In this blog, let me explain in simple terms, on how PAC, Protected Access Credentials, is used in EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling).
I assume that you already know what PAC and EAP-FAST are. In this blog, I will take you through the steps involved in EAP-FAST authentication.
I assume that you already know what PAC and EAP-FAST are. In this blog, I will take you through the steps involved in EAP-FAST authentication.
PAC Provisioning Process. (Phase 0)
1. A-ID (PAC Server) creates a Master secret key and it is known only to the A-ID. This is like a PRIVATE Key in PKI.
2. I-ID (PAC Client) Client sends a request to A-ID requesting for a PAC.
3. A-ID and I-ID use Diffie Hellmann algorithm to create a secure communication channel
4. A-ID Generates a random secret key, called the PAC-Key, specific to this client I-ID.
5. A-ID encrypts this PAC-Key (along with I-ID and Lifetime) with its Master Secret key. This encrypted information is called PAC Opaque
6. A-ID creates a PAC-Info field, that contains the information about the A-ID itself (PAC server)
7. All the below 3 fields are put together and is called PAC
PAC = [ PAC-Key + PAC Opaque + PAC-Info ]
8. This PAC is now sent to the client securely over the secure channel created by the DH algorithm.
9. DH channel is taken down.
10. A-ID forgets the PAC.
How PAC is used during EAP-FAST Authentication (Phase 1)
1. The client sends its ID to the PAC-Server. This is anonymous id and not the real id of the client.
2. PAC Server returns its A-ID to the client.
3. The client verifies if it has received a PAC that was generated by this A-ID. If so, it returns the PAC-Opaque to the A-ID (PAC-Server).
4. PAC Server decrypts the PAC-Opaque using its Master Secret Key (only known to the A-ID. This is like the Private Key in PKI) and obtains the PAC-Key for that client. Remember from step 5 above, PAC-Opaque contains the PAC-Key in the encrypted format.
5. Now that the client and the server have the PAC-Key, only known to both of them, they can use the PAC-Key to encrypt and decrypt the traffic between them, creating the Phase 1 tunnel of EAP-FAST. (Remember from step 7 and 8 above, the client also has the PAC-Key received from the Server as part of PAC)
Phase 2
1. In Phase 2 of EAP-FAST, another authentication method such as MS-CHAPv2 or EAP-TLS will be used to authenticate the client to the server, inside the secure tunnel that was built in Phase 1.
2. After the authentication is successful, the EAP-FAST tunnel is taken down.
3. The client and the server lived happily, until the next authentication.
I hope that was useful. Please feel free to leave your comments below.
No comments:
Post a Comment
Please feel free to leave your comments here: