Internet Draft : EAP-BIO

erosjellySecurity

Feb 23, 2014

IETF 76, Hiroshima

Pascal URIEN, Telecom ParisTech
Christophe KIENNERT, Telecom ParisTech
Introduction

- Combine EAP-TTLS with biometry
- Project developed for particular security conditions: administratively restricted access in sensitive areas
- Main ideas:
  - EAP-TTLS offers many choices of authentication protocol during Phase 2
  - Advantages of biometry combined with the security of EAP-TTLS
  - Digital signatures added using smartcards

EAP-TTLS

[Figure: EAP-TTLS architecture. Labels recovered from the slide: user profiles, server certificate, login/password on the user side, 802.1X between the user and the access point, RADIUS between the access point and the RADIUS server, and RADIUS again to the home RADIUS server.]

EAP-BIO

[Figure: EAP-BIO architecture. Labels recovered from the slide: user with smartcard and biometric reader, an AVP encapsulating the signed fingerprint, and the server with its certificate.]

Phase 1 : Mutual authentication
Phase 2 : Biometric authentication
Session Keys : f(Master_Secret, Client_Random, Server_Random)
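The session-key function f(Master_Secret, Client_Random, Server_Random) on the slide is the TLS PRF applied to the handshake secrets. The block below is an added example, not code from the slides or from the authors' draft: it carries the derivation through with the TLS 1.2 PRF (P_SHA256 from RFC 5246) and the EAP-TTLS label "ttls keying material" from RFC 5281 section 8, producing the 64-byte MSK and 64-byte EMSK that EAP-TTLS exports to the access point after Phase 1. Assumptions: a TLS 1.2 PRF (a session negotiated over TLS 1.0/1.1 would use the MD5/SHA-1 PRF instead); the master secret and randoms in main are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// pHash is the P_hash expansion of the TLS 1.2 PRF (RFC 5246 section 5)
// with HMAC-SHA256: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
// output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
func pHash(secret, seed []byte, outLen int) []byte {
	var out []byte
	a := seed
	for len(out) < outLen {
		mac := hmac.New(sha256.New, secret)
		mac.Write(a)
		a = mac.Sum(nil)
		mac = hmac.New(sha256.New, secret)
		mac.Write(a)
		mac.Write(seed)
		out = append(out, mac.Sum(nil)...)
	}
	return out[:outLen]
}

// tlsPRF computes PRF(secret, label, seed) = P_SHA256(secret, label || seed).
func tlsPRF(secret []byte, label string, seed []byte, outLen int) []byte {
	return pHash(secret, append([]byte(label), seed...), outLen)
}

// DeriveTTLSKeys is the slide's f(Master_Secret, Client_Random, Server_Random):
// 128 bytes of key material from PRF(master_secret, "ttls keying material",
// client_random || server_random); the first 64 are the MSK, the next 64 the EMSK
// (RFC 5281 section 8). Client and server compute the same values independently.
func DeriveTTLSKeys(masterSecret, clientRandom, serverRandom []byte) (msk, emsk []byte) {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	km := tlsPRF(masterSecret, "ttls keying material", seed, 128)
	return km[:64], km[64:128]
}

func main() {
	// Constructed sample values; a real handshake produces 48 random bytes of
	// master secret and 32 random bytes for each of the two randoms.
	masterSecret := bytes.Repeat([]byte{0x01}, 48)
	clientRandom := bytes.Repeat([]byte{0xAA}, 32)
	serverRandom := bytes.Repeat([]byte{0xBB}, 32)
	msk, emsk := DeriveTTLSKeys(masterSecret, clientRandom, serverRandom)
	fmt.Println("MSK :", hex.EncodeToString(msk))
	fmt.Println("EMSK:", hex.EncodeToString(emsk))
}
```

The MSK is what the RADIUS server hands to the access point (as the 802.1X pairwise master key) once Phase 2 succeeds, which is why Phase 2 material such as the biometric AVP must be carried inside the TLS tunnel established in Phase 1: the keys depend only on Phase 1 secrets, so Phase 2 must be bound to the same tunnel or an attacker could separate the two phases.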

Mutual authentication: Phase 1

Participants: Client, Access Point, RADIUS Server

  Client -> Access Point       : EAPOL-Start
  Access Point -> Client       : EAP-Request/Identity
  Client -> Access Point       : EAP-Response/Identity
  Access Point -> RADIUS Server: RADIUS(Access-Request)
  RADIUS Server -> Access Point: RADIUS(Access-Challenge)
  Access Point -> Client       : EAP-Request/TTLS-Start
  Client -> Access Point       : EAP-Response/ClientHello
  Access Point -> RADIUS Server: RADIUS(Access-Request)
  RADIUS Server -> Access Point: RADIUS(Access-Challenge)/ ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
  Access Point -> Client       : EAP-Request/TTLS
  Client -> Access Point       : EAP-Response/ ClientKeyExchange, Certificate, ChangeCipherSpec, Finished
  Access Point -> RADIUS Server: RADIUS(Access-Request)
  RADIUS Server -> Access Point: RADIUS(Access-Challenge)/ ChangeCipherSpec, Finished
  Access Point -> Client       : EAP-Request/TTLS
Authentication: Phase 2

Participants: Client, Access point, RADIUS Server

  Client -> Access point       : EAP-Response/ {Biometric fingerprint, timestamp, signatures}
  Access point -> RADIUS Server: RADIUS(Access-Request)
  RADIUS Server                : verification of authentication data
  RADIUS Server -> Access point: RADIUS(Access-Accept)
  Access point -> Client       : EAP-Success

EAP-BIO : Phase 1

- Phase 1 : Mutual authentication
  - A client certificate is needed
  - It can be stored on a smartcard along with the RSA private key
  - The card is used to initiate the EAP-TTLS session

EAP-BIO : Phase 2

- Phase 2 : Biometric authentication
  - Biometric fingerprint encapsulated in AVPs in CBEFF format
  - Can be used for 1:N or 1:1 authentication
    - 1:1 authentication performs better
    - EAP-BIO performs 1:1 authentication since the identity of the user is already known from Phase 1
- Security problems to be solved about biometry
  - Certify the fingerprint issued by the biometric reader
  - Certify the voluntary action of the user
  - The reader must be secure (prevent the use of false fingerprints)

Security of EAP-BIO

- Use of smartcards and digital signatures
  - Sign the fingerprint issued by the reader
    - Insert a timestamp to prevent replay attacks
  - Sign the fingerprint with the client before sending it to the server
  - Certify the voluntary action of the user
    - Initiate the EAP-TTLS session with a smartcard
    - A signature from the user may be required
- Session Keys : f(Master-Secret, Client-random, Server-random)

AVP encapsulating the fingerprint

[Figure: container layout]
  Header
  Fingerprint (CBEFF structure)
  PKCS#7 capsule containing signatures
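The two previous slides describe the Phase 2 container (a header, the CBEFF fingerprint, and a capsule of signatures) and the checks the server performs on it (signature by the smartcard, timestamp against replay). The block below is an added example, not code from the slides or from the authors' draft, showing both ends of that exchange in Go: the client side signs fingerprint || timestamp with RSA-PSS and wraps the result in a Diameter-format AVP as EAP-TTLS Phase 2 carries them (RFC 5281 section 10); the server side parses the AVP, verifies the signature with the public key it learned from the Phase 1 client certificate, and rejects stale or replayed timestamps before the fingerprint is passed on for the 1:1 match. Assumptions, all constructed for the example: the AVP code avpCodeBiometric is hypothetical and not registered; the signature capsule is a raw RSA-PSS signature rather than the PKCS#7 structure in the figure; the fingerprint bytes stand in for a CBEFF record; an in-memory RSA key stands in for the smartcard key pair.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Hypothetical AVP code for the biometric container (constructed, not registered).
const avpCodeBiometric uint32 = 0xF00001

// GenerateUserKey stands in for the RSA key pair EAP-BIO keeps on the smartcard.
func GenerateUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncodeAVP builds one Diameter-format AVP (RFC 5281 section 10): 32-bit Code,
// Flags (M set, V clear), 24-bit Length covering the 8-byte header and data,
// then data padded to a 4-byte boundary.
func EncodeAVP(code uint32, data []byte) []byte {
	length := 8 + len(data)
	out := make([]byte, length+(4-length%4)%4)
	binary.BigEndian.PutUint32(out[0:4], code)
	out[4] = 0x40
	out[5], out[6], out[7] = byte(length>>16), byte(length>>8), byte(length)
	copy(out[8:], data)
	return out
}

// DecodeAVP returns the code and unpadded data of one AVP, rejecting bad framing.
func DecodeAVP(b []byte) (uint32, []byte, error) {
	if len(b) < 8 {
		return 0, nil, errors.New("short AVP")
	}
	if b[4]&0x80 != 0 {
		return 0, nil, errors.New("vendor-specific AVP not handled here")
	}
	length := int(b[5])<<16 | int(b[6])<<8 | int(b[7])
	if length < 8 || length > len(b) {
		return 0, nil, errors.New("bad AVP length")
	}
	return binary.BigEndian.Uint32(b[0:4]), b[8:length], nil
}

// signedInput is what the card signs: fingerprint || 8-byte big-endian timestamp.
// Binding the timestamp into the signature is what makes a replayed capture detectable.
func signedInput(fingerprint []byte, ts int64) []byte {
	buf := make([]byte, len(fingerprint)+8)
	copy(buf, fingerprint)
	binary.BigEndian.PutUint64(buf[len(fingerprint):], uint64(ts))
	return buf
}

// BuildBiometricAVP (client side) signs with RSA-PSS/SHA-256 and wraps
// len(fingerprint) || fingerprint || timestamp || signature in an AVP.
func BuildBiometricAVP(priv *rsa.PrivateKey, fingerprint []byte, ts int64) ([]byte, error) {
	digest := sha256.Sum256(signedInput(fingerprint, ts))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	payload := make([]byte, 4)
	binary.BigEndian.PutUint32(payload, uint32(len(fingerprint)))
	payload = append(payload, signedInput(fingerprint, ts)...)
	return EncodeAVP(avpCodeBiometric, append(payload, sig...)), nil
}

// Verifier (server side) holds the public key from the Phase 1 client certificate,
// the tolerated clock skew, and the timestamps already consumed for this user.
type Verifier struct {
	Pub    *rsa.PublicKey
	Window time.Duration
	seen   map[int64]bool
}

// VerifyBiometricAVP checks framing, signature, freshness and replay (in that
// order) and returns the fingerprint for the 1:1 match against the enrolled template.
func (v *Verifier) VerifyBiometricAVP(avp []byte, now int64) ([]byte, error) {
	code, data, err := DecodeAVP(avp)
	if err != nil {
		return nil, err
	}
	if code != avpCodeBiometric || len(data) < 12 {
		return nil, errors.New("unexpected AVP")
	}
	n := int(binary.BigEndian.Uint32(data[0:4]))
	if n < 0 || len(data) < 4+n+8 {
		return nil, errors.New("truncated payload")
	}
	fingerprint := data[4 : 4+n]
	ts := int64(binary.BigEndian.Uint64(data[4+n : 4+n+8]))
	digest := sha256.Sum256(signedInput(fingerprint, ts))
	if err := rsa.VerifyPSS(v.Pub, crypto.SHA256, digest[:], data[4+n+8:], nil); err != nil {
		return nil, errors.New("signature invalid: fingerprint not certified by the card")
	}
	window := int64(v.Window / time.Second)
	if skew := now - ts; skew > window || -skew > window {
		return nil, errors.New("timestamp outside freshness window")
	}
	if v.seen == nil {
		v.seen = map[int64]bool{}
	}
	if v.seen[ts] {
		return nil, errors.New("replayed timestamp")
	}
	v.seen[ts] = true
	return fingerprint, nil
}
```

Typical use: generate the key with GenerateUserKey, call BuildBiometricAVP with the fingerprint bytes and time.Now().Unix() on the client, and on the server call VerifyBiometricAVP on a Verifier whose Window is a few tens of seconds. The timestamp check only works if the reader/card clock and the server clock are loosely synchronised, and the replay cache is keyed by timestamp alone, so two legitimate attempts in the same second collide; a production server would key it by user and keep it only for the length of the window.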