Authentication Binding Problem", | |||
| End of changes. 7 change blocks. | ||||
| 14 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||