The EAP Protected One-Time Password Protocol (EAP-POTP)
Author(s): M. Nystroem
RFC 4793 EAP-POTP February 2007
generated by the EAP server, is intended to be interpreted and acted
upon by humans. Furthermore, EAP-POTP allows for mutual
authentication and establishment of keying material, which GTC does
not. To retain the generic nature of GTC, the EAP-POTP method has
been designed to support a wide range of OTP algorithms, with
profiling expected for specific such algorithms. This document
provides a profile of EAP-POTP for RSA SecurID tokens.
1.4. Relationship with EAP Methods in RFC 3748
The EAP OTP method defined in [1], which builds on [14], is an
example of a particular OTP algorithm and is not related to the EAP
method defined in this document, other than that a profile of EAP-
POTP may be created for the OTP algorithm from [14].
The Generic Token Card EAP method defined in [1] is intended to work
with a variety of OTP algorithms. The same is true for EAP-POTP, the
EAP method defined herein. Advantages of profiling a particular OTP
algorithm for use with EAP-POTP, compared to using EAP GTC, are
described in Section 1.3.
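The OTP algorithm from [14] (RFC 2289), which the EAP OTP method of [1] carries, is a useful contrast to the generic method this document defines. What follows is an added example, not code from RFC 4793 or from any EAP-POTP implementation: it implements the MD5 variant of the RFC 2289 hash chain together with the server-side check, so the reader can see what one concrete OTP algorithm looks like next to a transport that only profiles such algorithms. The seed and passphrase are constructed for the demonstration, the RFC 2289 hex and six-word output encodings are omitted, and the strict one-step verification policy is an assumption of this example rather than a requirement of either RFC.

```python
# Added example, not part of RFC 4793 or any EAP-POTP implementation.
# Implements the RFC 2289 one-time password chain (MD5 variant only),
# i.e. the algorithm the RFC 3748 EAP OTP method carries. The hex and
# six-word output encodings of RFC 2289 are left out.
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 hash step: MD5, then XOR the two 64-bit halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(seed: str, passphrase: str, seq: int) -> bytes:
    """OTP for sequence number seq: fold seed||passphrase once, then
    fold the result seq further times. Seed is case-insensitive."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        value = fold_md5(value)
    return value


class OtpVerifier:
    """Server side of the chain. It stores only the last accepted OTP
    and its sequence number, never the passphrase: checking a new OTP
    means folding it once and comparing with the stored value.
    """

    def __init__(self, seed: str, seq: int, last_otp: bytes) -> None:
        self.seed = seed
        self.seq = seq
        self.last_otp = last_otp

    def verify(self, seq: int, candidate: bytes) -> bool:
        # Assumption of this example: only the immediate predecessor in
        # the chain is accepted. Replays (seq not below the stored one)
        # and skipped numbers are rejected; a laxer policy would fold
        # several times to bridge a gap, which is deliberately not done.
        if seq != self.seq - 1:
            return False
        if not hmac.compare_digest(fold_md5(candidate), self.last_otp):
            return False
        self.seq, self.last_otp = seq, candidate
        return True


def demo() -> tuple:
    """Enrol with OTP 99, authenticate with 98, then replay, then try a
    wrong passphrase, then continue the chain with 97."""
    seed, passphrase = "TeSt", "This is a test."  # constructed values
    server = OtpVerifier(seed, 99, otp(seed, passphrase, 99))
    first = server.verify(98, otp(seed, passphrase, 98))
    replay = server.verify(98, otp(seed, passphrase, 98))
    wrong = server.verify(97, otp(seed, "wrong passphrase", 97))
    nxt = server.verify(97, otp(seed, passphrase, 97))
    return first, replay, wrong, nxt


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The point of contrast with EAP-POTP is visible in what the server holds: a single one-way image of the client's next password, with no shared secret and no way to authenticate the server to the client or to derive keying material. Those are exactly the properties Section 1.3 cites as reasons to profile an OTP algorithm for EAP-POTP rather than to send its output through EAP OTP or GTC.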
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", and "MAY", in this document are to be
interpreted as described in RFC 2119 [2].
3. Authentication Model
The EAP-POTP method provides user authentication as defined below.
Additionally, it may provide mutual authentication (authenticating
the EAP server to the EAP client) and establish keying material.
There are basically three entities in the authentication method
described here:
o A client, or "peer", using EAP terminology, acting on behalf of a
user possessing an OTP token;
o A server, or "authenticator", using EAP terminology, to which the
user needs to authenticate; and
o A backend authentication server, providing an authentication
service to the authenticator.
The term "EAP server" is used here with the same meaning as in [1].
Any protocol used between the authenticator and the backend
authentication server is outside the scope of this document, although
Nystroem Informational [Page 5]