Moving the WAP browser into the SIM

EAP
57th IETF
Vienna, Austria, July 13-18, 2003
"EAP support in smartcards"
Draft-urien-EAP-smartcard-02.txt
Pascal Urien et al.
ENST
[email protected]
Slide 1/8
07/17/03
EAP Support in Smartcards
• Goals
  - Definition of a "universal" ISO 7816 interface, i.e. one that
    supports most EAP authentication protocols.
• EAP smartcard benefits
  - Network credentials are securely stored.
  - The smartcard bearer does not know the network credentials
    (shared secret, asymmetric keys...).
  - EAP protocols are computed in a trusted environment.
  - The smartcard is designed to resist cloning.
  - The smartcard is blocked/unblocked by the user's PIN code.
• Other aspects
  - Scalability: half a billion smartcards were produced in 2001.
  - Multiple form factors (ISO 7816 credit-card format, SIM
    GSM 11.11, USB...).
  - Sufficient cryptographic performance (RSA 2048-bit
    computation in 500 ms); memory size around 128 KB, one
    MB with FLASH technology.
Overview
[Figure: EAP smartcard architecture. The smartcard (EAP engine, EAP
profile, EAP-ID, EAP-Type, crypto key(s)) talks to the supplicant over
EAP / ISO 7816; the supplicant talks to the authenticator over
EAP / LAN (802.1X); the authenticator relays to the RADIUS server
(holding the matching EAP profile) over EAP / RADIUS.]
• Secure authentication.
• User authentication rather than computer authentication.
• One smartcard for several networks.
• Interoperability between EAP smartcards.
Basic Concepts
• Identity
  - A pointer to a set of information that is needed for
    processing EAP messages:
  - EAP-ID, EAP-Type, cryptographic keys
  - User profile: information meaningful for the terminal or the
    network (SSID, radio channel, X.509 certificates...)
• Profile
  - Implementation recommendations for a particular EAP-Type.
• PIN management
  - The EAP smartcard may be protected by a PIN code, known and
    managed only by its bearer.
• EAP application
  - An EAP (smartcard) application may be associated with one or
    more EAP-Types. In that case it is started by a Select-AID command.
EAP Smartcard Services 1/3
• Four logical interfaces.
• Network interface.
  - The smartcard directly processes EAP messages (requests,
    notifications).
  - EAP profile definitions: a set of rules (if needed) for supporting a
    particular authentication protocol (maximum message size, ...).
• Operating system / terminal interface.
  - Identity management. Multiple triplets (EAP-ID, EAP-Type,
    cryptographic keys) are stored in the smartcard; one triplet is
    required per network.
  - User profile, typically an LDAP record stored in the smartcard
    (under discussion).
• Management / personalization interface.
  - Identity and profile download and update. Management could be
    done via dedicated EAP protocols (under discussion).
• User interface.
  - Personal Identification Number (PIN code) management.
EAP Smartcard Services 2/3
[Figure: secure EAP framework. The EAP smartcard exposes four
interfaces; the services drawn next to each are:]
  Network interface:
    Process-EAP()
  OS/Terminal interface and Management/Personalization interface:
    Get-Next-Identity(), Get-Preferred-Identity(), Get-Current-Identity(),
    Set-Identity(), Set-Multiple-Identity(), Get-Session(),
    Get-Profile-Data(), Select-AID(), Add-Identity(), Delete-Identity()
  User interface:
    Verify-PIN(), Change-PIN(), Enable-PIN(), Disable-PIN(), Unblock-PIN()
  EAP authentication protocol profiles: EAP-SIM, EAP-MD5, EAP-TLS, OTHER

Identity list (one entry per network):
  IDENTITY     EAP-ID             EAP TYPE   CRYPTO Key(s)   PROFILE
  My-Home      dad                MD5        Password        -
  My-Office    [email protected]  TLS        RSA Keys        Credentials
  SF-Airport   [email protected]  SIM        Ki              Subscription
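The identity list, PIN gate and Process-EAP service described on the last two slides, as an added toy model that is not code from the draft or the EAP smartcard project. The identity rows follow the slide's table; the PIN, the key bytes, the placeholder EAP-IDs for the redacted rows, and the choice of EAP-MD5 as the worked profile (with a RADIUS-side check) are assumptions made here:

```python
"""Added toy model of the EAP smartcard's identity list, PIN gate and
Process-EAP service (not code from the draft); EAP-MD5 is the worked profile.
Identity rows follow the slide's table; PIN, key bytes and the placeholder
EAP-IDs are assumptions made here."""
import hashlib
import struct
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE = 1, 2             # EAP Code values (RFC 3748)
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5 = 1, 3, 4  # EAP Type values (RFC 3748)
TYPE_TLS, TYPE_SIM = 13, 18


@dataclass
class Identity:
    name: str       # label for user and terminal, e.g. "My-Home"
    eap_id: str     # EAP-ID returned in EAP-Response/Identity
    eap_type: int   # EAP-Type this network runs
    key: bytes      # shared secret / key material; never read out of the card
    profile: str    # user-profile data meaningful for terminal or network


def eap_packet(code: int, ident: int, eap_type: int, payload: bytes = b"") -> bytes:
    """Serialize Code | Identifier | Length(2) | Type | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload


class EapSmartcard:
    """Card state: a circular identity list behind a PIN with a retry counter."""

    def __init__(self, identities, pin: bytes, preferred: str, max_tries: int = 3):
        self._ids, self._pin, self._preferred = list(identities), pin, preferred
        self._tries = self._max = max_tries
        self._verified, self._pos = False, 0

    # User interface
    def verify_pin(self, pin: bytes) -> bool:
        if self._tries == 0:
            raise PermissionError("card blocked: Unblock-PIN required")
        if pin != self._pin:
            self._tries -= 1                  # card blocks after max_tries failures
            return False
        self._tries, self._verified = self._max, True
        return True

    # OS/Terminal interface
    def get_current_identity(self) -> Identity:
        return self._ids[self._pos]

    def get_next_identity(self) -> Identity:
        self._pos = (self._pos + 1) % len(self._ids)   # circular list
        return self._ids[self._pos]

    def get_preferred_identity(self) -> Identity:
        return next(i for i in self._ids if i.name == self._preferred)

    def set_identity(self, name: str) -> None:
        self._pos = next(k for k, i in enumerate(self._ids) if i.name == name)

    # Network interface
    def process_eap(self, request: bytes) -> bytes:
        """Consume one EAP request and build the response; the key stays on-card."""
        if not self._verified:
            raise PermissionError("PIN not verified")
        if len(request) < 5:
            raise ValueError("malformed EAP request")
        code, ident, length = struct.unpack("!BBH", request[:4])
        if code != EAP_REQUEST or length != len(request):
            raise ValueError("malformed EAP request")
        req_type, data, cur = request[4], request[5:], self.get_current_identity()
        if req_type == TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, TYPE_IDENTITY, cur.eap_id.encode())
        if req_type != cur.eap_type:
            # Nak: the server proposed a type this identity does not run.
            return eap_packet(EAP_RESPONSE, ident, TYPE_NAK, bytes([cur.eap_type]))
        if req_type == TYPE_MD5:
            # Type-Data is Value-Size | Value | Name; the response value is the
            # CHAP digest MD5(Identifier || secret || challenge).
            if not data or len(data) <= data[0]:
                raise ValueError("truncated MD5 challenge")
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + cur.key + challenge).digest()
            return eap_packet(EAP_RESPONSE, ident, TYPE_MD5,
                              bytes([len(digest)]) + digest + cur.eap_id.encode())
        raise NotImplementedError(f"EAP-Type {req_type} not modelled here")


def server_check_md5(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """RADIUS-side verification of an EAP-Response/MD5-Challenge."""
    code, _, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or length != len(response) or response[4] != TYPE_MD5:
        return False
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return response[6:6 + response[5]] == expected


# Constructed sample card: rows from the slide's table; office/airport EAP-IDs are placeholders.
SAMPLE_CARD = EapSmartcard(
    [Identity("My-Home", "dad", TYPE_MD5, b"s3cret-password", "-"),
     Identity("My-Office", "user@example.com", TYPE_TLS, b"<RSA keys>", "Credentials"),
     Identity("SF-Airport", "imsi@example.net", TYPE_SIM, bytes(16), "Subscription")],
    pin=b"1234", preferred="My-Office")
```

The point the slides make is visible in process_eap: the terminal only ever hands the card an EAP request and gets an EAP response back, so the MD5 password (or Ki, or RSA key) is never exported, and nothing is computed until Verify-PIN has succeeded.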
EAP Smartcard Services 3/3
SERVICE                  APDU (CLA INS P1 P2 Lc Le)   COMMENTS
Process-EAP              Ax 80 00 ii xx yy            Process an EAP message
Add-Identity             Ax 17 00 81 xx 00            Add an identity entry to the EAP smartcard
Delete-Identity          Ax 17 00 82 xx 00            Delete an identity entry
Get-Current-Identity     Ax 16 00 00 00 xx            Get the current identity
Get-Next-Identity        Ax 16 00 01 00 xx            Extract the next identity from a circular list
Get-Preferred-Identity   Ax 16 00 02 00 xx            Get the preferred identity
Set-Identity             Ax 16 00 80 xx 00            Set the smartcard's current identity
Set-Multiple-Identity    Ax 16 00 83 xx 00            Set a multiple identity
Get-Profile-Data         Ax 1A 00 00 00 xx            Get the subscriber profile
Get-Current-Version      Ax 10 xx yy 00 02            P1 != 0 is the EAP-Type; P2=0 EAP version,
                                                      P2=1 WLAN Smartcard Consortium version
Get-Session-Key          Ax A6 00 ii 00 20            Get the session key
Verify-PIN               A0 20 00 00 08 00            Verify the user's current PIN code
Change-PIN               A0 24 00 00 10 00            Change the user's current PIN code
Enable-PIN               A0 26 00 00 08 00            Enable PIN code use
Disable-PIN              A0 28 00 00 08 00            Disable PIN code use
Unblock-PIN              A0 2C 00 00 10 00            Unblock the EAP smartcard
Select-AID               00 A4 04 00 xx 00            Start an EAP smartcard application (ISO 7816-4 SELECT)
(Ax: class byte with a variable low nibble; ii, xx, yy: variable values.)
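ISO 7816-4 short-APDU framing for the command table above, as an added example that is not code from the draft. The CLA/INS/P1/P2 values are copied from the table; reading the class byte "Ax" as A0, treating an Lc or Le shown as 00 as "field absent", padding PINs to 8 bytes with FF (GSM 11.11 style), and the sample AID are all assumptions made here:

```python
"""Added example of ISO 7816-4 short-APDU framing for the slide's command
table (not code from the draft).  CLA/INS/P1/P2 come from the table; the
class byte 'Ax' is taken as A0, an Lc/Le shown as 00 is read as 'field
absent', and PIN padding with FF bytes is assumed (GSM 11.11 style)."""
from dataclasses import dataclass
from typing import Optional

CLA_EAP, CLA_PIN, CLA_ISO = 0xA0, 0xA0, 0x00   # 'Ax' assumed to be A0 here


@dataclass(frozen=True)
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data; Lc = len(data)
    le: Optional[int] = None   # expected response length (1..256), None = no Le


def encode(a: Apdu) -> bytes:
    """Short APDU, ISO 7816-4 cases 1-4: header, then optional Lc+data, then Le."""
    if len(a.data) > 255 or (a.le is not None and not 1 <= a.le <= 256):
        raise ValueError("short APDU limits exceeded")
    out = bytes([a.cla, a.ins, a.p1, a.p2])
    if a.data:
        out += bytes([len(a.data)]) + a.data
    if a.le is not None:
        out += bytes([a.le % 256])             # Le = 256 is coded as 00
    return out


def decode(raw: bytes) -> Apdu:
    """Inverse of encode(); rejects framing where Lc disagrees with the data."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                # case 1: header only
        return Apdu(cla, ins, p1, p2)
    if len(body) == 1:                          # case 2: header + Le
        return Apdu(cla, ins, p1, p2, le=body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc:
        raise ValueError("Lc does not match the data length")
    if not rest:                                # case 3: header + Lc + data
        return Apdu(cla, ins, p1, p2, data)
    if len(rest) == 1:                          # case 4: header + Lc + data + Le
        return Apdu(cla, ins, p1, p2, data, le=rest[0] or 256)
    raise ValueError("trailing bytes after Le")


# Command builders for the services in the table.
def apdu_process_eap(eap_msg: bytes, ii: int = 0, le: int = 256) -> bytes:
    return encode(Apdu(CLA_EAP, 0x80, 0x00, ii, eap_msg, le))

def apdu_get_current_identity(le: int) -> bytes:
    return encode(Apdu(CLA_EAP, 0x16, 0x00, 0x00, le=le))

def apdu_get_next_identity(le: int) -> bytes:
    return encode(Apdu(CLA_EAP, 0x16, 0x00, 0x01, le=le))

def apdu_set_identity(identity: bytes) -> bytes:
    return encode(Apdu(CLA_EAP, 0x16, 0x00, 0x80, identity))

def apdu_get_session_key(ii: int) -> bytes:
    return encode(Apdu(CLA_EAP, 0xA6, 0x00, ii, le=0x20))   # Le = 20: 32-byte key

def apdu_verify_pin(pin: bytes) -> bytes:
    if not 4 <= len(pin) <= 8:
        raise ValueError("PIN must be 4 to 8 bytes")
    return encode(Apdu(CLA_PIN, 0x20, 0x00, 0x00, pin.ljust(8, b"\xff")))   # Lc = 08

def apdu_change_pin(old: bytes, new: bytes) -> bytes:
    return encode(Apdu(CLA_PIN, 0x24, 0x00, 0x00,
                       old.ljust(8, b"\xff") + new.ljust(8, b"\xff")))      # Lc = 10

def apdu_select_aid(aid: bytes) -> bytes:
    return encode(Apdu(CLA_ISO, 0xA4, 0x04, 0x00, aid))


def split_response(resp: bytes):
    """Response APDU = [data] SW1 SW2; 0x9000 is success."""
    if len(resp) < 2:
        raise ValueError("response shorter than the status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]
```

A terminal-side EAP engine would wrap each EAP request from the authenticator with apdu_process_eap, send it to the card, and take the EAP response out of the data part returned by split_response; everything before that (Select-AID, Verify-PIN, Set-Identity) is the same framing with the INS/P1/P2 values from the table.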
EAP Smartcard Profiles
Profile   Comments
MD5       Informative purpose
EAP-SIM   Profile for EAP-SIM
EAP-TLS   Fragmentation issue under discussion
PEAP      Under discussion