Very First EAP-TPM Prototype
Implemented by Carolin Latze
News
- [16.09.2009]: New versions of FreeRADIUS including the verification service (server-package-v0.2) and a new version of the certificate request/generation tools on the client (client-package-v0.2) are available under downloads. wpa_supplicant has not changed.
- [11.12.2008]: EAP-TPM is now running inside EAP-TTLS (modified after an interesting discussion with Lars Völker at LCN 2008)
- [06.11.2008]: New patch for wpa_supplicant-0.6.4 available
what is EAP-TPM?
EAP-TPM is a protocol I am specifying as part of my PhD studies. If you want to
read more about it, read first the paper published at SoftCOM07, followed by
some implementation issues published at ISSA08. If you have further
questions, just write an email. :-) [carolin Punkt latze Ät unifr Punkt ch]
how to setup the prototype
Requirements
In general, four components are needed to have a working setup of this
prototype:
- a client with a TPM (Lenovo R61 in my case)
- an access point that supports authentication through a RADIUS server (Linksys WRT54GL v1.1 in my case)
- a RADIUS server (very old Dell Latitude C600 in my case)
- a verification server (Lenovo ThinkCentre in my case)
The following picture gives a nice overview (but does not show the AP!):
The following software has to run on the components listed below
(this file also contains detailed, but partly unneeded, information):
The client
- wpa_supplicant (see below)
- trousers in order to be able to "speak" with the TPM (download from trousers.sf.net)
- OpenSSL (download from www.openssl.org)
- OpenSSL TPM Engine (see below)
- the client package provided below
The server
The verification server
how to use the prototype
In order to use the prototype, configure your access point to forward
authentication requests to your RADIUS server (some information for my
case may be found here). Afterwards start the
RADIUS server:
radiusd -X
Now, start the verification server:
./server
On the client, start the trousers TPM daemon:
tcsd -f
and configure the wpa_supplicant according to the config included in
the wpa_supplicant package below. Now, start wpa_supplicant:
wpa_supplicant -Dwext -iWLAN_IFACE -ddd -c /etc/wpa_supplicant/wpa_supplicant.conf
That's it! You should be authenticated.
using EAP-TPM inside EAP-TTLS
In the first prototype, EAP-TPM runs as EAP-TLS inside EAP-TTLS. To use
an OpenSSL engine in the phase 2 (inner) EAP-TTLS authentication in
wpa_supplicant, the supplicant had to be modified: a small bug
prevented the use of engines in phase 2 (see the patch below).
Example configuration files for wpa_supplicant and FreeRADIUS can also
be found below. The rest works as before.
known bugs
I am sure there are many bugs (especially memory leaks), but this one is the biggest I know of:
- The X.509 extensions are stored and sent as strings. That means that
every time the signature includes a null byte (which ends a C string), the
verification server will crash. The workaround is to generate only
certificates whose signatures do not contain a null byte, as described in
the README of the client package.
If you find more, please inform me.
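The bug above, illustrated in C as an added example (this is not code from the prototype or its packages). A constructed 8-byte blob standing in for a signature contains zero bytes; a strlen-style length scan loses everything after the first one, a NUL check implements the workaround the README describes, and a length-prefixed encoding shows the binary-safe alternative that removes the problem at the root. All names (SAMPLE_SIG, length_as_cstring, contains_nul, encode_with_length, decode_with_length) are mine and not part of the prototype.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not a real signature): 8 bytes with 0x00 at offsets 3 and 6.
 * A genuine signature is random-looking, so zero bytes occur regularly. */
static const uint8_t SAMPLE_SIG[] = { 0x30, 0x45, 0x02, 0x00, 0x7f, 0x9a, 0x00, 0x11 };
#define SAMPLE_SIG_LEN (sizeof SAMPLE_SIG)

/* Model of the bug: the length of the value is recovered with a strlen()-style
 * scan, so everything after the first 0x00 is silently dropped.  The scan is
 * bounded by cap here so the demonstration itself stays memory-safe. */
size_t length_as_cstring(const uint8_t *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != 0)
        n++;
    return n;
}

/* The workaround check: does the value contain a NUL byte at all?
 * Returns 1 if string handling would truncate it, 0 otherwise. */
int contains_nul(const uint8_t *buf, size_t len)
{
    return memchr(buf, 0, len) != NULL;
}

/* The fix: carry the length explicitly.  Wire format is a 2-byte
 * big-endian length followed by the raw bytes. */
size_t encode_with_length(const uint8_t *val, size_t len, uint8_t *out, size_t cap)
{
    if (len > 0xFFFF || cap < 2 + len)
        return 0;                       /* refuse rather than overflow */
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xFF);
    memcpy(out + 2, val, len);
    return 2 + len;
}

/* Decode with bounds checks.  Sets *val and *val_len and returns 1 on success,
 * 0 if the declared length exceeds the bytes actually received. */
int decode_with_length(const uint8_t *in, size_t in_len,
                       const uint8_t **val, size_t *val_len)
{
    if (in_len < 2)
        return 0;
    size_t len = ((size_t)in[0] << 8) | in[1];
    if (len > in_len - 2)
        return 0;                       /* truncated message or forged length */
    *val = in + 2;
    *val_len = len;
    return 1;
}

/* Round trip through the length-prefixed encoding; returns 1 if the decoded
 * value is byte-for-byte identical to the input, including its zero bytes. */
int roundtrip_ok(const uint8_t *val, size_t len)
{
    uint8_t wire[64];
    const uint8_t *got;
    size_t got_len;
    size_t n = encode_with_length(val, len, wire, sizeof wire);
    if (n == 0 || !decode_with_length(wire, n, &got, &got_len))
        return 0;
    return got_len == len && memcmp(got, val, len) == 0;
}

/* A length field claiming more bytes than were received must be rejected;
 * returns 1 if the decoder does so. */
int rejects_overlong_length(void)
{
    uint8_t bad[] = { 0x00, 0x10, 0xAA };  /* claims 16 bytes, carries 1 */
    const uint8_t *v;
    size_t vl;
    return decode_with_length(bad, sizeof bad, &v, &vl) == 0;
}

int main(void)
{
    printf("real length: %zu, length seen as C string: %zu\n",
           SAMPLE_SIG_LEN, length_as_cstring(SAMPLE_SIG, SAMPLE_SIG_LEN));
    printf("contains NUL: %d, length-prefixed round trip ok: %d\n",
           contains_nul(SAMPLE_SIG, SAMPLE_SIG_LEN),
           roundtrip_ok(SAMPLE_SIG, SAMPLE_SIG_LEN));
    return 0;
}
```

The string scan reports 3 bytes for an 8-byte value, which is exactly how the server ends up reading a shorter signature than the certificate carries. Regenerating certificates until no zero byte appears makes the symptom disappear, but only an explicit length on the wire (and a decoder that checks it against the bytes received) makes the verification path independent of the signature's content.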
files to download
last modified: 06.11.2008 by Carolin Latze