{"draft":"draft-funk-eap-ttls-v0-05","doc_id":"RFC5281","title":"Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)","authors":["P. Funk","S. Blake-Wilson"],"format":["ASCII","HTML"],"page_count":"51","pub_status":"INFORMATIONAL","status":"INFORMATIONAL","source":"IETF - NON WORKING GROUP","abstract":"EAP-TTLS is an EAP (Extensible Authentication Protocol) method that\r\nencapsulates a TLS (Transport Layer Security) session, consisting of\r\na handshake phase and a data phase.  During the handshake phase, the\r\nserver is authenticated to the client (or client and server are\r\nmutually authenticated) using standard TLS procedures, and keying\r\nmaterial is generated in order to create a cryptographically secure\r\ntunnel for information exchange in the subsequent data phase.  During\r\nthe data phase, the client is authenticated to the server (or client\r\nand server are mutually authenticated) using an arbitrary\r\nauthentication mechanism encapsulated within the secure tunnel.  The\r\nencapsulated authentication mechanism may itself be EAP, or it may\r\nbe another authentication protocol such as PAP, CHAP, MS-CHAP, or\r\nMS-CHAP-V2.  Thus, EAP-TTLS allows legacy password-based authentication\r\nprotocols to be used against existing authentication databases,\r\nwhile protecting the security of these legacy protocols against\r\neavesdropping, man-in-the-middle, and other attacks.  The data phase\r\nmay also be used for additional, arbitrary data exchange.  This memo \r\nprovides information for the Internet community.","pub_date":"August 2008","keywords":["EAP","AAA","Authentication","TLS"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":["RFC8996","RFC9427"],"see_also":[],"doi":"10.17487\/RFC5281","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc5281"}