Abhishek Singh
SafeNet Infotech Pvt. Ltd.
Secure Communication of EAP - Radius messages.
draft-abhi-eap-radius-00.txt
By submitting this Internet-Draft, each author represents
that any applicable patent or other IPR claims of which he
or she is aware have been or will be disclosed, and any of
which he or she becomes aware will be disclosed, in accordance
with Section 6 of BCP 79."
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note
that other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
EAP is used to establish secure communication channel in
IKEv2 and in Wireless Security. EAP-TLS, EAP-TTLS, EAP-MD5,
EAP-SIM uses radius protocol for communication bewteen
radius server and the client. These protocols are used in
both Wireless network authentication and in IKEV2 authentication
to establish VPN tunnel.
+----------+ +----------+ +----------+
| | EAPOL | EAP | RADIUS | |
| EAP |<------>| Server |<------>| RADIUS |
| Client | EAPOW | | (EAP) | Server |
| | | | | |
+----------+ +----------+ +----------+
This draft presents the security protocol which can be used
to establish the secure communication channel between the
radius server and pass through server. Pass through server
is access point in the case of wireless communication and
it is gateway in case of IKEV2 authnetication.
[page 1]
Table of Content
1.0 Introduction ......................................2.0
2.0 Secure Message Exchange............................3.0
References ............................................4.0
Authors Address .......................................5.0
Full Copyright Statement ..............................5.0
1 Introduction
Extensible Authentication Protocol(EAP), rfc2284, is a general
protocol that allows network access points to support multiple
authentication methods. RADIUS attribute used for EAP is EAP-Message
79 (rfc2869). RADIUS communicates all EAP messages by embedding them in
this attribute.
RADIUS/EAP is used in order to provide authentication and authorization
for network access. As a result, both the RADIUS and EAP portions of the
conversation are potential targets of an attack. Threats are discussed
in [RFC2607], [RFC2865], and [RFC3162].
Some of the serious problem with the Radius Packet include:
[1]An adversary may attempt to acquire confidential data and
identities by snooping RADIUS packets. For example in case of
IKEv2, EAP-TLS authentication, the confidetial data can be
shared keys which is generated after EAP-TLS authentication.
The shared keys is transferred by the Radius Server to the
EAP Server and is further used by EAP server for the generation
of AUTH.
[2]An adversary may attempt to modify packets containing RADIUS
messages.
[page 2]
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Response Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1.0 Showing the Radius packet
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value .....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure 2.0 Attributes containing the following Structure
2. The Secure message exchange between the Radius and
the Pass through Server.
EAP Server Radius Server
---------- --------------
Public_Key_of_EAP_Server
-------------------------->
Public_key_of_Radius_Server
<----------------------------
Encrypt_date_with_pubic_key_Radius
---------------------------------->
Encrypt_data_with_Public_key_EAP_Server
<-----------------------------------------
EAP Server must have the public keys of the Radius server
and the Radius server must have the public keys of the EAP.
The exchange of the public keys can be done in message
exchanges between the EAP server and Radius or it can be
done manually. The public keys must encrypt the value field.
If the packet shown in figure 1.0 is streamed from the EAP server,
[page 3]
the public keys of the Radius server must encrypt the value field
shown in figure 2.0. This packet when reaches the Radius server,
the value field is decrypted with the private keys of the radius.
Similarly, for the packets, which are getting streamed by the
Radius Server, the value field must be encrypted by the public
keys of the EAP server and is decrypted by the private keys of
the EAP server.
The above mention procedure will ensure that the value field shown
in figure 2.0 is encrypted and hence will prevent the compromise and
modification of the confidential data in the radius packets.
3. References
[RFC 3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.
[RFC 4306] C. Kaufman, "Internet key Exchange Protocol (Ikev2
protocol)"
[RFC 2869] C.Rigney, Livingston, W.Willats, P.Calhoun "RADIUS
Extensions", June 2000.
[RFC 2284] L. Blunk, J. Vollbrecht, "PPP Extensible Authentication
Protocol (EAP)", March 1998
[RFC 2716] B. Aboba, D. Simons, "PPP EAP TLS Authentication Protocol",
October 1999.
[RFC 2607] B.Abobaba, J. Vollbertcht, "Proxy Chaining and Policy
Implementation in Roaming", June 1999.
[RFC 2865] C. RIgney, S. Willens, A. Rubens, W.Simpson, "Remote
Authentication Dial in User Service ", June 2000.
[RFC 3162] B.Aboba, G.Zorn, D.Mitton, "Radius and IPv6", August 2001.
[page 4]
Author's Address
----------------
Abhishek Singh
SafeNet InfoTech Pvt. Ltd.
Logix TechnoPark
5th & 6th Floor, Plot No.5
Sector - 127
Taj Express Way
Noida - 201301. U.P.
Email: asingh3@in.safenet-inc.com
abhicc285@gmail.com
Phone : 9899835649
Copyright (C) The IETF Trust (2008)
-------------------------------------
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights."
"This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
[page 5]