EAP-Kerberos


EAP-Kerberos

Thomas Otto
Hi Chris, Saber, Sam, all,

(something went wrong with my first email, so I am trying again)


I read your discussion in the Kerberos Mailing List regarding
Kerberos for Wireless Authentication (June 2005). In February 05,
I already thought a little bit about using Kerberos as a single
logon for both
* gaining access to a wireless network and
* using the offered kerberized services,
so I began writing an EAP method which uses Kerberos
(the draft is at http://www-public.tu-bs.de:8080/~y0013790/ ,
but so dramatically immature that it is not worth reading ;-).

There are generally two ways to apply Kerberos to WLAN
authentication:

1) The user has nothing but his username/password. The EAP
conversation is carried out in order to authenticate to the
AS and to get a TGT.
From this point on, the client uses this TGT to request
service tickets from the TGS.

2) The user already has network access and a TGT. In this case,
the authenticator (access point) is a service, so the
goal is to get a service ticket for the service "access point,
wireless network access".
Therefore, a proxy Kerberos server sits inside the access point
and talks EAP to the client, and in the other direction talks
over IP with the Kerberos TGS. (I think this is covered by
an older proposal, EAP-GSS.)

Case 1 is interesting. It would be nice if a user typed his
username and password only once, namely at the initial logon, and
subsequently got access to the network and the services
advertised there.

Is this situation realistic?

Where could one use Kerberos in wireless authentication otherwise?

I'd be glad if you told me your ideas, and especially whether you see
a need for an EAP Kerberos method.

Best regards,
Thomas


PS. I'm aware of the property catalogue for an EAP method that is intended
to be used in wireless networks ( http://www.ietf.org/rfc/rfc4017.txt ).
The major issue is the dictionary attack problem, but I think it could be
mitigated by using some strong password protocol (like the paper by Wu
that it proposes).

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
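Thomas's case 1 as a toy protocol run, added here as an illustration; it is not code from this thread, from his draft or from any Kerberos or EAP implementation. The client's AS-REQ with PA-ENC-TIMESTAMP pre-authentication travels inside EAP, the access point only relays, the KDC answers with a TGT, and a last function shows the dictionary-attack issue his PS raises: anyone who captured the EAP frames can test password guesses offline against the pre-auth blob. Assumptions: PBKDF2 stands in for the Kerberos string-to-key function, a SHA-256 counter keystream with HMAC stands in for the Kerberos encryption types, EAP type 255 is a placeholder rather than an assigned method number, and the realm EXAMPLE.ORG, the principal alice and her password are constructed.

```python
import hashlib, hmac, os, struct, time

REALM = "EXAMPLE.ORG"              # constructed realm
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_KRB = 255                 # placeholder EAP method type (assumption)

def string2key(password, principal):
    # salt = realm + principal as in RFC 3962; the iteration count is a toy value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Encrypt-then-MAC, standing in for Kerberos EncryptedData."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def frame(*parts):                 # length-prefixed fields, so binary data is safe
    return b"".join(struct.pack("!H", len(p)) + p for p in parts)

def unframe(buf):
    parts = []
    while buf:
        n = struct.unpack("!H", buf[:2])[0]
        parts, buf = parts + [buf[2:2 + n]], buf[2 + n:]
    return parts

def eap(code, ident, data):        # EAP header: Code, Identifier, Length, Type
    return struct.pack("!BBHB", code, ident, 5 + len(data), EAP_TYPE_KRB) + data

def eap_payload(pkt):
    code, ident, length, typ = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or typ != EAP_TYPE_KRB:
        raise ValueError("malformed EAP packet")
    return code, ident, pkt[5:]

class KDC:
    """Authentication Server: holds the principals' long-term keys, issues TGTs."""
    def __init__(self, principals):
        self.db = {p: string2key(pw, p) for p, pw in principals.items()}
        self.tgs_key = os.urandom(32)
    def as_exchange(self, as_req):
        principal, pa = unframe(as_req)
        principal = principal.decode()
        ts = unseal(self.db[principal], pa)           # PA-ENC-TIMESTAMP pre-auth
        if abs(time.time() - int(ts.decode())) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(32)
        tgt = seal(self.tgs_key, frame(principal.encode(), session))
        return frame(tgt, seal(self.db[principal], session))   # AS-REP
    def open_tgt(self, tgt):                          # what the TGS does later
        principal, session = unframe(unseal(self.tgs_key, tgt))
        return principal.decode(), session

class Client:
    def __init__(self, principal, password):
        self.principal, self.key = principal, string2key(password, principal)
    def as_req(self):
        ts = str(int(time.time())).encode()
        return frame(self.principal.encode(), seal(self.key, ts))
    def as_rep(self, rep):
        tgt, enc_part = unframe(rep)
        return tgt, unseal(self.key, enc_part)        # (TGT, TGT session key)

def eap_logon(client, kdc, wire):
    """The access point only relays EAP; `wire` collects what an eavesdropper sees."""
    start = eap(EAP_REQUEST, 1, b"")                  # AP -> client: start
    _, ident, _ = eap_payload(start)
    resp = eap(EAP_RESPONSE, ident, client.as_req())  # client -> AP: AS-REQ
    _, _, as_req = eap_payload(resp)
    rep = eap(EAP_REQUEST, ident + 1, kdc.as_exchange(as_req))  # AP relays AS-REP
    wire.extend([start, resp, rep])
    return client.as_rep(eap_payload(rep)[2])

def offline_dictionary_attack(wire, principal, wordlist):
    """Anyone who captured the frames can test guesses against the pre-auth blob
    without talking to the KDC again: the dictionary problem RFC 4017 raises."""
    for pkt in wire:
        code, _, data = eap_payload(pkt)
        if code != EAP_RESPONSE or not data:
            continue
        p, pa = unframe(data)
        for guess in (wordlist if p.decode() == principal else []):
            try:
                unseal(string2key(guess, principal), pa)
                return guess
            except ValueError:
                continue
    return None
```

Calling `eap_logon(Client("alice", "Winter2005"), KDC({"alice": "Winter2005"}), wire)` yields a TGT the KDC can open, and `offline_dictionary_attack(wire, "alice", wordlist)` then recovers the password from a short wordlist without any further KDC traffic; with a password outside the wordlist it returns None. That asymmetry is the point of RFC 4017's dictionary-attack requirement: the transport (EAP) does nothing to limit offline guessing, so either the method wraps the exchange in a strong password protocol or the scheme stands on password strength alone.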

RE: EAP-Kerberos

Tim Alsop
Thomas,

Perhaps you need to look at the solution implemented by Symbol
(www.symbol.com). Their WLAN products already use Kerberos for WLAN
authentication and key management as an alternative to WEP. The normal
approach with WEP is to share a secret between the AP and WLAN client,
but with Kerberos the session key can be used instead. The WLAN
connection to the network through the access point should not be
accepted until the user has authenticated to the AP. This is the Symbol
approach, but they are not using EAP. Instead they have implemented
Kerberos in the firmware of their products. I would love to see Kerberos
implemented for the same solution using EAP-GSS so that more WLAN vendors
can take advantage and gain SSO and strong key management for WLAN
authentication.

Regards, Tim

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Thomas Otto
Sent: 14 July 2005 22:44
To: [hidden email]
Subject: EAP-Kerberos