Slide1
IETF 76 – Hiroshima
Internet Draft: EAP-BIO
Pascal URIEN – Telecom ParisTech
Christophe KIENNERT – Telecom ParisTech
Slide2
Introduction
Combine EAP-TTLS with Biometry
Project developed for particular security conditions
Administrative restricted access in sensitive areas
Main ideas:
EAP-TTLS offers many choices for authentication protocols during Phase 2
Advantages of biometry combined with the security of EAP-TTLS
Digital signatures added using smartcards
Slide3
EAP-TTLS
[Diagram] Client (Login, Password) --802.1X / EAP-TTLS--> Access point --RADIUS--> RADIUS Server --RADIUS--> HOME RADIUS Server; the diagram also labels the user profiles and the server certificate.
Slide4
EAP-BIO
[Diagram] User side: a SmartCard holding the client certificate and a biometric reader producing the signed fingerprint. Server side: the server certificate.
Phase 1: Mutual Authentication (EAP-TTLS session initiation)
Phase 2: Biometric authentication (AVP encapsulating the signed fingerprint)
Session Keys: f(Master_Secret, Client_Random, Server_Random)
Slide5
Mutual authentication – Phase 1
[Message sequence between Client, Access Point and Radius Server]
Client -> Access Point: EAPOL-Start
Access Point -> Client: EAP-Request/Identity
Client -> Access Point: EAP-Response/Identity, relayed as RADIUS(Access-Request)
Radius Server -> Access Point: RADIUS(Access-Challenge), delivered as EAP-Request/TTLS-Start
Client: EAP-Response/ClientHello, relayed as RADIUS(Access-Request)
Radius Server: RADIUS(Access-Challenge)/EAP-Request/TTLS: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Client: EAP-Response/ClientKeyExchange, Certificate, ChangeCipherSpec, Finished, relayed as RADIUS(Access-Request)
Radius Server: RADIUS(Access-Challenge)/EAP-Request/TTLS: ChangeCipherSpec, Finished
Slide6
Authentication – Phase 2
[Message sequence between Client, Access point and Radius Server]
Client: EAP-Response/{Biometric fingerprint, timestamp, signatures}, relayed as RADIUS(Access-Request)
Radius Server: verification of the authentication data
Radius Server: RADIUS(Access-Accept), delivered to the Client as EAP-Success
Slide7
EAP-BIO: Phase 1
Phase 1: Mutual authentication
A client certificate is needed
It can be stored on a smartcard along with the RSA private key
The card is used to initiate the EAP-TTLS session
Slide8
EAP-BIO: Phase 2
Phase 2: Biometric authentication
Biometric fingerprint encapsulated in AVPs using the CBEFF format
Can be used for 1:N or 1:1 authentication
A 1:1 authentication is more efficient
EAP-BIO performs a 1:1 authentication since the identity of the user is known from Phase 1
Security problems to be solved about biometry:
Certify the fingerprint issued by the biometric reader
Certify the voluntary action of the user
The reader must be secure (prevent the use of false fingerprints)
Slide9
Security of EAP-BIO
Use of smartcards and digital signatures
Sign the fingerprint issued by the reader
Insert a timestamp to prevent replay attacks
Sign the fingerprint on the client side before sending it to the server
Certify the voluntary action of the user
Initiate the EAP-TTLS session with a smartcard
A signature from the user may be required
Session Keys: f(Master-Secret, Client-random, Server-random)
Slide10
AVP encapsulating the fingerprint
[Diagram] Container: Header, Fingerprint (CBEFF Structure), PKCS#7 Capsule containing the signatures
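The Phase 2 exchange and the container on the last slide, as an added example that is not the draft's or the authors' code: the client frames the signed fingerprint as an EAP-TTLS AVP, and the server checks the framing, the timestamp window and replay before handing the PKCS#7 capsule to a verifier. The AVP code, the Vendor-ID, the container byte layout (a version byte and the timestamp as header, then the CBEFF blob, then the capsule) and the caller-supplied PKCS#7 verifier are all assumptions; the draft's real encoding is not on the page.

```python
import struct
# Placeholder identifiers: the draft does not assign an AVP code or Vendor-ID.
EAPBIO_VENDOR_ID, EAPBIO_AVP_CODE = 0x7FFFFFFF, 1
REPLAY_WINDOW = 60  # seconds of clock skew tolerated on the signed timestamp

def encode_avp(code, vendor_id, data):
    # EAP-TTLS AVP (RFC 5281 s.10.1): code(4) flags(1) length(3) vendor(4) data, padded to 4 bytes;
    # flags 0xC0 = V (vendor-specific) + M (mandatory); the length field excludes the padding.
    hdr = struct.pack("!IB", code, 0xC0) + (12 + len(data)).to_bytes(3, "big") + struct.pack("!I", vendor_id)
    return hdr + data + b"\x00" * (-len(data) % 4)

def decode_avp(buf):
    # Returns (code, vendor_id, data); rejects a length field inconsistent with the buffer.
    length = int.from_bytes(buf[5:8], "big")
    hdr = 12 if len(buf) > 4 and buf[4] & 0x80 else 8
    if length < hdr or length > len(buf):
        raise ValueError("bad AVP length")
    vendor_id = struct.unpack("!I", buf[8:12])[0] if hdr == 12 else 0
    return struct.unpack("!I", buf[:4])[0], vendor_id, buf[hdr:length]

def build_container(cbeff_fingerprint, timestamp, pkcs7_capsule):
    # Assumed layout: version(1) timestamp(4) fp_len(2) CBEFF blob sig_len(2) PKCS#7 capsule;
    # the capsule signs everything before it, binding the timestamp to the sample.
    signed = b"\x01" + struct.pack("!IH", timestamp, len(cbeff_fingerprint)) + cbeff_fingerprint
    return signed + struct.pack("!H", len(pkcs7_capsule)) + pkcs7_capsule

def parse_container(data):
    # Returns (signed_bytes, timestamp, fingerprint, capsule), rejecting truncated input.
    if len(data) < 9 or data[0] != 1:
        raise ValueError("unsupported container")
    timestamp, fp_len = struct.unpack("!IH", data[1:7])
    sig_len = int.from_bytes(data[7 + fp_len:9 + fp_len], "big")
    if len(data) < 9 + fp_len + sig_len:
        raise ValueError("truncated container")
    return data[:7 + fp_len], timestamp, data[7:7 + fp_len], data[9 + fp_len:9 + fp_len + sig_len]

def verify_phase2(avp_bytes, now, seen, verify_capsule):
    # Server-side gate before biometric matching: framing, freshness/replay, then signature.
    # verify_capsule(signed_bytes, capsule) is caller-supplied: PKCS#7 check against the Phase 1 client cert.
    code, vendor_id, data = decode_avp(avp_bytes)
    if (code, vendor_id) != (EAPBIO_AVP_CODE, EAPBIO_VENDOR_ID):
        return False, "unexpected AVP"
    signed, ts, fp, sig = parse_container(data)
    if abs(now - ts) > REPLAY_WINDOW or (ts, fp) in seen:
        return False, "stale or replayed sample"
    if not verify_capsule(signed, sig):
        return False, "bad signature"
    seen.add((ts, fp))
    return True, "ok"
```

The replay set should be bounded by the same window the timestamp check uses, so that old entries can be expired instead of growing without limit.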