Subject: EAP-PAX draft update
From: T. Charles Clancy (clancy
Date: Mon, 4 Oct 2004 13:16:52 -0400 (EDT)
I recently submitted -01 of draft-clancy-eap-pax to the IETF. The HTML version can be found here:

http://www.cs.umd.edu/~clancy/eap-pax/draft-clancy-eap-pax-01.html

Major problem in -00: When using identity protection you had to know whether to run PAX-Auth or PAX-Update before you knew the user's identity. Without knowing the identity there was no way to know if a key update was needed, and hence a paradox ensued.

Version -01 has some major changes to the protocol and draft itself:

1. separated into two protocols, PAX_STD and PAX_IDP (identity protection), to solve the above-mentioned problem
2. both are 2RT protocols, and can be used with or without DH for forward secrecy
3. mutual authentication is always performed
4. more implementation instruction for key updates to prevent desynchronization attacks
5. with the recent HMAC paranoia, added AES-CBC-MAC as a MAC, and internally define a PRF that doesn't use MD5
6. include appendices with suggested implementation and deployment strategies
7. lots of editorial revisions

[ t. charles clancy ]--[ tcc [at] umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]