EAP-TTLS Status
draft-funk-eap-ttls-v0-00.txt
draft-funk-eap-ttls-v1-00.txt
draft-funk-tls-inner-application-extension-01.txt
Paul Funk, Funk Software
Overview of Draft Set
• Names have changed
  • Previous name: draft-ietf-pppext-eap-ttls-nn.
  • Changed to individual submission, since pppext doesn't do EAP any more.
  • Draft version reverted to 00.
• Relationship between drafts
  • TTLS v0 is the original protocol.
  • TTLS v1 is the new version.
  • TTLS v1 is defined over a TLS extension called TLS/IA.
  • TLS/IA is defined in a separate draft: draft-funk-tls-inner-application-extension-01.txt
EAP-TTLS v1 Overview
• A version field is now defined in the Flag bits.
• EAP-TTLS v1 is defined over TLS/IA.
• It's a much shorter draft.
  • But the new TLS/IA draft more than makes up for this.
• The same AVP encapsulation defined in EAP-TTLS v0 is now defined in TLS/IA.
• TLS/IA includes enhanced security features.
TLS "InnerApplication" Extension (TLS/IA)
• TLS/IA defines a mechanism for embedding EAP authentication and other negotiations in TLS itself.
  • Allows any TLS-based protocol to use inner EAP authentication.
• Uses the standard RFC 3546 extension mechanism.
  • Inner Application extension is appended to the ClientHello and confirmed in the ServerHello.
• Defines a new "Inner Application" record type.
  • Inner Application records follow immediately after the TLS handshake, but prior to the upper-layer data exchange.
• The new record type carries one or more "phases".
  • Each phase consists of:
    • exchange of AVPs
    • permutation of the Inner Secret
    • exchange of PhaseFinished messages for confirmation.
• The TLS handshake plus the Inner Application records can be thought of as an "extended handshake".
Comparison of TLS Encapsulation (diagram; three stacks shown side by side)
• In EAP-TTLS version 0 (as well as EAP-PEAP/FAST): TLS handshake (Handshake msgs, CCS/Finished), then the AVPs are carried in the TLS application data.
• In TLS/IA: TLS handshake (Handshake msgs, CCS/Finished), then Inner Application records (AVPs, PhaseFinished), with the application data space left available for the upper-layer protocol ("This space available").
• In EAP-TTLS version 1: TLS handshake (Handshake msgs, CCS/Finished), then Inner Application records (AVPs, PhaseFinished); no application data follows.
TLS/IA Security
• Optional multi-phase negotiation.
  • Allows a subsequent exchange to be predicated on the success of a prior exchange.
  • Phases are optional in resumed sessions.
• An additional "Inner Secret" is computed.
  • Mixes the TLS master secret and all session keys from the inner authentications.
  • Prevents the MitM attack on tunneled authentication: an attacker who terminates the TLS tunnel and relays the inner method cannot produce the Inner Secret without the inner session keys.
• Inner Secret is mutually confirmed at the end of each phase.
  • The result of the inner authentication is securely exchanged.
  • Prevents a truncation attack.
• No change to the TLS handshake itself or to cipher usage within TLS.
Session Key Binding
• Inner Secret is initialized to the master secret at the conclusion of the TLS handshake.
• Inner Secret is permuted in each phase:
  • All inner session keys developed during the phase are concatenated into a vector in order of value.
  • The PRF is applied to the label, the randoms, and the session key vector, using the current Inner Secret as the key.
  • The 48-octet result is the new Inner Secret.
• Inner Secret is confirmed by the PhaseFinished message.
• The final Inner Secret from the last phase is exported.
• EAP-TTLS v1 derives the MSK (i.e. MPPE keys) from the Inner Secret.
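The Inner Secret chain described on the TLS/IA Security and Session Key Binding slides, worked through in code. This is an added illustration, not code from the drafts or from Funk Software: the PRF is the TLS 1.0 PRF of RFC 2246 (which is what a TLS 1.0 session would supply), while the label string "inner secret permutation", the seed layout (client random, server random, then the key vector), the bytewise sort used for "in order of value", and all sample byte values are assumptions made for the example. The demo() function shows why the binding defeats the tunnel-terminating man-in-the-middle: the attacker holds the TLS master secret shared with the server but never learns the session key of the relayed inner method, so its PhaseFinished confirmation cannot match the server's.

```python
"""Inner Secret chaining as sketched on the TLS/IA slides: start from the TLS
master secret and permute it once per phase with the TLS PRF keyed by the
current Inner Secret over (label, randoms, sorted inner session keys).

Added illustration, not code from the draft or from Funk Software.  The PRF is
the TLS 1.0 PRF from RFC 2246; the label string, the seed layout, the bytewise
sort for "in order of value" and the sample values are assumptions.
"""
import hmac

INNER_SECRET_LEN = 48                           # 48 octets, same size as a TLS master secret
PERMUTATION_LABEL = b"inner secret permutation"  # assumed label string, not taken from the draft


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) from RFC 2246 section 5, expanded to `length` octets."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2                # halves share the middle octet for odd lengths
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def permute_inner_secret(inner_secret, client_random, server_random, session_keys):
    """One phase: new Inner Secret = PRF(current Inner Secret, label, randoms || key vector)."""
    key_vector = b"".join(sorted(session_keys))  # "in order of value": bytewise sort (assumed)
    seed = client_random + server_random + key_vector
    return tls10_prf(inner_secret, PERMUTATION_LABEL, seed, INNER_SECRET_LEN)


def run_phases(master_secret, client_random, server_random, phases):
    """Chain the permutation over every phase; the last value is the one exported."""
    inner_secret = master_secret                 # initialised to the TLS master secret
    for session_keys in phases:                  # one list of inner session keys per phase
        inner_secret = permute_inner_secret(inner_secret, client_random, server_random, session_keys)
    return inner_secret


# Constructed sample values (not from any real session).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
INNER_MSK = b"\xaa" * 64        # session key the inner EAP method yields to client and server


def demo():
    """Honest peers agree; a tunnel-terminating MitM that never learns the inner key does not."""
    # Phase 1 carries an inner EAP method that produces INNER_MSK; phase 2 is a
    # key-less exchange (e.g. an integrity check) and still permutes the secret.
    phases = [[INNER_MSK], []]
    client_side = run_phases(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, phases)
    server_side = run_phases(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, phases)
    # The attacker shares the TLS master secret with the server but relayed the
    # inner method from a client that never ran TLS, so it lacks INNER_MSK.
    attacker_side = run_phases(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, [[], []])
    return {"client": client_side, "server": server_side, "attacker": attacker_side}


if __name__ == "__main__":
    r = demo()
    print("peers agree on Inner Secret:", r["client"] == r["server"])
    print("attacker's PhaseFinished would match:", r["attacker"] == r["server"])
```

Because each phase's output is keyed by the previous phase's Inner Secret, a phase that yields no session key still changes the value, which is what lets a later phase be "predicated on success of prior exchange": both sides only reach the same Inner Secret if they agree on every earlier phase.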
Uses of TLS/IA Beyond TTLS
• TLS/IA can provide inner AVP capabilities to other protocols besides EAP-TTLS.
• Inner AVPs can be used for various purposes:
  • authentication
  • key exchange
  • endpoint integrity attestation
  • etc.
• Possible other applications for TLS/IA:
  • HTTP with EAP authentication
  • Alternative to IKE for IPsec key establishment
  • Setting up an SSL VPN