summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7170.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7170.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7170.txt')
-rw-r--r--doc/rfc/rfc7170.txt5659
1 files changed, 5659 insertions, 0 deletions
diff --git a/doc/rfc/rfc7170.txt b/doc/rfc/rfc7170.txt
new file mode 100644
index 0000000..6569f6f
--- /dev/null
+++ b/doc/rfc/rfc7170.txt
@@ -0,0 +1,5659 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) H. Zhou
+Request for Comments: 7170 N. Cam-Winget
+Category: Standards Track J. Salowey
+ISSN: 2070-1721 Cisco Systems
+ S. Hanna
+ Infineon Technologies
+ May 2014
+
+
+ Tunnel Extensible Authentication Protocol (TEAP) Version 1
+
+Abstract
+
+ This document defines the Tunnel Extensible Authentication Protocol
+ (TEAP) version 1. TEAP is a tunnel-based EAP method that enables
+ secure communication between a peer and a server by using the
+ Transport Layer Security (TLS) protocol to establish a mutually
+ authenticated tunnel. Within the tunnel, TLV objects are used to
+ convey authentication-related data between the EAP peer and the EAP
+ server.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7170.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 1]
+
+RFC 7170 TEAP May 2014
+
+
+Copyright Notice
+
+ Copyright (c) 2014 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.1. Specification Requirements . . . . . . . . . . . . . . . 5
+ 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
+ 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.1. Architectural Model . . . . . . . . . . . . . . . . . . . 7
+ 2.2. Protocol-Layering Model . . . . . . . . . . . . . . . . . 8
+ 3. TEAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1. Version Negotiation . . . . . . . . . . . . . . . . . . . 9
+ 3.2. TEAP Authentication Phase 1: Tunnel Establishment . . . . 10
+ 3.2.1. TLS Session Resume Using Server State . . . . . . . . 11
+ 3.2.2. TLS Session Resume Using a PAC . . . . . . . . . . . 12
+ 3.2.3. Transition between Abbreviated and Full TLS Handshake 13
+ 3.3. TEAP Authentication Phase 2: Tunneled Authentication . . 14
+ 3.3.1. EAP Sequences . . . . . . . . . . . . . . . . . . . . 14
+ 3.3.2. Optional Password Authentication . . . . . . . . . . 15
+ 3.3.3. Protected Termination and Acknowledged Result
+ Indication . . . . . . . . . . . . . . . . . . . . . 15
+ 3.4. Determining Peer-Id and Server-Id . . . . . . . . . . . . 16
+ 3.5. TEAP Session Identifier . . . . . . . . . . . . . . . . . 17
+ 3.6. Error Handling . . . . . . . . . . . . . . . . . . . . . 17
+ 3.6.1. Outer-Layer Errors . . . . . . . . . . . . . . . . . 18
+ 3.6.2. TLS Layer Errors . . . . . . . . . . . . . . . . . . 18
+ 3.6.3. Phase 2 Errors . . . . . . . . . . . . . . . . . . . 19
+ 3.7. Fragmentation . . . . . . . . . . . . . . . . . . . . . . 19
+ 3.8. Peer Services . . . . . . . . . . . . . . . . . . . . . . 20
+ 3.8.1. PAC Provisioning . . . . . . . . . . . . . . . . . . 21
+ 3.8.2. Certificate Provisioning within the Tunnel . . . . . 22
+ 3.8.3. Server Unauthenticated Provisioning Mode . . . . . . 23
+ 3.8.4. Channel Binding . . . . . . . . . . . . . . . . . . . 23
+
+
+
+
+
+Zhou, et al. Standards Track [Page 2]
+
+RFC 7170 TEAP May 2014
+
+
+ 4. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24
+ 4.1. TEAP Message Format . . . . . . . . . . . . . . . . . . . 24
+ 4.2. TEAP TLV Format and Support . . . . . . . . . . . . . . . 26
+ 4.2.1. General TLV Format . . . . . . . . . . . . . . . . . 28
+ 4.2.2. Authority-ID TLV . . . . . . . . . . . . . . . . . . 29
+ 4.2.3. Identity-Type TLV . . . . . . . . . . . . . . . . . . 30
+ 4.2.4. Result TLV . . . . . . . . . . . . . . . . . . . . . 31
+ 4.2.5. NAK TLV . . . . . . . . . . . . . . . . . . . . . . . 32
+ 4.2.6. Error TLV . . . . . . . . . . . . . . . . . . . . . . 33
+ 4.2.7. Channel-Binding TLV . . . . . . . . . . . . . . . . . 36
+ 4.2.8. Vendor-Specific TLV . . . . . . . . . . . . . . . . . 37
+ 4.2.9. Request-Action TLV . . . . . . . . . . . . . . . . . 38
+ 4.2.10. EAP-Payload TLV . . . . . . . . . . . . . . . . . . . 40
+ 4.2.11. Intermediate-Result TLV . . . . . . . . . . . . . . . 41
+ 4.2.12. PAC TLV Format . . . . . . . . . . . . . . . . . . . 42
+ 4.2.12.1. Formats for PAC Attributes . . . . . . . . . . . 43
+ 4.2.12.2. PAC-Key . . . . . . . . . . . . . . . . . . . . 44
+ 4.2.12.3. PAC-Opaque . . . . . . . . . . . . . . . . . . . 44
+ 4.2.12.4. PAC-Info . . . . . . . . . . . . . . . . . . . . 45
+ 4.2.12.5. PAC-Acknowledgement TLV . . . . . . . . . . . . 47
+ 4.2.12.6. PAC-Type TLV . . . . . . . . . . . . . . . . . . 48
+ 4.2.13. Crypto-Binding TLV . . . . . . . . . . . . . . . . . 48
+ 4.2.14. Basic-Password-Auth-Req TLV . . . . . . . . . . . . . 51
+ 4.2.15. Basic-Password-Auth-Resp TLV . . . . . . . . . . . . 52
+ 4.2.16. PKCS#7 TLV . . . . . . . . . . . . . . . . . . . . . 53
+ 4.2.17. PKCS#10 TLV . . . . . . . . . . . . . . . . . . . . . 54
+ 4.2.18. Trusted-Server-Root TLV . . . . . . . . . . . . . . . 55
+ 4.3. TLV Rules . . . . . . . . . . . . . . . . . . . . . . . . 56
+ 4.3.1. Outer TLVs . . . . . . . . . . . . . . . . . . . . . 57
+ 4.3.2. Inner TLVs . . . . . . . . . . . . . . . . . . . . . 57
+ 5. Cryptographic Calculations . . . . . . . . . . . . . . . . . 58
+ 5.1. TEAP Authentication Phase 1: Key Derivations . . . . . . 58
+ 5.2. Intermediate Compound Key Derivations . . . . . . . . . . 59
+ 5.3. Computing the Compound MAC . . . . . . . . . . . . . . . 61
+ 5.4. EAP Master Session Key Generation . . . . . . . . . . . . 61
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 62
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 66
+ 7.1. Mutual Authentication and Integrity Protection . . . . . 67
+ 7.2. Method Negotiation . . . . . . . . . . . . . . . . . . . 67
+ 7.3. Separation of Phase 1 and Phase 2 Servers . . . . . . . . 67
+ 7.4. Mitigation of Known Vulnerabilities and Protocol
+ Deficiencies . . . . . . . . . . . . . . . . . . . . . . 68
+ 7.4.1. User Identity Protection and Verification . . . . . . 69
+ 7.4.2. Dictionary Attack Resistance . . . . . . . . . . . . 70
+ 7.4.3. Protection against Man-in-the-Middle Attacks . . . . 70
+ 7.4.4. PAC Binding to User Identity . . . . . . . . . . . . 71
+
+
+
+
+
+Zhou, et al. Standards Track [Page 3]
+
+RFC 7170 TEAP May 2014
+
+
+ 7.5. Protecting against Forged Cleartext EAP Packets . . . . . 71
+ 7.6. Server Certificate Validation . . . . . . . . . . . . . . 72
+ 7.7. Tunnel PAC Considerations . . . . . . . . . . . . . . . . 72
+ 7.8. Security Claims . . . . . . . . . . . . . . . . . . . . . 73
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 75
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . 75
+ 9.2. Informative References . . . . . . . . . . . . . . . . . 76
+ Appendix A. Evaluation against Tunnel-Based EAP Method
+ Requirements . . . . . . . . . . . . . . . . . . . . 79
+ A.1. Requirement 4.1.1: RFC Compliance . . . . . . . . . . . . 79
+ A.2. Requirement 4.2.1: TLS Requirements . . . . . . . . . . . 79
+ A.3. Requirement 4.2.1.1.1: Ciphersuite Negotiation . . . . . 79
+ A.4. Requirement 4.2.1.1.2: Tunnel Data Protection Algorithms 79
+ A.5. Requirement 4.2.1.1.3: Tunnel Authentication and Key
+ Establishment . . . . . . . . . . . . . . . . . . . . . . 79
+ A.6. Requirement 4.2.1.2: Tunnel Replay Protection . . . . . . 79
+ A.7. Requirement 4.2.1.3: TLS Extensions . . . . . . . . . . . 80
+ A.8. Requirement 4.2.1.4: Peer Identity Privacy . . . . . . . 80
+ A.9. Requirement 4.2.1.5: Session Resumption . . . . . . . . . 80
+ A.10. Requirement 4.2.2: Fragmentation . . . . . . . . . . . . 80
+ A.11. Requirement 4.2.3: Protection of Data External to Tunnel 80
+ A.12. Requirement 4.3.1: Extensible Attribute Types . . . . . . 80
+ A.13. Requirement 4.3.2: Request/Challenge Response Operation . 80
+ A.14. Requirement 4.3.3: Indicating Criticality of Attributes . 80
+ A.15. Requirement 4.3.4: Vendor-Specific Support . . . . . . . 81
+ A.16. Requirement 4.3.5: Result Indication . . . . . . . . . . 81
+ A.17. Requirement 4.3.6: Internationalization of Display
+ Strings . . . . . . . . . . . . . . . . . . . . . . . . . 81
+ A.18. Requirement 4.4: EAP Channel-Binding Requirements . . . . 81
+ A.19. Requirement 4.5.1.1: Confidentiality and Integrity . . . 81
+ A.20. Requirement 4.5.1.2: Authentication of Server . . . . . . 81
+ A.21. Requirement 4.5.1.3: Server Certificate Revocation
+ Checking . . . . . . . . . . . . . . . . . . . . . . . . 81
+ A.22. Requirement 4.5.2: Internationalization . . . . . . . . . 81
+ A.23. Requirement 4.5.3: Metadata . . . . . . . . . . . . . . . 82
+ A.24. Requirement 4.5.4: Password Change . . . . . . . . . . . 82
+ A.25. Requirement 4.6.1: Method Negotiation . . . . . . . . . . 82
+ A.26. Requirement 4.6.2: Chained Methods . . . . . . . . . . . 82
+ A.27. Requirement 4.6.3: Cryptographic Binding with the TLS
+ Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . 82
+ A.28. Requirement 4.6.4: Peer-Initiated EAP Authentication . . 82
+ A.29. Requirement 4.6.5: Method Metadata . . . . . . . . . . . 82
+ Appendix B. Major Differences from EAP-FAST . . . . . . . . . . 83
+ Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 83
+ C.1. Successful Authentication . . . . . . . . . . . . . . . . 83
+ C.2. Failed Authentication . . . . . . . . . . . . . . . . . . 85
+ C.3. Full TLS Handshake Using Certificate-Based Ciphersuite . 86
+
+
+
+Zhou, et al. Standards Track [Page 4]
+
+RFC 7170 TEAP May 2014
+
+
+ C.4. Client Authentication during Phase 1 with Identity
+ Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 88
+ C.5. Fragmentation and Reassembly . . . . . . . . . . . . . . 89
+ C.6. Sequence of EAP Methods . . . . . . . . . . . . . . . . . 91
+ C.7. Failed Crypto-Binding . . . . . . . . . . . . . . . . . . 94
+ C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange 95
+ C.9. Peer Requests Inner Method after Server Sends Result TLV 97
+ C.10. Channel Binding . . . . . . . . . . . . . . . . . . . . . 99
+
+1. Introduction
+
+ A tunnel-based Extensible Authentication Protocol (EAP) method is an
+ EAP method that establishes a secure tunnel and executes other EAP
+ methods under the protection of that secure tunnel. A tunnel-based
+ EAP method can be used in any lower-layer protocol that supports EAP
+ authentication. There are several existing tunnel-based EAP methods
+ that use Transport Layer Security (TLS) [RFC5246] to establish the
+ secure tunnel. EAP methods supporting this include Protected EAP
+ (PEAP) [PEAP], EAP Tunneled Transport Layer Security (EAP-TTLS)
+ [RFC5281], and EAP Flexible Authentication via Secure Tunneling (EAP-
+ FAST) [RFC4851]. However, they all are either vendor-specific or
+ informational, and the industry calls for a Standards Track tunnel-
+ based EAP method. [RFC6678] outlines the list of requirements for a
+ standard tunnel-based EAP method.
+
+ Since its introduction, EAP-FAST [RFC4851] has been widely adopted in
+ a variety of devices and platforms. It has been adopted by the EMU
+ working group as the basis for the standard tunnel-based EAP method.
+ This document describes the Tunnel Extensible Authentication Protocol
+ (TEAP) version 1, based on EAP-FAST [RFC4851] with some minor changes
+ to meet the requirements outlined in [RFC6678] for a standard tunnel-
+ based EAP method.
+
+1.1. Specification Requirements
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 5]
+
+RFC 7170 TEAP May 2014
+
+
+1.2. Terminology
+
+ Much of the terminology in this document comes from [RFC3748].
+ Additional terms are defined below:
+
+ Protected Access Credential (PAC)
+
+ Credentials distributed to a peer for future optimized network
+ authentication. The PAC consists of a minimum of two components:
+ a shared secret and an opaque element. The shared secret
+ component contains the pre-shared key between the peer and the
+ authentication server. The opaque part is provided to the peer
+ and is presented to the authentication server when the peer wishes
+ to obtain access to network resources. The opaque element and
+ shared secret are used with TLS stateless session resumption
+ defined in [RFC5077] to establish a protected TLS session. The
+ secret key and opaque part may be distributed using [RFC5077]
+ messages or using TLVs within the TEAP tunnel. Finally, a PAC may
+ optionally include other information that may be useful to the
+ peer.
+
+ Type-Length-Value (TLV)
+
+ The TEAP protocol utilizes objects in TLV format. The TLV format
+ is defined in Section 4.2.
+
+2. Protocol Overview
+
+ TEAP authentication occurs in two phases after the initial EAP
+ Identity request/response exchange. In the first phase, TEAP employs
+ the TLS [RFC5246] handshake to provide an authenticated key exchange
+ and to establish a protected tunnel. Once the tunnel is established,
+ the second phase begins with the peer and server engaging in further
+ conversations to establish the required authentication and
+ authorization policies. TEAP makes use of TLV objects to carry out
+ the inner authentication, results, and other information, such as
+ channel-binding information.
+
+ TEAP makes use of the TLS SessionTicket extension [RFC5077], which
+ supports TLS session resumption without requiring session-specific
+ state stored at the server. In this document, the SessionTicket is
+ referred to as the Protected Access Credential opaque data (or PAC-
+ Opaque). The PAC-Opaque may be distributed through the use of the
+ NewSessionTicket message or through a mechanism that uses TLVs within
+ Phase 2 of TEAP. The secret key used to resume the session in TEAP
+ is referred to as the Protected Access Credential key (or PAC-Key).
+ When the NewSessionTicket message is used to distribute the PAC-
+ Opaque, the PAC-Key is the master secret for the session. If TEAP
+
+
+
+Zhou, et al. Standards Track [Page 6]
+
+RFC 7170 TEAP May 2014
+
+
+ Phase 2 is used to distribute the PAC-Opaque, then the PAC-Key is
+ distributed along with the PAC-Opaque. TEAP implementations MUST
+ support the [RFC5077] mechanism for distributing a PAC-Opaque, and it
+ is RECOMMENDED that implementations support the capability to
+ distribute the ticket and secret key within the TEAP tunnel.
+
+ The TEAP conversation is used to establish or resume an existing
+ session to typically establish network connectivity between a peer
+ and the network. Upon successful execution of TEAP, the EAP peer and
+ EAP server both derive strong session key material that can then be
+ communicated to the network access server (NAS) for use in
+ establishing a link-layer security association.
+
+2.1. Architectural Model
+
+ The network architectural model for TEAP usage is shown below:
+
+ +----------+ +----------+ +----------+ +----------+
+ | | | | | | | Inner |
+ | Peer |<---->| Authen- |<---->| TEAP |<---->| Method |
+ | | | ticator | | server | | server |
+ | | | | | | | |
+ +----------+ +----------+ +----------+ +----------+
+
+ TEAP Architectural Model
+
+ The entities depicted above are logical entities and may or may not
+ correspond to separate network components. For example, the TEAP
+ server and inner method server might be a single entity; the
+ authenticator and TEAP server might be a single entity; or the
+ functions of the authenticator, TEAP server, and inner method server
+ might be combined into a single physical device. For example,
+ typical IEEE 802.11 deployments place the authenticator in an access
+ point (AP) while a RADIUS server may provide the TEAP and inner
+ method server components. The above diagram illustrates the division
+ of labor among entities in a general manner and shows how a
+ distributed system might be constructed; however, actual systems
+ might be realized more simply. The security considerations in
+ Section 7.3 provide an additional discussion of the implications of
+ separating the TEAP server from the inner method server.
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 7]
+
+RFC 7170 TEAP May 2014
+
+
+2.2. Protocol-Layering Model
+
+ TEAP packets are encapsulated within EAP; EAP in turn requires a
+ transport protocol. TEAP packets encapsulate TLS, which is then used
+ to encapsulate user authentication information. Thus, TEAP messaging
+ can be described using a layered model, where each layer encapsulates
+ the layer above it. The following diagram clarifies the relationship
+ between protocols:
+
+ +---------------------------------------------------------------+
+ | Inner EAP Method | Other TLV information |
+ |---------------------------------------------------------------|
+ | TLV Encapsulation (TLVs) |
+ |---------------------------------------------------------------|
+ | TLS | Optional Outer TLVs |
+ |---------------------------------------------------------------|
+ | TEAP |
+ |---------------------------------------------------------------|
+ | EAP |
+ |---------------------------------------------------------------|
+ | Carrier Protocol (EAP over LAN, RADIUS, Diameter, etc.) |
+ +---------------------------------------------------------------+
+
+ Protocol-Layering Model
+
+ The TLV layer is a payload with TLV objects as defined in
+ Section 4.2. The TLV objects are used to carry arbitrary parameters
+ between an EAP peer and an EAP server. All conversations in the TEAP
+ protected tunnel are encapsulated in a TLV layer.
+
+ TEAP packets may include TLVs both inside and outside the TLS tunnel.
+ The term "Outer TLVs" is used to refer to optional TLVs outside the
+ TLS tunnel, which are only allowed in the first two messages in the
+ TEAP protocol. That is the first EAP-server-to-peer message and
+ first peer-to-EAP-server message. If the message is fragmented, the
+ whole set of messages is counted as one message. The term "Inner
+ TLVs" is used to refer to TLVs sent within the TLS tunnel. In TEAP
+ Phase 1, Outer TLVs are used to help establish the TLS tunnel, but no
+ Inner TLVs are used. In Phase 2 of the TEAP conversation, TLS
+ records may encapsulate zero or more Inner TLVs, but no Outer TLVs.
+
+ Methods for encapsulating EAP within carrier protocols are already
+ defined. For example, IEEE 802.1X [IEEE.802-1X.2013] may be used to
+ transport EAP between the peer and the authenticator; RADIUS
+ [RFC3579] or Diameter [RFC4072] may be used to transport EAP between
+ the authenticator and the EAP server.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 8]
+
+RFC 7170 TEAP May 2014
+
+
+3. TEAP Protocol
+
+ The operation of the protocol, including Phase 1 and Phase 2, is the
+ topic of this section. The format of TEAP messages is given in
+ Section 4, and the cryptographic calculations are given in Section 5.
+
+3.1. Version Negotiation
+
+ TEAP packets contain a 3-bit Version field, following the TLS Flags
+ field, which enables future TEAP implementations to be backward
+ compatible with previous versions of the protocol. This
+ specification documents the TEAP version 1 protocol; implementations
+ of this specification MUST use a Version field set to 1.
+
+ Version negotiation proceeds as follows:
+
+ 1. In the first EAP-Request sent with EAP type=TEAP, the EAP server
+ MUST set the Version field to the highest version it supports.
+
+ 2a. If the EAP peer supports this version of the protocol, it
+ responds with an EAP-Response of EAP type=TEAP, including the
+ version number proposed by the TEAP server.
+
+ 2b. If the TEAP peer does not support the proposed version but
+ supports a lower version, it responds with an EAP-Response of
+ EAP type=TEAP and sets the Version field to its highest
+ supported version.
+
+ 2c. If the TEAP peer only supports versions higher than the version
+ proposed by the TEAP server, then use of TEAP will not be
+ possible. In this case, the TEAP peer sends back an EAP-Nak
+ either to negotiate a different EAP type or to indicate no other
+ EAP types are available.
+
+ 3a. If the TEAP server does not support the version number proposed
+ by the TEAP peer, it MUST either terminate the conversation with
+ an EAP Failure or negotiate a new EAP type.
+
+ 3b. If the TEAP server does support the version proposed by the TEAP
+ peer, then the conversation continues using the version proposed
+ by the TEAP peer.
+
+ The version negotiation procedure guarantees that the TEAP peer and
+ server will agree to the latest version supported by both parties.
+ If version negotiation fails, then use of TEAP will not be possible,
+ and another mutually acceptable EAP method will need to be negotiated
+ if authentication is to proceed.
+
+
+
+
+Zhou, et al. Standards Track [Page 9]
+
+RFC 7170 TEAP May 2014
+
+
+ The TEAP version is not protected by TLS and hence can be modified in
+ transit. In order to detect a modification of the TEAP version, the
+ peers MUST exchange the TEAP version number received during version
+ negotiation using the Crypto-Binding TLV described in Section 4.2.13.
+ The receiver of the Crypto-Binding TLV MUST verify that the version
+ received in the Crypto-Binding TLV matches the version sent by the
+ receiver in the TEAP version negotiation. If the Crypto-Binding TLV
+ fails to be validated, then it is a fatal error and is handled as
+ described in Section 3.6.3.
+
+3.2. TEAP Authentication Phase 1: Tunnel Establishment
+
+ TEAP relies on the TLS handshake [RFC5246] to establish an
+ authenticated and protected tunnel. The TLS version offered by the
+ peer and server MUST be TLS version 1.2 [RFC5246] or later. This
+ version of the TEAP implementation MUST support the following TLS
+ ciphersuites:
+
+ TLS_RSA_WITH_AES_128_CBC_SHA [RFC5246]
+
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC5246]
+
+ This version of the TEAP implementation SHOULD support the following
+ TLS ciphersuite:
+
+ TLS_RSA_WITH_AES_256_CBC_SHA [RFC5246]
+
+ Other ciphersuites MAY be supported. It is REQUIRED that anonymous
+ ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC5246] only
+ be used in the case when the inner authentication method provides
+ mutual authentication, key generation, and resistance to man-in-the-
+ middle and dictionary attacks. TLS ciphersuites that do not provide
+ confidentiality MUST NOT be used. During the TEAP Phase 1
+ conversation, the TEAP endpoints MAY negotiate TLS compression.
+ During TLS tunnel establishment, TLS extensions MAY be used. For
+ instance, the Certificate Status Request extension [RFC6066] and the
+ Multiple Certificate Status Request extension [RFC6961] can be used
+ to leverage a certificate-status protocol such as Online Certificate
+ Status Protocol (OCSP) [RFC6960] to check the validity of server
+ certificates. TLS renegotiation indications defined in RFC 5746
+ [RFC5746] MUST be supported.
+
+ The EAP server initiates the TEAP conversation with an EAP request
+ containing a TEAP/Start packet. This packet includes a set Start (S)
+ bit, the TEAP version as specified in Section 3.1, and an authority
+ identity TLV. The TLS payload in the initial packet is empty. The
+ authority identity TLV (Authority-ID TLV) is used to provide the peer
+ a hint of the server's identity that may be useful in helping the
+
+
+
+Zhou, et al. Standards Track [Page 10]
+
+RFC 7170 TEAP May 2014
+
+
+ peer select the appropriate credential to use. Assuming that the
+ peer supports TEAP, the conversation continues with the peer sending
+ an EAP-Response packet with EAP type of TEAP with the Start (S) bit
+ clear and the version as specified in Section 3.1. This message
+ encapsulates one or more TLS handshake messages. If the TEAP version
+ negotiation is successful, then the TEAP conversation continues until
+ the EAP server and EAP peer are ready to enter Phase 2. When the
+ full TLS handshake is performed, then the first payload of TEAP Phase
+ 2 MAY be sent along with a server-finished handshake message to
+ reduce the number of round trips.
+
+ TEAP implementations MUST support mutual peer authentication during
+ tunnel establishment using the TLS ciphersuites specified in this
+ section. The TEAP peer does not need to authenticate as part of the
+ TLS exchange but can alternatively be authenticated through
+ additional exchanges carried out in Phase 2.
+
+ The TEAP tunnel protects peer identity information exchanged during
+ Phase 2 from disclosure outside the tunnel. Implementations that
+ wish to provide identity privacy for the peer identity need to
+ carefully consider what information is disclosed outside the tunnel
+ prior to Phase 2. TEAP implementations SHOULD support the immediate
+ renegotiation of a TLS session to initiate a new handshake message
+ exchange under the protection of the current ciphersuite. This
+ allows support for protection of the peer's identity when using TLS
+ client authentication. An example of the exchanges using TLS
+ renegotiation to protect privacy is shown in Appendix C.
+
+ The following sections describe resuming a TLS session based on
+ server-side or client-side state.
+
+3.2.1. TLS Session Resume Using Server State
+
+ TEAP session resumption is achieved in the same manner TLS achieves
+ session resume. To support session resumption, the server and peer
+ minimally cache the Session ID, master secret, and ciphersuite. The
+ peer attempts to resume a session by including a valid Session ID
+ from a previous TLS handshake in its ClientHello message. If the
+ server finds a match for the Session ID and is willing to establish a
+ new connection using the specified session state, the server will
+ respond with the same Session ID and proceed with the TEAP Phase 1
+ tunnel establishment based on a TLS abbreviated handshake. After a
+ successful conclusion of the TEAP Phase 1 conversation, the
+ conversation then continues on to Phase 2.
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 11]
+
+RFC 7170 TEAP May 2014
+
+
+3.2.2. TLS Session Resume Using a PAC
+
+ TEAP supports the resumption of sessions based on server state being
+ stored on the client side using the TLS SessionTicket extension
+ techniques described in [RFC5077]. This version of TEAP supports the
+ provisioning of a ticket called a Protected Access Credential (PAC)
+ through the use of the NewSessionTicket handshake described in
+ [RFC5077], as well as provisioning of a PAC inside the protected
+ tunnel. Implementations MUST support the TLS Ticket extension
+ [RFC5077] mechanism for distributing a PAC and may provide additional
+ ways to provision the PAC, such as manual configuration. Since the
+ PAC mentioned here is used for establishing the TLS tunnel, it is
+ more specifically referred to as the Tunnel PAC. The Tunnel PAC is a
+ security credential provided by the EAP server to a peer and
+ comprised of:
+
+ 1. PAC-Key: this is the key used by the peer as the TLS master
+ secret to establish the TEAP Phase 1 tunnel. The PAC-Key is a
+ strong, high-entropy, at minimum 48-octet key and is typically
+ the master secret from a previous TLS session. The PAC-Key is a
+ secret and MUST be treated accordingly. Otherwise, if leaked, it
+ could lead to user credentials being compromised if sent within
+ the tunnel established using the PAC-Key. In the case that a
+ PAC-Key is provisioned to the peer through another means, it MUST
+ have its confidentiality and integrity protected by a mechanism,
+ such as the TEAP Phase 2 tunnel. The PAC-Key MUST be stored
+ securely by the peer.
+
+ 2. PAC-Opaque: this is a variable-length field containing the ticket
+ that is sent to the EAP server during the TEAP Phase 1 tunnel
+ establishment based on [RFC5077]. The PAC-Opaque can only be
+ interpreted by the EAP server to recover the required information
+ for the server to validate the peer's identity and
+ authentication. The PAC-Opaque includes the PAC-Key and other
+ TLS session parameters. It may contain the PAC's peer identity.
+ The PAC-Opaque format and contents are specific to the PAC
+ issuing server. The PAC-Opaque may be presented in the clear, so
+ an attacker MUST NOT be able to gain useful information from the
+ PAC-Opaque itself. The server issuing the PAC-Opaque needs to
+ ensure it is protected with strong cryptographic keys and
+ algorithms. The PAC-Opaque may be distributed using the
+ NewSessionTicket message defined in [RFC5077], or it may be
+ distributed through another mechanism such as the Phase 2 TLVs
+ defined in this document.
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 12]
+
+RFC 7170 TEAP May 2014
+
+
+ 3. PAC-Info: this is an optional variable-length field used to
+ provide, at a minimum, the authority identity of the PAC issuer.
+ Other useful but not mandatory information, such as the PAC-Key
+ lifetime, may also be conveyed by the PAC-issuing server to the
+ peer during PAC provisioning or refreshment. PAC-Info is not
+ included if the NewSessionTicket message is used to provision the
+ PAC.
+
+ The use of the PAC is based on the SessionTicket extension defined in
+ [RFC5077]. The EAP server initiates the TEAP conversation as normal.
+ Upon receiving the Authority-ID TLV from the server, the peer checks
+ to see if it has an existing valid PAC-Key and PAC-Opaque for the
+ server. If it does, then it obtains the PAC-Opaque and puts it in
+ the SessionTicket extension in the ClientHello. It is RECOMMENDED in
+ TEAP that the peer include an empty Session ID in a ClientHello
+ containing a PAC-Opaque. This version of TEAP supports the
+ NewSessionTicket Handshake message as described in [RFC5077] for
+ distribution of a new PAC, as well as the provisioning of PAC inside
+ the protected tunnel. If the PAC-Opaque included in the
+ SessionTicket extension is valid and the EAP server permits the
+ abbreviated TLS handshake, it will select the ciphersuite from
+ information within the PAC-Opaque and finish with the abbreviated TLS
+ handshake. If the server receives a Session ID and a PAC-Opaque in
+ the SessionTicket extension in a ClientHello, it should place the
+ same Session ID in the ServerHello if it is resuming a session based
+ on the PAC-Opaque. The conversation then proceeds as described in
+ [RFC5077] until the handshake completes or a fatal error occurs.
+ After the abbreviated handshake completes, the peer and the server
+ are ready to commence Phase 2.
+
+3.2.3. Transition between Abbreviated and Full TLS Handshake
+
+ If session resumption based on server-side or client-side state
+ fails, the server can gracefully fall back to a full TLS handshake.
+ If the ServerHello received by the peer contains an empty Session ID
+ or a Session ID that is different than in the ClientHello, the server
+ may fall back to a full handshake. The peer can distinguish the
+ server's intent to negotiate a full or abbreviated TLS handshake by
+ checking the next TLS handshake messages in the server response to
+ the ClientHello. If ChangeCipherSpec follows the ServerHello in
+ response to the ClientHello, then the server has accepted the session
+ resumption and intends to negotiate the abbreviated handshake.
+ Otherwise, the server intends to negotiate the full TLS handshake. A
+ peer can request that a new PAC be provisioned after the full TLS
+ handshake and mutual authentication of the peer and the server. A
+ peer SHOULD NOT request that a new PAC be provisioned after the
+ abbreviated handshake, as requesting a new session ticket based on
+ resumed session is not permitted. In order to facilitate the
+
+
+
+Zhou, et al. Standards Track [Page 13]
+
+RFC 7170 TEAP May 2014
+
+
+ fallback to a full handshake, the peer SHOULD include ciphersuites
+ that allow for a full handshake and possibly PAC provisioning so the
+ server can select one of these in case session resumption fails. An
+ example of the transition is shown in Appendix C.
+
+3.3. TEAP Authentication Phase 2: Tunneled Authentication
+
+ The second portion of the TEAP authentication occurs immediately
+ after successful completion of Phase 1. Phase 2 occurs even if both
+ peer and authenticator are authenticated in the Phase 1 TLS
+ negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake
+ fails, as that will compromise the security as the tunnel has not
+ been established successfully. Phase 2 consists of a series of
+ requests and responses encapsulated in TLV objects defined in
+ Section 4.2. Phase 2 MUST always end with a Crypto-Binding TLV
+ exchange described in Section 4.2.13 and a protected termination
+ exchange described in Section 3.3.3. The TLV exchange may include
+ the execution of zero or more EAP methods within the protected tunnel
+ as described in Section 3.3.1. A server MAY proceed directly to the
+ protected termination exchange if it does not wish to request further
+ authentication from the peer. However, the peer and server MUST NOT
+ assume that either will skip inner EAP methods or other TLV
+ exchanges, as the other peer might have a different security policy.
+ The peer may have roamed to a network that requires conformance with
+ a different authentication policy, or the peer may request the server
+ take additional action (e.g., channel binding) through the use of the
+ Request-Action TLV as defined in Section 4.2.9.
+
+3.3.1. EAP Sequences
+
+ EAP [RFC3748] prohibits use of multiple authentication methods within
+ a single EAP conversation in order to limit vulnerabilities to man-
+ in-the-middle attacks. TEAP addresses man-in-the-middle attacks
+ through support for cryptographic protection of the inner EAP
+ exchange and cryptographic binding of the inner authentication
+ method(s) to the protected tunnel. EAP methods are executed serially
+ in a sequence. This version of TEAP does not support initiating
+ multiple EAP methods simultaneously in parallel. The methods need
+ not be distinct. For example, EAP-TLS could be run twice as an inner
+ method, first using machine credentials followed by a second instance
+ using user credentials.
+
+ EAP method messages are carried within EAP-Payload TLVs defined in
+ Section 4.2.10. If more than one method is going to be executed in
+ the tunnel, then upon method completion, the server MUST send an
+ Intermediate-Result TLV indicating the result. The peer MUST respond
+ to the Intermediate-Result TLV indicating its result. If the result
+ indicates success, the Intermediate-Result TLV MUST be accompanied by
+
+
+
+Zhou, et al. Standards Track [Page 14]
+
+RFC 7170 TEAP May 2014
+
+
+ a Crypto-Binding TLV. The Crypto-Binding TLV is further discussed in
+ Sections 4.2.13 and 5.3. The Intermediate-Result TLVs can be
+ included with other TLVs such as EAP-Payload TLVs starting a new EAP
+ conversation or with the Result TLV used in the protected termination
+ exchange.
+
+ If both peer and server indicate success, then the method is
+ considered complete. If either indicates failure, then the method is
+ considered failed. The result of failure of an EAP method does not
+ always imply a failure of the overall authentication. If one
+ authentication method fails, the server may attempt to authenticate
+ the peer with a different method.
+
+3.3.2. Optional Password Authentication
+
+ The use of EAP-FAST-GTC as defined in RFC 5421 [RFC5421] is NOT
+ RECOMMENDED with TEAPv1 because EAP-FAST-GTC is not compliant with
+ EAP-GTC defined in [RFC3748]. Implementations should instead make
+ use of the password authentication TLVs defined in this
+ specification. The authentication server initiates password
+ authentication by sending a Basic-Password-Auth-Req TLV defined in
+ Section 4.2.14. If the peer wishes to participate in password
+ authentication, then it responds with a Basic-Password-Auth-Resp TLV
+ as defined in Section 4.2.15 that contains the username and password.
+ If it does not wish to perform password authentication, then it
+ responds with a NAK TLV indicating the rejection of the Basic-
+ Password-Auth-Req TLV. Upon receiving the response, the server
+ indicates the success or failure of the exchange using an
+ Intermediate-Result TLV. Multiple round trips of password
+ authentication requests and responses MAY be used to support some
+ "housecleaning" functions such as a password or pin change before a
+ user is authenticated.
+
+3.3.3. Protected Termination and Acknowledged Result Indication
+
+ A successful TEAP Phase 2 conversation MUST always end in a
+ successful Crypto-Binding TLV and Result TLV exchange. A TEAP server
+ may initiate the Crypto-Binding TLV and Result TLV exchange without
+ initiating any EAP conversation in TEAP Phase 2. After the final
+ Result TLV exchange, the TLS tunnel is terminated, and a cleartext
+ EAP Success or EAP Failure is sent by the server. Peers implementing
+ TEAP MUST NOT accept a cleartext EAP Success or failure packet prior
+ to the peer and server reaching synchronized protected result
+ indication.
+
+ The Crypto-Binding TLV exchange is used to prove that both the peer
+ and server participated in the tunnel establishment and sequence of
+ authentications. It also provides verification of the TEAP type,
+
+
+
+Zhou, et al. Standards Track [Page 15]
+
+RFC 7170 TEAP May 2014
+
+
+ version negotiated, and Outer TLVs exchanged before the TLS tunnel
+ establishment. The Crypto-Binding TLV MUST be exchanged and verified
+ before the final Result TLV exchange, regardless of whether or not
+ there is an inner EAP method authentication. The Crypto-Binding TLV
+ and Intermediate-Result TLV MUST be included to perform cryptographic
+ binding after each successful EAP method in a sequence of one or more
+ EAP methods. The server may send the final Result TLV along with an
+ Intermediate-Result TLV and a Crypto-Binding TLV to indicate its
+ intention to end the conversation. If the peer requires nothing more
+ from the server, it will respond with a Result TLV indicating success
+ accompanied by a Crypto-Binding TLV and Intermediate-Result TLV if
+ necessary. The server then tears down the tunnel and sends a
+ cleartext EAP Success or EAP Failure.
+
+ If the peer receives a Result TLV indicating success from the server,
+ but its authentication policies are not satisfied (for example, it
+ requires a particular authentication mechanism be run or it wants to
+ request a PAC), it may request further action from the server using
+ the Request-Action TLV. The Request-Action TLV is sent with a Status
+ field indicating what EAP Success/Failure result the peer would
+ expect if the requested action is not granted. The value of the
+ Action field indicates what the peer would like to do next. The
+ format and values for the Request-Action TLV are defined in
+ Section 4.2.9.
+
+ Upon receiving the Request-Action TLV, the server may process the
+ request or ignore it, based on its policy. If the server ignores the
+ request, it proceeds with termination of the tunnel and sends the
+ cleartext EAP Success or Failure message based on the Status field of
+ the peer's Request-Action TLV. If the server honors and processes
+ the request, it continues with the requested action. The
+ conversation completes with a Result TLV exchange. The Result TLV
+ may be included with the TLV that completes the requested action.
+
+ Error handling for Phase 2 is discussed in Section 3.6.3.
+
+3.4. Determining Peer-Id and Server-Id
+
+ The Peer-Id and Server-Id [RFC5247] may be determined based on the
+ types of credentials used during either the TEAP tunnel creation or
+ authentication. In the case of multiple peer authentications, all
+ authenticated peer identities and their corresponding identity types
+ (Section 4.2.3) need to be exported. In the case of multiple server
+ authentications, all authenticated server identities need to be
+ exported.
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 16]
+
+RFC 7170 TEAP May 2014
+
+
+ When X.509 certificates are used for peer authentication, the Peer-Id
+ is determined by the subject and subjectAltName fields in the peer
+ certificate. As noted in [RFC5280]:
+
+ The subject field identifies the entity associated with the public
+ key stored in the subject public key field. The subject name MAY
+ be carried in the subject field and/or the subjectAltName
+ extension. . . . If subject naming information is present only in
+ the subjectAltName extension (e.g., a key bound only to an email
+ address or URI), then the subject name MUST be an empty sequence
+ and the subjectAltName extension MUST be critical.
+
+ Where it is non-empty, the subject field MUST contain an X.500
+ distinguished name (DN).
+
+ If an inner EAP method is run, then the Peer-Id is obtained from the
+ inner method.
+
+ When the server uses an X.509 certificate to establish the TLS
+ tunnel, the Server-Id is determined in a similar fashion as stated
+ above for the Peer-Id, e.g., the subject and subjectAltName fields in
+ the server certificate define the Server-Id.
+
+3.5. TEAP Session Identifier
+
+ The EAP session identifier [RFC5247] is constructed using the tls-
+ unique from the Phase 1 outer tunnel at the beginning of Phase 2 as
+ defined by Section 3.1 of [RFC5929]. The Session-Id is defined as
+ follows:
+
+ Session-Id = teap_type || tls-unique
+
+ where teap_type is the EAP Type assigned to TEAP
+
+ tls-unique = tls-unique from the Phase 1 outer tunnel at the
+ beginning of Phase 2 as defined by Section 3.1 of [RFC5929]
+
+ || means concatenation
+
+3.6. Error Handling
+
+ TEAP uses the error-handling rules summarized below:
+
+ 1. Errors in the outer EAP packet layer are handled as defined in
+ Section 3.6.1.
+
+ 2. Errors in the TLS layer are communicated via TLS alert messages
+ in all phases of TEAP.
+
+
+
+Zhou, et al. Standards Track [Page 17]
+
+RFC 7170 TEAP May 2014
+
+
+ 3. The Intermediate-Result TLVs carry success or failure indications
+ of the individual EAP methods in TEAP Phase 2. Errors within the
+ EAP conversation in Phase 2 are expected to be handled by
+ individual EAP methods.
+
+ 4. Violations of the Inner TLV rules are handled using Result TLVs
+ together with Error TLVs.
+
+ 5. Tunnel-compromised errors (errors caused by a failed or missing
+ Crypto-Binding) are handled using Result TLVs and Error TLVs.
+
+3.6.1. Outer-Layer Errors
+
+ Errors on the TEAP outer-packet layer are handled in the following
+ ways:
+
+ 1. If Outer TLVs are invalid or contain unknown values, they will be
+ ignored.
+
+ 2. The entire TEAP packet will be ignored if other fields (version,
+ length, flags, etc.) are inconsistent with this specification.
+
+3.6.2. TLS Layer Errors
+
+ If the TEAP server detects an error at any point in the TLS handshake
+ or the TLS layer, the server SHOULD send a TEAP request encapsulating
+ a TLS record containing the appropriate TLS alert message rather than
+ immediately terminating the conversation so as to allow the peer to
+ inform the user of the cause of the failure and possibly allow for a
+ restart of the conversation. The peer MUST send a TEAP response to
+ an alert message. The EAP-Response packet sent by the peer may
+ encapsulate a TLS ClientHello handshake message, in which case the
+ TEAP server MAY allow the TEAP conversation to be restarted, or it
+ MAY contain a TEAP response with a zero-length message, in which case
+ the server MUST terminate the conversation with an EAP Failure
+ packet. It is up to the TEAP server whether or not to allow
+ restarts, and, if allowed, how many times the conversation can be
+ restarted. Per TLS [RFC5246], TLS restart is only allowed for non-
+ fatal alerts. A TEAP server implementing restart capability SHOULD
+ impose a limit on the number of restarts, so as to protect against
+ denial-of-service attacks. If the TEAP server does not allow
+ restarts, it MUST terminate the conversation with an EAP Failure
+ packet.
+
+ If the TEAP peer detects an error at any point in the TLS layer, the
+ TEAP peer SHOULD send a TEAP response encapsulating a TLS record
+ containing the appropriate TLS alert message. The server may restart
+ the conversation by sending a TEAP request packet encapsulating the
+
+
+
+Zhou, et al. Standards Track [Page 18]
+
+RFC 7170 TEAP May 2014
+
+
+ TLS HelloRequest handshake message. The peer may allow the TEAP
+ conversation to be restarted, or it may terminate the conversation by
+ sending a TEAP response with a zero-length message.
+
+3.6.3. Phase 2 Errors
+
+ Any time the peer or the server finds a fatal error outside of the
+ TLS layer during Phase 2 TLV processing, it MUST send a Result TLV of
+ failure and an Error TLV with the appropriate error code. For errors
+ involving the processing of the sequence of exchanges, such as a
+ violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error
+ code is Unexpected TLVs Exchanged. For errors involving a tunnel
+ compromise, the error code is Tunnel Compromise Error. Upon sending
+ a Result TLV with a fatal Error TLV, the sender terminates the TLS
+ tunnel. Note that a server will still wait for a message from the
+ peer after it sends a failure; however, the server does not need to
+ process the contents of the response message.
+
+ For the inner method, retransmission is not needed and SHOULD NOT be
+ attempted, as the Outer TLS tunnel can be considered a reliable
+ transport. If there is a non-fatal error handling the inner method,
+ instead of silently dropping the inner method request or response and
+ not responding, the receiving side SHOULD use an Error TLV with error
+ code Inner Method Error to indicate an error processing the current
+ inner method. The side receiving the Error TLV MAY decide to start a
+ new inner method instead or send back a Result TLV to terminate the
+ TEAP authentication session.
+
+ If a server receives a Result TLV of failure with a fatal Error TLV,
+ it MUST send a cleartext EAP Failure. If a peer receives a Result
+ TLV of failure, it MUST respond with a Result TLV indicating failure.
+ If the server has sent a Result TLV of failure, it ignores the peer
+ response, and it MUST send a cleartext EAP Failure.
+
+3.7. Fragmentation
+
+ A single TLS record may be up to 16384 octets in length, but a TLS
+ message may span multiple TLS records, and a TLS certificate message
+ may, in principle, be as long as 16 MB. This is larger than the
+ maximum size for a message on most media types; therefore, it is
+ desirable to support fragmentation. Note that in order to protect
+ against reassembly lockup and denial-of-service attacks, it may be
+ desirable for an implementation to set a maximum size for one such
+ group of TLS messages. Since a typical certificate chain is rarely
+ longer than a few thousand octets, and no other field is likely to be
+ anywhere near as long, a reasonable choice of maximum acceptable
+ message length might be 64 KB. This is still a fairly large message
+ packet size so a TEAP implementation MUST provide its own support for
+
+
+
+Zhou, et al. Standards Track [Page 19]
+
+RFC 7170 TEAP May 2014
+
+
+ fragmentation and reassembly. Section 3.1 of [RFC3748] discusses
+ determining the MTU usable by EAP, and Section 4.3 discusses
+ retransmissions in EAP.
+
+ Since EAP is a lock-step protocol, fragmentation support can be added
+ in a simple manner. In EAP, fragments that are lost or damaged in
+ transit will be retransmitted, and since sequencing information is
+ provided by the Identifier field in EAP, there is no need for a
+ fragment offset field.
+
+ TEAP fragmentation support is provided through the addition of flag
+ bits within the EAP-Response and EAP-Request packets, as well as a
+ Message Length field of four octets. Flags include the Length
+ included (L), More fragments (M), and TEAP Start (S) bits. The L
+ flag is set to indicate the presence of the four-octet Message Length
+ field and MUST be set for the first fragment of a fragmented TLS
+ message or set of messages. It MUST NOT be present for any other
+ message. The M flag is set on all but the last fragment. The S flag
+ is set only within the TEAP start message sent from the EAP server to
+ the peer. The Message Length field is four octets and provides the
+ total length of the message that may be fragmented over the data
+ fields of multiple packets; this simplifies buffer allocation.
+
+ When a TEAP peer receives an EAP-Request packet with the M bit set,
+ it MUST respond with an EAP-Response with EAP Type of TEAP and no
+ data. This serves as a fragment ACK. The EAP server MUST wait until
+ it receives the EAP-Response before sending another fragment. In
+ order to prevent errors in processing of fragments, the EAP server
+ MUST increment the Identifier field for each fragment contained
+ within an EAP-Request, and the peer MUST include this Identifier
+ value in the fragment ACK contained within the EAP-Response.
+ Retransmitted fragments will contain the same Identifier value.
+
+ Similarly, when the TEAP server receives an EAP-Response with the M
+ bit set, it responds with an EAP-Request with EAP Type of TEAP and no
+ data. This serves as a fragment ACK. The EAP peer MUST wait until
+ it receives the EAP-Request before sending another fragment. In
+ order to prevent errors in the processing of fragments, the EAP
+ server MUST increment the Identifier value for each fragment ACK
+ contained within an EAP-Request, and the peer MUST include this
+ Identifier value in the subsequent fragment contained within an EAP-
+ Response.
+
+3.8. Peer Services
+
+ Several TEAP services, including server unauthenticated provisioning,
+ PAC provisioning, certificate provisioning, and channel binding,
+ depend on the peer trusting the TEAP server. Peers MUST authenticate
+
+
+
+Zhou, et al. Standards Track [Page 20]
+
+RFC 7170 TEAP May 2014
+
+
+ the server before these peer services are used. TEAP peer
+ implementations MUST have a configuration where authentication fails
+ if server authentication cannot be achieved. In many cases, the
+ server will want to authenticate the peer before providing these
+ services as well.
+
+ TEAP peers MUST track whether or not server authentication has taken
+ place. Server authentication results if the peer trusts the provided
+ server certificate. Typically, this involves both validating the
+ certificate to a trust anchor and confirming the entity named by the
+ certificate is the intended server. Server authentication also
+ results when the procedures in Section 3.2 are used to resume a
+ session in which the peer and server were previously mutually
+ authenticated. Alternatively, peer services can be used if an inner
+ EAP method providing mutual authentication and an Extended Master
+ Session Key (EMSK) is executed and cryptographic binding with the
+ EMSK Compound Message Authentication Code (MAC) is correctly
+ validated (Section 4.2.13). This is further described in
+ Section 3.8.3.
+
+ An additional complication arises when a tunnel method authenticates
+ multiple parties such as authenticating both the peer machine and the
+ peer user to the EAP server. Depending on how authentication is
+ achieved, only some of these parties may have confidence in it. For
+ example, if a strong shared secret is used to mutually authenticate
+ the user and the EAP server, the machine may not have confidence that
+ the EAP server is the authenticated party if the machine cannot trust
+ the user not to disclose the shared secret to an attacker. In these
+ cases, the parties who participate in the authentication need to be
+ considered when evaluating whether to use peer services.
+
+3.8.1. PAC Provisioning
+
+ To request provisioning of a PAC, a peer sends a PAC TLV as defined
+ in Section 4.2.12 containing a PAC Attribute as defined in
+ Section 4.2.12.1 of PAC-Type set to the appropriate value. The peer
+ MUST successfully authenticate the EAP server and validate the
+ Crypto-Binding TLV as defined in Section 4.2.13 before issuing the
+ request. The peer MUST send separate PAC TLVs for each type of PAC
+ it wants to be provisioned. Multiple PAC TLVs can be sent in the
+ same packet or in different packets. The EAP server will send the
+ PACs after its internal policy has been satisfied, or it MAY ignore
+ the request or request additional authentications if its policy
+ dictates. The server MAY cache the request and provision the PACs
+ requested after all of its internal policies have been satisfied. If
+ a peer receives a PAC with an unknown type, it MUST ignore it.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 21]
+
+RFC 7170 TEAP May 2014
+
+
+ A PAC TLV containing a PAC-Acknowledge attribute MUST be sent by the
+ peer to acknowledge the receipt of the Tunnel PAC. A PAC TLV
+ containing a PAC-Acknowledge attribute MUST NOT be used by the peer
+ to acknowledge the receipt of other types of PACs. If the peer
+ receives a PAC TLV with an unknown attribute, it SHOULD ignore the
+ unknown attribute.
+
+3.8.2. Certificate Provisioning within the Tunnel
+
+ Provisioning of a peer's certificate is supported in TEAP by
+ performing the Simple PKI Request/Response from [RFC5272] using
+ PKCS#10 and PKCS#7 TLVs, respectively. A peer sends the Simple PKI
+ Request using a PKCS#10 CertificateRequest [RFC2986] encoded into the
+ body of a PKCS#10 TLV (see Section 4.2.17). The TEAP server issues a
+ Simple PKI Response using a PKCS#7 [RFC2315] degenerate "Certificates
+ Only" message encoded into the body of a PKCS#7 TLV (see
+ Section 4.2.16), only after an authentication method has run and
+ provided an identity proof on the peer prior to a certificate is
+ being issued.
+
+ In order to provide linking identity and proof-of-possession by
+ including information specific to the current authenticated TLS
+ session within the signed certification request, the peer generating
+ the request SHOULD obtain the tls-unique value from the TLS subsystem
+ as defined in "Channel Bindings for TLS" [RFC5929]. The TEAP peer
+ operations between obtaining the tls_unique value through generation
+ of the Certification Signing Request (CSR) that contains the current
+ tls_unique value and the subsequent verification of this value by the
+ TEAP server are the "phases of the application protocol during which
+ application-layer authentication occurs" that are protected by the
+ synchronization interoperability mechanism described in the
+ interoperability note in "Channel Bindings for TLS" ([RFC5929],
+ Section 3.1). When performing renegotiation, TLS
+ "secure_renegotiation" [RFC5746] MUST be used.
+
+ The tls-unique value is base-64-encoded as specified in Section 4 of
+ [RFC4648], and the resulting string is placed in the certification
+ request challengePassword field ([RFC2985], Section 5.4.1). The
+ challengePassword field is limited to 255 octets (Section 7.4.9 of
+ [RFC5246] indicates that no existing ciphersuite would result in an
+ issue with this limitation). If tls-unique information is not
+ embedded within the certification request, the challengePassword
+ field MUST be empty to indicate that the peer did not include the
+ optional channel-binding information (any value submitted is verified
+ by the server as tls-unique information).
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 22]
+
+RFC 7170 TEAP May 2014
+
+
+ The server SHOULD verify the tls-unique information. This ensures
+ that the authenticated TEAP peer is in possession of the private key
+ used to sign the certification request.
+
+ The Simple PKI Request/Response generation and processing rules of
+ [RFC5272] SHALL apply to TEAP, with the exception of error
+ conditions. In the event of an error, the TEAP server SHOULD respond
+ with an Error TLV using the most descriptive error code possible; it
+ MAY ignore the PKCS#10 request that generated the error.
+
+3.8.3. Server Unauthenticated Provisioning Mode
+
+ In Server Unauthenticated Provisioning Mode, an unauthenticated
+ tunnel is established in Phase 1, and the peer and server negotiate
+ an EAP method in Phase 2 that supports mutual authentication and key
+ derivation that is resistant to attacks such as man-in-the-middle and
+ dictionary attacks. This provisioning mode enables the bootstrapping
+ of peers when the peer lacks the ability to authenticate the server
+ during Phase 1. This includes both cases in which the ciphersuite
+ negotiated does not provide authentication and in which the
+ ciphersuite negotiated provides the authentication but the peer is
+ unable to validate the identity of the server for some reason.
+
+ Upon successful completion of the EAP method in Phase 2, the peer and
+ server exchange a Crypto-Binding TLV to bind the inner method with
+ the outer tunnel and ensure that a man-in-the-middle attack has not
+ been attempted.
+
+ Support for the Server Unauthenticated Provisioning Mode is optional.
+ The ciphersuite TLS_DH_anon_WITH_AES_128_CBC_SHA is RECOMMENDED when
+ using Server Unauthenticated Provisioning Mode, but other anonymous
+ ciphersuites MAY be supported as long as the TLS pre-master secret is
+ generated from contribution from both peers. Phase 2 EAP methods
+ used in Server Unauthenticated Provisioning Mode MUST provide mutual
+ authentication, provide key generation, and be resistant to
+ dictionary attack. Example inner methods include EAP-pwd [RFC5931]
+ and EAP-EKE [RFC6124].
+
+3.8.4. Channel Binding
+
+ [RFC6677] defines EAP channel bindings to solve the "lying NAS" and
+ the "lying provider" problems, using a process in which the EAP peer
+ gives information about the characteristics of the service provided
+ by the authenticator to the Authentication, Authorization, and
+ Accounting (AAA) server protected within the EAP method. This allows
+ the server to verify the authenticator is providing information to
+
+
+
+
+
+Zhou, et al. Standards Track [Page 23]
+
+RFC 7170 TEAP May 2014
+
+
+ the peer that is consistent with the information received from this
+ authenticator as well as the information stored about this
+ authenticator.
+
+ TEAP supports EAP channel binding using the Channel-Binding TLV
+ defined in Section 4.2.7. If the TEAP server wants to request the
+ channel-binding information from the peer, it sends an empty Channel-
+ Binding TLV to indicate the request. The peer responds to the
+ request by sending a Channel-Binding TLV containing a channel-binding
+ message as defined in [RFC6677]. The server validates the channel-
+ binding message and sends back a Channel-Binding TLV with a result
+ code. If the server didn't initiate the channel-binding request and
+ the peer still wants to send the channel-binding information to the
+ server, it can do that by using the Request-Action TLV along with the
+ Channel-Binding TLV. The peer MUST only send channel-binding
+ information after it has successfully authenticated the server and
+ established the protected tunnel.
+
+4. Message Formats
+
+ The following sections describe the message formats used in TEAP.
+ The fields are transmitted from left to right in network byte order.
+
+4.1. TEAP Message Format
+
+ A summary of the TEAP Request/Response packet format is shown below.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Flags | Ver | Message Length :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : Message Length | Outer TLV Length
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : Outer TLV Length | TLS Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Outer TLVs...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Code
+
+ The Code field is one octet in length and is defined as follows:
+
+ 1 Request
+
+ 2 Response
+
+
+
+Zhou, et al. Standards Track [Page 24]
+
+RFC 7170 TEAP May 2014
+
+
+ Identifier
+
+ The Identifier field is one octet and aids in matching responses
+ with requests. The Identifier field MUST be changed on each
+ Request packet. The Identifier field in the Response packet MUST
+ match the Identifier field from the corresponding request.
+
+ Length
+
+ The Length field is two octets and indicates the length of the EAP
+ packet including the Code, Identifier, Length, Type, Flags, Ver,
+ Message Length, TLS Data, and Outer TLVs fields. Octets outside
+ the range of the Length field should be treated as Data Link Layer
+ padding and should be ignored on reception.
+
+ Type
+
+ 55 for TEAP
+
+ Flags
+
+ 0 1 2 3 4
+ +-+-+-+-+-+
+ |L M S O R|
+ +-+-+-+-+-+
+
+ L Length included; set to indicate the presence of the four-octet
+ Message Length field. It MUST be present for the first
+ fragment of a fragmented message. It MUST NOT be present for
+ any other message.
+
+ M More fragments; set on all but the last fragment.
+
+ S TEAP start; set in a TEAP Start message sent from the server to
+ the peer.
+
+ O Outer TLV length included; set to indicate the presence of the
+ four-octet Outer TLV Length field. It MUST be present only in
+ the initial request and response messages. If the initial
+ message is fragmented, then it MUST be present only on the
+ first fragment.
+
+ R Reserved (MUST be zero and ignored upon receipt)
+
+ Ver
+
+ This field contains the version of the protocol. This document
+ describes version 1 (001 in binary) of TEAP.
+
+
+
+Zhou, et al. Standards Track [Page 25]
+
+RFC 7170 TEAP May 2014
+
+
+ Message Length
+
+ The Message Length field is four octets and is present only if the
+ L bit is set. This field provides the total length of the message
+ that may be fragmented over the data fields of multiple packets.
+
+ Outer TLV Length
+
+ The Outer TLV Length field is four octets and is present only if
+ the O bit is set. This field provides the total length of the
+ Outer TLVs if present.
+
+ TLS Data
+
+ When the TLS Data field is present, it consists of an encapsulated
+ TLS packet in TLS record format. A TEAP packet with Flags and
+ Version fields, but with zero length TLS Data field, is used to
+ indicate TEAP acknowledgement for either a fragmented message, a
+ TLS Alert message, or a TLS Finished message.
+
+ Outer TLVs
+
+ The Outer TLVs consist of the optional data used to help establish
+ the TLS tunnel in TLV format. They are only allowed in the first
+ two messages in the TEAP protocol. That is the first EAP-server-
+ to-peer message and first peer-to-EAP-server message. The start
+ of the Outer TLVs can be derived from the EAP Length field and
+ Outer TLV Length field.
+
+4.2. TEAP TLV Format and Support
+
+ The TLVs defined here are TLV objects. The TLV objects could be used
+ to carry arbitrary parameters between an EAP peer and EAP server
+ within the protected TLS tunnel.
+
+ The EAP peer may not necessarily implement all the TLVs supported by
+ the EAP server. To allow for interoperability, TLVs are designed to
+ allow an EAP server to discover if a TLV is supported by the EAP peer
+ using the NAK TLV. The mandatory bit in a TLV indicates whether
+ support of the TLV is required. If the peer or server does not
+ support a TLV marked mandatory, then it MUST send a NAK TLV in the
+ response, and all the other TLVs in the message MUST be ignored. If
+ an EAP peer or server finds an unsupported TLV that is marked as
+ optional, it can ignore the unsupported TLV. It MUST NOT send a NAK
+ TLV for a TLV that is not marked mandatory. If all TLVs in a message
+ are marked optional and none are understood by the peer, then a NAK
+ TLV or Result TLV could be sent to the other side in order to
+ continue the conversation.
+
+
+
+Zhou, et al. Standards Track [Page 26]
+
+RFC 7170 TEAP May 2014
+
+
+ Note that a peer or server may support a TLV with the mandatory bit
+ set but may not understand the contents. The appropriate response to
+ a supported TLV with content that is not understood is defined by the
+ individual TLV specification.
+
+ EAP implementations compliant with this specification MUST support
+ TLV exchanges as well as the processing of mandatory/optional
+ settings on the TLV. Implementations conforming to this
+ specification MUST support the following TLVs:
+
+ Authority-ID TLV
+
+ Identity-Type TLV
+
+ Result TLV
+
+ NAK TLV
+
+ Error TLV
+
+ Request-Action TLV
+
+ EAP-Payload TLV
+
+ Intermediate-Result TLV
+
+ Crypto-Binding TLV
+
+ Basic-Password-Auth-Req TLV
+
+ Basic-Password-Auth-Resp TLV
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 27]
+
+RFC 7170 TEAP May 2014
+
+
+4.2.1. General TLV Format
+
+ TLVs are defined as described below. The fields are transmitted from
+ left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 Optional TLV
+
+ 1 Mandatory TLV
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ A 14-bit field, denoting the TLV type. Allocated types include:
+
+ 0 Unassigned
+
+ 1 Authority-ID TLV (Section 4.2.2)
+
+ 2 Identity-Type TLV (Section 4.2.3)
+
+ 3 Result TLV (Section 4.2.4)
+
+ 4 NAK TLV (Section 4.2.5)
+
+ 5 Error TLV (Section 4.2.6)
+
+ 6 Channel-Binding TLV (Section 4.2.7)
+
+ 7 Vendor-Specific TLV (Section 4.2.8)
+
+ 8 Request-Action TLV (Section 4.2.9)
+
+ 9 EAP-Payload TLV (Section 4.2.10)
+
+ 10 Intermediate-Result TLV (Section 4.2.11)
+
+
+
+Zhou, et al. Standards Track [Page 28]
+
+RFC 7170 TEAP May 2014
+
+
+ 11 PAC TLV (Section 4.2.12)
+
+ 12 Crypto-Binding TLV (Section 4.2.13)
+
+ 13 Basic-Password-Auth-Req TLV (Section 4.2.14)
+
+ 14 Basic-Password-Auth-Resp TLV (Section 4.2.15)
+
+ 15 PKCS#7 TLV (Section 4.2.16)
+
+ 16 PKCS#10 TLV (Section 4.2.17)
+
+ 17 Trusted-Server-Root TLV (Section 4.2.18)
+
+ Length
+
+ The length of the Value field in octets.
+
+ Value
+
+ The value of the TLV.
+
+4.2.2. Authority-ID TLV
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ID...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 1 - Authority-ID
+
+ Length
+
+ The Length field is two octets and contains the length of the ID
+ field in octets.
+
+
+
+Zhou, et al. Standards Track [Page 29]
+
+RFC 7170 TEAP May 2014
+
+
+ ID
+
+ Hint of the identity of the server to help the peer to match the
+ credentials available for the server. It should be unique across
+ the deployment.
+
+4.2.3. Identity-Type TLV
+
+ The Identity-Type TLV allows an EAP server to send a hint to help the
+ EAP peer select the right type of identity, for example, user or
+ machine. TEAPv1 implementations MUST support this TLV. Only one
+ Identity-Type TLV SHOULD be present in the TEAP request or response
+ packet. The Identity-Type TLV request MUST come with an EAP-Payload
+ TLV or Basic-Password-Auth-Req TLV. If the EAP peer does have an
+ identity corresponding to the identity type requested, then the peer
+ SHOULD respond with an Identity-Type TLV with the requested type. If
+ the Identity-Type field does not contain one of the known values or
+ if the EAP peer does not have an identity corresponding to the
+ identity type requested, then the peer SHOULD respond with an
+ Identity-Type TLV with the one of available identity types. If the
+ server receives an identity type in the response that does not match
+ the requested type, then the peer does not possess the requested
+ credential type, and the server SHOULD proceed with authentication
+ for the credential type proposed by the peer, proceed with requesting
+ another credential type, or simply apply the network policy based on
+ the configured policy, e.g., sending Result TLV with Failure.
+
+ The Identity-Type TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Identity-Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 (Optional)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 2 - Identity-Type TLV
+
+
+
+Zhou, et al. Standards Track [Page 30]
+
+RFC 7170 TEAP May 2014
+
+
+ Length
+
+ 2
+
+ Identity-Type
+
+ The Identity-Type field is two octets. Values include:
+
+ 1 User
+
+ 2 Machine
+
+4.2.4. Result TLV
+
+ The Result TLV provides support for acknowledged success and failure
+ messages for protected termination within TEAP. If the Status field
+ does not contain one of the known values, then the peer or EAP server
+ MUST treat this as a fatal error of Unexpected TLVs Exchanged. The
+ behavior of the Result TLV is further discussed in Sections 3.3.3 and
+ 3.6.3. A Result TLV indicating failure MUST NOT be accompanied by
+ the following TLVs: NAK, EAP-Payload TLV, or Crypto-Binding TLV. The
+ Result TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Status |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 3 - Result TLV
+
+ Length
+
+ 2
+
+
+
+
+
+Zhou, et al. Standards Track [Page 31]
+
+RFC 7170 TEAP May 2014
+
+
+ Status
+
+ The Status field is two octets. Values include:
+
+ 1 Success
+
+ 2 Failure
+
+4.2.5. NAK TLV
+
+ The NAK TLV allows a peer to detect TLVs that are not supported by
+ the other peer. A TEAP packet can contain 0 or more NAK TLVs. A NAK
+ TLV should not be accompanied by other TLVs. A NAK TLV MUST NOT be
+ sent in response to a message containing a Result TLV, instead a
+ Result TLV of failure should be sent indicating failure and an Error
+ TLV of Unexpected TLVs Exchanged. The NAK TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Vendor-Id |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | NAK-Type | TLVs...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 4 - NAK TLV
+
+ Length
+
+ >=6
+
+ Vendor-Id
+
+ The Vendor-Id field is four octets and contains the Vendor-Id of
+ the TLV that was not supported. The high-order octet is 0, and
+ the low-order three octets are the Structure of Management
+
+
+
+Zhou, et al. Standards Track [Page 32]
+
+RFC 7170 TEAP May 2014
+
+
+ Information (SMI) Network Management Private Enterprise Number of
+ the Vendor in network byte order. The Vendor-Id field MUST be
+ zero for TLVs that are not Vendor-Specific TLVs.
+
+ NAK-Type
+
+ The NAK-Type field is two octets. The field contains the type of
+ the TLV that was not supported. A TLV of this type MUST have been
+ included in the previous packet.
+
+ TLVs
+
+ This field contains a list of zero or more TLVs, each of which
+ MUST NOT have the mandatory bit set. These optional TLVs are for
+ future extensibility to communicate why the offending TLV was
+ determined to be unsupported.
+
+4.2.6. Error TLV
+
+ The Error TLV allows an EAP peer or server to indicate errors to the
+ other party. A TEAP packet can contain 0 or more Error TLVs. The
+ Error-Code field describes the type of error. Error codes 1-999
+ represent successful outcomes (informative messages), 1000-1999
+ represent warnings, and 2000-2999 represent fatal errors. A fatal
+ Error TLV MUST be accompanied by a Result TLV indicating failure, and
+ the conversation is terminated as described in Section 3.6.3.
+
+ Many of the error codes below refer to errors in inner method
+ processing that may be retrieved if made available by the inner
+ method. Implementations MUST take care that error messages do not
+ reveal too much information to an attacker. For example, the usage
+ of error message 1031 (User account credentials incorrect) is NOT
+ RECOMMENDED, because it allows an attacker to determine valid
+ usernames by differentiating this response from other responses. It
+ should only be used for troubleshooting purposes.
+
+ The Error TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Error-Code |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 33]
+
+RFC 7170 TEAP May 2014
+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 5 - Error TLV
+
+ Length
+
+ 4
+
+ Error-Code
+
+ The Error-Code field is four octets. Currently defined values for
+ Error-Code include:
+
+ 1 User account expires soon
+
+ 2 User account credential expires soon
+
+ 3 User account authorizations change soon
+
+ 4 Clock skew detected
+
+ 5 Contact administrator
+
+ 6 User account credentials change required
+
+ 1001 Inner Method Error
+
+ 1002 Unspecified authentication infrastructure problem
+
+ 1003 Unspecified authentication failure
+
+ 1004 Unspecified authorization failure
+
+ 1005 User account credentials unavailable
+
+ 1006 User account expired
+
+ 1007 User account locked: try again later
+
+ 1008 User account locked: admin intervention required
+
+
+
+Zhou, et al. Standards Track [Page 34]
+
+RFC 7170 TEAP May 2014
+
+
+ 1009 Authentication infrastructure unavailable
+
+ 1010 Authentication infrastructure not trusted
+
+ 1011 Clock skew too great
+
+ 1012 Invalid inner realm
+
+ 1013 Token out of sync: administrator intervention required
+
+ 1014 Token out of sync: PIN change required
+
+ 1015 Token revoked
+
+ 1016 Tokens exhausted
+
+ 1017 Challenge expired
+
+ 1018 Challenge algorithm mismatch
+
+ 1019 Client certificate not supplied
+
+ 1020 Client certificate rejected
+
+ 1021 Realm mismatch between inner and outer identity
+
+ 1022 Unsupported Algorithm In Certificate Signing Request
+
+ 1023 Unsupported Extension In Certificate Signing Request
+
+ 1024 Bad Identity In Certificate Signing Request
+
+ 1025 Bad Certificate Signing Request
+
+ 1026 Internal CA Error
+
+ 1027 General PKI Error
+
+ 1028 Inner method's channel-binding data required but not
+ supplied
+
+ 1029 Inner method's channel-binding data did not include required
+ information
+
+ 1030 Inner method's channel binding failed
+
+ 1031 User account credentials incorrect [USAGE NOT RECOMMENDED]
+
+
+
+
+Zhou, et al. Standards Track [Page 35]
+
+RFC 7170 TEAP May 2014
+
+
+ 2001 Tunnel Compromise Error
+
+ 2002 Unexpected TLVs Exchanged
+
+4.2.7. Channel-Binding TLV
+
+ The Channel-Binding TLV provides a mechanism for carrying channel-
+ binding data from the peer to the EAP server and a channel-binding
+ response from the EAP server to the peer as described in [RFC6677].
+ TEAPv1 implementations MAY support this TLV, which cannot be
+ responded to with a NAK TLV. If the Channel-Binding data field does
+ not contain one of the known values or if the EAP server does not
+ support this TLV, then the server MUST ignore the value. The
+ Channel-Binding TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Data ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 (Optional)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 6 - Channel-Binding TLV
+
+ Length
+
+ variable
+
+ Data
+
+ The data field contains a channel-binding message as defined in
+ Section 5.3 of [RFC6677].
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 36]
+
+RFC 7170 TEAP May 2014
+
+
+4.2.8. Vendor-Specific TLV
+
+ The Vendor-Specific TLV is available to allow vendors to support
+ their own extended attributes not suitable for general usage. A
+ Vendor-Specific TLV attribute can contain one or more TLVs, referred
+ to as Vendor TLVs. The TLV type of a Vendor-TLV is defined by the
+ vendor. All the Vendor TLVs inside a single Vendor-Specific TLV
+ belong to the same vendor. There can be multiple Vendor-Specific
+ TLVs from different vendors in the same message. Error handling in
+ the Vendor TLV could use the vendor's own specific error-handling
+ mechanism or use the standard TEAP error codes defined.
+
+ Vendor TLVs may be optional or mandatory. Vendor TLVs sent with
+ Result TLVs MUST be marked as optional. If the Vendor-Specific TLV
+ is marked as mandatory, then it is expected that the receiving side
+ needs to recognize the vendor ID, parse all Vendor TLVs within, and
+ deal with error handling within the Vendor-Specific TLV as defined by
+ the vendor.
+
+ The Vendor-Specific TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Vendor-Id |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Vendor TLVs....
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 or 1
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 7 - Vendor-Specific TLV
+
+ Length
+
+ 4 + cumulative length of all included Vendor TLVs
+
+ Vendor-Id
+
+
+
+Zhou, et al. Standards Track [Page 37]
+
+RFC 7170 TEAP May 2014
+
+
+ The Vendor-Id field is four octets and contains the Vendor-Id of
+ the TLV. The high-order octet is 0, and the low-order 3 octets
+ are the SMI Network Management Private Enterprise Number of the
+ Vendor in network byte order.
+
+ Vendor TLVs
+
+ This field is of indefinite length. It contains Vendor-Specific
+ TLVs, in a format defined by the vendor.
+
+4.2.9. Request-Action TLV
+
+ The Request-Action TLV MAY be sent by both the peer and the server in
+ response to a successful or failed Result TLV. It allows the peer or
+ server to request the other side to negotiate additional EAP methods
+ or process TLVs specified in the response packet. The receiving side
+ MUST process this TLV. The processing for the TLV is as follows:
+
+ The receiving entity MAY choose to process any of the TLVs that
+ are included in the message.
+
+ If the receiving entity chooses NOT to process any TLV in the
+ list, then it sends back a Result TLV with the same code in the
+ Status field of the Request-Action TLV.
+
+ If multiple Request-Action TLVs are in the request, the session
+ can continue if any of the TLVs in any Request-Action TLV are
+ processed.
+
+ If multiple Request-Action TLVs are in the request and none of
+ them is processed, then the most fatal status should be used in
+ the Result TLV returned. If a status code in the Request-Action
+ TLV is not understood by the receiving entity, then it should be
+ treated as a fatal error.
+
+ After processing the TLVs or EAP method in the request, another
+ round of Result TLV exchange would occur to synchronize the final
+ status on both sides.
+
+ The peer or the server MAY send multiple Request-Action TLVs to the
+ other side. Two Request-Action TLVs MUST NOT occur in the same TEAP
+ packet if they have the same Status value. The order of processing
+ multiple Request-Action TLVs is implementation dependent. If the
+ receiving side processes the optional (non-fatal) items first, it is
+ possible that the fatal items will disappear at a later time. If the
+ receiving side processes the fatal items first, the communication
+ time will be shorter.
+
+
+
+
+Zhou, et al. Standards Track [Page 38]
+
+RFC 7170 TEAP May 2014
+
+
+ The peer or the server MAY return a new set of Request-Action TLVs
+ after one or more of the requested items has been processed and the
+ other side has signaled it wants to end the EAP conversation.
+
+ The Request-Action TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Status | Action | TLVs....
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-+-+-+-+-+-+-+-+-+-+-+-
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 8 - Request-Action TLV
+
+ Length
+
+ 2 + cumulative length of all included TLVs
+
+ Status
+
+ The Status field is one octet. This indicates the result if the
+ server does not process the action requested by the peer. Values
+ include:
+
+ 1 Success
+
+ 2 Failure
+
+ Action
+
+ The Action field is one octet. Values include:
+
+ 1 Process-TLV
+
+ 2 Negotiate-EAP
+
+
+
+
+Zhou, et al. Standards Track [Page 39]
+
+RFC 7170 TEAP May 2014
+
+
+ TLVs
+
+ This field is of indefinite length. It contains TLVs that the
+ peer wants the server to process.
+
+4.2.10. EAP-Payload TLV
+
+ To allow piggybacking an EAP request or response with other TLVs, the
+ EAP-Payload TLV is defined, which includes an encapsulated EAP packet
+ and a list of optional TLVs. The optional TLVs are provided for
+ future extensibility to provide hints about the current EAP
+ authentication. Only one EAP-Payload TLV is allowed in a message.
+ The EAP-Payload TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | EAP packet...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | TLVs...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 9 - EAP-Payload TLV
+
+ Length
+
+ length of embedded EAP packet + cumulative length of additional
+ TLVs
+
+ EAP packet
+
+ This field contains a complete EAP packet, including the EAP
+ header (Code, Identifier, Length, Type) fields. The length of
+ this field is determined by the Length field of the encapsulated
+ EAP packet.
+
+
+
+
+Zhou, et al. Standards Track [Page 40]
+
+RFC 7170 TEAP May 2014
+
+
+ TLVs
+
+ This (optional) field contains a list of TLVs associated with the
+ EAP packet field. The TLVs MUST NOT have the mandatory bit set.
+ The total length of this field is equal to the Length field of the
+ EAP-Payload TLV, minus the Length field in the EAP header of the
+ EAP packet field.
+
+4.2.11. Intermediate-Result TLV
+
+ The Intermediate-Result TLV provides support for acknowledged
+ intermediate Success and Failure messages between multiple inner EAP
+ methods within EAP. An Intermediate-Result TLV indicating success
+ MUST be accompanied by a Crypto-Binding TLV. The optional TLVs
+ associated with this TLV are provided for future extensibility to
+ provide hints about the current result. The Intermediate-Result TLV
+ is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Status | TLVs...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 10 - Intermediate-Result TLV
+
+ Length
+
+ 2 + cumulative length of the embedded associated TLVs
+
+ Status
+
+ The Status field is two octets. Values include:
+
+ 1 Success
+
+
+
+
+Zhou, et al. Standards Track [Page 41]
+
+RFC 7170 TEAP May 2014
+
+
+ 2 Failure
+
+ TLVs
+
+ This field is of indeterminate length and contains zero or more of
+ the TLVs associated with the Intermediate Result TLV. The TLVs in
+ this field MUST NOT have the mandatory bit set.
+
+4.2.12. PAC TLV Format
+
+ The PAC TLV provides support for provisioning the Protected Access
+ Credential (PAC). The PAC TLV carries the PAC and related
+ information within PAC attribute fields. Additionally, the PAC TLV
+ MAY be used by the peer to request provisioning of a PAC of the type
+ specified in the PAC-Type PAC attribute. The PAC TLV MUST only be
+ used in a protected tunnel providing encryption and integrity
+ protection. A general PAC TLV format is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | PAC Attributes...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 or 1
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 11 - PAC TLV
+
+ Length
+
+ Two octets containing the length of the PAC Attributes field in
+ octets.
+
+ PAC Attributes
+
+ A list of PAC attributes in the TLV format.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 42]
+
+RFC 7170 TEAP May 2014
+
+
+4.2.12.1. Formats for PAC Attributes
+
+ Each PAC attribute in a PAC TLV is formatted as a TLV defined as
+ follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ The Type field is two octets, denoting the attribute type.
+ Allocated types include:
+
+ 1 - PAC-Key
+
+ 2 - PAC-Opaque
+
+ 3 - PAC-Lifetime
+
+ 4 - A-ID
+
+ 5 - I-ID
+
+ 6 - Reserved
+
+ 7 - A-ID-Info
+
+ 8 - PAC-Acknowledgement
+
+ 9 - PAC-Info
+
+ 10 - PAC-Type
+
+ Length
+
+ Two octets containing the length of the Value field in octets.
+
+ Value
+
+ The value of the PAC attribute.
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 43]
+
+RFC 7170 TEAP May 2014
+
+
+4.2.12.2. PAC-Key
+
+ The PAC-Key is a secret key distributed in a PAC attribute of type
+ PAC-Key. The PAC-Key attribute is included within the PAC TLV
+ whenever the server wishes to issue or renew a PAC that is bound to a
+ key such as a Tunnel PAC. The key is a randomly generated octet
+ string that is 48 octets in length. The generator of this key is the
+ issuer of the credential, which is identified by the Authority
+ Identifier (A-ID).
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Key ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 1 - PAC-Key
+
+ Length
+
+ 2-octet length indicating the length of the key.
+
+ Key
+
+ The value of the PAC-Key.
+
+4.2.12.3. PAC-Opaque
+
+ The PAC-Opaque attribute is included within the PAC TLV whenever the
+ server wishes to issue or renew a PAC.
+
+ The PAC-Opaque is opaque to the peer, and thus the peer MUST NOT
+ attempt to interpret it. A peer that has been issued a PAC-Opaque by
+ a server stores that data and presents it back to the server
+ according to its PAC-Type. The Tunnel PAC is used in the ClientHello
+ SessionTicket extension field defined in [RFC5077]. If a peer has
+ opaque data issued to it by multiple servers, then it stores the data
+ issued by each server separately according to the A-ID. This
+ requirement allows the peer to maintain and use each opaque datum as
+ an independent PAC pairing, with a PAC-Key mapping to a PAC-Opaque
+ identified by the A-ID. As there is a one-to-one correspondence
+ between the PAC-Key and PAC-Opaque, the peer determines the PAC-Key
+
+
+
+Zhou, et al. Standards Track [Page 44]
+
+RFC 7170 TEAP May 2014
+
+
+ and corresponding PAC-Opaque based on the A-ID provided in the
+ TEAP/Start message and the A-ID provided in the PAC-Info when it was
+ provisioned with a PAC-Opaque.
+
+ The PAC-Opaque attribute format is summarized as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 2 - PAC-Opaque
+
+ Length
+
+ The Length field is two octets, which contains the length of the
+ Value field in octets.
+
+ Value
+
+ The Value field contains the actual data for the PAC-Opaque. It
+ is specific to the server implementation.
+
+4.2.12.4. PAC-Info
+
+ The PAC-Info is comprised of a set of PAC attributes as defined in
+ Section 4.2.12.1. The PAC-Info attribute MUST contain the A-ID,
+ A-ID-Info, and PAC-Type attributes. Other attributes MAY be included
+ in the PAC-Info to provide more information to the peer. The
+ PAC-Info attribute MUST NOT contain the PAC-Key, PAC-Acknowledgement,
+ PAC-Info, or PAC-Opaque attributes. The PAC-Info attribute is
+ included within the PAC TLV whenever the server wishes to issue or
+ renew a PAC.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Attributes...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 45]
+
+RFC 7170 TEAP May 2014
+
+
+ Type
+
+ 9 - PAC-Info
+
+ Length
+
+ 2-octet field containing the length of the Attributes field in
+ octets.
+
+ Attributes
+
+ The Attributes field contains a list of PAC attributes. Each
+ mandatory and optional field type is defined as follows:
+
+ 3 - PAC-Lifetime
+
+ This is a 4-octet quantity representing the expiration time of
+ the credential expressed as the number of seconds, excluding
+ leap seconds, after midnight UTC, January 1, 1970. This
+ attribute MAY be provided to the peer as part of the PAC-Info.
+
+ 4 - A-ID
+
+ The A-ID is the identity of the authority that issued the PAC.
+ The A-ID is intended to be unique across all issuing servers to
+ avoid namespace collisions. The A-ID is used by the peer to
+ determine which PAC to employ. The A-ID is treated as an
+ opaque octet string. This attribute MUST be included in the
+ PAC-Info attribute. The A-ID MUST match the Authority-ID the
+ server used to establish the tunnel. One method for generating
+ the A-ID is to use a high-quality random number generator to
+ generate a random number. An alternate method would be to take
+ the hash of the public key or public key certificate belonging
+ to a server represented by the A-ID.
+
+ 5 - I-ID
+
+ Initiator Identifier (I-ID) is the peer identity associated
+ with the credential. This identity is derived from the inner
+ authentication or from the client-side authentication during
+ tunnel establishment if inner authentication is not used. The
+ server employs the I-ID in the TEAP Phase 2 conversation to
+ validate that the same peer identity used to execute TEAP Phase
+ 1 is also used in at minimum one inner authentication in TEAP
+ Phase 2. If the server is enforcing the I-ID validation on the
+ inner authentication, then the I-ID MUST be included in the
+ PAC-Info, to enable the peer to also enforce a unique PAC for
+ each unique user. If the I-ID is missing from the PAC-Info, it
+
+
+
+Zhou, et al. Standards Track [Page 46]
+
+RFC 7170 TEAP May 2014
+
+
+ is assumed that the Tunnel PAC can be used for multiple users
+ and the peer will not enforce the unique-Tunnel-PAC-per-user
+ policy.
+
+ 7 - A-ID-Info
+
+ Authority Identifier Information is intended to provide a user-
+ friendly name for the A-ID. It may contain the enterprise name
+ and server name in a human-readable format. This TLV serves as
+ an aid to the peer to better inform the end user about the
+ A-ID. The name is encoded in UTF-8 [RFC3629] format. This
+ attribute MUST be included in the PAC-Info.
+
+ 10 - PAC-Type
+
+ The PAC-Type is intended to provide the type of PAC. This
+ attribute SHOULD be included in the PAC-Info. If the PAC-Type
+ is not present, then it defaults to a Tunnel PAC (Type 1).
+
+4.2.12.5. PAC-Acknowledgement TLV
+
+ The PAC-Acknowledgement is used to acknowledge the receipt of the
+ Tunnel PAC by the peer. The peer includes the PAC-Acknowledgement
+ TLV in a PAC TLV sent to the server to indicate the result of the
+ processing and storing of a newly provisioned Tunnel PAC. This TLV
+ is only used when Tunnel PAC is provisioned.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Result |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 8 - PAC-Acknowledgement
+
+ Length
+
+ The length of this field is two octets containing a value of 2.
+
+ Result
+
+ The resulting value MUST be one of the following:
+
+ 1 - Success
+
+
+
+Zhou, et al. Standards Track [Page 47]
+
+RFC 7170 TEAP May 2014
+
+
+ 2 - Failure
+
+4.2.12.6. PAC-Type TLV
+
+ The PAC-Type TLV is a TLV intended to specify the PAC-Type. It is
+ included in a PAC TLV sent by the peer to request PAC provisioning
+ from the server. Its format is described below:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | PAC-Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 10 - PAC-Type
+
+ Length
+
+ 2-octet field with a value of 2.
+
+ PAC-Type
+
+ This 2-octet field defines the type of PAC being requested or
+ provisioned. The following values are defined:
+
+ 1 - Tunnel PAC
+
+4.2.13. Crypto-Binding TLV
+
+ The Crypto-Binding TLV is used to prove that both the peer and server
+ participated in the tunnel establishment and sequence of
+ authentications. It also provides verification of the TEAP type,
+ version negotiated, and Outer TLVs exchanged before the TLS tunnel
+ establishment.
+
+ The Crypto-Binding TLV MUST be exchanged and verified before the
+ final Result TLV exchange, regardless of whether there is an inner
+ EAP method authentication or not. It MUST be included with the
+ Intermediate-Result TLV to perform cryptographic binding after each
+ successful EAP method in a sequence of EAP methods, before proceeding
+ with another inner EAP method. The Crypto-Binding TLV is valid only
+ if the following checks pass:
+
+ o The Crypto-Binding TLV version is supported.
+
+
+
+Zhou, et al. Standards Track [Page 48]
+
+RFC 7170 TEAP May 2014
+
+
+ o The MAC verifies correctly.
+
+ o The received version in the Crypto-Binding TLV matches the version
+ sent by the receiver during the EAP version negotiation.
+
+ o The subtype is set to the correct value.
+
+ If any of the above checks fails, then the TLV is invalid. An
+ invalid Crypto-Binding TLV is a fatal error and is handled as
+ described in Section 3.6.3
+
+ The Crypto-Binding TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved | Version | Received Ver.| Flags|Sub-Type|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Nonce ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ EMSK Compound MAC ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ MSK Compound MAC ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ Mandatory, set to one (1)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 12 - Crypto-Binding TLV
+
+ Length
+
+ 76
+
+
+
+Zhou, et al. Standards Track [Page 49]
+
+RFC 7170 TEAP May 2014
+
+
+ Reserved
+
+ Reserved, set to zero (0)
+
+ Version
+
+ The Version field is a single octet, which is set to the version
+ of Crypto-Binding TLV the TEAP method is using. For an
+ implementation compliant with this version of TEAP, the version
+ number MUST be set to one (1).
+
+ Received Ver
+
+ The Received Ver field is a single octet and MUST be set to the
+ TEAP version number received during version negotiation. Note
+ that this field only provides protection against downgrade
+ attacks, where a version of EAP requiring support for this TLV is
+ required on both sides.
+
+ Flags
+
+ The Flags field is four bits. Defined values include
+
+ 1 EMSK Compound MAC is present
+
+ 2 MSK Compound MAC is present
+
+ 3 Both EMSK and MSK Compound MAC are present
+
+ Sub-Type
+
+ The Sub-Type field is four bits. Defined values include
+
+ 0 Binding Request
+
+ 1 Binding Response
+
+ Nonce
+
+ The Nonce field is 32 octets. It contains a 256-bit nonce that is
+ temporally unique, used for Compound MAC key derivation at each
+ end. The nonce in a request MUST have its least significant bit
+ set to zero (0), and the nonce in a response MUST have the same
+ value as the request nonce except the least significant bit MUST
+ be set to one (1).
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 50]
+
+RFC 7170 TEAP May 2014
+
+
+ EMSK Compound MAC
+
+ The EMSK Compound MAC field is 20 octets. This can be the Server
+ MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the
+ MAC is described in Section 5.3.
+
+ MSK Compound MAC
+
+ The MSK Compound MAC field is 20 octets. This can be the Server
+ MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the
+ MAC is described in Section 5.3.
+
+4.2.14. Basic-Password-Auth-Req TLV
+
+ The Basic-Password-Auth-Req TLV is used by the authentication server
+ to request a username and password from the peer. It contains an
+ optional user prompt message for the request. The peer is expected
+ to obtain the username and password and send them in a Basic-
+ Password-Auth-Resp TLV.
+
+ The Basic-Password-Auth-Req TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Prompt ....
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 (Optional)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 13 - Basic-Password-Auth-Req TLV
+
+ Length
+
+ variable
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 51]
+
+RFC 7170 TEAP May 2014
+
+
+ Prompt
+
+ optional user prompt message in UTF-8 [RFC3629] format
+
+4.2.15. Basic-Password-Auth-Resp TLV
+
+ The Basic-Password-Auth-Resp TLV is used by the peer to respond to a
+ Basic-Password-Auth-Req TLV with a username and password. The TLV
+ contains a username and password. The username and password are in
+ UTF-8 [RFC3629] format.
+
+ The Basic-Password-Auth-Resp TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Userlen | Username
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ... Username ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Passlen | Password
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ... Password ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ M
+
+ 0 (Optional)
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 14 - Basic-Password-Auth-Resp TLV
+
+ Length
+
+ variable
+
+ Userlen
+
+ Length of Username field in octets
+
+
+
+
+
+Zhou, et al. Standards Track [Page 52]
+
+RFC 7170 TEAP May 2014
+
+
+ Username
+
+ Username in UTF-8 [RFC3629] format
+
+ Passlen
+
+ Length of Password field in octets
+
+ Password
+
+ Password in UTF-8 [RFC3629] format
+
+4.2.16. PKCS#7 TLV
+
+ The PKCS#7 TLV is used by the EAP server to deliver certificate(s) to
+ the peer. The format consists of a certificate or certificate chain
+ in binary DER encoding [X.690] in a degenerate Certificates Only
+ PKCS#7 SignedData Content as defined in [RFC5652].
+
+ When used in response to a Trusted-Server-Root TLV request from the
+ peer, the EAP server MUST send the PKCS#7 TLV inside a Trusted-
+ Server-Root TLV. When used in response to a PKCS#10 certificate
+ enrollment request from the peer, the EAP server MUST send the PKCS#7
+ TLV without a Trusted-Server-Root TLV. The PKCS#7 TLV is always
+ marked as optional, which cannot be responded to with a NAK TLV.
+ TEAP implementations that support the Trusted-Server-Root TLV or the
+ PKCS#10 TLV MUST support this TLV. Peers MUST NOT assume that the
+ certificates in a PKCS#7 TLV are in any order.
+
+ TEAP servers MAY return self-signed certificates. Peers that handle
+ self-signed certificates or trust anchors MUST NOT implicitly trust
+ these certificates merely due to their presence in the certificate
+ bag. Note: Peers are advised to take great care in deciding whether
+ to use a received certificate as a trust anchor. The authenticated
+ nature of the tunnel in which a PKCS#7 bag is received can provide a
+ level of authenticity to the certificates contained therein. Peers
+ are advised to take into account the implied authority of the EAP
+ server and to constrain the trust it can achieve through the trust
+ anchor received in a PKCS#7 TLV.
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 53]
+
+RFC 7170 TEAP May 2014
+
+
+ The PKCS#7 TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | PKCS#7 Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+
+ M
+
+ 0 - Optional TLV
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 15 - PKCS#7 TLV
+
+ Length
+
+ The length of the PKCS#7 Data field.
+
+ PKCS#7 Data
+
+ This field contains the DER-encoded X.509 certificate or
+ certificate chain in a Certificates-Only PKCS#7 SignedData
+ message.
+
+4.2.17. PKCS#10 TLV
+
+ The PKCS#10 TLV is used by the peer to initiate the "simple PKI"
+ Request/Response from [RFC5272]. The format of the request is as
+ specified in Section 6.4 of [RFC4945]. The PKCS#10 TLV is always
+ marked as optional, which cannot be responded to with a NAK TLV.
+
+ The PKCS#10 TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | PKCS#10 Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+
+
+
+Zhou, et al. Standards Track [Page 54]
+
+RFC 7170 TEAP May 2014
+
+
+ M
+
+ 0 - Optional TLV
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 16 - PKCS#10 TLV
+
+ Length
+
+ The length of the PKCS#10 Data field.
+
+ PKCS#10 Data
+
+ This field contains the DER-encoded PKCS#10 certificate request.
+
+4.2.18. Trusted-Server-Root TLV
+
+ Trusted-Server-Root TLV facilitates the request and delivery of a
+ trusted server root certificate. The Trusted-Server-Root TLV can be
+ exchanged in regular TEAP authentication mode or provisioning mode.
+ The Trusted-Server-Root TLV is always marked as optional and cannot
+ be responded to with a Negative Acknowledgement (NAK) TLV. The
+ Trusted-Server-Root TLV MUST only be sent as an Inner TLV (inside the
+ protection of the tunnel).
+
+ After the peer has determined that it has successfully authenticated
+ the EAP server and validated the Crypto-Binding TLV, it MAY send one
+ or more Trusted-Server-Root TLVs (marked as optional) to request the
+ trusted server root certificates from the EAP server. The EAP server
+ MAY send one or more root certificates with a Public Key
+ Cryptographic System #7 (PKCS#7) TLV inside the Trusted-Server-Root
+ TLV. The EAP server MAY also choose not to honor the request.
+
+ The Trusted-Server-Root TLV allows the peer to send a request to the
+ EAP server for a list of trusted roots. The server may respond with
+ one or more root certificates in PKCS#7 [RFC2315] format.
+
+ If the EAP server sets the credential format to PKCS#7-Server-
+ Certificate-Root, then the Trusted-Server-Root TLV should contain the
+ root of the certificate chain of the certificate issued to the EAP
+ server packaged in a PKCS#7 TLV. If the server certificate is a
+ self-signed certificate, then the root is the self-signed
+ certificate.
+
+
+
+Zhou, et al. Standards Track [Page 55]
+
+RFC 7170 TEAP May 2014
+
+
+ If the Trusted-Server-Root TLV credential format contains a value
+ unknown to the peer, then the EAP peer should ignore the TLV.
+
+ The Trusted-Server-Root TLV is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|R| TLV Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Credential-Format | Cred TLVs...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+
+ M
+
+ 0 - Optional TLV
+
+ R
+
+ Reserved, set to zero (0)
+
+ TLV Type
+
+ 17 - Trusted-Server-Root TLV
+
+ Length
+
+ >=2 octets
+
+ Credential-Format
+
+ The Credential-Format field is two octets. Values include:
+
+ 1 - PKCS#7-Server-Certificate-Root
+
+ Cred TLVs
+
+ This field is of indefinite length. It contains TLVs associated
+ with the credential format. The peer may leave this field empty
+ when using this TLV to request server trust roots.
+
+4.3. TLV Rules
+
+ To save round trips, multiple TLVs can be sent in a single TEAP
+ packet. However, multiple EAP Payload TLVs, multiple Basic Password
+ Authentication TLVs, or an EAP Payload TLV with a Basic Password
+ Authentication TLV within one single TEAP packet is not supported in
+ this version and MUST NOT be sent. If the peer or EAP server
+
+
+
+Zhou, et al. Standards Track [Page 56]
+
+RFC 7170 TEAP May 2014
+
+
+ receives multiple EAP Payload TLVs, then it MUST terminate the
+ connection with the Result TLV. The order of TLVs in TEAP does not
+ matter, except one should always process the Identity-Type TLV before
+ processing the EAP TLV or Basic Password Authentication TLV as the
+ Identity-Type TLV is a hint to the type of identity that is to be
+ authenticated.
+
+ The following define the meaning of the table entries in the sections
+ below:
+
+ 0 This TLV MUST NOT be present in the message.
+
+ 0+ Zero or more instances of this TLV MAY be present in the
+ message.
+
+ 0-1 Zero or one instance of this TLV MAY be present in the message.
+
+ 1 Exactly one instance of this TLV MUST be present in the
+ message.
+
+4.3.1. Outer TLVs
+
+ The following table provides a guide to which TLVs may be included in
+ the TEAP packet outside the TLS channel, which kind of packets, and
+ in what quantity:
+
+ Request Response Success Failure TLVs
+ 0-1 0 0 0 Authority-ID
+ 0-1 0-1 0 0 Identity-Type
+ 0+ 0+ 0 0 Vendor-Specific
+
+ Outer TLVs MUST be marked as optional. Vendor-TLVs inside Vendor-
+ Specific TLV MUST be marked as optional when included in Outer TLVs.
+ Outer TLVs MUST NOT be included in messages after the first two TEAP
+ messages sent by peer and EAP-server respectively. That is the first
+ EAP-server-to-peer message and first peer-to-EAP-server message. If
+ the message is fragmented, the whole set of messages is counted as
+ one message. If Outer TLVs are included in messages after the first
+ two TEAP messages, they MUST be ignored.
+
+4.3.2. Inner TLVs
+
+ The following table provides a guide to which Inner TLVs may be
+ encapsulated in TLS in TEAP Phase 2, in which kind of packets, and in
+ what quantity. The messages are as follows: Request is a TEAP
+ Request, Response is a TEAP Response, Success is a message containing
+ a successful Result TLV, and Failure is a message containing a failed
+ Result TLV.
+
+
+
+Zhou, et al. Standards Track [Page 57]
+
+RFC 7170 TEAP May 2014
+
+
+ Request Response Success Failure TLVs
+ 0-1 0-1 0 0 Identity-Type
+ 0-1 0-1 1 1 Result
+ 0+ 0+ 0 0 NAK
+ 0+ 0+ 0+ 0+ Error
+ 0-1 0-1 0 0 Channel-Binding
+ 0+ 0+ 0+ 0+ Vendor-Specific
+ 0+ 0+ 0+ 0+ Request-Action
+ 0-1 0-1 0 0 EAP-Payload
+ 0-1 0-1 0-1 0-1 Intermediate-Result
+ 0+ 0+ 0+ 0 PAC TLV
+ 0-1 0-1 0-1 0-1 Crypto-Binding
+ 0-1 0 0 0 Basic-Password-Auth-Req
+ 0 0-1 0 0 Basic-Password-Auth-Resp
+ 0-1 0 0-1 0 PKCS#7
+ 0 0-1 0 0 PKCS#10
+ 0-1 0-1 0-1 0 Trusted-Server-Root
+
+ NOTE: Vendor TLVs (included in Vendor-Specific TLVs) sent with a
+ Result TLV MUST be marked as optional.
+
+5. Cryptographic Calculations
+
+ For key derivation and crypto-binding, TEAP uses the Pseudorandom
+ Function (PRF) and MAC algorithms negotiated in the underlying TLS
+ session. Since these algorithms depend on the TLS version and
+ ciphersuite, TEAP implementations need a mechanism to determine the
+ version and ciphersuite in use for a particular session. The
+ implementation can then use this information to determine which PRF
+ and MAC algorithm to use.
+
+5.1. TEAP Authentication Phase 1: Key Derivations
+
+ With TEAPv1, the TLS master secret is generated as specified in TLS.
+ If a PAC is used, then the master secret is obtained as described in
+ [RFC5077].
+
+ TEAPv1 makes use of the TLS Keying Material Exporters defined in
+ [RFC5705] to derive the session_key_seed. The label used in the
+ derivation is "EXPORTER: teap session key seed". The length of the
+ session key seed material is 40 octets. No context data is used in
+ the export process.
+
+ The session_key_seed is used by the TEAP authentication Phase 2
+ conversation to both cryptographically bind the inner method(s) to
+ the tunnel as well as generate the resulting TEAP session keys. The
+ other TLS keying materials are derived and used as defined in
+ [RFC5246].
+
+
+
+Zhou, et al. Standards Track [Page 58]
+
+RFC 7170 TEAP May 2014
+
+
+5.2. Intermediate Compound Key Derivations
+
+ The session_key_seed derived as part of TEAP Phase 2 is used in TEAP
+ Phase 2 to generate an Intermediate Compound Key (IMCK) used to
+ verify the integrity of the TLS tunnel after each successful inner
+ authentication and in the generation of Master Session Key (MSK) and
+ Extended Master Session Key (EMSK) defined in [RFC3748]. Note that
+ the IMCK MUST be recalculated after each successful inner EAP method.
+
+ The first step in these calculations is the generation of the base
+ compound key, IMCK[n] from the session_key_seed, and any session keys
+ derived from the successful execution of nth inner EAP methods. The
+ inner EAP method(s) may provide Inner Method Session Keys (IMSKs),
+ IMSK1..IMSKn, corresponding to inner method 1 through n.
+
+ If an inner method supports export of an Extended Master Session Key
+ (EMSK), then the IMSK SHOULD be derived from the EMSK as defined in
+ [RFC5295]. The usage label used is "TEAPbindkey@ietf.org", and the
+ length is 64 octets. Optional data parameter is not used in the
+ derivation.
+
+ IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
+ "\0" | 64)
+
+ where "|" denotes concatenation, EMSK is the EMSK from the inner
+ method, "TEAPbindkey@ietf.org" consists the ASCII value for the
+ label "TEAPbindkey@ietf.org" (without quotes), "\0" = is a NULL
+ octet (0x00 in hex), length is the 2-octet unsigned integer in
+ network byte order, and TLS-PRF is the PRF negotiated as part of
+ TLS handshake [RFC5246].
+
+ If an inner method does not support export of an Extended Master
+ Session Key (EMSK), then IMSK is the MSK of the inner method. The
+ MSK is truncated at 32 octets if it is longer than 32 octets or
+ padded to a length of 32 octets with zeros if it is less than 32
+ octets.
+
+ However, it's possible that the peer and server sides might not have
+ the same capability to export EMSK. In order to maintain maximum
+ flexibility while prevent downgrading attack, the following mechanism
+ is in place.
+
+ On the sender of the Crypto-Binding TLV side:
+
+ If the EMSK is not available, then the sender computes the Compound
+ MAC using the MSK of the inner method.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 59]
+
+RFC 7170 TEAP May 2014
+
+
+ If the EMSK is available and the sender's policy accepts MSK-based
+ MAC, then the sender computes two Compound MAC values. The first
+ is computed with the EMSK. The second one is computed using the
+ MSK. Both MACs are then sent to the other side.
+
+ If the EMSK is available but the sender's policy does not allow
+ downgrading to MSK-generated MAC, then the sender SHOULD only send
+ EMSK-based MAC.
+
+ On the receiver of the Crypto-Binding TLV side:
+
+ If the EMSK is not available and an MSK-based Compound MAC was
+ sent, then the receiver validates the Compound MAC and sends back
+ an MSK-based Compound MAC response.
+
+ If the EMSK is not available and no MSK-based Compound MAC was
+ sent, then the receiver handles like an invalid Crypto-Binding TLV
+ with a fatal error.
+
+ If the EMSK is available and an EMSK-based Compound MAC was sent,
+ then the receiver validates it and creates a response Compound MAC
+ using the EMSK.
+
+ If the EMSK is available but no EMSK-based Compound MAC was sent
+ and its policy accepts MSK-based MAC, then the receiver validates
+ it using the MSK and, if successful, generates and returns an MSK-
+ based Compound MAC.
+
+ If the EMSK is available but no EMSK Compound MAC was sent and its
+ policy does not accept MSK-based MAC, then the receiver handles
+ like an invalid Crypto-Binding TLV with a fatal error.
+
+ If the ith inner method does not generate an EMSK or MSK, then IMSKi
+ is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner method
+ fails, then it is not included in this calculation. The derivation
+ of S-IMCK is as follows:
+
+ S-IMCK[0] = session_key_seed
+ For j = 1 to n-1 do
+ IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
+ IMSK[j], 60)
+ S-IMCK[j] = first 40 octets of IMCK[j]
+ CMK[j] = last 20 octets of IMCK[j]
+
+ where TLS-PRF is the PRF negotiated as part of TLS handshake
+ [RFC5246].
+
+
+
+
+
+Zhou, et al. Standards Track [Page 60]
+
+RFC 7170 TEAP May 2014
+
+
+5.3. Computing the Compound MAC
+
+ For authentication methods that generate keying material, further
+ protection against man-in-the-middle attacks is provided through
+ cryptographically binding keying material established by both TEAP
+ Phase 1 and TEAP Phase 2 conversations. After each successful inner
+ EAP authentication, EAP EMSK and/or MSKs are cryptographically
+ combined with key material from TEAP Phase 1 to generate a Compound
+ Session Key (CMK). The CMK is used to calculate the Compound MAC as
+ part of the Crypto-Binding TLV described in Section 4.2.13, which
+ helps provide assurance that the same entities are involved in all
+ communications in TEAP. During the calculation of the Compound MAC,
+ the MAC field is filled with zeros.
+
+ The Compound MAC computation is as follows:
+
+ CMK = CMK[j]
+ Compound-MAC = MAC( CMK, BUFFER )
+
+ where j is the number of the last successfully executed inner EAP
+ method, MAC is the MAC function negotiated in TLS 1.2 [RFC5246], and
+ BUFFER is created after concatenating these fields in the following
+ order:
+
+ 1 The entire Crypto-Binding TLV attribute with both the EMSK and MSK
+ Compound MAC fields zeroed out.
+
+ 2 The EAP Type sent by the other party in the first TEAP message.
+
+ 3 All the Outer TLVs from the first TEAP message sent by EAP server
+ to peer. If a single TEAP message is fragmented into multiple
+ TEAP packets, then the Outer TLVs in all the fragments of that
+ message MUST be included.
+
+ 4 All the Outer TLVs from the first TEAP message sent by the peer to
+ the EAP server. If a single TEAP message is fragmented into
+ multiple TEAP packets, then the Outer TLVs in all the fragments of
+ that message MUST be included.
+
+5.4. EAP Master Session Key Generation
+
+ TEAP authentication assures the Master Session Key (MSK) and Extended
+ Master Session Key (EMSK) output from the EAP method are the result
+ of all authentication conversations by generating an Intermediate
+ Compound Key (IMCK). The IMCK is mutually derived by the peer and
+ the server as described in Section 5.2 by combining the MSKs from
+
+
+
+
+
+Zhou, et al. Standards Track [Page 61]
+
+RFC 7170 TEAP May 2014
+
+
+ inner EAP methods with key material from TEAP Phase 1. The resulting
+ MSK and EMSK are generated as part of the IMCKn key hierarchy as
+ follows:
+
+ MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
+ EMSK = TLS-PRF(S-IMCK[j],
+ "Extended Session Key Generating Function", 64)
+
+ where j is the number of the last successfully executed inner EAP
+ method.
+
+ The EMSK is typically only known to the TEAP peer and server and is
+ not provided to a third party. The derivation of additional keys and
+ transportation of these keys to a third party are outside the scope
+ of this document.
+
+ If no EAP methods have been negotiated inside the tunnel or no EAP
+ methods have been successfully completed inside the tunnel, the MSK
+ and EMSK will be generated directly from the session_key_seed meaning
+ S-IMCK = session_key_seed.
+
+6. IANA Considerations
+
+ This section provides guidance to the Internet Assigned Numbers
+ Authority (IANA) regarding registration of values related to the TEAP
+ protocol, in accordance with BCP 26 [RFC5226].
+
+ The EAP Method Type number 55 has been assigned for TEAP.
+
+ The document defines a registry for TEAP TLV types, which may be
+ assigned by Specification Required as defined in [RFC5226].
+ Section 4.2 defines the TLV types that initially populate the
+ registry. A summary of the TEAP TLV types is given below:
+
+ 0 Unassigned
+
+ 1 Authority-ID TLV
+
+ 2 Identity-Type TLV
+
+ 3 Result TLV
+
+ 4 NAK TLV
+
+ 5 Error TLV
+
+ 6 Channel-Binding TLV
+
+
+
+
+Zhou, et al. Standards Track [Page 62]
+
+RFC 7170 TEAP May 2014
+
+
+ 7 Vendor-Specific TLV
+
+ 8 Request-Action TLV
+
+ 9 EAP-Payload TLV
+
+ 10 Intermediate-Result TLV
+
+ 11 PAC TLV
+
+ 12 Crypto-Binding TLV
+
+ 13 Basic-Password-Auth-Req TLV
+
+ 14 Basic-Password-Auth-Resp TLV
+
+ 15 PKCS#7 TLV
+
+ 16 PKCS#10 TLV
+
+ 17 Trusted-Server-Root TLV
+
+ The Identity-Type defined in Section 4.2.3 contains an identity type
+ code that is assigned on a Specification Required basis as defined in
+ [RFC5226]. The initial types defined are:
+
+ 1 User
+
+ 2 Machine
+
+ The Result TLV defined in Section 4.2.4, Request-Action TLV defined
+ in Section 4.2.9, and Intermediate-Result TLV defined in
+ Section 4.2.11 contain a Status code that is assigned on a
+ Specification Required basis as defined in [RFC5226]. The initial
+ types defined are:
+
+ 1 Success
+
+ 2 Failure
+
+ The Error-TLV defined in Section 4.2.6 requires an error code. TEAP
+ Error-TLV error codes are assigned based on a Specification Required
+ basis as defined in [RFC5226]. The initial list of error codes is as
+ follows:
+
+ 1 User account expires soon
+
+ 2 User account credential expires soon
+
+
+
+Zhou, et al. Standards Track [Page 63]
+
+RFC 7170 TEAP May 2014
+
+
+ 3 User account authorizations change soon
+
+ 4 Clock skew detected
+
+ 5 Contact administrator
+
+ 6 User account credentials change required
+
+ 1001 Inner Method Error
+
+ 1002 Unspecified authentication infrastructure problem
+
+ 1003 Unspecified authentication failure
+
+ 1004 Unspecified authorization failure
+
+ 1005 User account credentials unavailable
+
+ 1006 User account expired
+
+ 1007 User account locked: try again later
+
+ 1008 User account locked: admin intervention required
+
+ 1009 Authentication infrastructure unavailable
+
+ 1010 Authentication infrastructure not trusted
+
+ 1011 Clock skew too great
+
+ 1012 Invalid inner realm
+
+ 1013 Token out of sync: administrator intervention required
+
+ 1014 Token out of sync: PIN change required
+
+ 1015 Token revoked
+
+ 1016 Tokens exhausted
+
+ 1017 Challenge expired
+
+ 1018 Challenge algorithm mismatch
+
+ 1019 Client certificate not supplied
+
+ 1020 Client certificate rejected
+
+
+
+
+Zhou, et al. Standards Track [Page 64]
+
+RFC 7170 TEAP May 2014
+
+
+ 1021 Realm mismatch between inner and outer identity
+
+ 1022 Unsupported Algorithm In Certificate Signing Request
+
+ 1023 Unsupported Extension In Certificate Signing Request
+
+ 1024 Bad Identity In Certificate Signing Request
+
+ 1025 Bad Certificate Signing Request
+
+ 1026 Internal CA Error
+
+ 1027 General PKI Error
+
+ 1028 Inner method's channel-binding data required but not supplied
+
+ 1029 Inner method's channel-binding data did not include required
+ information
+
+ 1030 Inner method's channel binding failed
+
+ 1031 User account credentials incorrect [USAGE NOT RECOMMENDED]
+
+ 2001 Tunnel Compromise Error
+
+ 2002 Unexpected TLVs Exchanged
+
+ The Request-Action TLV defined in Section 4.2.9 contains an action
+ code that is assigned on a Specification Required basis as defined in
+ [RFC5226]. The initial actions defined are:
+
+ 1 Process-TLV
+
+ 2 Negotiate-EAP
+
+ The PAC Attribute defined in Section 4.2.12.1 contains a Type code
+ that is assigned on a Specification Required basis as defined in
+ [RFC5226]. The initial types defined are:
+
+ 1 PAC-Key
+
+ 2 PAC-Opaque
+
+ 3 PAC-Lifetime
+
+ 4 A-ID
+
+ 5 I-ID
+
+
+
+Zhou, et al. Standards Track [Page 65]
+
+RFC 7170 TEAP May 2014
+
+
+ 6 Reserved
+
+ 7 A-ID-Info
+
+ 8 PAC-Acknowledgement
+
+ 9 PAC-Info
+
+ 10 PAC-Type
+
+ The PAC-Type defined in Section 4.2.12.6 contains a type code that is
+ assigned on a Specification Required basis as defined in [RFC5226].
+ The initial type defined is:
+
+ 1 Tunnel PAC
+
+ The Trusted-Server-Root TLV defined in Section 4.2.18 contains a
+ Credential-Format code that is assigned on a Specification Required
+ basis as defined in [RFC5226]. The initial type defined is:
+
+ 1 PKCS#7-Server-Certificate-Root
+
+ The various values under the Vendor-Specific TLV are assigned by
+ Private Use and do not need to be assigned by IANA.
+
+ TEAP registers the label "EXPORTER: teap session key seed" in the TLS
+ Exporter Label Registry [RFC5705]. This label is used in derivation
+ as defined in Section 5.1.
+
+ TEAP registers a TEAP binding usage label from the "User Specific
+ Root Keys (USRK) Key Labels" name space defined in [RFC5295] with a
+ value "TEAPbindkey@ietf.org".
+
+7. Security Considerations
+
+ TEAP is designed with a focus on wireless media, where the medium
+ itself is inherent to eavesdropping. Whereas in wired media an
+ attacker would have to gain physical access to the wired medium,
+ wireless media enables anyone to capture information as it is
+ transmitted over the air, enabling passive attacks. Thus, physical
+ security can not be assumed, and security vulnerabilities are far
+ greater. The threat model used for the security evaluation of TEAP
+ is defined in EAP [RFC3748].
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 66]
+
+RFC 7170 TEAP May 2014
+
+
+7.1. Mutual Authentication and Integrity Protection
+
+ As a whole, TEAP provides message and integrity protection by
+ establishing a secure tunnel for protecting the authentication
+ method(s). The confidentiality and integrity protection is defined
+ by TLS and provides the same security strengths afforded by TLS
+ employing a strong entropy shared master secret. The integrity of
+ the key generating authentication methods executed within the TEAP
+ tunnel is verified through the calculation of the Crypto-Binding TLV.
+ This ensures that the tunnel endpoints are the same as the inner
+ method endpoints.
+
+ The Result TLV is protected and conveys the true Success or Failure
+ of TEAP, and it should be used as the indicator of its success or
+ failure respectively. However, as EAP terminates with either a
+ cleartext EAP Success or Failure, a peer will also receive a
+ cleartext EAP Success or Failure. The received cleartext EAP Success
+ or Failure MUST match that received in the Result TLV; the peer
+ SHOULD silently discard those cleartext EAP Success or Failure
+ messages that do not coincide with the status sent in the protected
+ Result TLV.
+
+7.2. Method Negotiation
+
+ As is true for any negotiated EAP protocol, NAK packets used to
+ suggest an alternate authentication method are sent unprotected and,
+ as such, are subject to spoofing. During unprotected EAP method
+ negotiation, NAK packets may be interjected as active attacks to
+ negotiate down to a weaker form of authentication, such as EAP-MD5
+ (which only provides one-way authentication and does not derive a
+ key). Both the peer and server should have a method selection policy
+ that prevents them from negotiating down to weaker methods. Inner
+ method negotiation resists attacks because it is protected by the
+ mutually authenticated TLS tunnel established. Selection of TEAP as
+ an authentication method does not limit the potential inner
+ authentication methods, so TEAP should be selected when available.
+
+ An attacker cannot readily determine the inner EAP method used,
+ except perhaps by traffic analysis. It is also important that peer
+ implementations limit the use of credentials with an unauthenticated
+ or unauthorized server.
+
+7.3. Separation of Phase 1 and Phase 2 Servers
+
+ Separation of the TEAP Phase 1 from the Phase 2 conversation is NOT
+ RECOMMENDED. Allowing the Phase 1 conversation to be terminated at a
+ different server than the Phase 2 conversation can introduce
+ vulnerabilities if there is not a proper trust relationship and
+
+
+
+Zhou, et al. Standards Track [Page 67]
+
+RFC 7170 TEAP May 2014
+
+
+ protection for the protocol between the two servers. Some
+ vulnerabilities include:
+
+ o Loss of identity protection
+
+ o Offline dictionary attacks
+
+ o Lack of policy enforcement
+
+ o Man-in-the-middle attacks (as described in [RFC7029])
+
+ There may be cases where a trust relationship exists between the
+ Phase 1 and Phase 2 servers, such as on a campus or between two
+ offices within the same company, where there is no danger in
+ revealing the inner identity and credentials of the peer to entities
+ between the two servers. In these cases, using a proxy solution
+ without end-to-end protection of TEAP MAY be used. The TEAP
+ encrypting/decrypting gateway MUST, at a minimum, provide support for
+ IPsec, TLS, or similar protection in order to provide confidentiality
+ for the portion of the conversation between the gateway and the EAP
+ server. In addition, separation of the inner and outer method
+ servers allows for crypto-binding based on the inner method MSK to be
+ thwarted as described in [RFC7029]. Implementation and deployment
+ SHOULD adopt various mitigation strategies described in [RFC7029].
+ If the inner method is deriving EMSK, then this threat is mitigated
+ as TEAP utilizes the mutual crypto-binding based on EMSK as described
+ in [RFC7029].
+
+7.4. Mitigation of Known Vulnerabilities and Protocol Deficiencies
+
+ TEAP addresses the known deficiencies and weaknesses in the EAP
+ method. By employing a shared secret between the peer and server to
+ establish a secured tunnel, TEAP enables:
+
+ o Per-packet confidentiality and integrity protection
+
+ o User identity protection
+
+ o Better support for notification messages
+
+ o Protected EAP inner method negotiation
+
+ o Sequencing of EAP methods
+
+ o Strong mutually derived MSKs
+
+ o Acknowledged success/failure indication
+
+
+
+
+Zhou, et al. Standards Track [Page 68]
+
+RFC 7170 TEAP May 2014
+
+
+ o Faster re-authentications through session resumption
+
+ o Mitigation of dictionary attacks
+
+ o Mitigation of man-in-the-middle attacks
+
+ o Mitigation of some denial-of-service attacks
+
+ It should be noted that in TEAP, as in many other authentication
+ protocols, a denial-of-service attack can be mounted by adversaries
+ sending erroneous traffic to disrupt the protocol. This is a problem
+ in many authentication or key agreement protocols and is therefore
+ noted for TEAP as well.
+
+ TEAP was designed with a focus on protected authentication methods
+ that typically rely on weak credentials, such as password-based
+ secrets. To that extent, the TEAP authentication mitigates several
+ vulnerabilities, such as dictionary attacks, by protecting the weak
+ credential-based authentication method. The protection is based on
+ strong cryptographic algorithms in TLS to provide message
+ confidentiality and integrity. The keys derived for the protection
+ relies on strong random challenges provided by both peer and server
+ as well as an established key with strong entropy. Implementations
+ should follow the recommendation in [RFC4086] when generating random
+ numbers.
+
+7.4.1. User Identity Protection and Verification
+
+ The initial identity request response exchange is sent in cleartext
+ outside the protection of TEAP. Typically, the Network Access
+ Identifier (NAI) [RFC4282] in the identity response is useful only
+ for the realm of information that is used to route the authentication
+ requests to the right EAP server. This means that the identity
+ response may contain an anonymous identity and just contain realm
+ information. In other cases, the identity exchange may be eliminated
+ altogether if there are other means for establishing the destination
+ realm of the request. In no case should an intermediary place any
+ trust in the identity information in the identity response since it
+ is unauthenticated and may not have any relevance to the
+ authenticated identity. TEAP implementations should not attempt to
+ compare any identity disclosed in the initial cleartext EAP Identity
+ response packet with those Identities authenticated in Phase 2.
+
+ Identity request/response exchanges sent after the TEAP tunnel is
+ established are protected from modification and eavesdropping by
+ attackers.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 69]
+
+RFC 7170 TEAP May 2014
+
+
+ Note that since TLS client certificates are sent in the clear, if
+ identity protection is required, then it is possible for the TLS
+ authentication to be renegotiated after the first server
+ authentication. To accomplish this, the server will typically not
+ request a certificate in the server_hello; then, after the
+ server_finished message is sent and before TEAP Phase 2, the server
+ MAY send a TLS hello_request. This allows the peer to perform client
+ authentication by sending a client_hello if it wants to or send a
+ no_renegotiation alert to the server indicating that it wants to
+ continue with TEAP Phase 2 instead. Assuming that the peer permits
+ renegotiation by sending a client_hello, then the server will respond
+ with server_hello, certificate, and certificate_request messages.
+ The peer replies with certificate, client_key_exchange, and
+ certificate_verify messages. Since this renegotiation occurs within
+ the encrypted TLS channel, it does not reveal client certificate
+ details. It is possible to perform certificate authentication using
+ an EAP method (for example, EAP-TLS) within the TLS session in TEAP
+ Phase 2 instead of using TLS handshake renegotiation.
+
+7.4.2. Dictionary Attack Resistance
+
+ TEAP was designed with a focus on protected authentication methods
+ that typically rely on weak credentials, such as password-based
+ secrets. TEAP mitigates dictionary attacks by allowing the
+ establishment of a mutually authenticated encrypted TLS tunnel
+ providing confidentiality and integrity to protect the weak
+ credential-based authentication method.
+
+7.4.3. Protection against Man-in-the-Middle Attacks
+
+ Allowing methods to be executed both with and without the protection
+ of a secure tunnel opens up a possibility of a man-in-the-middle
+ attack. To avoid man-in-the-middle attacks it is recommended to
+ always deploy authentication methods with the protection of TEAP.
+ TEAP provides protection from man-in-the-middle attacks even if a
+ deployment chooses to execute inner EAP methods both with and without
+ TEAP protection. TEAP prevents this attack in two ways:
+
+ 1. By using the PAC-Key to mutually authenticate the peer and server
+ during TEAP authentication Phase 1 establishment of a secure
+ tunnel.
+
+ 2. By using the keys generated by the inner authentication method
+ (if the inner methods are key generating) in the crypto-binding
+ exchange and in the generation of the key material exported by
+ the EAP method described in Section 5.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 70]
+
+RFC 7170 TEAP May 2014
+
+
+ TEAP crypto binding does not guarantee man-in-the-middle protection
+ if the client allows a connection to an untrusted server, such as in
+ the case where the client does not properly validate the server's
+ certificate. If the TLS ciphersuite derives the master secret solely
+ from the contribution of secret data from one side of the
+ conversation (such as ciphersuites based on RSA key transport), then
+ an attacker who can convince the client to connect and engage in
+ authentication can impersonate the client to another server even if a
+ strong inner method is executed within the tunnel. If the TLS
+ ciphersuite derives the master secret from the contribution of
+ secrets from both sides of the conversation (such as in ciphersuites
+ based on Diffie-Hellman), then crypto binding can detect an attacker
+ in the conversation if a strong inner method is used.
+
+7.4.4. PAC Binding to User Identity
+
+ A PAC may be bound to a user identity. A compliant implementation of
+ TEAP MUST validate that an identity obtained in the PAC-Opaque field
+ matches at minimum one of the identities provided in the TEAP Phase 2
+ authentication method. This validation provides another binding to
+ ensure that the intended peer (based on identity) has successfully
+ completed the TEAP Phase 1 and proved identity in the Phase 2
+ conversations.
+
+7.5. Protecting against Forged Cleartext EAP Packets
+
+ EAP Success and EAP Failure packets are, in general, sent in
+ cleartext and may be forged by an attacker without detection. Forged
+ EAP Failure packets can be used to attempt to convince an EAP peer to
+ disconnect. Forged EAP Success packets may be used to attempt to
+ convince a peer that authentication has succeeded, even though the
+ authenticator has not authenticated itself to the peer.
+
+ By providing message confidentiality and integrity, TEAP provides
+ protection against these attacks. Once the peer and authentication
+ server (AS) initiate the TEAP authentication Phase 2, compliant TEAP
+ implementations MUST silently discard all cleartext EAP messages,
+ unless both the TEAP peer and server have indicated success or
+ failure using a protected mechanism. Protected mechanisms include
+ the TLS alert mechanism and the protected termination mechanism
+ described in Section 3.3.3.
+
+ The success/failure decisions within the TEAP tunnel indicate the
+ final decision of the TEAP authentication conversation. After a
+ success/failure result has been indicated by a protected mechanism,
+ the TEAP peer can process unprotected EAP Success and EAP Failure
+ messages; however, the peer MUST ignore any unprotected EAP Success
+
+
+
+
+Zhou, et al. Standards Track [Page 71]
+
+RFC 7170 TEAP May 2014
+
+
+ or Failure messages where the result does not match the result of the
+ protected mechanism.
+
+ To abide by [RFC3748], the server sends a cleartext EAP Success or
+ EAP Failure packet to terminate the EAP conversation. However, since
+ EAP Success and EAP Failure packets are not retransmitted, the final
+ packet may be lost. While a TEAP-protected EAP Success or EAP
+ Failure packet should not be a final packet in a TEAP conversation,
+ it may occur based on the conditions stated above, so an EAP peer
+ should not rely upon the unprotected EAP Success and Failure
+ messages.
+
+7.6. Server Certificate Validation
+
+ As part of the TLS negotiation, the server presents a certificate to
+ the peer. The peer SHOULD verify the validity of the EAP server
+ certificate and SHOULD also examine the EAP server name presented in
+ the certificate in order to determine whether the EAP server can be
+ trusted. When performing server certificate validation,
+ implementations MUST provide support for the rules in [RFC5280] for
+ validating certificates against a known trust anchor. In addition,
+ implementations MUST support matching the realm portion of the peer's
+ NAI against a SubjectAltName of type dNSName within the server
+ certificate. However, in certain deployments, this might not be
+ turned on. Please note that in the case where the EAP authentication
+ is remote, the EAP server will not reside on the same machine as the
+ authenticator, and therefore, the name in the EAP server's
+ certificate cannot be expected to match that of the intended
+ destination. In this case, a more appropriate test might be whether
+ the EAP server's certificate is signed by a certification authority
+ (CA) controlling the intended domain and whether the authenticator
+ can be authorized by a server in that domain.
+
+7.7. Tunnel PAC Considerations
+
+ Since the Tunnel PAC is stored by the peer, special care should be
+ given to the overall security of the peer. The Tunnel PAC MUST be
+ securely stored by the peer to prevent theft or forgery of any of the
+ Tunnel PAC components. In particular, the peer MUST securely store
+ the PAC-Key and protect it from disclosure or modification.
+ Disclosure of the PAC-Key enables an attacker to establish the TEAP
+ tunnel; however, disclosure of the PAC-Key does not reveal the peer
+ or server identity or compromise any other peer's PAC credentials.
+ Modification of the PAC-Key or PAC-Opaque components of the Tunnel
+ PAC may also lead to denial of service as the tunnel establishment
+ will fail. The PAC-Opaque component is the effective TLS ticket
+ extension used to establish the tunnel using the techniques of
+ [RFC5077]. Thus, the security considerations defined by [RFC5077]
+
+
+
+Zhou, et al. Standards Track [Page 72]
+
+RFC 7170 TEAP May 2014
+
+
+ also apply to the PAC-Opaque. The PAC-Info may contain information
+ about the Tunnel PAC such as the identity of the PAC issuer and the
+ Tunnel PAC lifetime for use in the management of the Tunnel PAC. The
+ PAC-Info should be securely stored by the peer to protect it from
+ disclosure and modification.
+
+7.8. Security Claims
+
+ This section provides the needed security claim requirement for EAP
+ [RFC3748].
+
+ Auth. mechanism: Certificate-based, shared-secret-based, and
+ various tunneled authentication mechanisms.
+
+ Ciphersuite negotiation: Yes
+
+ Mutual authentication: Yes
+
+ Integrity protection: Yes. Any method executed within the TEAP
+ tunnel is integrity protected. The
+ cleartext EAP headers outside the tunnel are
+ not integrity protected.
+
+ Replay protection: Yes
+
+ Confidentiality: Yes
+
+ Key derivation: Yes
+
+ Key strength: See Note 1 below.
+
+ Dictionary attack prot.: Yes
+
+ Fast reconnect: Yes
+
+ Cryptographic binding: Yes
+
+ Session independence: Yes
+
+ Fragmentation: Yes
+
+ Key Hierarchy: Yes
+
+ Channel binding: Yes
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 73]
+
+RFC 7170 TEAP May 2014
+
+
+ Notes
+
+ 1. BCP 86 [RFC3766] offers advice on appropriate key sizes. The
+ National Institute for Standards and Technology (NIST) also
+ offers advice on appropriate key sizes in [NIST-SP-800-57].
+ [RFC3766], Section 5 advises use of the following required RSA or
+ DH (Diffie-Hellman) module and DSA (Digital Signature Algorithm)
+ subgroup size in bits for a given level of attack resistance in
+ bits. Based on the table below, a 2048-bit RSA key is required
+ to provide 112-bit equivalent key strength:
+
+ Attack Resistance RSA or DH Modulus DSA subgroup
+ (bits) size (bits) size (bits)
+ ----------------- ----------------- ------------
+ 70 947 129
+ 80 1228 148
+ 90 1553 167
+ 100 1926 186
+ 150 4575 284
+ 200 8719 383
+ 250 14596 482
+
+8. Acknowledgements
+
+ This specification is based on EAP-FAST [RFC4851], which included the
+ ideas and efforts of Nancy Cam-Winget, David McGrew, Joe Salowey, Hao
+ Zhou, Pad Jakkahalli, Mark Krischer, Doug Smith, and Glen Zorn of
+ Cisco Systems, Inc.
+
+ The TLV processing was inspired from work on the Protected Extensible
+ Authentication Protocol version 2 (PEAPv2) with Ashwin Palekar, Dan
+ Smith, Sean Turner, and Simon Josefsson.
+
+ The method for linking identity and proof-of-possession by placing
+ the tls-unique value in the challengePassword field of the CSR as
+ described in Section 3.8.2 was inspired by the technique described in
+ "Enrollment over Secure Transport" [RFC7030].
+
+ Helpful review comments were provided by Russ Housley, Jari Arkko,
+ Ilan Frenkel, Jeremy Steiglitz, Dan Harkins, Sam Hartman, Jim Schaad,
+ Barry Leiba, Stephen Farrell, Chris Lonvick, and Josh Howlett.
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 74]
+
+RFC 7170 TEAP May 2014
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
+ Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
+ 3748, June 2004.
+
+ [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
+ "Transport Layer Security (TLS) Session Resumption without
+ Server-Side State", RFC 5077, January 2008.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246, August 2008.
+
+ [RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
+ "Specification for the Derivation of Root Keys from an
+ Extended Master Session Key (EMSK)", RFC 5295, August
+ 2008.
+
+ [RFC5705] Rescorla, E., "Keying Material Exporters for Transport
+ Layer Security (TLS)", RFC 5705, March 2010.
+
+ [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
+ "Transport Layer Security (TLS) Renegotiation Indication
+ Extension", RFC 5746, February 2010.
+
+ [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
+ for TLS", RFC 5929, July 2010.
+
+ [RFC6677] Hartman, S., Clancy, T., and K. Hoeper, "Channel-Binding
+ Support for Extensible Authentication Protocol (EAP)
+ Methods", RFC 6677, July 2012.
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 75]
+
+RFC 7170 TEAP May 2014
+
+
+9.2. Informative References
+
+ [IEEE.802-1X.2013]
+ IEEE, "Local and Metropolitan Area Networks: Port-Based
+ Network Access Control", IEEE Standard 802.1X, December
+ 2013.
+
+ [NIST-SP-800-57]
+ National Institute of Standards and Technology,
+ "Recommendation for Key Management", NIST Special
+ Publication 800-57, July 2012.
+
+ [PEAP] Microsoft Corporation, "[MS-PEAP]: Protected Extensible
+ Authentication Protocol (PEAP)", February 2014.
+
+ [RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
+ Version 1.5", RFC 2315, March 1998.
+
+ [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
+ Classes and Attribute Types Version 2.0", RFC 2985,
+ November 2000.
+
+ [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
+ Request Syntax Specification Version 1.7", RFC 2986,
+ November 2000.
+
+ [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
+ Dial In User Service) Support For Extensible
+ Authentication Protocol (EAP)", RFC 3579, September 2003.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, November 2003.
+
+ [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
+ Public Keys Used For Exchanging Symmetric Keys", BCP 86,
+ RFC 3766, April 2004.
+
+ [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
+ Authentication Protocol (EAP) Method Requirements for
+ Wireless LANs", RFC 4017, March 2005.
+
+ [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
+ Authentication Protocol (EAP) Application", RFC 4072,
+ August 2005.
+
+ [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+
+
+
+Zhou, et al. Standards Track [Page 76]
+
+RFC 7170 TEAP May 2014
+
+
+ [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
+ Network Access Identifier", RFC 4282, December 2005.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
+
+ [RFC4851] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The
+ Flexible Authentication via Secure Tunneling Extensible
+ Authentication Protocol Method (EAP-FAST)", RFC 4851, May
+ 2007.
+
+ [RFC4945] Korver, B., "The Internet IP Security PKI Profile of IKEv1
+ /ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007.
+
+ [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication,
+ Authorization, and Accounting (AAA) Key Management", BCP
+ 132, RFC 4962, July 2007.
+
+ [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
+ Authentication Protocol (EAP) Key Management Framework",
+ RFC 5247, August 2008.
+
+ [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
+ (CMC)", RFC 5272, June 2008.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, May 2008.
+
+ [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication
+ Protocol Tunneled Transport Layer Security Authenticated
+ Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.
+
+ [RFC5421] Cam-Winget, N. and H. Zhou, "Basic Password Exchange
+ within the Flexible Authentication via Secure Tunneling
+ Extensible Authentication Protocol (EAP-FAST)", RFC 5421,
+ March 2009.
+
+ [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
+ RFC 5652, September 2009.
+
+ [RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication
+ Protocol (EAP) Authentication Using Only a Password", RFC
+ 5931, August 2010.
+
+ [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
+ Extension Definitions", RFC 6066, January 2011.
+
+
+
+Zhou, et al. Standards Track [Page 77]
+
+RFC 7170 TEAP May 2014
+
+
+ [RFC6124] Sheffer, Y., Zorn, G., Tschofenig, H., and S. Fluhrer, "An
+ EAP Authentication Method Based on the Encrypted Key
+ Exchange (EKE) Protocol", RFC 6124, February 2011.
+
+ [RFC6678] Hoeper, K., Hanna, S., Zhou, H., and J. Salowey,
+ "Requirements for a Tunnel-Based Extensible Authentication
+ Protocol (EAP) Method", RFC 6678, July 2012.
+
+ [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
+ Galperin, S., and C. Adams, "X.509 Internet Public Key
+ Infrastructure Online Certificate Status Protocol - OCSP",
+ RFC 6960, June 2013.
+
+ [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS)
+ Multiple Certificate Status Request Extension", RFC 6961,
+ June 2013.
+
+ [RFC7029] Hartman, S., Wasserman, M., and D. Zhang, "Extensible
+ Authentication Protocol (EAP) Mutual Cryptographic
+ Binding", RFC 7029, October 2013.
+
+ [RFC7030] Pritikin, M., Yee, P., and D. Harkins, "Enrollment over
+ Secure Transport", RFC 7030, October 2013.
+
+ [X.690] ITU-T, "ASN.1 encoding rules: Specification of Basic
+ Encoding Rules (BER), Canonical Encoding Rules (CER) and
+ Distinguished Encoding Rules (DER)", ITU-T Recommendation
+ X.690, November 2008.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 78]
+
+RFC 7170 TEAP May 2014
+
+
+Appendix A. Evaluation against Tunnel-Based EAP Method Requirements
+
+ This section evaluates all tunnel-based EAP method requirements
+ described in [RFC6678] against TEAP version 1.
+
+A.1. Requirement 4.1.1: RFC Compliance
+
+ TEAPv1 meets this requirement by being compliant with RFC 3748
+ [RFC3748], RFC 4017 [RFC4017], RFC 5247 [RFC5247], and RFC 4962
+ [RFC4962]. It is also compliant with the "cryptographic algorithm
+ agility" requirement by leveraging TLS 1.2 for all cryptographic
+ algorithm negotiation.
+
+A.2. Requirement 4.2.1: TLS Requirements
+
+ TEAPv1 meets this requirement by mandating TLS version 1.2 support as
+ defined in Section 3.2.
+
+A.3. Requirement 4.2.1.1.1: Ciphersuite Negotiation
+
+ TEAPv1 meets this requirement by using TLS to provide protected
+ ciphersuite negotiation.
+
+A.4. Requirement 4.2.1.1.2: Tunnel Data Protection Algorithms
+
+ TEAPv1 meets this requirement by mandating
+ TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory-to-implement ciphersuite
+ as defined in Section 3.2.
+
+A.5. Requirement 4.2.1.1.3: Tunnel Authentication and Key Establishment
+
+ TEAPv1 meets this requirement by mandating
+ TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory-to-implement ciphersuite
+ that provides certificate-based authentication of the server and is
+ approved by NIST. The mandatory-to-implement ciphersuites only
+ include ciphersuites that use strong cryptographic algorithms. They
+ do not include ciphersuites providing mutually anonymous
+ authentication or static Diffie-Hellman ciphersuites as defined in
+ Section 3.2.
+
+A.6. Requirement 4.2.1.2: Tunnel Replay Protection
+
+ TEAPv1 meets this requirement by using TLS to provide sufficient
+ replay protection.
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 79]
+
+RFC 7170 TEAP May 2014
+
+
+A.7. Requirement 4.2.1.3: TLS Extensions
+
+ TEAPv1 meets this requirement by allowing TLS extensions, such as TLS
+ Certificate Status Request extension [RFC6066] and SessionTicket
+ extension [RFC5077], to be used during TLS tunnel establishment.
+
+A.8. Requirement 4.2.1.4: Peer Identity Privacy
+
+ TEAPv1 meets this requirement by establishment of the TLS tunnel and
+ protection identities specific to the inner method. In addition, the
+ peer certificate can be sent confidentially (i.e., encrypted).
+
+A.9. Requirement 4.2.1.5: Session Resumption
+
+ TEAPv1 meets this requirement by mandating support of TLS session
+ resumption as defined in Section 3.2.1 and TLS session resume using a
+ PAC as defined in Section 3.2.2 .
+
+A.10. Requirement 4.2.2: Fragmentation
+
+ TEAPv1 meets this requirement by leveraging fragmentation support
+ provided by TLS as defined in Section 3.7.
+
+A.11. Requirement 4.2.3: Protection of Data External to Tunnel
+
+ TEAPv1 meets this requirement by including the TEAP version number
+ received in the computation of the Crypto-Binding TLV as defined in
+ Section 4.2.13.
+
+A.12. Requirement 4.3.1: Extensible Attribute Types
+
+ TEAPv1 meets this requirement by using an extensible TLV data layer
+ inside the tunnel as defined in Section 4.2.
+
+A.13. Requirement 4.3.2: Request/Challenge Response Operation
+
+ TEAPv1 meets this requirement by allowing multiple TLVs to be sent in
+ a single EAP request or response packet, while maintaining the half-
+ duplex operation typical of EAP.
+
+A.14. Requirement 4.3.3: Indicating Criticality of Attributes
+
+ TEAPv1 meets this requirement by having a mandatory bit in each TLV
+ to indicate whether it is mandatory to support or not as defined in
+ Section 4.2.
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 80]
+
+RFC 7170 TEAP May 2014
+
+
+A.15. Requirement 4.3.4: Vendor-Specific Support
+
+ TEAPv1 meets this requirement by having a Vendor-Specific TLV to
+ allow vendors to define their own attributes as defined in
+ Section 4.2.8.
+
+A.16. Requirement 4.3.5: Result Indication
+
+ TEAPv1 meets this requirement by having a Result TLV to exchange the
+ final result of the EAP authentication so both the peer and server
+ have a synchronized state as defined in Section 4.2.4.
+
+A.17. Requirement 4.3.6: Internationalization of Display Strings
+
+ TEAPv1 meets this requirement by supporting UTF-8 format in the
+ Basic-Password-Auth-Req TLV as defined in Section 4.2.14 and the
+ Basic-Password-Auth-Resp TLV as defined in Section 4.2.15.
+
+A.18. Requirement 4.4: EAP Channel-Binding Requirements
+
+ TEAPv1 meets this requirement by having a Channel-Binding TLV to
+ exchange the EAP channel-binding data as defined in Section 4.2.7.
+
+A.19. Requirement 4.5.1.1: Confidentiality and Integrity
+
+ TEAPv1 meets this requirement by running the password authentication
+ inside a protected TLS tunnel.
+
+A.20. Requirement 4.5.1.2: Authentication of Server
+
+ TEAPv1 meets this requirement by mandating authentication of the
+ server before establishment of the protected TLS and then running
+ inner password authentication as defined in Section 3.2.
+
+A.21. Requirement 4.5.1.3: Server Certificate Revocation Checking
+
+ TEAPv1 meets this requirement by supporting TLS Certificate Status
+ Request extension [RFC6066] during tunnel establishment.
+
+A.22. Requirement 4.5.2: Internationalization
+
+ TEAPv1 meets this requirement by supporting UTF-8 format in Basic-
+ Password-Auth-Req TLV as defined in Section 4.2.14 and Basic-
+ Password-Auth-Resp TLV as defined in Section 4.2.15.
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 81]
+
+RFC 7170 TEAP May 2014
+
+
+A.23. Requirement 4.5.3: Metadata
+
+ TEAPv1 meets this requirement by supporting Identity-Type TLV as
+ defined in Section 4.2.3 to indicate whether the authentication is
+ for a user or a machine.
+
+A.24. Requirement 4.5.4: Password Change
+
+ TEAPv1 meets this requirement by supporting multiple Basic-Password-
+ Auth-Req TLV and Basic-Password-Auth-Resp TLV exchanges within a
+ single EAP authentication, which allows "housekeeping"" functions
+ such as password change.
+
+A.25. Requirement 4.6.1: Method Negotiation
+
+ TEAPv1 meets this requirement by supporting inner EAP method
+ negotiation within the protected TLS tunnel.
+
+A.26. Requirement 4.6.2: Chained Methods
+
+ TEAPv1 meets this requirement by supporting inner EAP method chaining
+ within protected TLS tunnels as defined in Section 3.3.1.
+
+A.27. Requirement 4.6.3: Cryptographic Binding with the TLS Tunnel
+
+ TEAPv1 meets this requirement by supporting cryptographic binding of
+ the inner EAP method keys with the keys derived from the TLS tunnel
+ as defined in Section 4.2.13.
+
+A.28. Requirement 4.6.4: Peer-Initiated EAP Authentication
+
+ TEAPv1 meets this requirement by supporting the Request-Action TLV as
+ defined in Section 4.2.9 to allow a peer to initiate another inner
+ EAP method.
+
+A.29. Requirement 4.6.5: Method Metadata
+
+ TEAPv1 meets this requirement by supporting the Identity-Type TLV as
+ defined in Section 4.2.3 to indicate whether the authentication is
+ for a user or a machine.
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 82]
+
+RFC 7170 TEAP May 2014
+
+
+Appendix B. Major Differences from EAP-FAST
+
+ This document is a new standard tunnel EAP method based on revision
+ of EAP-FAST version 1 [RFC4851] that contains improved flexibility,
+ particularly for negotiation of cryptographic algorithms. The major
+ changes are:
+
+ 1. The EAP method name has been changed from EAP-FAST to TEAP; this
+ change thus requires that a new EAP Type be assigned.
+
+ 2. This version of TEAP MUST support TLS 1.2 [RFC5246].
+
+ 3. The key derivation now makes use of TLS keying material exporters
+ [RFC5705] and the PRF and hash function negotiated in TLS. This
+ is to simplify implementation and better support cryptographic
+ algorithm agility.
+
+ 4. TEAP is in full conformance with TLS ticket extension [RFC5077]
+ as described in Section 3.2.2.
+
+ 5. Support is provided for passing optional Outer TLVs in the first
+ two message exchanges, in addition to the Authority-ID TLV data
+ in EAP-FAST.
+
+ 6. Basic password authentication on the TLV level has been added in
+ addition to the existing inner EAP method.
+
+ 7. Additional TLV types have been defined to support EAP channel
+ binding and metadata. They are the Identity-Type TLV and
+ Channel-Binding TLVs, defined in Section 4.2.
+
+Appendix C. Examples
+
+C.1. Successful Authentication
+
+ The following exchanges show a successful TEAP authentication with
+ basic password authentication and optional PAC refreshment. The
+ conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID1) ->
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 83]
+
+RFC 7170 TEAP May 2014
+
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello with
+ PAC-Opaque in SessionTicket extension)->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ TLS channel established
+ (messages sent within the TLS channel)
+
+ <- Basic-Password-Auth-Req TLV, Challenge
+
+ Basic-Password-Auth-Resp TLV, Response with both
+ username and password) ->
+
+ optional additional exchanges (new pin mode,
+ password change, etc.) ...
+
+ <- Crypto-Binding TLV (Request),
+ Result TLV (Success),
+ (Optional PAC TLV)
+
+ Crypto-Binding TLV(Response),
+ Result TLV (Success),
+ (PAC-Acknowledgement TLV) ->
+
+ TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 84]
+
+RFC 7170 TEAP May 2014
+
+
+C.2. Failed Authentication
+
+ The following exchanges show a failed TEAP authentication due to
+ wrong user credentials. The conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/Identity
+
+ EAP-Response/
+ Identity (MyID1) ->
+
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello with
+ PAC-Opaque in SessionTicket extension)->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ TLS channel established
+ (messages sent within the TLS channel)
+
+ <- Basic-Password-Auth-Req TLV, Challenge
+
+ Basic-Password-Auth-Resp TLV, Response with both
+ username and password) ->
+
+ <- Result TLV (Failure)
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 85]
+
+RFC 7170 TEAP May 2014
+
+
+ Result TLV (Failure) ->
+
+ TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Failure
+
+C.3. Full TLS Handshake Using Certificate-Based Ciphersuite
+
+ In the case within TEAP Phase 1 where an abbreviated TLS handshake is
+ tried, fails, and falls back to the certificate-based full TLS
+ handshake, the conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/Identity
+ EAP-Response/
+ Identity (MyID1) ->
+
+ // Identity sent in the clear. May be a hint to help route
+ the authentication request to EAP server, instead of the
+ full user identity.
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello with
+ PAC-Opaque in SessionTicket extension)->
+
+ // Peer sends PAC-Opaque of Tunnel PAC along with a list of
+ ciphersuites supported. If the server rejects the PAC-
+ Opaque, it falls through to the full TLS handshake.
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 86]
+
+RFC 7170 TEAP May 2014
+
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ ([TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ EAP-Payload-TLV[EAP-Request/
+ Identity])
+
+ // TLS channel established
+ (messages sent within the TLS channel)
+
+ // First EAP Payload TLV is piggybacked to the TLS Finished as
+ Application Data and protected by the TLS tunnel.
+
+ EAP-Payload-TLV
+ [EAP-Response/Identity (MyID2)]->
+
+ // identity protected by TLS.
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X] ->
+
+ // Method X exchanges followed by Protected Termination
+
+ <- Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Response),
+ Result-TLV (Success) ->
+
+ // TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 87]
+
+RFC 7170 TEAP May 2014
+
+
+C.4. Client Authentication during Phase 1 with Identity Privacy
+
+ In the case where a certificate-based TLS handshake occurs within
+ TEAP Phase 1 and client certificate authentication and identity
+ privacy is desired (and therefore TLS renegotiation is being used to
+ transmit the peer credentials in the protected TLS tunnel), the
+ conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/Identity
+ EAP-Response/
+ Identity (MyID1) ->
+
+ // Identity sent in the clear. May be a hint to help route
+ the authentication request to EAP server, instead of the
+ full user identity.
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello)->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_key_exchange,
+ TLS change_cipher_spec,
+ TLS finished) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ EAP-Payload-TLV[EAP-Request/
+ Identity])
+
+ // TLS channel established
+ (EAP Payload messages sent within the TLS channel)
+
+ // peer sends TLS client_hello to request TLS renegotiation
+
+
+
+
+Zhou, et al. Standards Track [Page 88]
+
+RFC 7170 TEAP May 2014
+
+
+ TLS client_hello ->
+
+ <- TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done
+ [TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished ->
+
+ <- TLS change_cipher_spec,
+ TLS finished,
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Crypto-Binding TLV (Response),
+ Result-TLV (Success)) ->
+
+ //TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+C.5. Fragmentation and Reassembly
+
+ In the case where TEAP fragmentation is required, the conversation
+ will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello)->
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 89]
+
+RFC 7170 TEAP May 2014
+
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+ (Fragment 1: L, M bits set)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (Fragment 2: M bit set)
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (Fragment 3)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ ([TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished)
+ (Fragment 1: L, M bits set)->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (Fragment 2)->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ [EAP-Payload-TLV[
+ EAP-Request/Identity]])
+
+ // TLS channel established
+ (messages sent within the TLS channel)
+
+ // First EAP Payload TLV is piggybacked to the TLS Finished as
+ Application Data and protected by the TLS tunnel.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 90]
+
+RFC 7170 TEAP May 2014
+
+
+ EAP-Payload-TLV
+ [EAP-Response/Identity (MyID2)]->
+
+ // identity protected by TLS.
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X] ->
+
+ // Method X exchanges followed by Protected Termination
+
+ <- Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Response),
+ Result-TLV (Success) ->
+
+ // TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+C.6. Sequence of EAP Methods
+
+ When TEAP is negotiated with a sequence of EAP method X followed by
+ method Y, the conversation will occur as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID1) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello)->
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 91]
+
+RFC 7170 TEAP May 2014
+
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ ([TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ Identity-Type TLV,
+ EAP-Payload-TLV[
+ EAP-Request/Identity])
+
+ // TLS channel established
+ (messages sent within the TLS channel)
+
+ // First EAP Payload TLV is piggybacked to the TLS Finished as
+ Application Data and protected by the TLS tunnel
+
+ Identity_Type TLV
+ EAP-Payload-TLV
+ [EAP-Response/Identity] ->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X] ->
+
+ // Optional additional X Method exchanges...
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X]->
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 92]
+
+RFC 7170 TEAP May 2014
+
+
+ <- Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Request),
+ Identity-Type TLV,
+ EAP Payload TLV [EAP-Type=Y],
+
+ // Next EAP conversation started after successful completion
+ of previous method X. The Intermediate-Result and Crypto-
+ Binding TLVs are sent in next packet to minimize round
+ trips. In this example, an identity request is not sent
+ before negotiating EAP-Type=Y.
+
+ // Compound MAC calculated using keys generated from
+ EAP method X and the TLS tunnel.
+
+ Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Response),
+ EAP-Payload-TLV [EAP-Type=Y] ->
+
+ // Optional additional Y Method exchanges...
+
+ <- EAP Payload TLV [
+ EAP-Type=Y]
+
+ EAP Payload TLV
+ [EAP-Type=Y] ->
+
+ <- Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Response),
+ Result-TLV (Success) ->
+
+ // Compound MAC calculated using keys generated from EAP
+ methods X and Y and the TLS tunnel. Compound keys are
+ generated using keys generated from EAP methods X and Y
+ and the TLS tunnel.
+
+ // TLS channel torn down (messages sent in cleartext)
+
+ <- EAP-Success
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 93]
+
+RFC 7170 TEAP May 2014
+
+
+C.7. Failed Crypto-Binding
+
+ The following exchanges show a failed crypto-binding validation. The
+ conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID1) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello without
+ PAC-Opaque in SessionTicket extension)->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS Server Key Exchange
+ TLS Server Hello Done)
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+ (TLS Client Key Exchange
+ TLS change_cipher_spec,
+ TLS finished)
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec
+ TLS finished)
+ EAP-Payload-TLV[
+ EAP-Request/Identity])
+
+ // TLS channel established
+ (messages sent within the TLS channel)
+
+ // First EAP Payload TLV is piggybacked to the TLS Finished as
+ Application Data and protected by the TLS tunnel.
+
+ EAP-Payload TLV/
+ EAP Identity Response ->
+
+ <- EAP Payload TLV, EAP-Request,
+ (EAP-MSCHAPV2, Challenge)
+
+
+
+
+Zhou, et al. Standards Track [Page 94]
+
+RFC 7170 TEAP May 2014
+
+
+ EAP Payload TLV, EAP-Response,
+ (EAP-MSCHAPV2, Response) ->
+
+ <- EAP Payload TLV, EAP-Request,
+ (EAP-MSCHAPV2, Success Request)
+
+ EAP Payload TLV, EAP-Response,
+ (EAP-MSCHAPV2, Success Response) ->
+
+ <- Intermediate-Result-TLV (Success),
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Intermediate-Result-TLV (Success),
+ Result TLV (Failure)
+ Error TLV with
+ (Error Code = 2001) ->
+
+ // TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Failure
+
+C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange
+
+ When TEAP is negotiated with a sequence of EAP methods followed by a
+ Vendor-Specific TLV exchange, the conversation will occur as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID1) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello)->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+
+
+
+Zhou, et al. Standards Track [Page 95]
+
+RFC 7170 TEAP May 2014
+
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ ([TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished) ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ EAP-Payload-TLV[
+ EAP-Request/Identity])
+
+ // TLS channel established
+ (messages sent within the TLS channel)
+
+ // First EAP Payload TLV is piggybacked to the TLS Finished as
+ Application Data and protected by the TLS tunnel.
+
+ EAP-Payload-TLV
+ [EAP-Response/Identity] ->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X] ->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X]->
+
+ <- Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Request),
+ Vendor-Specific TLV,
+
+ // Vendor-Specific TLV exchange started after successful
+ completion of previous method X. The Intermediate-Result
+ and Crypto-Binding TLVs are sent with Vendor-Specific TLV
+ in next packet to minimize round trips.
+
+ // Compound MAC calculated using keys generated from
+ EAP method X and the TLS tunnel.
+
+
+
+
+
+Zhou, et al. Standards Track [Page 96]
+
+RFC 7170 TEAP May 2014
+
+
+ Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Response),
+ Vendor-Specific TLV ->
+
+ // Optional additional Vendor-Specific TLV exchanges...
+
+ <- Vendor-Specific TLV
+
+ Vendor-Specific TLV ->
+ <- Result TLV (Success)
+
+ Result-TLV (Success) ->
+
+ // TLS channel torn down (messages sent in cleartext)
+
+ <- EAP-Success
+
+C.9. Peer Requests Inner Method after Server Sends Result TLV
+
+ In the case where the peer is authenticated during Phase 1 and the
+ server sends back a Result TLV but the peer wants to request another
+ inner method, the conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/Identity
+ EAP-Response/
+ Identity (MyID1) ->
+
+ // Identity sent in the clear. May be a hint to help route
+ the authentication request to EAP server, instead of the
+ full user identity.
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello)->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ TLS certificate,
+ [TLS server_key_exchange,]
+ [TLS certificate_request,]
+ TLS server_hello_done)
+
+
+
+
+
+Zhou, et al. Standards Track [Page 97]
+
+RFC 7170 TEAP May 2014
+
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ [TLS certificate,]
+ TLS client_key_exchange,
+ [TLS certificate_verify,]
+ TLS change_cipher_spec,
+ TLS finished ->
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS change_cipher_spec,
+ TLS finished,
+ Crypto-Binding TLV (Request),
+ Result TLV (Success))
+
+ // TLS channel established
+ (TLV Payload messages sent within the TLS channel)
+
+ Crypto-Binding TLV(Response),
+ Request-Action TLV
+ (Status=Failure, Action=Negotiate-EAP)->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/Identity]
+
+ EAP-Payload-TLV
+ [EAP-Response/Identity] ->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X] ->
+
+ <- EAP-Payload-TLV
+ [EAP-Request/EAP-Type=X]
+
+ EAP-Payload-TLV
+ [EAP-Response/EAP-Type=X]->
+
+ <- Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Request),
+ Result TLV (Success)
+
+ Intermediate Result TLV (Success),
+ Crypto-Binding TLV (Response),
+ Result-TLV (Success)) ->
+
+
+
+
+
+Zhou, et al. Standards Track [Page 98]
+
+RFC 7170 TEAP May 2014
+
+
+ // TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+C.10. Channel Binding
+
+ The following exchanges show a successful TEAP authentication with
+ basic password authentication and channel binding using a Request-
+ Action TLV. The conversation will appear as follows:
+
+ Authenticating Peer Authenticator
+ ------------------- -------------
+ <- EAP-Request/
+ Identity
+ EAP-Response/
+ Identity (MyID1) ->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TEAP Start, S bit set, Authority-ID)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1
+ (TLS client_hello with
+ PAC-Opaque in SessionTicket extension)->
+
+ <- EAP-Request/
+ EAP-Type=TEAP, V=1
+ (TLS server_hello,
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ EAP-Response/
+ EAP-Type=TEAP, V=1 ->
+ (TLS change_cipher_spec,
+ TLS finished)
+
+ TLS channel established
+ (messages sent within the TLS channel)
+
+ <- Basic-Password-Auth-Req TLV, Challenge
+
+ Basic-Password-Auth-Resp TLV, Response with both
+ username and password) ->
+
+ optional additional exchanges (new pin mode,
+ password change, etc.) ...
+
+
+
+Zhou, et al. Standards Track [Page 99]
+
+RFC 7170 TEAP May 2014
+
+
+ <- Crypto-Binding TLV (Request),
+ Result TLV (Success),
+
+ Crypto-Binding TLV(Response),
+ Request-Action TLV
+ (Status=Failure, Action=Process-TLV,
+ TLV=Channel-Binding TLV)->
+
+ <- Channel-Binding TLV (Response),
+ Result TLV (Success),
+
+ Result-TLV (Success) ->
+
+ TLS channel torn down
+ (messages sent in cleartext)
+
+ <- EAP-Success
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 100]
+
+RFC 7170 TEAP May 2014
+
+
+Authors' Addresses
+
+ Hao Zhou
+ Cisco Systems
+ 4125 Highlander Parkway
+ Richfield, OH 44286
+ US
+
+ EMail: hzhou@cisco.com
+
+
+ Nancy Cam-Winget
+ Cisco Systems
+ 3625 Cisco Way
+ San Jose, CA 95134
+ US
+
+ EMail: ncamwing@cisco.com
+
+
+ Joseph Salowey
+ Cisco Systems
+ 2901 3rd Ave
+ Seattle, WA 98121
+ US
+
+ EMail: jsalowey@cisco.com
+
+
+ Stephen Hanna
+ Infineon Technologies
+ 79 Parsons Street
+ Brighton, MA 02135
+ US
+
+ EMail: steve.hanna@infineon.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhou, et al. Standards Track [Page 101]
+