I-D ACTION:draft-nystrom-eap-potp-03.txt (fwd)
From: Magnus Nystrom (magnus
Date: Mon, 24 Oct 2005 09:53:59 -0400 (EDT)
Dear All,
Internet-Drafts [at] ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : The Protected One-Time Password Protocol (EAP-POTP)
Author(s) : M. Nystrom
Filename : draft-nystrom-eap-potp-03.txt
Pages : 76
Date : 2005-10-14
This document describes a general EAP method suitable for use with One-Time Password (OTP) tokens, in particular tokens with direct electronic interfaces to their associated clients. The method can be used to provide unilateral or mutual authentication, and key material, in protocols utilizing EAP, such as PPP, IEEE 802.1X and IKEv2.
A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-nystrom-eap-potp-03.txt
Changes compared to version -02 include:
-Use of the EMSK in session resumption. The reason for this is better security: Earlier the MSK was used, which meant that the EAP server as well as the peer had to store the MSK for future use, and an attacker who succeeded in compromising the MSK would be able to read current traffic. The EMSK is not used for session keys, so is not susceptible in this manner.
-Switched name of the Token Serial Number TLV to Token Key Identifier TLV. This is for alignment with other OTPS documents.
-Clarified usage of the NAK TLV and when it can be sent.
-Allowed the "auth_addr" component in the OTP TLV to be the empty string. The reason for this is that sometimes the peer will be unable to retrieve the information needed for this component.
-Clarified that peers must support protected mode.
-Various editorial clarifications and corrections, including some to comply with requirements in RFC 3748.
-Made the IV explicit in the Confirm TLV.
-Introduced a Protected TLV that is to be used whenever TLVs need to be exchanged after mutual authentication (and key establishment) has occurred. The Protected TLV wraps ordinary TLVs.
-Due to the last two changes above, the use of the EMSK, and the fact that there are EAP-POTP implementations, the protocol version had to be changed from 0 to 1.
-- Magnus
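The first change in the list above (rooting session resumption in the EMSK instead of the MSK) rests on key separation in the EAP key hierarchy: the MSK is exported to the authenticator to key the link, so it sits in more places than the EMSK, which stays with the peer and the EAP server. The following is an added example, not code from the draft or from its author, that models both the -02 behaviour (resumption keyed from the MSK) and the -03 behaviour (keyed from the EMSK) against an attacker who has captured the MSK. The PRF, the labels, the shape of the fast-resume exchange and the functions `derive_eap_keys`, `resumption_key`, `prove_resumption`, `verify_resumption` and `resumption_attack` are assumptions for illustration; they are not EAP-POTP's own derivations or TLVs. The shared secret, session identifier and nonces are constructed test data.

```python
"""Key separation behind the -03 change: session resumption keyed from the
EMSK rather than the MSK.

Added example, not code from the draft or its author. The PRF, labels and
the resumption exchange are assumptions that illustrate the property; they
are not EAP-POTP's actual derivations. All inputs are constructed.
"""
import hashlib
import hmac

# Constructed: stands in for the secret that a full EAP-POTP run establishes
# between the peer and the EAP server.
SHARED_SECRET = hashlib.sha256(b"constructed shared secret").digest()
SESSION_ID = b"constructed-session-0001"


def prf(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion (assumed PRF, not the draft's)."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_eap_keys(shared_secret: bytes) -> tuple:
    """Derive a 64-byte MSK and a 64-byte EMSK (the RFC 3748 minimum sizes)
    under distinct labels, so that neither key is computable from the other."""
    msk = prf(shared_secret, b"example MSK label|", 64)
    emsk = prf(shared_secret, b"example EMSK label|", 64)
    return msk, emsk


def resumption_key(root: bytes, session_id: bytes) -> bytes:
    """Per-session resumption key derived from `root`.
    -02 behaviour: root = MSK.  -03 behaviour: root = EMSK."""
    return prf(root, b"example resumption label|" + session_id + b"|", 32)


def prove_resumption(key: bytes, server_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Peer's proof of possession of the resumption key over both nonces
    (assumed shape of a fast-resume exchange, not the draft's Confirm TLV)."""
    msg = b"resume|" + server_nonce + b"|" + peer_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_resumption(key: bytes, server_nonce: bytes, peer_nonce: bytes,
                      tag: bytes) -> bool:
    """Server-side check of the peer's proof, in constant time."""
    expected = prove_resumption(key, server_nonce, peer_nonce)
    return hmac.compare_digest(expected, tag)


def resumption_attack(root_choice: str) -> dict:
    """Model an attacker who has captured the MSK (it is exported to the
    authenticator to key the link) and tries to resume the session.
    `root_choice` is "msk" (-02 style) or "emsk" (-03 style)."""
    msk, emsk = derive_eap_keys(SHARED_SECRET)
    root = msk if root_choice == "msk" else emsk
    # Server and peer each keep only the resumption key, derived from the
    # chosen root; with root = EMSK neither side needs to retain the MSK.
    server_key = resumption_key(root, SESSION_ID)
    peer_key = resumption_key(root, SESSION_ID)

    server_nonce = b"constructed-server-nonce"   # constructed
    peer_nonce = b"constructed-peer-nonce"       # constructed

    legit_tag = prove_resumption(peer_key, server_nonce, peer_nonce)
    # The attacker holds the MSK only and derives as if it were the root.
    attacker_key = resumption_key(msk, SESSION_ID)
    attacker_tag = prove_resumption(attacker_key, server_nonce, peer_nonce)
    return {
        "legit_accepted": verify_resumption(server_key, server_nonce,
                                            peer_nonce, legit_tag),
        "attacker_accepted": verify_resumption(server_key, server_nonce,
                                               peer_nonce, attacker_tag),
    }


if __name__ == "__main__":
    print("root=MSK  (as in -02):", resumption_attack("msk"))
    print("root=EMSK (as in -03):", resumption_attack("emsk"))
```

With the MSK as root the attacker's forged proof verifies, because the captured MSK is exactly the resumption root; with the EMSK as root the legitimate peer still resumes but the attacker's proof is rejected, since the EMSK is derived under a separate label and is never exported alongside the MSK. The compromise itself (an attacker holding the MSK can still read the current link's traffic) is unchanged by the -03 design; what it removes is the reach of that compromise into future resumed sessions.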