Hi folks,
The design team working on password-based authentication has arrived at the set of requirements to be met by the following design and is looking for input from the WG on these requirements, especially on the second subset below.

MUST requirements (design team has agreed on the "MUST"ness :-)
=================
1. Support transport of encrypted password to support legacy user data/password databases
2. Provide server authentication
3. Provide resistance to offline dictionary attacks, man-in-the-middle attacks, and replay attacks
4. RFC 3748, RFC 4017 compliant; compliant with EAP-Keying draft (includes MSK and EMSK generation)
5. Active user identity confidentiality for the peer
6. Crypto-agility / cipher suite negotiation (need to define mandatory supported ciphers)
7. Session resumption (avoid need for new passwords when resuming)
8. Fragmentation and reassembly

Requirements we are looking to the WG for input on, i.e. should we include the following requirements as MUST/SHOULD
===============
1. Support password/PIN change
2. Support other password-based protocols (CHAP, MSCHAP, etc.)
3. Cryptographic binding of password exchange to tunnel
4. Defined extension mechanism
5. Support transport of channel binding data

FYI: the team is narrowing down its options towards use of TLS-based encryption for the tunnel carrying password exchanges.

Comments/input are welcome.

Thanks and Regards,
Madjid Nakhjiri
On behalf of the password-based authentication design team.
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
