An EAP Enrollment Method draft-mahy-eap-enrollment-00.txt - PowerPoint PPT Presentation
Title:
An EAP Enrollment Method draft-mahy-eap-enrollment-00.txt
Description:
Small Wireless Devices are a pain to enroll onto WLANs ... WPA(2) Enterprise user/pass (good) [no CA] WPA(2) Personal shared secret (ok for consumer) [no AAA] ... – PowerPoint PPT presentation
Number of Views:26
Avg rating:3.0/5.0
Title: An EAP Enrollment Method draft-mahy-eap-enrollment-00.txt
1
An EAP Enrollment Methoddraft-mahy-eap-enrollment
-00.txt
- Rohan Mahyrohan_at_ekabal.com
2
Motivation and Requirements
- Small Wireless Devices are a pain to enroll onto
WLANs (ex typing 802.1x credentials into WLAN
phone with multitap) - phones have small numeric keypads
- most PDAs have no keyboard
- some devices have no display
- After enrollment, devices need to work with
existing WLAN infrastructure and auth mechanisms. - EAP TLS w/ mutual auth certs (best)
- WPA(2) Enterprise user/pass (good)
no CA - WPA(2) Personal shared secret (ok for consumer)
no AAA - We want to start with weak/convenient, temporary
credentials, and bootstrap once to strong
(high-entropy), permanent credentials - Once we have an IP address on a secure WLAN,
device can fetch rest of its config just like
wired devices.
3
The Approach
- Use existing methods (EAP-TLS) to get a secure
channel and authenticate the server - Emphasis on semantics needed to get strong
credentials to the device - Doesnt invent new crypto or key derivation
- Enrolled keys are not algorithmically related to
the original weak credentials - Thoughts?
