April 25, 2020

How PAC Works with EAP-FAST?

In this blog, let me explain in simple terms how the PAC (Protected Access Credential) is used in EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling).

I assume that you already know what PAC and EAP-FAST are. In this blog, I will take you through the steps involved in EAP-FAST authentication.

PAC Provisioning Process (Phase 0)

1. The A-ID (PAC server) creates a master secret key that is known only to the A-ID. This is like a PRIVATE key in PKI.

2. The I-ID (PAC client) sends a request to the A-ID asking for a PAC.

3. The A-ID and the I-ID use the Diffie-Hellman algorithm to create a secure communication channel.

4. The A-ID generates a random secret key, called the PAC-Key, specific to this client I-ID.

5. The A-ID encrypts this PAC-Key (along with the I-ID and a lifetime) with its master secret key. This encrypted information is called the PAC-Opaque.

6. The A-ID creates a PAC-Info field that contains information about the A-ID itself (the PAC server).

7. These three fields are put together and called the PAC:

PAC = [ PAC-Key + PAC-Opaque + PAC-Info ]

8. This PAC is now sent to the client over the secure channel created by the DH algorithm.

9. The DH channel is taken down.

10. The A-ID forgets the PAC.

How the PAC Is Used During EAP-FAST Authentication (Phase 1)

1. The client sends its ID to the PAC server. This is an anonymous ID, not the client's real identity.

2. The PAC server returns its A-ID to the client.

3. The client checks whether it holds a PAC that was generated by this A-ID. If so, it returns the PAC-Opaque to the A-ID (PAC server).

4. The PAC server decrypts the PAC-Opaque using its master secret key (known only to the A-ID; again, like the private key in PKI) and obtains the PAC-Key for that client. Remember from step 5 above that the PAC-Opaque contains the PAC-Key in encrypted form.

5. Now that the client and the server share the PAC-Key, known only to the two of them, they use it to encrypt and decrypt the traffic between them, creating the Phase 1 tunnel of EAP-FAST. (Remember from steps 7 and 8 above that the client also holds the PAC-Key, received from the server as part of the PAC.)
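To make the stateless design concrete, here is an added Go example (not from the original post or any EAP-FAST implementation) that models Phase 0 steps 4-7 and 10 and Phase 1 step 4: the A-ID seals the PAC-Key, lifetime and I-ID under its master key, keeps nothing, and later recovers the PAC-Key from the PAC-Opaque alone. The byte layout, the use of AES-256-GCM and the function names are my own constructed choices, not the EAP-FAST specification's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// PAC is the three-field credential of Phase 0 step 7 (constructed layout, not the spec's wire format).
type PAC struct {
	PACKey    []byte // per-client random secret (step 4)
	PACOpaque []byte // nonce || AES-256-GCM(masterKey, PACKey || lifetime || I-ID) (step 5)
	PACInfo   string // identifies the issuing A-ID (step 6)
}

// Provision is Phase 0 steps 4-7 for client iid; afterwards the A-ID keeps nothing (step 10), all state is sealed in PACOpaque.
func Provision(aid string, masterKey []byte, iid string, expiry time.Time) (PAC, error) {
	block, _ := aes.NewCipher(masterKey) // masterKey is 32 bytes by construction (step 1)
	gcm, _ := cipher.NewGCM(block)       // AES-GCM is a constructed choice, not the spec's cipher
	buf := make([]byte, 32+gcm.NonceSize()) // fresh PAC-Key followed by a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return PAC{}, err
	}
	plain := binary.BigEndian.AppendUint64(append([]byte{}, buf[:32]...), uint64(expiry.Unix()))
	// The A-ID is bound as associated data, so an opaque issued by another server fails to open.
	opaque := gcm.Seal(append([]byte{}, buf[32:]...), buf[32:], append(plain, iid...), []byte(aid))
	return PAC{PACKey: buf[:32], PACOpaque: opaque, PACInfo: aid}, nil
}

// Recover is Phase 1 step 4: rebuild the PAC-Key from the opaque alone, rejecting tampered or foreign opaques and expired ones.
func Recover(aid string, masterKey, opaque []byte, now time.Time) ([]byte, string, error) {
	block, _ := aes.NewCipher(masterKey)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(opaque) < n+gcm.Overhead()+40 { // must hold at least PAC-Key (32) and lifetime (8)
		return nil, "", errors.New("PAC-Opaque too short")
	}
	plain, err := gcm.Open(nil, opaque[:n], opaque[n:], []byte(aid))
	if err != nil {
		return nil, "", errors.New("PAC-Opaque rejected: not sealed by this A-ID's master key")
	}
	if now.Unix() > int64(binary.BigEndian.Uint64(plain[32:40])) {
		return nil, "", errors.New("PAC expired")
	}
	return plain[:32], string(plain[40:]), nil
}
```

Because the A-ID authenticates the opaque before trusting its contents, a client cannot mint its own PAC-Key by handing back a modified opaque, and a PAC issued by a different A-ID or past its lifetime is refused before any tunnel is built.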

Phase 2

1. In Phase 2 of EAP-FAST, another authentication method, such as MS-CHAPv2 or EAP-TLS, is used to authenticate the client to the server inside the secure tunnel that was built in Phase 1.

2. After the authentication is successful, the EAP-FAST tunnel is taken down.

3. The client and the server live happily until the next authentication.

I hope that was useful. Please feel free to leave your comments below.
