NewsBits, IEEE Cipher E60, E60.May-2004

News Bits

Cipher Newsletter E60, May 18, 2004,

IETF Revises Extensible Authentication Protocol
By Jari Arkko and Russ Housley

Network access technologies such as PPP employ EAP (Extensible Authentication Protocol, RFC 2284) for authenticating clients that are attempting to connect to the network.

In view of increased EAP usage in, for instance, IEEE 802.11 wireless LANs, the IETF has produced a revised version of the EAP specifications. The revised specifications include:

The EAP base specification, commonly called "RFC 2284bis", has been approved as a Proposed Standard, and it will be published as an RFC soon. The revised protocol specification includes requirements for EAP authentication methods, guidelines for running EAP over non-PPP links, and a comprehensive discussion of security issues related to EAP. This updated specification is expected to provide better interoperability among different products.
draft-ietf-eap-rfc2284bis-09.txt
The EAP state machine is as a companion Informational document. It is in the last steps of approval, so it should be published as an RFC soon.
draft-ietf-eap-statemachine-03.txt
The transport of EAP over RADIUS (RFC 3579) and the transport of EAP over Diameter (a very stable draft) provide details about the use of EAP with RADIUS and Diameter, respectively. The first of these specifications improves the interoperability and security of existing RADIUS transport, and the second one provides support for EAP in Diameter.
rfc3579.txt
draft-ietf-aaa-eap-05.txt

Ongoing work in the area includes guidelines and security considerations for use of EAP-derived cryptographic keys, and the publication of various authentication methods under the EAP framework.

For more information, contact Jari Arkko (jari.arkko@ericsson.com), Bernard Aboba (bernarda@microsoft.com), or Russ Housley (housley@vigilsec.com).

Task force releases security recommendations
Group includes reps from Microsoft, Computer Associates
By Paul Roberts, IDG News Service April 01, 2004

BOSTON - A computer industry task force that includes representatives from Microsoft Corp. and Computer Associates International Inc. issued its first round of recommendations on Thursday for improving software security, including a role for the U.S. government in supporting creation of secure software products.

Microsoft Shelves NGSCB Project As NX Moves To Center Stage
Windows XP SP2 hooks into No Execute technology in newer AMD, Intel processors
By Paula Rooney, CRN
9:32 AM EST Wed., May 05, 2004

After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said.

On Tuesday, Microsoft executives confirmed that NGSCB will be canned. The project, dreamed up with Intel in 2002, was once code-named Palladium.

Microsoft: 'Palladium' Is Still Alive and Kicking
By Mary Jo Foley, Microsoft Watch
May 5, 2004

SEATTLE -- Microsoft
Corp. spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology.

"NGSCB is alive and kicking," said Mario Juarez, a product manager in Microsoft's security and technology business unit.