method
... connected to a user's computer, e.g., through a USB interface. The
method can be used to provide unilateral or mutual authentication,
and key material, in protocols utilizing EAP ...
... service. This document
describes an EAP method intended to meet the needs of organizations
wishing to use OTP tokens ...
... authenticate
users over EAP. The method is designed to be independent of
particular OTP algorithms ...
... 13]).
The basic variant of this method provides client authentication only.
This mode is only to be used within a secured tunnel ...
... EAP implementations. This makes it
easier to programmatically use the EAP method in the peer and the
authenticator, reducing the need for user interactions and allowing
...
... GTC does
not. To retain the generic nature of GTC, the EAP-POTP method has
been designed to support a wide range of OTP ...
... algorithm and is not related to the EAP
method defined in this document, other than that a profile of EAP-
...
...
The EAP-POTP method provides user authentication as defined below.
Additionally, it may provide mutual authentication ...
... keying material.
There are basically three entities in the authentication method
described here:
...
... "peer" is used in the following for these entities.
The EAP-POTP method assumes the use of a shared secret key, or
"seed", which is known both by the user ...
... authentication server.
In its most basic variant, the EAP-POTP method provides only one
service (namely, user authentication ...
... Description of the EAP-POTP Method ...
...
Note: Since the EAP-POTP method is general in nature, the term
"POTP-X" is used below as a placeholder for an EAP method type
identifier, identifying the use of a particular OTP ...
... TLV indicates the highest and lowest version of
this method supported by the server. The EAP server typically
...
... POTP-X or if it does not support a version of this
method that is also supported by the server, as indicated in the
server's Version ...
...
If the peer supports a version of this method that is also
supported by the EAP server, the peer generates an EAP-Response ...
... EAP server may try with
another EAP method. Otherwise, the EAP server checks the peer's
supported version ...
... packets, the EAP server shall instead send an EAP-Success method
to the peer to indicate successful protocol completion. The EAP
server may not continue the conversation unless it indicates its
...
...
The EAP-POTP method provides a version negotiation mechanism that
enables implementations to be backward compatible with previous
...
... EAP server. This will allow the EAP
server to use another EAP method for peer authentication.
...
... EAP-POTP will not be possible,
and another mutually acceptable EAP method will need to be negotiated
if authentication is to proceed.
...
... EAP does not allow for the sending of an EAP-Response of type Nak (3)
within a method after the initial EAP-Request and EAP-Response pair
of that particular method has been exchanged (see [1], Section 2.1).
Instead, when a peer is unable to continue an EAP-POTP ...
... Use of the EAP Notification Method ...
...
Except where explicitly allowed in the following, the EAP
Notification method MUST NOT be used within an EAP-POTP session. The
...
... transmitted "Identifier" field is not always known to the EAP method
layer. The reason for excluding the "Length" field is to allow the
...
... wireless LAN environments), the P bit MUST be set, or,
alternatively, the EAP-POTP method MUST be carried out inside an
authenticated tunnel that provides a cryptographic ...
... The T bit only carries meaning for OTP methods normally
incorporating a user PIN in the OTP computation.
...
...
This bit allows methods that distinguish between two different PIN
types (e.g., decimal vs. alphanumeric) to designate whether the
augmented set is to be used (when set) or not (when not set). The
...
... 1], the following security claims are
made for the EAP-POTP method:
Authentication mechanism ...
... algorithm, pepper
length, iteration count, and whether the
method is used within a tunnel such as
PEAPv2 ...
... OTPs and mutual
authentication is not used) of this EAP method does not provide
session privacy ...
... In order to protect against these attacks, the peer MUST only use the
basic variant of this method over a server-authenticated and
confidentiality ...
... information about the user's PIN. Clearly, this is also true for the
basic variant. Implementations of this EAP method, where user PINs
are sent with OTPs, are therefore RECOMMENDED to ensure regular user
...
... binding with inner EAP methods). If initial exchanges do not occur
in a secure environment, the iteration count MUST be significantly
higher than for messages where a pre-shared pepper is used. The
...
... fragmentation of EAP messages, it is possible (in the
basic variant of this method) for an attacker to listen to most of an
OTP ...
... method 32 as a profile of the general
method. Extending the set of EAP-POTP TLVs or the set of EAP-POTP
...
... versions of an RSA SecurID EAP method while working for RSA
Laboratories. The inspiration for the TLV-type ...
... Stanley, D., Walker, J., and B. Aboba, "Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs ...
