summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4017.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc4017.txt')
-rw-r--r--doc/rfc/rfc4017.txt619
1 files changed, 619 insertions, 0 deletions
diff --git a/doc/rfc/rfc4017.txt b/doc/rfc/rfc4017.txt
new file mode 100644
index 0000000..63197b2
--- /dev/null
+++ b/doc/rfc/rfc4017.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group D. Stanley
+Request for Comments: 4017 Agere Systems
+Category: Informational J. Walker
+ Intel Corporation
+ B. Aboba
+ Microsoft Corporation
+ March 2005
+
+
+ Extensible Authentication Protocol (EAP) Method Requirements
+ for Wireless LANs
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+Abstract
+
+ The IEEE 802.11i MAC Security Enhancements Amendment makes use of
+ IEEE 802.1X, which in turn relies on the Extensible Authentication
+ Protocol (EAP). This document defines requirements for EAP methods
+ used in IEEE 802.11 wireless LAN deployments. The material in this
+ document has been approved by IEEE 802.11 and is being presented as
+ an IETF RFC for informational purposes.
+
+Table of Contents
+
+ 1. Introduction ................................................. 2
+ 1.1. Requirements Specification ............................. 2
+ 1.2. Terminology ............................................ 2
+ 2. Method Requirements .......................................... 3
+ 2.1. Credential Types ....................................... 3
+ 2.2. Mandatory Requirements ................................. 4
+ 2.3. Recommended Requirements ............................... 5
+ 2.4. Optional Features ...................................... 5
+ 2.5. Non-compliant EAP Authentication Methods ............... 5
+ 3. Security Considerations ...................................... 6
+ 4. References ................................................... 8
+ Acknowledgments .................................................. 9
+ Authors' Addresses ............................................... 10
+ Full Copyright Statement ......................................... 11
+
+
+
+
+Stanley, et al. Informational [Page 1]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+1. Introduction
+
+ The IEEE 802.11i MAC Security Enhancements Amendment [IEEE802.11i]
+ makes use of IEEE 802.1X [IEEE802.1X], which in turn relies on the
+ Extensible Authentication Protocol (EAP), defined in [RFC3748].
+
+ Today, deployments of IEEE 802.11 wireless LANs are based on EAP and
+ use several EAP methods, including EAP-TLS [RFC2716], EAP-TTLS
+ [TTLS], PEAP [PEAP], and EAP-SIM [EAPSIM]. These methods support
+ authentication credentials that include digital certificates, user-
+ names and passwords, secure tokens, and SIM secrets.
+
+ This document defines requirements for EAP methods used in IEEE
+ 802.11 wireless LAN deployments. EAP methods claiming conformance to
+ the IEEE 802.11 EAP method requirements for wireless LANs must
+ complete IETF last call review.
+
+1.1. Requirements Specification
+
+ In this document, several words are used to signify the requirements
+ of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
+ "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
+ and "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ An EAP authentication method is not compliant with this specification
+ if it fails to satisfy one or more of the MUST or MUST NOT
+ requirements. An EAP authentication method that satisfies all the
+ MUST, MUST NOT, SHOULD, and SHOULD NOT requirements is said to be
+ "unconditionally compliant"; one that satisfies all the MUST and MUST
+ NOT requirements but not all the SHOULD or SHOULD NOT requirements is
+ said to be "conditionally compliant".
+
+1.2. Terminology
+
+ authenticator
+ The end of the link initiating EAP authentication. The term
+ authenticator is used in [IEEE802.1X], and authenticator has the
+ same meaning in this document.
+
+ peer
+ The end of the link that responds to the authenticator. In
+ [IEEE802.1X], this end is known as the supplicant.
+
+ Supplicant
+ The end of the link that responds to the authenticator in
+ [IEEE802.1X].
+
+
+
+
+Stanley, et al. Informational [Page 2]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+ backend authentication server
+ A backend authentication server is an entity that provides an
+ authentication service to an authenticator. When used, this
+ server typically executes EAP methods for the authenticator. This
+ terminology is also used in [IEEE802.1X].
+
+ EAP server
+ The entity that terminates the EAP authentication method with the
+ peer. In the case where no backend authentication server is used,
+ the EAP server is part of the authenticator. In the case where
+ the authenticator operates in pass-through mode, the EAP server is
+ located on the backend authentication server.
+
+ Master Session Key (MSK)
+ Keying material that is derived between the EAP peer and server
+ and exported by the EAP method. The MSK is at least 64 octets in
+ length. In existing implementations, an AAA server acting as an
+ EAP server transports the MSK to the authenticator.
+
+ Extended Master Session Key (EMSK)
+ Additional keying material derived between the EAP client and
+ server that is exported by the EAP method. The EMSK is at least
+ 64 octets in length. The EMSK is not shared with the
+ authenticator or any other third party. The EMSK is reserved for
+ future uses that are not yet defined.
+
+ 4-Way Handshake
+ A pairwise Authentication and Key Management Protocol (AKMP)
+ defined in [IEEE802.11i], which confirms mutual possession of a
+ Pairwise Master Key by two parties and distributes a Group Key.
+
+2. Method Requirements
+
+2.1. Credential Types
+
+ The IEEE 802.11i MAC Security Enhancements Amendment requires that
+ EAP authentication methods be available. Wireless LAN deployments
+ are expected to use different credential types, including digital
+ certificates, user-names and passwords, existing secure tokens, and
+ mobile network credentials (GSM and UMTS secrets). Other credential
+ types that may be used include public/private key (without
+ necessarily requiring certificates) and asymmetric credential support
+ (such as password on one side, public/private key on the other).
+
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 3]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+2.2. Mandatory Requirements
+
+ EAP authentication methods suitable for use in wireless LAN
+ authentication MUST satisfy the following criteria:
+
+ [1] Generation of symmetric keying material. This corresponds to
+ the "Key derivation" security claim defined in [RFC3748],
+ Section 7.2.1.
+
+ [2] Key strength. An EAP method suitable for use with IEEE 802.11
+ MUST be capable of generating keying material with 128-bits of
+ effective key strength, as defined in [RFC3748], Section 7.2.1.
+ As noted in [RFC3748], Section 7.10, an EAP method supporting
+ key derivation MUST export a Master Session Key (MSK) of at
+ least 64 octets, and an Extended Master Session Key (EMSK) of at
+ least 64 octets.
+
+ [3] Mutual authentication support. This corresponds to the "Mutual
+ authentication" security claim defined in [RFC3748], Section
+ 7.2.1.
+
+ [4] Shared state equivalence. The shared EAP method state of the
+ EAP peer and server must be equivalent when the EAP method is
+ successfully completed on both sides. This includes the
+ internal state of the authentication protocol but not the state
+ external to the EAP method, such as the negotiation occurring
+ prior to initiation of the EAP method. The exact state
+ attributes that are shared may vary from method to method, but
+ typically include the method version number, the credentials
+ presented and accepted by both parties, the cryptographic keys
+ shared, and the EAP method specific attributes negotiated, such
+ as ciphersuites and limitations of usage on all protocol state.
+ Both parties must be able to distinguish this instance of the
+ protocol from all other instances of the protocol, and they must
+ share the same view regarding which state attributes are public
+ and which are private to the two parties alone. The server must
+ obtain the authenticated peer name, and the peer must obtain the
+ authenticated server name (if the authenticated server name is
+ available).
+
+ [5] Resistance to dictionary attacks. This corresponds to the
+ "Dictionary attack resistance" security claim defined in
+ [RFC3748], Section 7.2.1.
+
+ [6] Protection against man-in-the-middle attacks. This corresponds
+ to the "Cryptographic binding", "Integrity protection", "Replay
+ protection", and "Session independence" security claims defined
+ in [RFC3748], Section 7.2.1.
+
+
+
+Stanley, et al. Informational [Page 4]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+ [7] Protected ciphersuite negotiation. If the method negotiates the
+ ciphersuite used to protect the EAP conversation, then it MUST
+ support the "Protected ciphersuite negotiation" security claim
+ defined in [RFC3748], Section 7.2.1.
+
+2.3. Recommended Requirements
+
+ EAP authentication methods used for wireless LAN authentication
+ SHOULD support the following features:
+
+ [8] Fragmentation. This implies support for the "Fragmentation"
+ claim defined in [RFC3748], Section 7.2.1. [RFC3748], Section
+ 3.1 states: "EAP methods can assume a minimum EAP MTU of 1020
+ octets, in the absence of other information. EAP methods SHOULD
+ include support for fragmentation and reassembly if their
+ payloads can be larger than this minimum EAP MTU."
+
+ [9] End-user identity hiding. This corresponds to the
+ "Confidentiality" security claim defined in [RFC3748], Section
+ 7.2.1.
+
+2.4. Optional Features
+
+ EAP authentication methods used for wireless LAN authentication MAY
+ support the following features:
+
+ [10] Channel binding. This corresponds to the "Channel binding"
+ security claim defined in [RFC3748], Section 7.2.1.
+
+ [11] Fast reconnect. This corresponds to the "Fast reconnect"
+ security claim defined in [RFC3748], Section 7.2.1.
+
+2.5. Non-compliant EAP Authentication Methods
+
+ EAP-MD5-Challenge (the current mandatory-to-implement EAP
+ authentication method), is defined in [RFC3748], Section 5.4. As
+ defined in [RFC3748], EAP-MD5-Challenge, One-Time Password (Section
+ 5.5), and Generic Token Card (Section 5.6) are non-compliant with the
+ requirements specified in this document. As noted in [RFC3748],
+ these methods do not support any of the mandatory requirements
+ defined in Section 2.2, including key derivation and mutual
+ authentication. In addition, these methods do not support any of the
+ recommended features defined in Section 2.3 or any of the optional
+ features defined in Section 2.4.
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 5]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+3. Security Considerations
+
+ Within [IEEE802.11i], EAP is used for both authentication and key
+ exchange between the EAP peer and server. Given that wireless local
+ area networks provide ready access to an attacker within range, EAP
+ usage within [IEEE802.11i] is subject to the threats outlined in
+ [RFC3748], Section 7.1. Security considerations relating to EAP are
+ discussed in [RFC3748], Sections 7; where an authentication server is
+ utilized, the security considerations described in [RFC3579], Section
+ 4, will apply.
+
+ The system security properties required to address the threats
+ described in [RFC3748], Section 7.1, are noted in [Housley56]. In
+ the material below, the requirements articulated in [Housley56] are
+ listed, along with the corresponding recommendations.
+
+ Algorithm independence
+ Requirement: "Wherever cryptographic algorithms are chosen, the
+ algorithms must be negotiable, in order to provide resilience
+ against compromise of a particular cryptographic algorithm."
+
+ This issue is addressed by mandatory requirement [7] in Section
+ 2.2. Algorithm independence is one of the EAP invariants
+ described in [KEYFRAME].
+
+ Strong, fresh session keys
+ Requirement: "Session keys must be demonstrated to be strong and
+ fresh in all circumstances, while at the same time retaining
+ algorithm independence."
+
+ Key strength is addressed by mandatory requirement [2] in Section
+ 2.2. Recommendations for ensuring the Freshness of keys derived
+ by EAP methods are discussed in [RFC3748], Section 7.10.
+
+ Replay protection
+ Requirement: "All protocol exchanges must be replay protected."
+
+ This is addressed by mandatory requirement [6] in Section 2.2.
+
+ Authentication
+ Requirements: "All parties need to be authenticated. The
+ confidentiality of the authenticator must be maintained. No
+ plaintext passwords are allowed."
+
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 6]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+ Mutual authentication is required as part of mandatory requirement
+ [3] in Section 2.2. Identity protection is a recommended
+ capability, described in requirement [9] in Section 2.3. EAP does
+ not support plaintext passwords, as noted in [RFC3748], Section
+ 7.14.
+
+ Authorization
+ Requirement: "EAP peer and authenticator authorization must be
+ performed."
+
+ Authorization issues are discussed in [RFC3748], Sections 1.2 and
+ 7.16. Authentication, Authorization, and Accounting (AAA)
+ protocols such as RADIUS [RFC2865][RFC3579] may be used to enable
+ authorization of EAP peers by a central authority. AAA
+ authorization issues are discussed in [RFC3579], Sections 2.6.3
+ and 4.3.7.
+
+ Session keys
+ Requirement: "Confidentiality of session keys must be maintained."
+
+ Issues relating to Key Derivation are described in [RFC3748],
+ Section 7.10, as well as in [KEYFRAME].
+
+ Ciphersuite negotiation
+ Requirement: "The selection of the "best" ciphersuite must be
+ securely confirmed."
+
+ This is addressed in mandatory requirement [7] in Section 2.2.
+
+ Unique naming
+ Requirement: "Session keys must be uniquely named."
+
+ Key naming issues are addressed in [KEYFRAME].
+
+ Domino effect
+ Requirement: "Compromise of a single authenticator cannot
+ compromise any other part of the system, including session keys
+ and long-term secrets."
+
+ This issue is addressed by mandatory requirement [6] in Section
+ 2.2.
+
+ Key binding
+ Requirement: "The key must be bound to the appropriate context."
+
+ This issue is addressed in optional requirement [10] in Section
+ 2.4. Channel binding is also discussed in Section 7.15 of
+ [RFC3748] and Section 4.3.7 of [RFC3579].
+
+
+
+Stanley, et al. Informational [Page 7]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+4. References
+
+4.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote
+ Authentication Dial In User Service) Support For
+ Extensible Authentication Protocol (EAP)", RFC 3579,
+ September 2003.
+
+ [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
+ H. Levkowetz, "Extensible Authentication Protocol
+ (EAP)", RFC 3748, June 2004.
+
+ [802.11] Information technology - Telecommunications and
+ information exchange between systems - Local and
+ metropolitan area networks - Specific Requirements Part
+ 11: Wireless LAN Medium Access Control (MAC) and
+ Physical Layer (PHY) Specifications, IEEE Std. 802.11-
+ 2003, 2003.
+
+ [IEEE802.1X] IEEE Standards for Local and Metropolitan Area
+ Networks: Port based Network Access Control, IEEE Std
+ 802.1X-2004, December 2004.
+
+ [IEEE802.11i] Institute of Electrical and Electronics Engineers,
+ "Supplement to Standard for Telecommunications and
+ Information Exchange Between Systems - LAN/MAN Specific
+ Requirements - Part 11: Wireless LAN Medium Access
+ Control (MAC) and Physical Layer (PHY) Specifications:
+ Specification for Enhanced Security", IEEE 802.11i,
+ July 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 8]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+4.2. Informative References
+
+ [Housley56] Housley, R., "Key Management in AAA", Presentation to
+ the AAA WG at IETF 56,
+ http://www.ietf.org/proceedings/03mar/slides/aaa-
+ 5/index.html, March 2003.
+
+ [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication
+ Protocol", RFC 2716, October 1999.
+
+ [PEAP] Palekar, A., et al., "Protected EAP Protocol (PEAP)",
+ Work in Progress, July 2004.
+
+ [TTLS] Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS
+ Authentication Protocol (EAP-TTLS)", Work in Progress,
+ August 2004.
+
+ [EAPSIM] Haverinen, H. and J. Salowey, "EAP SIM Authentication",
+ Work in Progress, April 2004.
+
+ [KEYFRAME] Aboba, B., et al., "EAP Key Management Framework", Work
+ in Progress, July 2004.
+
+Acknowledgements
+
+ The authors would like to acknowledge contributions to this document
+ from members of the IEEE 802.11i Task Group, including Russ Housley
+ of Vigil Security, David Nelson of Enterasys Networks and Clint
+ Chaplin of Symbol Technologies, as well as members of the EAP WG
+ including Joe Salowey of Cisco Systems, Pasi Eronen of Nokia, Jari
+ Arkko of Ericsson, and Florent Bersani of France Telecom.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 9]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+Authors' Addresses
+
+ Dorothy Stanley
+ Agere Systems
+ 2000 North Naperville Rd.
+ Naperville, IL 60566
+
+ Phone: +1 630 979 1572
+ EMail: dstanley@agere.com
+
+
+ Jesse R. Walker
+ Intel Corporation
+ 2111 N.E. 25th Avenue
+ Hillsboro, OR 97214
+
+ EMail: jesse.walker@intel.com
+
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: +1 425 818 4011
+ Fax: +1 425 936 7329
+ EMail: bernarda@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 10]
+
+RFC 4017 EAP Method Requirements for Wireless LANs March 2005
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2005).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Stanley, et al. Informational [Page 11]
+