EAP-LDAP draft-mancini-pppext-eap-ldap-00.txt - PowerPoint PPT Presentation

About This Presentation
Title:

EAP-LDAP draft-mancini-pppext-eap-ldap-00.txt

Description:

Challenge-based authentication methods require the back-end server ... Should seeded methods be dealt with? Can/Should the seed safely be communicated or known? ... – PowerPoint PPT presentation

Number of Views:20
Avg rating:3.0/5.0
Slides: 6
Provided by: helenam4
Learn more at: https://www.ietf.org
Category:
Tags: eap | ldap | draft | eap | ldap | mancini | pppext | seeded | txt

less

Transcript and Presenter's Notes

Title: EAP-LDAP draft-mancini-pppext-eap-ldap-00.txt


1
EAP-LDAPdraft-mancini-pppext-eap-ldap-00.txt
  • IETF 57
  • Avi Lior Helena Mancini
  • Bridgewater Systems

2
Background
  • Challenge-based authentication methods require
    the back-end server to hold the users password
    either in clear text or reversible encryption
  • Major drawback in particular for LDAP directories
    where the user password may be stored in SHA or
    CRYPT, for example
  • Need a means for supporting EAP challenge-based
    methods when the EAP server has no knowledge of,
    or access to, the users cleartext password

3
Goals Objectives
  • Allow for LDAP directories to maintain and
    continue provisioning one-way encrypted passwords
  • Allow for validation of the LDAP user without
    passing the cleartext password or the value
    stored in the LDAP directory
  • EAP-LDAP is a challenge-based authentication
    using MD5, in conjunction with the encryption
    algorithm used to store the password within the
    LDAP identity store
  • Recommend using EAP-LDAP in conjunction with
    tunneling EAP methods such as PEAP

4
How it works
  • During EAP negotiation, upon receipt of users
    identity, EAP Server responds with EAP-LDAP
    request which specifies primary encryption type
    (the method used in the datastore to store
    passwords) and a challenge
  • EAP Client applies primary encryption type to
    users password replies with a challenge
    Response generated by applying MD5 on the users
    encrypted password and challenge (secondary
    encryption type, implicitly MD5)
  • EAP Server re-computes MD5-Challenge Response
    using users encrypted password and challenge

5
Moving forward
  • Data Stores This could be extended to any data
    store that is storing one-way encrypted
    passwords. Should this be generalized beyond LDAP
    directories?
  • Primary Encryption Method Current algorithm,
    only speaks to unseeded methods (for example,
    SHA). Should seeded methods be dealt with?
    Can/Should the seed safely be communicated or
    known?
  • Secondary Encryption Method Beyond using MD5
    implicitly, is there a need to provide a means of
    negotiating other secondary types?
  • Proposal Wed like to have the draft taken on as
    an EAP WG item
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "EAP-LDAP draft-mancini-pppext-eap-ldap-00.txt" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!