diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4764.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4764.txt')
-rw-r--r-- | doc/rfc/rfc4764.txt | 3587 |
1 files changed, 3587 insertions, 0 deletions
diff --git a/doc/rfc/rfc4764.txt b/doc/rfc/rfc4764.txt new file mode 100644 index 0000000..21cbff7 --- /dev/null +++ b/doc/rfc/rfc4764.txt @@ -0,0 +1,3587 @@ + + + + + + +Network Working Group F. Bersani +Request for Comments: 4764 France Telecom R&D +Category: Experimental H. Tschofenig + Siemens Networks GmbH & Co KG + January 2007 + + + The EAP-PSK Protocol: + A Pre-Shared Key Extensible Authentication Protocol (EAP) Method + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2007). + +IESG Note + + This RFC is not a candidate for any level of Internet Standard. The + IETF disclaims any knowledge of the fitness of this RFC for any + purpose and in particular notes that the decision to publish is not + based on IETF review for such things as security, congestion control, + or inappropriate interaction with deployed protocols. The RFC Editor + has chosen to publish this document at its discretion. Readers of + this document should exercise caution in evaluating its value for + implementation and deployment. See RFC 3932 for more information. + + The IESG thinks that this work is related to IETF work done in WGs + EMU and EAP, but this does not prevent publishing. + +Abstract + + This document specifies EAP-PSK, an Extensible Authentication + Protocol (EAP) method for mutual authentication and session key + derivation using a Pre-Shared Key (PSK). EAP-PSK provides a + protected communication channel when mutual authentication is + successful for both parties to communicate over. This document + describes the use of this channel only for protected exchange of + result indications, but future EAP-PSK extensions may use the channel + for other purposes. EAP-PSK is designed for authentication over + insecure networks such as IEEE 802.11. + + + + + +Bersani & Tschofenig Experimental [Page 1] + +RFC 4764 EAP-PSK January 2007 + + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Design Goals for EAP-PSK ...................................4 + 1.1.1. Simplicity ..........................................4 + 1.1.2. Wide Applicability ..................................5 + 1.1.3. Security ............................................5 + 1.1.4. Extensibility .......................................5 + 1.2. Terminology ................................................5 + 1.3. Conventions ................................................8 + 1.4. Related Work ...............................................9 + 2. Protocol Overview ..............................................12 + 2.1. EAP-PSK Key Hierarchy .....................................13 + 2.1.1. The PSK ............................................13 + 2.1.2. AK .................................................14 + 2.1.3. KDK ................................................14 + 2.2. The TEK ...................................................15 + 2.3. The MSK ...................................................15 + 2.4. The EMSK ..................................................15 + 2.5. The IV ....................................................15 + 3. Cryptographic Design of EAP-PSK ................................15 + 3.1. The Key Setup .............................................16 + 3.2. The Authenticated Key Exchange ............................19 + 3.3. The Protected Channel .....................................23 + 4. EAP-PSK Message Flows ..........................................25 + 4.1. EAP-PSK Standard Authentication ...........................26 + 4.2. EAP-PSK Extended Authentication ...........................28 + 5. EAP-PSK Message Format .........................................31 + 5.1. EAP-PSK First Message .....................................32 + 5.2. EAP-PSK Second Message ....................................34 + 5.3. EAP-PSK Third Message .....................................36 + 5.4. EAP-PSK Fourth Message ....................................39 + 6. Rules of Operation for the EAP-PSK Protected Channel ...........41 + 6.1. Protected Result Indications ..............................41 + 6.1.1. CONT ...............................................42 + 6.1.2. DONE_SUCCESS .......................................43 + 6.1.3. DONE_FAILURE .......................................43 + 6.2. Extended Authentication ...................................43 + 7. IANA Considerations ............................................45 + 7.1. Allocation of an EAP-Request/Response Type for EAP-PSK ....45 + 7.2. Allocation of EXT Type Numbers ............................45 + 8. Security Considerations ........................................46 + 8.1. Mutual Authentication .....................................46 + 8.2. Protected Result Indications ..............................47 + 8.3. Integrity Protection ......................................48 + 8.4. Replay Protection .........................................48 + 8.5. Reflection Attacks ........................................48 + 8.6. Dictionary Attacks ........................................49 + + + +Bersani & Tschofenig Experimental [Page 2] + +RFC 4764 EAP-PSK January 2007 + + + 8.7. Key Derivation ............................................49 + 8.8. Denial-of-Service Resistance ..............................51 + 8.9. Session Independence ......................................51 + 8.10. Exposition of the PSK ....................................52 + 8.11. Fragmentation ............................................52 + 8.12. Channel Binding ..........................................53 + 8.13. Fast Reconnect ...........................................53 + 8.14. Identity Protection ......................................53 + 8.15. Protected Ciphersuite Negotiation ........................55 + 8.16. Confidentiality ..........................................55 + 8.17. Cryptographic Binding ....................................55 + 8.18. Implementation of EAP-PSK ................................55 + 9. Security Claims ................................................56 + 10. Acknowledgments ...............................................57 + 11. References ....................................................57 + 11.1. Normative References .....................................57 + 11.2. Informative References ...................................58 + Appendix A. Generation of the PSK from a Password - Discouraged ...62 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 3] + +RFC 4764 EAP-PSK January 2007 + + +1. Introduction + +1.1. Design Goals for EAP-PSK + + The Extensible Authentication Protocol (EAP) [3] provides an + authentication framework that supports multiple authentication + methods. + + This document specifies an EAP method, called EAP-PSK, that uses a + Pre-Shared Key (PSK). + + EAP-PSK was developed at France Telecom R&D in 2003-2004. It is + published as an RFC for the general information of the Internet + community and to allow independent implementations. + + Because PSKs are of frequent use in security protocols, other + protocols may also refer to a PSK or contain this word in their name. + For instance, Wi-Fi Protected Access (WPA) [48] specifies an + authentication mode called "WPA-PSK". EAP-PSK is distinct from these + protocols and should not be confused with them. + + Design goals for EAP-PSK were: + + o Simplicity: EAP-PSK should be easy to implement and deploy without + any pre-existing infrastructure. It should be available quickly + because recently-released protocols, such as IEEE 802.11i [27], + employ EAP in a different threat model than PPP [44] and thus + require "modern" EAP methods. + + o Wide applicability: EAP-PSK should be suitable to authenticate + over any network, and in particular over IEEE 802.11 [28] wireless + LANs. + + o Security: EAP-PSK should be conservative in its cryptographic + design. + + o Extensibility: EAP-PSK should be easily extensible. + +1.1.1. Simplicity + + For the sake of simplicity, EAP-PSK relies on a single cryptographic + primitive, AES-128 [7]. + + Restriction to such a primitive, and in particular, not using + asymmetric cryptography like Diffie-Hellman key exchange, makes EAP- + PSK: + + + + + +Bersani & Tschofenig Experimental [Page 4] + +RFC 4764 EAP-PSK January 2007 + + + o Easy to understand and implement while avoiding cryptographic + negotiations. + + o Lightweight and well suited for any type of device, especially + those with little processing power and memory. + + However, as further discussed in Section 8, this prevents EAP-PSK + from offering advanced features such as identity protection, password + support, or Perfect Forward Secrecy (PFS). This choice has been + deliberately made as a trade-off between simplicity and security. + + For the sake of simplicity, EAP-PSK has also chosen a fixed message + format and not a Type-Length-Value (TLV) design. + +1.1.2. Wide Applicability + + EAP-PSK has been designed in a threat model where the attacker has + full control over the communication channel. This is the EAP threat + model that is presented in Section 7.1 of [3]. + +1.1.3. Security + + Since the design of authenticated key exchange is notoriously known + to be hard and error prone, EAP-PSK tries to avoid inventing any new + cryptographic mechanism. It attempts instead to build on existing + primitives and protocols that have been reviewed by the cryptographic + community. + +1.1.4. Extensibility + + EAP-PSK explicitly provides a mechanism to allow future extensions + within its protected channel (see Section 3.3). Thanks to this + mechanism, EAP-PSK will be able to provide more sophisticated + services as the need to do so arises. + +1.2. Terminology + + Authentication, Authorization, and Accounting (AAA) + Please refer to [10] for more details. + + AES-128 A block cipher specified in the Advanced Encryption + Standard [7]. + + Authentication Key (AK) + A 16-byte key derived from the PSK that the EAP peer and + server use to mutually authenticate. + + + + + +Bersani & Tschofenig Experimental [Page 5] + +RFC 4764 EAP-PSK January 2007 + + + AKEP2 An authenticated key exchange protocol; please refer to + [14] for more details. + + Backend Authentication Server + An entity that provides an authentication service to an + Authenticator. When used, this server typically executes + EAP methods for the Authenticator. (This terminology is + also used in [26], and has the same meaning in this + document.) + + CMAC Cipher-based Message Authentication Code. It is the + authentication mode of operation of AES recommended by NIST + in [8]. + + Extensible Authentication Protocol (EAP) + Defined in [3]. + + EAP Authenticator (or simply Authenticator) + The end of the EAP link initiating the EAP authentication + methods. (This terminology is also used in [26], and has + the same meaning in this document.) + + EAP peer (or simply peer) + The end of the EAP link that responds to the Authenticator. + (In [26], this end is known as the Supplicant.) + + EAP server (or simply server) + The entity that terminates the EAP authentication with the + peer. When there is no Backend Authentication Server, this + term refers to the EAP Authenticator. Where the EAP + Authenticator operates in pass-through mode, it refers to + the Backend Authentication Server. + + EAX An authenticated-encryption with associated data mode of + operation for block ciphers [4]. + + Extended Master Session Key (EMSK) + Additional keying material derived between the EAP peer and + server that is exported by the EAP method. The EMSK is + reserved for future uses that are not defined yet and is + not provided to a third party. Please refer to [9] for + more details. + EAP-PSK generates a 64-byte EMSK. + + Initialization Vector (IV) + A quantity of at least 64 bytes, suitable for use in an + initialization vector field, that is derived between the + peer and EAP server. Since the IV is a known value in + + + +Bersani & Tschofenig Experimental [Page 6] + +RFC 4764 EAP-PSK January 2007 + + + methods such as EAP-TLS [11], it cannot be used by itself + for computation of any quantity that needs to remain + secret. As a result, its use has been deprecated and EAP + methods are not required to generate it. Please refer to + [9] for more details. + EAP-PSK does not generate an IV. + + Key-Derivation Key (KDK) + A 16-byte key derived from the PSK that the EAP peer and + server use to derive session keys (namely, the TEK, MSK, + and EMSK). + + Message Authentication Code (MAC) + Informally, the purpose of a MAC is to provide assurances + regarding both the source of a message and its integrity + [40]. IEEE 802.11i uses the acronym MIC (Message Integrity + Check) to avoid confusion with the other meaning of the + acronym MAC (Medium Access Control). + + Master Session Key (MSK) + Keying material that is derived between the EAP peer and + server and exported by the EAP method. In existing + implementations, a AAA server acting as an EAP server + transports the MSK to the Authenticator [9]. + EAP-PSK generates a 64-byte MSK. + + Network Access Identifier (NAI) + Identifier used to identify the communicating parties [2]. + + One Key CBC-MAC 1 (OMAC1) + A method to generate a Message Authentication Code [29]. + CMAC is the name under which NIST has standardized OMAC1. + + Perfect Forward Secrecy (PFS) + The confidence that the compromise of a long-term private + key does not compromise any earlier session keys. In other + words, once an EAP dialog is finished and its corresponding + keys are forgotten, even someone who has recorded all of + the data from the connection and gets access to all of the + long-term keys of the peer and the server cannot + reconstruct the keys used to protect the conversation + without doing a brute-force search of the session key + space. + + EAP-PSK does not have this property. + + + + + + +Bersani & Tschofenig Experimental [Page 7] + +RFC 4764 EAP-PSK January 2007 + + + Pre-Shared Key (PSK) + A Pre-Shared Key simply means a key in symmetric + cryptography. This key is derived by some prior mechanism + and shared between the parties before the protocol using it + takes place. It is merely a bit sequence of given length, + each bit of which has been chosen at random uniformly and + independently. For EAP-PSK, the PSK is the long-term 16- + byte credential shared by the EAP peer and server. + + Protected Result Indication + Please refer to Section 7.16 of [3] for a definition of + this term. This feature has been introduced because EAP- + Success/Failure packets are unidirectional and are not + protected. + + Transient EAP Key (TEK) + A session key that is used to establish a protected channel + between the EAP peer and server during the EAP + authentication exchange. The TEK is appropriate for use + with the ciphersuite negotiated between the EAP peer and + server to protect the EAP conversation. Note that the + ciphersuite used to set up the protected channel between + the EAP peer and server during EAP authentication is + unrelated to the ciphersuite used to subsequently protect + data sent between the EAP peer and Authenticator [9]. + EAP-PSK uses a 16-byte TEK for its protected channel, which + is the only ciphersuite available between the EAP peer and + server to protect the EAP conversation. This ciphersuite + uses AES-128 in the EAX mode of operation. + +1.3. Conventions + + All numbers presented in this document are considered in network-byte + order. + + || denotes concatenation of strings (and not the logical OR). + + MAC(K, String) denotes the MAC of String under the key K (the + algorithm used in this document to compute the MACs is CMAC with AES- + 128; see Section 3.2). + + [String] denotes the concatenation of String with the MAC of String + calculated as specified by the context. Hence, we have, with K + specified by the context: [String]=String||MAC(K,String) + + ** denotes integer exponentiation. + + + + + +Bersani & Tschofenig Experimental [Page 8] + +RFC 4764 EAP-PSK January 2007 + + + "i" denotes the unsigned binary representation on 16 bytes of the + integer i in network byte order. Therefore, this notation only makes + sense when i is between 0 and 2**128-1. + + <i> denotes the unsigned binary representation on 4 bytes of the + integer i in network byte order. Therefore, this notation only makes + sense when i is between 0 and 2**32-1. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [1]. + +1.4. Related Work + + At the time this document is written, only three EAP methods are + standards track EAP methods per IETF terminology (see [17]), namely: + + o MD5-Challenge (EAP-Request/Response type 4), defined in [3], which + uses a MD5 challenge similar to [45]. + + o OTP (EAP-Request/Response type 5), defined in [3], which aims at + providing One-Time Password support similar to [22] and [39]. + + o GTC (EAP-Request/Response type 6), defined in [3], which aims at + providing Generic Token Card Support. + + Unfortunately, all three methods are deprecated for security reasons + that are explained in part in [3]. + + Myriads of EAP methods have, however, been otherwise proposed: + + o One as an experimental RFC (EAP-TLS [11]), which therefore is not + a standard (see [25]). + + o Some as individual Internet-Draft submissions (e.g., [42] or this + document). + + o And some even undocumented (e.g., Rob EAP, which has EAP-Request/ + Response type 31). + + However, no secure and mature Pre-Shared Key EAP method is yet easily + and widely available, which is all the more regrettable because Pre- + Shared Key methods are the most basic ones! + + The existing proposals for a future Pre-Shared Key EAP method are + briefly reviewed hereafter (please refer to [16] for a more thorough + synthesis of EAP methods). + + + + +Bersani & Tschofenig Experimental [Page 9] + +RFC 4764 EAP-PSK January 2007 + + + Among these proposals, there are some that: + + o Are broken from a security point of view, e.g.: + + * LEAP, which is specified in [38] and whose vulnerabilities are + discussed in [49]. + + * EAP-MSCHAPv2, which is specified in [34] and whose + vulnerabilities are indirectly discussed in [43]. + + o Essentially require additional infrastructure, e.g., EAP-SIM [24], + EAP-AKA [12], or OTP/token card methods like [31]. + + o Are not shared key methods but are often confused with them, + namely, the password methods, e.g., EAP-SRP [18] or SPEKE [30], + whose wide adoption very unfortunately seems to be hindered by + Intellectual Property Rights issues. + + o Are generic tunneling methods, which do not essentially rely on + Pre-Shared Keys as they require a public-key certificate for the + server and allow the peer to authenticate with whatever EAP method + or even other non-EAP authentication mechanisms, namely, [32] and + [21]. + + o Are abandoned but have provided the basis for EAP-PSK, namely, + EAP-Archie [47]. + + o Are possible alternatives to EAP-PSK (i.e., claimed to be secure + and subject of active work): + + * EAP-FAST [42]. + + * EAP-IKEv2 [46]. + + * EAP-TLS (when shared key/password support is added to TLS; see + [50]). + + EAP-PSK differs from the aforementioned methods on the following + points: + + o No attacks on EAP-PSK within its threat model have yet been found. + + o EAP-PSK was not designed to leverage a pre-existing + infrastructure. Thus, it does not inherit potential limitations + of such an infrastructure and it should be easier to deploy "from + scratch". + + o EAP-PSK wished to avoid IPR blockages. + + + +Bersani & Tschofenig Experimental [Page 10] + +RFC 4764 EAP-PSK January 2007 + + + o EAP-PSK does not have any dependencies on protocols other than + EAP. + + o EAP-PSK was restricted to simply proposing a Pre-Shared Key method + with symmetric cryptography + + * To remain simple to understand and implement + + * To avoid potentially complex configurations and negotiations + + o EAP-PSK was designed with efficiency in mind. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 11] + +RFC 4764 EAP-PSK January 2007 + + +2. Protocol Overview + + Figure 1 presents an overview of the EAP-PSK key hierarchy. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++ ---+ + | | ^ + | EAP-PSK Protocol: a Pre-Shared Key EAP Method | | + | | | + | +----------+ | | + | | PSK | | | + | |(16 bytes)| | | + | +----------+ | | + | | | | + | v | | + | *********************** | | + | *Modified Counter Mode* | | + | *********************** | | + | | | | | + | v v | | + | +----------+ +----------+ +----------------+ | | + | | AK | | KDK | | RAND_P | | | + | |(16 bytes)| |(16 bytes)| | (16 bytes) | | | + | +----------+ +----------+ +----------------+ | | + | | | | | + | | | | | + | +-----------+ | | | | + | +--------+|Plain Text | | | | | + |+-------+|Header H||Var.Length | | | | | + ||Nonce N||22 bytes|+-----------+ v v Local | + ||4 bytes|+--------+ | *********************** to EAP | + |+-------+ | +--------+ +------*Modified Counter Mode* Method | + | | v v v *********************** | | + | | ******* +--------+ |64 |64 | | + | | * EAX *-------|TEK | |bytes |bytes | | + | +-->******* |16 bytes| | | | | + | | +--------+ | | | | + | +-----+----+ | | | | + | v v | | | | + |+--------+ +-------------------+ | | | | + ||Tag | |Cipher Text Payload| | | | | + ||16 bytes| | Variable length L | | | | | + |+--------+ +-------------------+ | | | V + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++ ---+ + | | ^ + +-+-+-+-+-++ +-+-+-+-+-++ | + |MSK | |EMSK | | + | | | | Exported | + +-+-+-+-+-++ +-+-+-+-+-++ by EAP | + + + +Bersani & Tschofenig Experimental [Page 12] + +RFC 4764 EAP-PSK January 2007 + + + | | Method | + | | | + V V | + ************************* V + * AAA Key Derivation * ---+ + * Naming & Binding * + ************************* + + Figure 1: EAP-PSK Key Hierarchy Overview + +2.1. EAP-PSK Key Hierarchy + + This section presents the key hierarchy used by EAP-PSK. This + hierarchy is inspired by the EAP key hierarchy described in [9]. + +2.1.1. The PSK + + The PSK is shared between the EAP peer and the EAP server. + + EAP-PSK assumes that the PSK is known only to the EAP peer and EAP + server. The security properties of the protocol are compromised if + it has wider distribution. Please note that EAP-PSK shares this + property with all other symmetric key methods (including all + password-based methods). + + EAP-PSK also assumes the EAP server and EAP peer identify the correct + PSK to use with each other thanks to their respective NAIs. This + means that there MUST only be at most one PSK shared between an EAP + server using a given server NAI and an EAP peer using a given peer + NAI. + + This PSK is used, as shown in Figure 2, to derive two 16-byte static + long-lived subkeys, respectively called the Authentication Key (AK) + and the Key-Derivation Key (KDK). This derivation should only be + done once: it is called the key setup. See Section 3.1 for an + explanation of why PSK is not used as a static long-lived key, but + only as the initial keying material for deriving the static long- + lived keys, AK and KDK, which are actually used by the protocol EAP- + PSK. + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 13] + +RFC 4764 EAP-PSK January 2007 + + + +---------------------------+ + | PSK | + | (16 bytes) | + +---------------------------+ + | | + v v + +---------------------------+ +---------------------------+ + | AK | | KDK | + | (16 bytes) | | (16 bytes) | + +---------------------------+ +---------------------------+ + + Figure 2: Derivation of AK and KDK from the PSK + +2.1.2. AK + + EAP-PSK uses AK to mutually authenticate the EAP peer and the EAP + server. + + AK is a static long-lived key derived from the PSK; see Section 3.1. + AK is not a session key. + + The EAP server and EAP peer identify the correct AK to use with each + other thanks to their respective NAIs. This means that there MUST + only be at most one AK shared between an EAP server using a given + server NAI and an EAP peer using a given peer NAI. This is the case + when there is at most one PSK shared between an EAP server using a + given server NAI and an EAP peer using a given peer NAI; see + Section 2.1.1. + + The EAP peer chooses the AK to use based on the EAP server NAI that + has been sent by the EAP server in the first EAP-PSK message (namely, + ID_S; see Section 4.1) and the EAP peer NAI it chooses to include in + the second EAP-PSK message (namely, ID_P; see Section 4.1). + +2.1.3. KDK + + EAP-PSK uses KDK to derive session keys shared by the EAP peer and + the EAP server (namely, the TEK, MSK, and EMSK). + + KDK is a static long-lived key derived from the PSK; see Section 3.1. + KDK is not a session key. + + The EAP server and EAP peer identify the correct AK to use with each + other thanks to their respective NAIs. This means that there MUST + only be at most one AK shared between an EAP server using a given + server NAI and an EAP peer using a given peer NAI. This is the case + + + + + +Bersani & Tschofenig Experimental [Page 14] + +RFC 4764 EAP-PSK January 2007 + + + when there is at most one PSK shared between an EAP server using a + given server NAI and an EAP peer using a given peer NAI; see + Section 2.1.1. + + The EAP peer chooses the AK to use based on the EAP server NAI that + has been sent by the EAP server in the first EAP-PSK message (namely, + ID_S; see Section 4.1) and the EAP peer NAI it chooses to include in + the second EAP-PSK message (namely, ID_P; see Section 4.1). + +2.2. The TEK + + EAP-PSK derives a 16-byte TEK thanks to a random number exchanged + during authentication (RAND_P; see Section 5.1) and KDK. + + This TEK is used to implement a protected channel for both mutually + authenticated parties to communicate over securely. + +2.3. The MSK + + EAP-PSK derives a MSK thanks to a random number exchanged during + authentication (RAND_P; see Section 5.1) and the KDK. + + The MSK is 64 bytes long, which complies with [3]. + +2.4. The EMSK + + EAP-PSK derives an EMSK thanks to a random number exchanged during + authentication (RAND_P; see Section 5.1) and the KDK. + + The EMSK is 64 bytes long, which complies with [3]. + +2.5. The IV + + EAP-PSK does not derive any IV, which complies with [9]. + +3. Cryptographic Design of EAP-PSK + + EAP-PSK relies on a single cryptographic primitive, a block cipher, + which is instantiated with AES-128. AES-128 takes a 16-byte Pre- + Shared Key and a 16-byte Plain Text block as inputs. It outputs a + 16-byte Cipher Text block. For a detailed description of AES-128, + please refer to [7]. + + AES-128 has been chosen because: + + o It is standardized and implementations are widely available. + + + + + +Bersani & Tschofenig Experimental [Page 15] + +RFC 4764 EAP-PSK January 2007 + + + o It has been carefully reviewed by the cryptographic community and + is believed to be secure. + + Other block ciphers could easily be proposed for EAP-PSK, as EAP-PSK + does not intrinsically depend on AES-128. The only parameters of + AES-128 that EAP-PSK depends on are the AES-128 block and key size + (16 bytes). For the sake of simplicity, EAP-PSK has, however, been + chosen to restrict to a single mandatory block cipher and not allow + the negotiation of other block ciphers. In the case that AES-128 is + deprecated for security reasons, EAP-PSK should also be deprecated + and a cut-and-paste EAP-PSK' should be defined with another block + cipher. This EAP-PSK' should not be backward compatible with EAP-PSK + because of the security issues with AES-128. EAP-PSK' should + therefore use a different EAP-Request/Response Type number. With the + EAP-Request/Response Type number space structure defined in [3], this + should not be a problem. The use of a different EAP-Request/Response + Type number for EAP-PSK' will prevent this new method from being + vulnerable to chosen protocol attacks. + + EAP-PSK uses three cryptographic parts: + + o A key setup to derive AK and KDK from the PSK. + + o An authenticated key exchange protocol to mutually authenticate + the communicating parties and derive session keys. + + o A protected channel protocol for both mutually authenticated + parties to communicate over. + + Each part is discussed in more detail in the subsequent paragraphs. + +3.1. The Key Setup + + EAP-PSK needs two cryptographically separated 16-byte subkeys for + mutual authentication and session key derivation. Indeed, it is a + rule of thumb in cryptography to use different keys for different + applications. + + It could have implemented these two subkeys either by specifying a + 32-byte PSK that would then be split in two 16-byte subkeys, or by + specifying a 16-byte PSK that would then be cryptographically + expanded to two 16-byte subkeys. + + Because provisioning a 32-byte long-term credential is more + cumbersome than a 16-byte one, and the strength of the derived + session keys is 16 bytes either way, the latter option was chosen. + + + + + +Bersani & Tschofenig Experimental [Page 16] + +RFC 4764 EAP-PSK January 2007 + + + Hence, the PSK is only used by EAP-PSK to derive AK and KDK. This + derivation should be done only once, immediately after the PSK has + been provisioned. As soon as AK and KDK have been derived, the PSK + should be deleted. If the PSK is deleted, it should be done so + securely (see, for instance, [19] for guidance on secure deletion of + the PSK). + + Derivation of AK and KDK from the PSK is called the key setup: + + o The input to the key setup is the PSK. + + o The outputs of the key setup are AK and KDK. + + AK and KDK are derived from the PSK using the modified counter mode + of operation of AES-128. The modified counter mode is a length + increasing function, i.e., it expands one AES-128 input block into a + longer t-block output, where t>=2. This mode was chosen for the key + setup because it had already been chosen for the derivation of the + session keys (see Section 3.2). + + The details of the derivation of AK and KDK from the PSK are shown in + Figure 3. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 17] + +RFC 4764 EAP-PSK January 2007 + + + +--------------------------+ + | "0" | + | Input Block (16 bytes) | + +--------------------------+ + | + v + +----------------+ + | | + | AES-128(PSK,.) | + | | + +----------------+ + | + | + +----------------------------+ + | | + v v + +--------+ +---+ +--------+ +---+ + | c1="1" |->|XOR| | c2="2" |->|XOR| + |16 bytes| +---+ |16 bytes| +---+ + +--------+ | +--------+ | + | | + +----------------+ +----------------+ + | | | | + | AES-128(PSK,.) | | AES-128(PSK,.) | + | | | | + +----------------+ +----------------+ + | | + | | + v v + +------------------------+ +------------------------+ + | AK | | KDK | + | (16 bytes) | | (16 bytes) | + +------------------------+ +------------------------+ + + Figure 3: Derivation of AK and KDK from the PSK in Details + + The input block is "0". For the sake of simplicity, this input block + has been chosen constant: it could have been set to a value depending + on the peer and the server (for instance, the XOR of their respective + NAIs appropriately truncated or zero-padded), but this did not seem + to add much security to the scheme, whereas it added complexity. Any + 16-byte constant could have been chosen, as the security is not + supposed to depend on the particular value taken by the constant. "0" + was arbitrarily chosen. + + + + + + + +Bersani & Tschofenig Experimental [Page 18] + +RFC 4764 EAP-PSK January 2007 + + +3.2. The Authenticated Key Exchange + + The authentication protocol used by EAP-PSK is inspired by AKEP2, + which is described in [14]. + + AKEP2 consists of a one-and-a-half round-trip exchange, as shown in + Figure 4, which is inspired by Figure 5 of [14]. + + Bob Alice + | RA | + |<---------------------------------------------------------| + | | + | [B||A||RA||RB] | + |--------------------------------------------------------->| + | | + | [A||RB] | + |<---------------------------------------------------------| + + Figure 4: Overview of AKEP2 + + It is also worth noting that [14] focuses on cryptography and not on + designing a real-life protocol. Thus, as noted in subsection "Out- + Of-Band-Data" of [14], Alice has to send A, its identity, to Bob so + that Bob may select the appropriate credential for the sequel to the + conversation. This leads to a slightly complemented version of AKEP2 + for EAP-PSK as depicted in Figure 5. + + Bob Alice + | A||RA | + |<---------------------------------------------------------| + | | + | [B||A||RA||RB] | + |--------------------------------------------------------->| + | | + | [A||RB] | + |<---------------------------------------------------------| + + Figure 5: Overview of AKEP2 + + In AKEP2, + + o RA and RB are random numbers chosen respectively by Alice and Bob. + + o A and B are Alice's and Bob's respective identities. They allow + Alice and Bob to retrieve the key that they have to use to run an + authenticated key exchange between each other. They are also + included in the protocol for cryptographic reasons. + + + + +Bersani & Tschofenig Experimental [Page 19] + +RFC 4764 EAP-PSK January 2007 + + + o The MACs (see Section 1.3 for the notation "[]") are calculated + using a dedicated key. + + EAP-PSK instantiates this protocol with: + + o The server as Alice and the peer as Bob. + + o RA and RB as 16-byte random numbers, using Section 4.1 notations; + this means RA=RAND_S and RB=RAND_P. + + o A and B as Alice's and Bob's respective NAIs, using Section 4.1 + notations; this means A=ID_S and B=ID_P. + + o The MAC algorithm as CMAC with AES-128 using AK and producing a + tag length of 16 bytes. + + o The modified counter mode of operation of AES-128 using KDK, to + derive session keys as a result of this exchange. + + CMAC was chosen as the MAC algorithm because it is capable of + handling arbitrary length messages, and its design is simple. It + also enjoys up-to-date review by the cryptographic community, + especially using provable security concepts. It has been recommended + by the NIST. For a detailed description of CMAC, please refer to + [8]. + + In AKEP2, the key exchange is "implicit": the session keys are + derived from RB. In EAP-PSK, the session keys are thus derived from + RAND_P by using KDK and the modified counter mode of operation of + AES-128 described in [5]. This mode was chosen because it is a + simple key derivation scheme that relies on a block cipher and has a + proof of its security. It is a length increasing function, i.e., it + expands one AES-128 input block into a longer t-block output, where + t>=2. The derivation of the session keys is shown in Figure 6. + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 20] + +RFC 4764 EAP-PSK January 2007 + + + +--------------------------+ +-------------------------------+ + | RAND_P | | KDK | + | Input Block (16 bytes) | | Key Derivation Key (16 bytes) | + +--------------------------+ +-------------------------------+ + | | + v v + +-----------------------------------------------------------------+ + | | + | Modified Counter Mode | + | | + +-----------------------------------------------------------------+ + | | | + v v v + +------------+ +----------------------+ +----------------------+ + | TEK | | MSK | | EMSK | + | (16 bytes) | | (64 bytes) | | (64 bytes) | + +------------+ +----------------------+ +----------------------+ + + Figure 6: Derivation of the Session Keys + + The input to the derivation of the session keys is RAND_P. + + The outputs of the derivation of the session keys are: + + o The 16-byte TEK (the first output block). + + o The 64-byte MSK (the concatenation of the second to fifth output + blocks). + + o The 64-byte EMSK (the concatenation of the sixth to ninth output + blocks). + + The details of the derivation of the session keys are shown in + Figure 7. + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 21] + +RFC 4764 EAP-PSK January 2007 + + + +--------------------------+ + | RAND_P | + | Input Block (16 bytes) | + +--------------------------+ + | + v + +----------------+ + | | + | AES-128(KDK,.) | + | | + +----------------+ + | + | + +---------------------+-- - - - - - - - - - --+ + | | | + v v v + +--------+ +---+ +--------+ +---+ +--------+ +---+ + | c1="1" |->|XOR| | c2="2" |->|XOR|.......| c9="9" |->|XOR| + |16 bytes| +---+ |16 bytes| +---+ |16 bytes| +---+ + +--------+ | +--------+ | +--------+ | + | | | + +----------------+ +----------------+ +----------------+ + | | | | | | + | AES-128(KDK,.) | | AES-128(KDK,.) |......| AES-128(KDK,.) | + | | | | | | + +----------------+ +----------------+ +----------------+ + | | | + | | | + v v v + +-----------------+ +-----------------+ +------------------+ + | Output Block #1 | | Output Block #2 | | Output Block #9 | + | (16 bytes) | | (16 bytes) |.....| (16 bytes) | + | TEK | | MSK (block 1/4) | | EMSK (block 4/4) | + +-----------------+ +-----------------+ +------------------+ + + Figure 7: Derivation of the Session Keys in Details + + The counter values are set respectively to the first t integers (that + is, ci="i", with i=1 to 9). + + Keying material is sensitive information and should be handled + accordingly (see Section 8.10 for further discussion). + + + + + + + + + +Bersani & Tschofenig Experimental [Page 22] + +RFC 4764 EAP-PSK January 2007 + + +3.3. The Protected Channel + + EAP-PSK provides a protected channel for both parties to communicate + over, in case of a successful authentication. This protected channel + is currently used to exchange protected result indications and may be + used in the future to implement extensions. + + EAP-PSK uses the EAX mode of operation to provide this protected + channel. For a detailed description of EAX, please refer to [4]. + Figure 8 shows how EAX is used to implement EAP-PSK protected + channel. + + +-----------+ +----------------+ +---------------------+ +----------+ + | Nonce N | | Header H | | Plain Text Payload | | TEK | + | 4 bytes | | 22 bytes | | Variable length L | | 16 bytes | + +-----------+ +----------------+ +---------------------+ +----------+ + | | | | + v v v v + +-------------------------------------------------------------------+ + | | + | EAX | + | | + +-------------------------------------------------------------------+ + | | + v v + +---------------------+ +----------+ + | Cipher Text Payload | | Tag | + | Variable length L | | 16 bytes | + +---------------------+ +----------+ + + Figure 8: The Protected Channel + + This protected channel: + + o Provides replay protection. + + o Encrypts and authenticates a Plain Text Payload that becomes an + Encrypted Payload. The Plain Text Payload must not exceed 960 + bytes; see Sections 5.3, 5.4, and 8.11. + + o Only authenticates a Header that is thus sent in clear. + + EAX is instantiated with AES-128 as the underlying block cipher. + + AES-128 is keyed with the TEK. + + + + + + +Bersani & Tschofenig Experimental [Page 23] + +RFC 4764 EAP-PSK January 2007 + + + The nonce N is used to provide cryptographic security to the + encryption and data origin authentication as well as protection + replay. Indeed, N is a 4-byte sequence number starting from <0> that + is monotonically incremented at each EAP-PSK message within one EAP- + PSK dialog, except retransmissions, of course. + + N was taken to be 4 bytes to avoid 16-byte arithmetic. Since EAX + uses a 16-byte nonce, N is padded with 96 zero bits for its high- + order bits. + + For cryptographic reasons, N is not allowed to wrap around. In the + unlikely, yet possible, event of the server sending an EAP-PSK + message with N set to <2**32-2>, it must not send any further message + on this protected channel, which would cause to reusing the value 0. + Either the conversation is finished after the server receives the + EAP-PSK answer from the peer with N set to <2**32-1> and the server + proceeds (typically by sending an EAP-Success or Failure), or the + conversation is not finished and must then be aborted (a new EAP-PSK + dialog may subsequently be started to try again to authenticate). + Thus, the maximum number of messages that can be exchanged over the + same protected channel is 2**32 (which should not be a limitation in + practice, as this is approximately equal to 4 billion). + + The Header H consists of the first 22 bytes of the EAP Request or + Response packet (i.e., the EAP Code, Identifier, Length, and Type + fields followed by the EAP-PSK Flags and RAND_S fields). Although it + may appear unorthodox that an upper layer (EAP-PSK) protects some + information of the lower layer (EAP), this was chosen to comply with + EAP recommendation (see Section 7.5. of [3]) and seems to be existing + practice at IETF (see, for instance, [35]). + + The Plain Text Payload is the payload that is to be encrypted and + integrity protected. The Cipher Text Payload is the result of the + encryption of the Plain Text. + + The Tag is a MAC that protects both the Header and the Plain Text + Payload. The verification of the Tag must only be done after a + successful verification of the Nonce for replay protection. If the + verification of the Tag succeeds, then the Encrypted Payload is + decrypted to recover the Plain Text Payload. If the verification of + the Tag fails, then no decryption is performed and this MAC failure + should be logged. The tag length is chosen to be 16 bytes for EAX + within EAP-PSK. This length is considered appropriate by the + cryptographic community. + + + + + + + +Bersani & Tschofenig Experimental [Page 24] + +RFC 4764 EAP-PSK January 2007 + + + EAX was mainly chosen because: + + o It strongly relies on OMAC in its design and OMAC1, a variant of + OMAC, had already been chosen in EAP-PSK for the authentication + part (please remember that OMAC1 and CMAC are analogous). + + o Its design is simple. + + o It enjoys a security proof. + + o It is free of any Intellectual Property Rights claims. + +4. EAP-PSK Message Flows + + EAP-PSK may consist of two different types of message flows: + + o The "standard authentication", which is: + + * Mandatory to implement. + + * Fully specified in this document. + + * The simpler type of message flow, which is expected to be used + most frequently. + + o The "extended authentication", which is: + + * Optional to implement (i.e., there are no mandatory + extensions). + + * Partly specified in this document since it depends on + extensions and none are currently specified, let alone in this + document. + + * The type of message flow that should be used when extensions of + EAP-PSK are needed by more sophisticated usage scenarios and + are available. + + EAP-PSK introduces the concept of a session to facilitate its + analysis and provide a cleaner interface to other layers. A session + is a particular instance of an EAP-PSK dialog between two parties. + This session is identified by a session identifier. + + In the first EAP-PSK message, the EAP server asserts its identity. + Given that the EAP-Request/Identity and EAP-Response/Identity may not + be assumed to have occurred prior to this sending and that the + response included in EAP-Response/Identity (if this EAP Identity + exchange takes place) may not contain the actual NAI the peer shall + + + +Bersani & Tschofenig Experimental [Page 25] + +RFC 4764 EAP-PSK January 2007 + + + use with EAP-PSK, this means that an EAP server implementing EAP-PSK + must use the same EAP server NAI for all EAP-PSK dialogs with any EAP + peer implementing EAP-PSK. + +4.1. EAP-PSK Standard Authentication + + EAP-PSK standard authentication is comprised of four messages, i.e., + two round-trips; see Figure 9. + + peer server + | Flags||RAND_S||ID_S | + |<---------------------------------------------------------| + | | + | Flags||RAND_S||RAND_P||MAC_P||ID_P | + |--------------------------------------------------------->| + | | + | Flags||RAND_S||MAC_S||PCHANNEL_S_0 | + |<---------------------------------------------------------| + | | + | Flags||RAND_S||PCHANNEL_P_1 | + |--------------------------------------------------------->| + | | + + Figure 9: EAP-PSK Standard Authentication + + o The first message is sent by the server to the peer to: + + * Send a 16-byte random challenge (RAND_S). RAND_S was called RA + in Section 3.2 + + * State its identity (ID_S). ID_S was denoted by A in + Section 3.2. + + o The second message is sent by the peer to the server to: + + * Send another 16-byte random challenge (RAND_P). RAND_P was + called RB in Section 3.2 + + * State its identity (ID_P). ID_P was denoted by B in + Section 3.2. + + * Authenticate to the server by proving that it is able to + compute a particular MAC (MAC_P), which is a function of the + two challenges and AK: + MAC_P = CMAC-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) + + + + + + +Bersani & Tschofenig Experimental [Page 26] + +RFC 4764 EAP-PSK January 2007 + + + o The third message is sent by the server to the peer to: + + * Authenticate to the peer by proving that it is able to compute + another MAC (MAC_S), which is a function of the peer's + challenge and AK: + MAC_S = CMAC-AES-128(AK, ID_S||RAND_P) + + * Set up the protected channel (P_CHANNEL_S_0) to: + + + Confirm that it has derived session keys (at least the TEK). + + + Give a protected result indication of the authentication. + + o The fourth message is sent by the peer to the server to finish the + setup of the protected channel (P_CHANNEL_P_1) to: + + * Confirm that it has derived session keys (at least the TEK). + + * Give a protected result indication of the authentication. + + The PCHANNEL_S_0 and PCHANNEL_P_1 fields of the third and fourth EAP- + PSK messages contain a MAC-computed thanks to TEK that protects the + integrity of the messages. For a detailed list of the fields of the + messages that are integrity protected, please refer to Section 3.3. + + All EAP-PSK messages include a sort of header, which is comprised of + two fields: + + o Flags, a 1-byte field that is currently only used to number EAP- + PSK messages. + + o RAND_S, a 16-byte challenge sent by the server that is used as a + session identifier. + + This standard message flow could be comprised of only three messages, + like AKEP2, were it not the request/response nature of EAP that + prevents the third message to be the last one. Since the fourth + message is mandatory, EAP-PSK chose to take advantage of this and set + up a protected channel. + + The standard message flow also includes a statement by the peer of + its identity, in addition to the EAP-Response/Identity it may have + sent. This behavior follows Section 5.1 of [3], which recommends + that the EAP-Response/Identity be used primarily for routing purposes + and selecting which EAP method to use, and therefore that EAP methods + include a method-specific mechanism for obtaining the identity, so + that they do not have to rely on the Identity Response. + + + + +Bersani & Tschofenig Experimental [Page 27] + +RFC 4764 EAP-PSK January 2007 + + + When a party receives an EAP-PSK message, it checks that the message + is syntactically valid in accordance with the message formats defined + in Section 5. If the message is syntactically incorrect, then it is + silently discarded. Then it checks the cryptographic validity of + this message, i.e., it checks the MAC(s) as follows: + + o If the received message is the first EAP-PSK message, there is no + MAC to check as none is included in message 1. + + o If the received message is the second EAP-PSK message, the + validity of MAC_P is checked. + + o If the received message is the third EAP-PSK message, the validity + of MAC_S is checked and then the validity of the Tag included in + P_CHANNEL_S_0 is checked. The validity checks must be done in + this order to avoid unnecessarily deriving TEK, MSK, and EMSK in + case MAC_S is invalid, meaning that mutual authentication has + failed. Indeed, TEK is used to verify the validity of the Tag + included in P_CHANNEL_S_0. + + o If the received message is the fourth EAP-PSK message, the + validity of the Tag included in P_CHANNEL_P_1 is checked. + + If a validity check fails, the message is silently discarded. There + can be a counter to track the number of silently discarded messages + Section 8.8. If there is an encrypted payload in the message + (namely, in the PCHANNEL attribute), then the encrypted payload is + decrypted. Then, if the decrypted payload is syntactically + incorrect, the message is silently discarded. + +4.2. EAP-PSK Extended Authentication + + To remain simple and yet be extensible to meet future requirements, + EAP-PSK provides an extension mechanism within its protected channel: + the payload of the protected channel may contain an optional + extension field (EXT). + + Figure 10 presents the message sequence for EAP-PSK extended + authentication. + + Extended authentication MUST be supported, i.e., any EAP-PSK + implementation MUST support sending and reception of an EXT attribute + according to rules of operation described in Section 6. Yet, + although support of the EXT field is mandatory, there is no mandatory + extension type to support. This means that if a server engages in + EAP-PSK extended authentication, as only the server can start + extended authentication per Section 6, a peer will recognize the + attempt to start extended authentication through its EXT support. If + + + +Bersani & Tschofenig Experimental [Page 28] + +RFC 4764 EAP-PSK January 2007 + + + the peer does not support the particular extension type used by the + server, the peer will still be able to conclude the EAP-PSK dialog. + + The mandatory support of the EXT field is dictated: + + o To guarantee a robust behavior in the future where some peers + might support some extensions and others not. All peers will thus + be able to understand that an extended authentication is being + attempted and indicate whether or not they support the extension + that is tried. + + o To ensure that all implementations will indeed be extensible. + + No extension is currently defined. + + At most, one extension may be run within a single EAP-PSK dialog: + there can neither be sequences of extensions nor interleaved + extensions. However, extensions may take a variable number of round- + trips to complete. + + Only the server can start an extension and, if it does so, it must + start it in the first payload it sends over the protected channel. + + peer server + | Flags||RAND_S||ID_S | + |<---------------------------------------------------------| + | | + | Flags||RAND_S||RAND_P||MAC_P||ID_P | + |--------------------------------------------------------->| + | | + | Flags||RAND_S||MAC_S||PCHANNEL_S_0(EXT) | + |<---------------------------------------------------------| + | | + | Flags||RAND_S||PCHANNEL_P_1(EXT) | + |--------------------------------------------------------->| + | | + . . + . . + . . + | Flags||RAND_S||PCHANNEL_S_2i(EXT) | + |<---------------------------------------------------------| + | | + | Flags||RAND_S||PCHANNEL_P_2i+1(EXT) | + |--------------------------------------------------------->| + | | + + Figure 10: EAP-PSK Extended Authentication + + + + +Bersani & Tschofenig Experimental [Page 29] + +RFC 4764 EAP-PSK January 2007 + + + Please refer to Section 6 for more details on how extended + authentication works. + + The PCHANNEL_S_2j and PCHANNEL_P_2j+1 fields of the EAP-PSK messages + (where j varies from 0 to i) contain a MAC-computed thanks to TEK + that protects the integrity of the messages. For a detailed list of + the fields of the messages that are integrity protected, please refer + to Section 3.3. + + When a party receives an EAP-PSK message, it checks that the message + is syntactically valid in accordance with the message formats defined + in Section 5. If the message is syntactically incorrect, then it is + silently discarded. Then it checks the cryptographic validity of + this message, i.e., it checks the MAC(s) as follows: + + o If the received message is the first EAP-PSK message, there is no + MAC to check as none is included in message 1. + + o If the received message is the second EAP-PSK message, the + validity of MAC_P is checked. + + o If the received message is the third EAP-PSK message, the validity + of MAC_S is checked and then the validity of the Tag included in + P_CHANNEL_S_0 is checked. The validity checks must be done in + this order to avoid unnecessarily deriving TEK, MSK, and EMSK in + case MAC_S is invalid, meaning that mutual authentication has + failed. Indeed, TEK is used to verify the validity of the Tag + included in P_CHANNEL_S_0. + + o If the received message is the fourth EAP-PSK message, the + validity of the Tag included in P_CHANNEL_P_1 is checked. + + o If the received message is an EAP-PSK message different from the + first four ones, then validity of the Tag included in P_CHANNEL is + checked. + + If a validity check fails, the message is silently discarded. There + can be a counter to track the number of silently discarded messages + Section 8.8. If there is an encrypted payload in the message (namely + in the PCHANNEL attribute), then the encrypted payload is decrypted. + Then, if the decrypted payload is syntactically incorrect, the + message is silently discarded. + + + + + + + + + +Bersani & Tschofenig Experimental [Page 30] + +RFC 4764 EAP-PSK January 2007 + + +5. EAP-PSK Message Format + + For the sake of simplicity, EAP-PSK uses a fixed message format. + There are four different types of EAP-PSK messages: + + o The first EAP-PSK message, which is sent by the server to the + peer. + + o The second EAP-PSK message, which is sent by the peer to the + server. + + o The third EAP-PSK message, which is sent by the server to the + peer. + + o The fourth EAP-PSK message, which is sent by the peer to the + server. This is also the type of message that the peer further + sends to the server in case of an extended authentication. This + is also essentially the type of message that the server further + sends to the peer in case of an extended authentication: the only + slight modification that occurs in this last case is the setting + of the EAP Code to 1 instead of 2 in the other cases. + + For the sake of clarity, the whole EAP packet that encapsulates the + EAP-PSK message (i.e., the EAP-PSK message plus its EAP headers) is + depicted in Figures 11, 13, 14, and 18. + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 31] + +RFC 4764 EAP-PSK January 2007 + + +5.1. EAP-PSK First Message + + The first EAP-PSK message is sent by the server to the peer. It has + the format presented in Figure 11. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code=1 | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type EAP-PSK | Flags | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | RAND_S | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + : : + : ID_S : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 11: EAP-PSK First Message + + Since IANA has allocated EAP method type 47 for EAP-PSK, Type EAP-PSK + for the first EAP-PSK message as well as any other EAP-PSK message + MUST be 47. + + The first EAP-PSK message consists of: + + o A 1-byte Flags field + + o A 16-byte random number: RAND_S + + o A variable length field that conveys the server's NAI: ID_S. The + length of this field is deduced from the EAP length field. The + length of this NAI must not exceed 966 bytes. This restriction + aims at avoiding fragmentation issues (see Section 8.11). + + The Flags field has the format presented in Figure 12. + + + + + + +Bersani & Tschofenig Experimental [Page 32] + +RFC 4764 EAP-PSK January 2007 + + + 0 + 0 1 2 3 4 5 6 7 8 + +-+-+-+-+-+-+-+-+ + | T | Reserved | + +-+-+-+-+-+-+-+-+ + + Figure 12: EAP-PSK Flags Field + + The Flags field is comprised of two subfields: + + o A 2-bit T subfield, which indicates the type of EAP-PSK message: + + * T=0 for the first EAP-PSK message presented in Section 5.1. + + * T=1 for the second EAP-PSK message presented in Section 5.2. + + * T=2 for the third EAP-PSK message presented in Section 5.3. + + * T=3 for the fourth EAP-PSK message presented in Section 5.4 and + the subsequent EAP-PSK messages that may be exchanged during + extended authentication. + + o A 6-bit Reserved subfield that is set to zero on transmission and + ignored on reception. + + The PCHANNEL Nonce field N (see Section 5.3) is used to distinguish + between the different EAP-PSK messages that may be exchanged during + extended authentication that all have T set to 3, i.e., the fourth + EAP-PSK message and possibly the next ones. + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 33] + +RFC 4764 EAP-PSK January 2007 + + +5.2. EAP-PSK Second Message + + The second EAP-PSK message is sent by the peer to the server. It has + the format presented in Figure 13. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code=2 | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type EAP-PSK | Flags | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | RAND_S | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | RAND_P | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+ + + | | + + + + | MAC_P | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+ + + : ID_P : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 13: EAP-PSK Second Message + + + + + + + + +Bersani & Tschofenig Experimental [Page 34] + +RFC 4764 EAP-PSK January 2007 + + + It consists of: + + o A 1-byte Flags field + + o The 16-byte random number sent by the server in the first EAP-PSK + message (RAND_S) that serves as a session identifier + + o A 16-byte random number: RAND_P + + o A 16-byte MAC: MAC_P + + o A variable length field that conveys the peer's NAI: ID_P. The + length of this field is deduced from the EAP length field. The + length of this NAI must not exceed 966 bytes. This restriction + aims at avoiding fragmentation issues (see Section 8.11). + + The Flags field format is presented in Figure 12. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 35] + +RFC 4764 EAP-PSK January 2007 + + +5.3. EAP-PSK Third Message + + The third EAP-PSK message is sent by the server to the peer. It has + the format presented in Figure 14. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code=1 | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type EAP-PSK | Flags | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | RAND_S | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | MAC_S | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+ + + : PCHANNEL : + : : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 14: EAP-PSK Third Message + + It consists of: + + o A 1-byte Flags field + + o The 16-byte random number sent by the server in the first EAP-PSK + message (RAND_S) that is used as a session identifier + + o A 16-byte MAC: MAC_S + + o A variable length field that constitutes the protected channel: + PCHANNEL + + + +Bersani & Tschofenig Experimental [Page 36] + +RFC 4764 EAP-PSK January 2007 + + + The Flags field format is presented in Figure 12. + + If there is no extension, i.e., if the authentication is standard, + the PCHANNEL field consists of: + + o A 4-byte Nonce N (see Section 3.3). + + o A 16-byte Tag (see Section 3.3). + + o A 2-bit result indication flag R. + + o A 1-bit extension flag E, which is set to 0. + + o A 5-bit Reserved field, which is set to zero on emission and + ignored on reception. + + R, E, and Reserved are sent encrypted by the protected channel (see + Section 3.3). + + If there is no extension, PCHANNEL has the format presented in + Figure 15 (where R, E, and Reserved are presented in the clear for + the sake of clarity, although in reality they are sent encrypted). + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Nonce | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + + + + | Tag | + + + + | | + + + + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | R |0| Reserved| + +-+-+-+-+-+-+-+-+ + + Figure 15: The PCHANNEL Field with E=0 + + If there is an extension, i.e., if the authentication is extended, + the PCHANNEL field consists of: + + o A 4-byte Nonce N (see Section 3.3). + + o A 16-byte Tag (see Section 3.3). + + + + +Bersani & Tschofenig Experimental [Page 37] + +RFC 4764 EAP-PSK January 2007 + + + o A 2-bit result indication flag R. + + o A 1-bit extension flag E, which is set to 1. + + o A 5-bit Reserved field, which is set to zero on emission and + ignored on reception. + + o A variable length EXT field. + + R, E, Reserved, and EXT are sent encrypted by the protected channel + (see Section 3.3). + + If there is an extension, PCHANNEL has the format presented in + Figure 16 where R, E, Reserved and EXT are presented in the clear for + the sake of clarity, although in reality they are sent encrypted). + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Nonce | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + + + + | Tag | + + + + | | + + + + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | R |1| Reserved| | + +-+-+-+-+-+-+-+-+ + + : EXT : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 16: The PCHANNEL Field with E=1 + + This EXT field is split in two subfields: + + o The EXT_Type subfield, which indicates the type of the extension + + o The EXT_Payload subfield, which consists of the payload of the + extension. The EXT_Payload length is derived from the EAP Length + field. EXT_Payload must have a bit length that is a multiple of 8 + bits and must not exceed 960 bytes. The latter restriction aims + + + + +Bersani & Tschofenig Experimental [Page 38] + +RFC 4764 EAP-PSK January 2007 + + + at avoiding fragmentation issues (see Section 8.11), whereas the + former comes from the EAP length being specified in bytes. + + The format of the EXT field is presented in Figure 17. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | EXT_Type | | + +-+-+-+-+-+-+-+-+ + + : EXT_Payload : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 17: The EXT Field + +5.4. EAP-PSK Fourth Message + + The fourth EAP-PSK message is sent by the peer to the server. It has + the format presented in Figure 18. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code=2 | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type EAP-PSK | Flags | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + + + + | RAND_S | + + + + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + : : + : PCHANNEL : + : : + : : + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 18: EAP-PSK Fourth Message + + + + +Bersani & Tschofenig Experimental [Page 39] + +RFC 4764 EAP-PSK January 2007 + + + It consists of: + + o A 1-byte Flags field + + o The 16-byte random number sent by the server in the first EAP-PSK + message (RAND_S) that is used as a session identifier + + o A variable length field that constitutes the protected channel: + PCHANNEL + + The Flags field format is presented in Figure 12. + + The PCHANNEL field has the following structure, which was already + described in Section 5.3. + + If there is no extension, i.e., if the authentication is standard, + the PCHANNEL field consists of: + + o A 4-byte Nonce N (see Section 3.3). + + o A 16-byte Tag (see Section 3.3). + + o A 2-bit result indication flag R. + + o A 1-bit extension flag E, which is set to 0. + + o A 5-bit Reserved field, which is set to zero on emission and + ignored on reception. + + R, E, and Reserved are sent encrypted by the protected channel (see + Section 3.3). + + If there is no extension, PCHANNEL has the format presented in + Figure 15. + + If there is an extension, i.e., if the authentication is extended, + the PCHANNEL field consists of: + + o A 4-byte Nonce N (see Section 3.3). + + o A 16-byte Tag (see Section 3.3). + + o A 2-bit result indication flag R. + + o A 1-bit extension flag E, which is set to 1. + + o A 5-bit Reserved field, which is set to zero on emission and + ignored on reception. + + + +Bersani & Tschofenig Experimental [Page 40] + +RFC 4764 EAP-PSK January 2007 + + + o A variable length EXT field. + + R, E, Reserved, and EXT are sent encrypted by the protected channel + (see Section 3.3). + + If there is an extension, PCHANNEL has the format presented in + Figure 16. + + This EXT field is split in two subfields: + + o The EXT_Type subfield, which indicates the type of the extension + + o The EXT_Payload subfield, which consists of the payload of the + extension. The EXT_Payload length is derived from the EAP Length + field. EXT_Payload must have a bit length that is a multiple of 8 + bits and must not exceed 960 bytes. The latter restriction aims + at avoiding fragmentation issues (see Section 8.11). + + The format of the EXT field is presented in Figure 17. + +6. Rules of Operation for the EAP-PSK Protected Channel + + In this section, the rules of operation of the EAP-PSK protected + channel are presented: + + o How protected result indications are implemented. + + o How an extended authentication works in details. + +6.1. Protected Result Indications + + The R flag of the PCHANNEL field in the third and fourth types of + EAP-PSK messages is used to provide result indications. + + Since this 2-bit flag is communicated over the protected channel, it + is: + + o Encrypted so that only the peer and the server can know its value. + + o Integrity-protected so that it cannot be modified by an attacker + without the peer or the server detecting this modification. + + o Protected against replays. + + This 2-bit R flag can take the following values: + + o 01 to mean CONT + + + + +Bersani & Tschofenig Experimental [Page 41] + +RFC 4764 EAP-PSK January 2007 + + + o 10 to mean DONE_SUCCESS + + o 11 to mean DONE_FAILURE + + The peer and the server each remember some information about both the + values of R that they have sent and the values of R they have + received. It is the conjunction of both sent and received R values + that indicate the success or the failure of the EAP-PSK dialog. + + In the case of a standard authentication, the following values of R + should be exchanged: + + o Either the server sends a DONE_SUCCESS in the PCHANNEL of the + third EAP-PSK message, to which the peer replies with a + DONE_SUCCESS in the PCHANNEL of the fourth EAP-PSK message, which + successfully ends the EAP-PSK dialog. + + o Or the server sends a DONE_FAILURE in the PCHANNEL of the third + EAP-PSK message, to which the peer replies with a DONE_FAILURE in + the PCHANNEL of the fourth EAP-PSK message, which unsuccessfully + ends the EAP-PSK dialog. + + In the case of an extended authentication, more complex exchanges may + occur, which is why the CONT value was introduced. + + The rules of operation for each value that R may take are detailed + below. + +6.1.1. CONT + + The server and the peer each initialize the values of R they intend + to send and receive as CONT. + + Here CONT stands for "Continue". It indicates that the EAP-PSK + dialog is not yet successful and that the party sending it wants to + continue the dialog to try and reach success. + + Indeed, although the peer and the server must have successfully + authenticated each other, thanks to MAC_P and MAC_S, before they + start communicating over the protected channel, the EAP-PSK dialog + may not yet be deemed successful after this mutual authentication + because of authorization issues. For instance, a prepaid customer of + a wireless Hot-Spot might have successfully authenticated but has to + refill its account, e.g., with a credit card transaction over the + protected channel, before it is authorized. + + + + + + +Bersani & Tschofenig Experimental [Page 42] + +RFC 4764 EAP-PSK January 2007 + + +6.1.2. DONE_SUCCESS + + DONE_SUCCESS indicates that the party that sent it deems the EAP-PSK + dialog successful and therefore proposes to end this dialog. + + Once the server has sent a DONE_SUCCESS, it must keep sending this + value for R. + + The peer must first receive a DONE_SUCCESS from the server before it + is allowed to send a DONE_SUCCESS. + + After the peer has received a DONE_SUCCESS from the server, it may: + + o Send a CONT to the server if it has not reached success on its + side. The server that receives a CONT should continue the EAP-PSK + dialog (see Section 8.2 for some discussion on the security + implications of this). + + o Send a DONE_SUCCESS to the server, which will end the EAP-PSK + dialog with success. + + o Send a DONE_FAILURE to the server, which will end the EAP-PSK + dialog with failure. + +6.1.3. DONE_FAILURE + + DONE_FAILURE indicates that the party that sent it deems the EAP-PSK + dialog unsuccessful and proposes to end this dialog because nothing + will make it change its mind. + + If the server is the first to send a DONE_FAILURE, then the peer that + receives this DONE_FAILURE must reply with a DONE_FAILURE and fail, + which ends the EAP-PSK dialog. + + If the peer is the first to send a DONE_FAILURE, then the server that + receives this DONE_FAILURE must immediately end this EAP-PSK dialog + without sending any further EAP-PSK message, and fail. + +6.2. Extended Authentication + + An extended authentication can only be started by the server. + + Exactly one extension (identified by the EXT_Type subfield of the EXT + field) must be run during an EAP-PSK extended authentication dialog. + + The extension is run over the protected channel: it can assume + confidentiality, integrity, and replay protection. + + + + +Bersani & Tschofenig Experimental [Page 43] + +RFC 4764 EAP-PSK January 2007 + + + To start an extended authentication, the server sets the PCHANNEL E + flag to 1 and includes the EXT_Payload of the extension it has + chosen. + + Since EAP-PSK does not provide fragmentation, the extension must not + send an EXT_Payload larger than 960 bytes, which corresponds to the + 1020-byte EAP MTU that may minimally be assumed (see [3]). + + Moreover, an extension must not send an empty EXT_Payload (because + this has a particular meaning for EAP-PSK; see below). + + When the peer receives the third EAP-PSK message with the E flag set + to 1, it checks whether it is able to process the proposed extension. + + If the peer is not able to process the proposed extension, i.e., it + does not recognize the EXT_Type of the proposed extension, it sets + E=1 in its reply (the fourth EAP-PSK message) and include an EXT + field of the same EXT_Type but with an empty EXT_Payload. + + Depending on the values taken by the R flags, the EAP-PSK dialog may: + + o End + + * If the peer's policy mandates that it fails in the case of an + unrecognized extension, it sends a DONE_FAILURE in the fourth + EAP-PSK message. + + * If the server has sent a DONE_SUCCESS in the third EAP-PSK + message, and the peer's policy authorizes it to succeed even if + the extension is not recognized, the peer sends a DONE_SUCCESS. + + o Continue for exactly one round-trip; namely, in case the server + has sent a CONT in the third EAP-PSK message and the peer's policy + authorizes it to succeed even if the extension is not recognized, + the peer replies with a CONT in the fourth EAP-PSK message. The + server must then, depending on its policy, send either a + DONE_SUCCESS or a DONE_FAILURE to the peer in the fifth EAP-PSK + message. If the server sent a DONE_SUCCESS in the fifth EAP-PSK + message, the peer must send a DONE_SUCCESS in the sixth EAP-PSK + message. All these messages must have the E flag set to 1 with an + EXT field with the EXT_Type of the extension that was proposed and + an empty EXT_Payload (this behavior was chosen to simplify + implementations). + + If the peer is able to process the proposed extension, then it does + so. In this case, the extension must be aware of the R values sent + and received and able to propose to update them. All the subsequent + messages exchanged between the peer and the server must have the E + + + +Bersani & Tschofenig Experimental [Page 44] + +RFC 4764 EAP-PSK January 2007 + + + flag set to 1 with an EXT field of the EXT_Type of the extension that + was proposed and a non-empty EXT_Payload. + +7. IANA Considerations + + This section provides guidance to the IANA regarding registration of + values related to the EAP-PSK protocol, in accordance with [6]. + + The following terms are used here with the meanings defined in [6]: + "name space" and "registration". + + The following policies are used here with the meanings defined in + [6]: "Expert Review" and "Specification Required". + + This document introduces one new Internet Assigned Numbers Authority + (IANA) consideration: there is one name space in EAP-PSK that + requires registration: the EXT_Type values (see Section 5.3 and + Section 5.4). + + For registration requests where a Designated Expert should be + consulted, the responsible IETF Area Director should appoint the + Designated Expert. The intention is that any allocation will be + accompanied by a published RFC. But in order to allow for the + allocation of values prior to the RFC being approved for publication, + the Designated Expert can approve allocations once it seems clear + that an RFC will be published. The Designated Expert will post a + request to the EAP WG mailing list (or a successor designated by the + Area Director) for comment and review, including an Internet-Draft. + Before a period of 30 days has passed, the Designated Expert will + either approve or deny the registration request and publish a notice + of the decision to the EAP WG mailing list or its successor, as well + as informing IANA. A denial notice must be justified by an + explanation and, in the cases where it is possible, concrete + suggestions on how the request can be modified so as to become + acceptable. + +7.1. Allocation of an EAP-Request/Response Type for EAP-PSK + + IANA allocated a new EAP Type for EAP-PSK. + +7.2. Allocation of EXT Type Numbers + + EAP-PSK is not intended as a general-purpose protocol, and + allocations of EXT_Type should not be made for purposes unrelated to + authentication, authorization, and accounting. + + EXT_Type numbers have a range from 1 to 255. + + + + +Bersani & Tschofenig Experimental [Page 45] + +RFC 4764 EAP-PSK January 2007 + + + EXT_Type 255 has been allocated for Experimental use. + + EXT_Type 1-254 may be allocated on the advice of a Designated Expert, + with Specification Required. + +8. Security Considerations + + [3] highlights several attacks that are possible against EAP, as EAP + does not provide any robust security mechanism. + + This section discusses the claimed security properties of EAP-PSK as + well as vulnerabilities and security recommendations in the threat + model of [3]. + +8.1. Mutual Authentication + + EAP-PSK provides mutual authentication. + + The server believes that the peer is authentic because it can + calculate a valid MAC and the peer believes that the server is + authentic because it can calculate another valid MAC. + + The authentication protocol that inspired EAP-PSK, AKEP2, enjoys a + security proof in the provable security paradigm; see [14]. + + The MAC algorithm used in the instantiation of AKEP2 within EAP-PSK, + CMAC, also enjoys a security proof in the provable security paradigm; + see [29]. A tag length of 16 bytes for CMAC is currently deemed + appropriate by the cryptographic community for entity authentication. + + The underlying block cipher used, AES-128, is widely believed to be a + secure block cipher. + + Finally, the key used for mutual authentication, AK, is only used for + that purpose, which makes this part cryptographically independent of + the other parts of the protocol. + + EAP-PSK provides mutual authentication if it is based on a pairwise + PSK of sufficient strength. If the PSK is not pairwise or not + sufficiently strong, then it does not provide authentication. In + this way, EAP-PSK is no different than other authentication protocols + based on Pre-Shared Keys. + + + + + + + + + +Bersani & Tschofenig Experimental [Page 46] + +RFC 4764 EAP-PSK January 2007 + + +8.2. Protected Result Indications + + EAP-PSK provides protected result indications thanks to its 2-bit R + flag (see Section 6.1). This 2-bit R flag is protected because it is + encrypted and integrity protected by the EAX mode of operation; see + Section 3.3. + + Care may be taken against Byzantine failures, that is to say, for + instance, when a peer tries to force a server to engage in a never- + ending conversation. This could, for example, be done by a peer that + keeps sending a CONT after it has received a DONE_SUCCESS from the + server. A policy may limit the number of rounds in an EAP-PSK + extended authentication to mitigate this threat, which is outside our + threat model. + + It should also be noted that the cryptographic protection of the + result indications does not prevent message deletion. + + For instance, let us consider a scenario in which: + + o A server sends a DONE_SUCCESS to a peer. + + o The peer replies with a DONE_SUCCESS. + + In the case that the last message from the peer is intercepted, and + an EAP Success is sent to the peer before any retransmission from the + server reaches it, or the retransmissions from the server are also + deleted, the peer will believe that it has successfully authenticated + to the server while the server will fail. + + This behavior is well known (see, e.g., [23]) and in a sense + unavoidable. There is a trade-off between efficiency and the "level" + of information sharing that is attainable. EAP-PSK specified a + single round-trip of DONE_SUCCESS because it is believed that: + + o If there is an adversary capable of disrupting the communication + channel, it can do so whenever it wants (be it after 1 or 10 + round-trips or even during data communication). + + o Other layers/applications will generally start by doing a specific + key exchange and confirmation procedure using the keys derived by + EAP-PSK. This is typically done by IEEE 802.11i "four-way + handshake". In case the error is not detected by EAP-PSK, it + should be detected then (please note, however, that it is bad + practice to rely on an external mechanism to ensure + synchronization, unless this is an explicit property of the + external mechanism). + + + + +Bersani & Tschofenig Experimental [Page 47] + +RFC 4764 EAP-PSK January 2007 + + +8.3. Integrity Protection + + EAP-PSK provides integrity protection thanks to the Tag of its + protected channel (see Section 3.3). + + EAP-PSK provides integrity protection if it is based on a pairwise + PSK of sufficient strength. If the PSK is not pairwise or not + sufficiently strong, then it does not provide authentication. In + this way, it is no different than other authentication protocols + based on Pre-Shared Keys. + +8.4. Replay Protection + + EAP-PSK provides replay protection of its mutual authentication part + thanks to the use of random numbers RAND_S and RAND_P. Since RAND_S + is 128 bits long, one expects to have to record 2**64 (i.e., + approximately 1.84*10**19) EAP-PSK successful authentications before + an authentication can be replayed. Hence, EAP-PSK provides replay + protection of its mutual authentication part as long as RAND_S and + RAND_P are chosen at random; randomness is critical for security. + + EAP-PSK provides replay protection during the conversation of the + protected channel thanks to the Nonce N of its protected channel (see + Section 3.3). This nonce is initialized to 0 by the server and + monotonically incremented by one by the party that receives a valid + EAP-PSK message. For instance, after receiving from the server a + valid EAP-PSK message with Nonce set to x, the peer will answer with + an EAP-PSK message with Nonce set to x+1 and wait for an EAP-PSK + message with Nonce set to x+2. A retransmission of the server's + message with Nonce set to x would cause the peer EAP layer to resend + the message in which Nonce was set to x+1, which would be transparent + to the EAP-PSK layer. + + The EAP peer must check that the Nonce is indeed initialized to 0 by + the server. + +8.5. Reflection Attacks + + EAP-PSK provides protection against reflection attacks in case of an + extended authentication because: + + o It integrity protects the EAP header (which contains the + indication Request/Response. + + o It includes two separate spaces for the Nonces: the EAP server + only receives messages with odd nonces, whereas the EAP peer only + receives messages with even nonces. + + + + +Bersani & Tschofenig Experimental [Page 48] + +RFC 4764 EAP-PSK January 2007 + + +8.6. Dictionary Attacks + + Because EAP-PSK is not a password protocol, it is not vulnerable to + dictionary attacks. + + Indeed, the PSK used by EAP-PSK must not be derived from a password. + Derivation of the PSK from a password may lead to dictionary attacks. + + However, using a 16-byte PSK has: + + o Ergonomic impacts: some people may find it cumbersome to manually + provision a 16-byte PSK. + + o Deployment impacts: some people may want to reuse existing + credential databases that contain passwords and not PSKs. + + Because people will probably not heed the warning not to use + passwords, guidance to derive a PSK from a password is provided in + Appendix A. The method proposed in Appendix A only tries to make + dictionary attacks harder. It does not eliminate them. + + However, it does not cause a fatal error if passwords are used + instead of PSKs: people rarely use password-derived certificates, so + why should they do so for shared keys? + +8.7. Key Derivation + + EAP-PSK supports key derivation. + + The key hierarchy is specified in Section 2.1. + + The mechanism used for key derivation is the modified counter mode. + + The instantiation of the modified counter in EAP-PSK complies with + the conditions stated in [5] so that the security proof for this mode + holds. + + The underlying block cipher used, AES-128, is widely believed to be a + secure block cipher. + + A first key derivation occurs to calculate AK and KDK from the PSK: + it is called the key setup (see Section 3.1). It uses the PSK as the + key to the modified counter mode. Thus, AK and KDK are believed to + be cryptographically separated and computable only to those who have + knowledge of the PSK. + + + + + + +Bersani & Tschofenig Experimental [Page 49] + +RFC 4764 EAP-PSK January 2007 + + + A second key derivation occurs to derive session keys, namely, the + TEK, MSK, and EMSK (see Section 3.2). It uses KDK as the key to the + modified counter mode. + + The protocol design explicitly assumes that neither AK nor KDK are + shared beyond the two parties utilizing them. AK loses its efficacy + to mutually authenticate the peer and server with each other when it + is shared. Similarly, the derived TEK, MSK, and EMSK lose their + value when KDK is shared with a third party. + + It should be emphasized that the peer has control of the session keys + derived by EAP-PSK. In particular, it can easily choose the random + number it sends in EAP-PSK so that one of the nine derived 16-byte + key blocks (see Section 2.1) takes a pre-specified value. + + It was chosen not to prevent this control of the session keys by the + peer because: + + o Preventing it would have added some complexity to the protocol + (typically, the inclusion of a one-way mode of operation of AES in + the key derivation part). + + o It is believed that the peer won't try to force the server to use + some pre-specified value for the session keys. Such an attack is + outside the threat model and seems to have little value compared + to a peer sharing its PSK. + + However, this is not the behavior recommended by EAP in Section 7.10 + of [3]. + + Since deriving the session keys requires some cryptographic + computations, it is recommended that the session keys be derived only + once authentication has succeeded (i.e., once the server has + successfully verified MAC_P for the server side, and once the peer + has successfully verified MAC_S for the peer side). + + It is recommended to take great care in implementations, so that + derived keys are not made available if the EAP-PSK dialog fails + (e.g., ends with DONE_FAILURE). + + The TEK must not be made available to anyone except to the current + EAP-PSK dialog. + + + + + + + + + +Bersani & Tschofenig Experimental [Page 50] + +RFC 4764 EAP-PSK January 2007 + + +8.8. Denial-of-Service Resistance + + Denial of Service (DoS) resistance has not been a design goal for + EAP-PSK. + + It is, however, believed that EAP-PSK does not provide any obvious + and avoidable venue for such attacks. + + It is worth noting that the server has to do a cryptographic + calculation and maintain some state when it engages in an EAP-PSK + conversation, namely, generate and remember the 16-byte RAND_S. + However, this should not lead to resource exhaustion as this state + and the associated computation are fairly lightweight. + + Please note that both the peer and the server must commit to their + RAND_S and RAND_P to protect their partners from flooding attacks. + + It is recommended that EAP-PSK not allow EAP notifications to be + interleaved in its dialog to prevent potential DoS attacks. Indeed, + since EAP notifications are not integrity protected, they can easily + be spoofed by an attacker. Such an attacker could force a peer that + allows EAP notifications to engage in a discussion that would delay + his or her authentication or result in the peer taking unexpected + actions (e.g., in case a notification is used to prompt the peer to + do some "bad" action). + + It is up to the implementation of EAP-PSK or to the peer and the + server to specify the maximum number of failed cryptographic checks + that are allowed. For instance, does the reception of a bogus MAC_P + in the second EAP-PSK message cause a fatal error or is it discarded + to continue waiting for the valid response of the valid peer? There + is a trade-off between possibly allowing multiple tentative forgeries + and allowing a direct DoS (in case the first error is fatal). + + For the sake of simplicity and denial-of-service resilience, EAP-PSK + has chosen not to include any error messages. Hence, an "invalid" + EAP-PSK message is silently discarded. Although this makes + interoperability testing and debugging harder, this leads to simpler + implementations and does not open any venue for denial-of-service + attacks. + +8.9. Session Independence + + Thanks to its key derivation mechanisms, EAP-PSK provides session + independence: passive attacks (such as capture of the EAP + conversation) or active attacks (including compromise of the MSK or + EMSK) do not enable compromise of subsequent or prior MSKs or EMSKs. + + + + +Bersani & Tschofenig Experimental [Page 51] + +RFC 4764 EAP-PSK January 2007 + + + The assumption that RAND_P and RAND_S are random is central for the + security of EAP-PSK in general and session independence in + particular. + +8.10. Exposition of the PSK + + EAP-PSK does not provide Perfect Forward Secrecy. Compromise of the + PSK leads to compromise of recorded past sessions. + + Compromise of the PSK enables the attacker to impersonate the peer + and the server: compromise of the PSK leads to "full" compromise of + future sessions. + + EAP-PSK provides no protection against a legitimate peer sharing its + PSK with a third party. Such protection may be provided by + appropriate repositories for the PSK, whose choice is outside the + scope of this document. The PSK used by EAP-PSK must only be shared + between two parties: the peer and the server. In particular, this + PSK must not be shared by a group of peers communicating with the + same server. + + The PSK used by EAP-PSK must be cryptographically separated from keys + used by other protocols, otherwise the security of EAP-PSK may be + compromised. It is a rule of thumb in cryptography to use different + keys for different applications. + +8.11. Fragmentation + + EAP-PSK does not support fragmentation and reassembly. + + Indeed, the largest EAP-PSK frame is at most 1015 bytes long, + because: + + o The maximum length for the peer NAI identity used in EAP-PSK is + 966 bytes (see Section 5.2). This should not be a limitation in + practice (see Section 2.2 of [2] for more considerations on NAI + length). + + o The maximum length for the EXT_Payload field used in EAP-PSK is + 960 bytes (see Section 5.3 and Section 5.4). + + Per Section 3.1 of [3], the lower layers over which EAP may be run + are assumed to have an EAP MTU of 1020 bytes or greater. Since the + EAP header is 5 bytes long, supporting fragmentation for EAP-PSK is + unnecessary. + + Extensions that require sending a payload larger than 960 bytes + should provide their own fragmentation and reassembly mechanism. + + + +Bersani & Tschofenig Experimental [Page 52] + +RFC 4764 EAP-PSK January 2007 + + +8.12. Channel Binding + + EAP-PSK does not provide channel binding as this feature is still + very much a work in progress (see [13]). + + However, it should be easy to add it to EAP-PSK as an extension (see + Section 4.2). + +8.13. Fast Reconnect + + EAP-PSK does not provide any fast reconnect capability. + + Indeed, as noted, for instance, in [15], mutual authentication + (without counters or timestamps) requires three exchanges, thus four + exchanges in EAP since any EAP-Request must be answered to by an EAP- + Response. + + Since this minimum bound is already reached in EAP-PSK standard + authentication, there is no way the number of round-trips used within + EAP-PSK can be reduced without using timestamps or counters. + Timestamps and counters were deliberately avoided for the sake of + simplicity and security (e.g., synchronization issues). + +8.14. Identity Protection + + Since it was chosen to restrict to a single cryptographic primitive + from symmetric cryptography, namely, the block cipher AES-128, it + appears that it is not possible to provide "reasonable" identity + protection without failing to meet the simplicity goal. + + Hereafter is an informal discussion of what is meant by identity + protection and the rationale behind the requirement of identity + protection. For some complementary discussion, refer to [37]. + + Identity protection basically means preventing the disclosure of the + identities of the communicating parties over the network, which is + quite contradictory to authentication. There are two levels of + identity protection: protection against passive attackers and + protection against active eavesdroppers. + + As explained in [37], "a common example [for identity protection] is + the case of mobile devices wishing to prevent an attacker from + correlating their (changing) location with the logical identity of + the device (or user)". + + If only symmetric cryptography is used, only a weak form of identity + protection may be offered, namely, pseudonym management. In other + words, the peer and the server agree on pseudonyms that they use to + + + +Bersani & Tschofenig Experimental [Page 53] + +RFC 4764 EAP-PSK January 2007 + + + identify each other and usually change them periodically, possibly in + a protected way so that an attacker cannot learn new pseudonyms + before they are used. + + With pseudonym management, there is a trade-off between allowing for + pseudonym resynchronization (thanks to a permanent identity) and + being vulnerable to active attacks (in which the attacker forges + messages simulating a pseudonym desynchronization). + + Indeed, a protocol using time-varying pseudonyms may want to + anticipate "desynchronization" situations such as, for instance, when + the peer believes that its current pseudonym is "pseudo1@bigco.com" + whereas the server believes this peer will use the pseudonym + "pseudo2@bigco.com" (which is the pseudonym the server has sent to + update "pseudo1@bigco.com"). + + Because pseudonym management adds complexity to the protocol and + implies this unsatisfactory trade-off, it was decided not to include + this feature in EAP-PSK. + + However, EAP-PSK may trivially provide some protection when the + concern is to avoid the "real-life" identity of the user being + "discovered". For instance, let us take the example of user John Doe + that roams and connects to a Hot-Spot owned and operated by Wireless + Internet Service Provider (WISP) BAD. Suppose this user + authenticates to his home WISP (WISP GOOD) with an EAP method under + an identity (e.g., "john.doe@wispgood.com") that allows WISP BAD (or + an attacker) to recover his "real-life" identity, i.e., John Doe. An + example drawback of this is when a competitor of John Doe's WISP + wants to win John Doe as a new customer by sending him some special + targeted advertisement. + + EAP-PSK can very simply thwart this attack, merely by avoiding to + provide John Doe with an NAI that allows easy recovery of his real- + life identity. It is believed that when an NAI that is not + correlated to a real-life identity is used, no valuable information + leaks because of the EAP method. + + Indeed, the identity of the WISP used by a peer has to be disclosed + anyway in the realm portion of its NAI to allow AAA routing. + Moreover, the Medium Access Control Address of the peer's Network + Interface Card can generally be used to track the peer as efficiently + as a fixed NAI. + + + + + + + + +Bersani & Tschofenig Experimental [Page 54] + +RFC 4764 EAP-PSK January 2007 + + + It is worth noting that the server systematically discloses its + identity, which may allow probing attacks. This may not be a problem + as the identity of the server is not supposed to remain secret. On + the contrary, users tend to want to know to whom they will be talking + in order to choose the right network to attach to. + +8.15. Protected Ciphersuite Negotiation + + EAP-PSK does not allow negotiating ciphersuites. Hence, it is not + vulnerable to negotiation attacks and does not implement protected + ciphersuite negotiation. + +8.16. Confidentiality + + Although EAP-PSK provides confidentiality in its protected channel, + it cannot claim to do so as per Section 7.2.1 of [3]: "A method + making this claim must support identity protection". + +8.17. Cryptographic Binding + + Since EAP-PSK is not intended to be tunneled within another protocol + that omits peer authentication, it does not implement cryptographic + binding. + +8.18. Implementation of EAP-PSK + + To really provide security, not only must a protocol be well thought- + out and correctly specified, but its implementation must take special + care. + + For instance, implementing cryptographic algorithms requires special + skills since cryptographic software is vulnerable not only to + classical attacks (e.g., buffer overflow or missing checks) but also + to some special cryptographic attacks (e.g., side channels attacks + like timing ones; see [36]). In particular, care must be taken to + avoid such attacks in EAX implementation; please refer to [4] for a + note on this point. + + An EAP-PSK implementation should use a good source of randomness to + generate the random numbers required in the protocol. Please refer + to [20] for more information on generating random numbers for + security applications. + + Handling sensitive material (namely, keying material such as the PSK, + AK, KDK, etc.) should be done in a secure way (see, for instance, + [19] for guidance on secure deletion). + + + + + +Bersani & Tschofenig Experimental [Page 55] + +RFC 4764 EAP-PSK January 2007 + + + The specification of a repository for the PSK that EAP-PSK uses is + outside the scope of this document. In particular, nothing prevents + one from storing this PSK on a tamper-resistant device such as a + smart card rather than having it memorized or written down on a sheet + of paper. The choice of the PSK repository may have important + security impacts. + +9. Security Claims + + This section provides the security claims required by [3]. + + [a] Mechanism. EAP-PSK is based on symmetric cryptography (AES-128) + and uses a 16-byte Pre-Shared Key (PSK). + + [b] Security claims. EAP-PSK provides: + + * Mutual authentication (see Section 8.1) + + * Integrity protection (see Section 8.3) + + * Replay protection (see Section 8.4) + + * Key derivation (see Section 8.7) + + * Dictionary attack resistance (see Section 8.6) + + * Session independence (see Section 8.9) + + [c] Key strength. EAP-PSK provides a 16-byte effective key + strength. + + [d] Description of key hierarchy. Please see Section 2.1. + + [e] Indication of vulnerabilities. EAP-PSK does not provide: + + * Identity protection (see Section 8.14) + + * Confidentiality (see Section 8.16) + + * Fast reconnect (see Section 8.13) + + * Fragmentation (see Section 8.11) + + * Cryptographic binding (see Section 8.17) + + * Protected ciphersuite negotiation (see Section 8.15) + + * Perfect Forward Secrecy (see Section 8.10) + + + +Bersani & Tschofenig Experimental [Page 56] + +RFC 4764 EAP-PSK January 2007 + + + * Key agreement: the session key is chosen by the peer (see + Section 8.7) + + * Channel binding (see Section 8.12) + +10. Acknowledgments + + This EAP method has been inspired by EAP-Archie and EAP-SIM. Many + thanks to their respective authors: Jesse Walker (extra thanks to + Jesse Walker for his thorough and challenging expert review of EAP- + PSK), Russ Housley, Henry Haverinen, and Joseph Salowey. + + Thanks to + + o Henri Gilbert for some interesting discussions on the + cryptographic parts of EAP-PSK. + + o Aurelien Magniez for his valuable feedback on network aspects of + EAP-PSK, his curiosity and rigor that led to numerous + improvements, and his help in the first implementation of EAP-PSK + under Microsoft Windows and Freeradius. + + o Thomas Otto for his valuable feedback on EAP-PSK and the + implementation of the first version of EAP-PSK under Xsupplicant. + + o Nancy Cam-Winget for some exchanges on EAP-PSK. + + o Jari Arkko and Bernard Aboba, the beloved EAP WG chairs, for the + work they stimulate. + + Finally, thanks to Vir Z., who has brought a permanent and + outstanding though discreet contribution to this protocol. + +11. References + +11.1. Normative References + + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network + Access Identifier", RFC 4282, December 2005. + + [3] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. + Levkowetz, "Extensible Authentication Protocol (EAP)", + RFC 3748, June 2004. + + + + + +Bersani & Tschofenig Experimental [Page 57] + +RFC 4764 EAP-PSK January 2007 + + + [4] Bellare, M., Rogaway, P., and D. Wagner, "The EAX mode of + operation", FSE 04, Springer-Verlag LNCS 3017, 2004. + + [5] Gilbert, H., "The Security of One-Block-to-Many Modes of + Operation", FSE 03, Springer-Verlag LNCS 2287, 2003. + + [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, + October 1998. + + [7] National Institute of Standards and Technology, "Specification + for the Advanced Encryption Standard (AES)", Federal + Information Processing Standards (FIPS) 197, November 2001. + + [8] National Institute of Standards and Technology, "Recommendation + for Block Cipher Modes of Operation: The CMAC Mode for + Authentication", Special Publication (SP) 800-38B, May 2005. + +11.2. Informative References + + [9] Aboba, B., Simon, D., Eronen, P., and H. Levkowetz,"Extensible + Authentication Protocol (EAP) Key Management Framework", Work + in Progress, October 2006. + + [10] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., + Shiino, H., Zorn, G., Dommety, G., Perkins, C., Patil, B., + Mitton, D., Manning, S., Beadles, M., Walsh, P., Chen, X., + Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., + Hirschman, B., Hsu, R., Xu, Y., Campell, E., Baba, S., and E. + Jaques, "Criteria for Evaluating AAA Protocols for work + Access", RFC 2989, November 2000. + + [11] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", + RFC 2716, October 1999. + + [12] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol + Method for 3rd Generation Authentication and Key Agreement + (EAP-AKA)", RFC 4187, January 2006. + + [13] Arkko, J. and P. Eronen, "Authenticated Service Information for + the Extensible Authentication Protocol (EAP)", Work in + Progress, October 2005. + + [14] Bellare, M. and P. Rogaway, "Entity Authentication and Key + Distribution", CRYPTO 93, Springer-Verlag LNCS 773, 1994. + + + + + + +Bersani & Tschofenig Experimental [Page 58] + +RFC 4764 EAP-PSK January 2007 + + + [15] Bellare, M., Pointcheval, D., and P. Rogaway, "Authenticated + Key Exchange Secure Against Dictionary attacks", EUROCRYPT 00, + Springer-Verlag LNCS 1807, 2000. + + [16] Bersani, F., "EAP shared key methods: a tentative synthesis of + those proposed so far", Work in Progress, April 2004. + + [17] Bradner, S., "The Internet Standards Process -- Revision 3", + BCP 9, RFC 2026, October 1996. + + [18] Carlson, J., Aboba, B., and H. Haverinen, "EAP SRP-SHA1 + Authentication Protocol", Work in Progress, July 2001. + + [19] Department of Defense of the United States, "National + Industrial Security Program Operating Manual", DoD 5220-22M, + January 1995. + + [20] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [21] Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS Authentication + Protocol (EAP-TTLS)", Work in Progress, July 2004. + + [22] Haller, N., Metz, C., Nesser, P., and M. Straw, "A One-Time + Password System", RFC 2289, February 1998. + + [23] Halpern, J. and Y. Moses, "Knowledge and common knowledge in a + distributed environment", Journal of the ACM 37:3, 1990. + + [24] Haverinen, H. and J. Salowey, "Extensible Authentication + Protocol Method for Global System for Mobile Communications + (GSM) Subscriber Identity Modules (EAP-SIM)", RFC 4186, + January 2006. + + [25] Huitema, C., Postel, J., and S. Crocker, "Not All RFCs are + Standards", RFC 1796, April 1995. + + [26] Institute of Electrical and Electronics Engineers, "Local and + Metropolitan Area Networks: Port-Based Network Access Control", + IEEE Standard 802.1X, September 2001. + + [27] Institute of Electrical and Electronics Engineers, "Approved + Draft Supplement to Standard for Telecommunications and + Information Exchange Between Systems-LAN/MAN Specific + Requirements - Part 11: Wireless LAN Medium Access Control + (MAC) and Physical Layer (PHY) Specifications: Specification + for Enhanced Security", IEEE 802.11i-2004, 2004. + + + + +Bersani & Tschofenig Experimental [Page 59] + +RFC 4764 EAP-PSK January 2007 + + + [28] Institute of Electrical and Electronics Engineers, "Standard + for Telecommunications and Information Exchange Between Systems + - LAN/MAN Specific Requirements - Part 11: Wireless LAN Medium + Access Control (MAC) and Physical Layer (PHY) Specifications", + IEEE Standard 802.11, 1999. + + [29] Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC", FSE 03, + Springer-Verlag LNCS 2887, 2003. + + [30] Jablon, D., "The SPEKE Password-Based Key Agreement Methods", + Work in Progress, November 2002. + + [31] Josefsson, S., "The EAP SecurID(r) Mechanism", Work in + Progress, February 2002. + + [32] Josefsson, S., Palekar, A., Simon, D., and G. Zorn, "Protected + EAP Protocol (PEAP) Version 2", Work in Progress, October 2004. + + [33] Kaliski, B., "PKCS #5: Password-Based Cryptography + Specification Version 2.0", RFC 2898, September 2000. + + [34] Kamath, V. and A. Palekar, "Microsoft EAP CHAP Extensions", + Work in Progress, April 2004. + + [35] Kent, S., "IP Authentication Header", RFC 4302, December 2005 + + [36] Kocher, P., "Timing Attacks on Implementations of Diffie- + Hellman, RSA, DSS, and Other Systems", CRYPTO 96, Springer- + Verlag LNCS 1109, 1996. + + [37] Krawczyk, H., "SIGMA: the `SIGn-and-MAc' Approach to + Authenticated Diffie-Hellman and its Use in the IKE Protocols", + CRYPTO 03, Springer-Verlag LNCS 2729, June 2003. + + [38] MacNally, C., "Cisco LEAP protocol description", + September 2001, available from + <http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt>. + + [39] Metz, C., "OTP Extended Responses", RFC 2243, November 1997. + + [40] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook of + Applied Cryptography", CRC Press , 1996. + + [41] National Institute of Standards and Technology, "Password + Usage", Federal Information Processing Standards (FIPS) 112, + May 1985. + + + + + +Bersani & Tschofenig Experimental [Page 60] + +RFC 4764 EAP-PSK January 2007 + + + [42] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The + Flexible Authentication via Secure Tunneling Extensible + Authentication Protocol Method (EAP-FAST)", Work in Progress, + October 2006. + + [43] Schneier, B., Mudge, and D. Wagner, "Cryptanalysis of + Microsoft's PPTP Authentication Extensions (MS-CHAPv2)", + CQRE 99, Springer-Verlag LNCS 1740, October 1999. + + [44] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, + RFC 1661, July 1994. + + [45] Simpson, W., "PPP Challenge Handshake Authentication Protocol + (CHAP)", RFC 1994, August 1996. + + [46] Tschofenig, H., Kroeselberg, D., Pashalidis, A., Ohba, Y., and + F. Bersani, "EAP IKEv2 Method", Work in Progress, October 2006. + + [47] Walker, J. and R. Housley, "The EAP Archie Protocol", Work in + Progress, June 2003. + + [48] Wi-Fi Alliance, "Wi-Fi Protected Access, version 2.0", + April 2003. + + [49] Wright, J., "Weaknesses in LEAP Challenge/Response", Defcon 03, + August 2003. + + [50] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for + Transport Layer Security (TLS)", RFC 4279, December 2005. + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 61] + +RFC 4764 EAP-PSK January 2007 + + +Appendix A. Generation of the PSK from a Password - Discouraged + + It is formally discouraged to use a password to generate the PSK, + since this opens the door to exhaustive search or dictionary attacks, + two attacks that would not otherwise be possible. + + EAP-PSK only provides a 16-byte key strength when a 16-byte PSK is + drawn at random from the set of all possible 16-byte strings. + + However, as people will probably do this anyway, guidance is provided + hereafter to generate the PSK from a password. + + For some hints on how passwords should be selected, please refer to + [41]. + + The technique presented herein is drawn from [33]. It is intended to + try to mitigate the risks associated with password usage in + cryptography, typically dictionary attacks. + + If the binary representation of the password is strictly fewer than + 16 bytes long (which by the way means that the chosen password is + probably weak because it is too short), then it is padded to 16 bytes + with zeroes as its high-order bits. + + If the binary representation of the password is strictly more than 16 + bytes long, then it is hashed down to exactly 16 bytes using the + Matyas-Meyer-Oseas hash (please refer to [40] for a description of + this hash. Using the notation of Figure 9.3 of [40], g is the + identity function and E is AES-128 in our construction.) with + IV=0x0123456789ABCDEFFEDCBA9876543210 (this value has been + arbitrarily selected). + + We now assume that we have a 16-byte number derived from the initial + password (that can be the password itself if its binary + representation is exactly 16 bytes long). We shall call this number + P16. + + Following the notations used in [33], the PSK is derived thanks to + PBKDF2 instantiated with: + + o P16 as P + + o The first 96 bits of the XOR of the peer and server NAIs as Salt + (zero-padded in the high-order bits if necessary). + + o 5000 as c + + o 16 as dkLen + + + +Bersani & Tschofenig Experimental [Page 62] + +RFC 4764 EAP-PSK January 2007 + + + Although this gives better protection than nothing, this derivation + does not stricto sensu protect against dictionary attacks. It only + makes dictionary precomputation harder. + +Authors' Addresses + + Florent Bersani + France Telecom R&D + 38, rue du General Leclerc + Issy-Les-Moulineaux 92794 Cedex 9 + FR + + EMail: bersani_florent@yahoo.fr + + + Hannes Tschofenig + Siemens Networks GmbH & Co KG + Otto-Hahn-Ring 6 + Munich 81739 + GE + + EMail: Hannes.Tschofenig@siemens.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bersani & Tschofenig Experimental [Page 63] + +RFC 4764 EAP-PSK January 2007 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78 and at www.rfc-editor.org/copyright.html, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Bersani & Tschofenig Experimental [Page 64] + |