diff options
Diffstat (limited to 'doc/rfc/rfc4763.txt')
-rw-r--r-- | doc/rfc/rfc4763.txt | 2579 |
1 files changed, 2579 insertions, 0 deletions
diff --git a/doc/rfc/rfc4763.txt b/doc/rfc/rfc4763.txt new file mode 100644 index 0000000..a72db85 --- /dev/null +++ b/doc/rfc/rfc4763.txt @@ -0,0 +1,2579 @@ + + + + + + +Network Working Group M. Vanderveen +Request for Comments: 4763 H. Soliman +Category: Informational Qualcomm Flarion Technologies + November 2006 + + + Extensible Authentication Protocol Method for + Shared-secret Authentication and Key Establishment (EAP-SAKE) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2006). + +IESG Note + + This RFC is not a candidate for any level of Internet Standard. The + IETF disclaims any knowledge of the fitness of this RFC for any + purpose and in particular notes that the decision to publish is not + based on IETF review for such things as security, congestion control, + or inappropriate interaction with deployed protocols. The RFC Editor + has chosen to publish this document at its discretion. Readers of + this document should exercise caution in evaluating its value for + implementation and deployment. See RFC 3932 for more information. + +Abstract + + This document specifies an Extensible Authentication Protocol (EAP) + mechanism for Shared-secret Authentication and Key Establishment + (SAKE). This RFC is published as documentation for the IANA + assignment of an EAP Type for a vendor's EAP method per RFC 3748. + The specification has passed Designated Expert review for this IANA + assignment. + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 1] + +RFC 4763 EAP-SAKE November 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Terminology .....................................................3 + 3. Protocol Description ............................................4 + 3.1. Overview and Motivation of EAP-SAKE ........................4 + 3.2. Protocol Operation .........................................5 + 3.2.1. Successful Exchange .................................5 + 3.2.2. Authentication Failure ..............................7 + 3.2.3. Identity Management ................................11 + 3.2.4. Obtaining Peer Identity ............................11 + 3.2.5. Key Hierarchy ......................................13 + 3.2.6. Key Derivation .....................................15 + 3.2.7. Ciphersuite Negotiation ............................17 + 3.2.8. Message Integrity and Encryption ...................17 + 3.2.9. Fragmentation ......................................21 + 3.2.10. Error Cases .......................................21 + 3.3. Message Formats ...........................................22 + 3.3.1. Message Format Summary .............................22 + 3.3.2. Attribute Format ...................................23 + 3.3.3. Use of AT_ENCR_DATA Attribute ......................25 + 3.3.4. EAP.Request/SAKE/Challenge Format ..................26 + 3.3.5. EAP.Response/SAKE/Challenge Format .................28 + 3.3.6. EAP.Request/SAKE/Confirm Format ....................30 + 3.3.7. EAP.Response/SAKE/Confirm Format ...................32 + 3.3.8. EAP.Response/SAKE/Auth-Reject Format ...............33 + 3.3.9. EAP.Request/SAKE/Identity Format ...................34 + 3.3.10. EAP.Response/SAKE/Identity Format .................36 + 3.3.11. Other EAP Messages Formats ........................37 + 4. IANA Considerations ............................................37 + 5. Security Considerations ........................................38 + 5.1. Denial-of-Service Attacks .................................38 + 5.2. Root Secret Considerations ................................38 + 5.3. Mutual Authentication .....................................39 + 5.4. Integrity Protection ......................................39 + 5.5. Replay Protection .........................................39 + 5.6. Confidentiality ...........................................40 + 5.7. Key Derivation, Strength ..................................40 + 5.8. Dictionary Attacks ........................................41 + 5.9. Man-in-the-Middle Attacks .................................41 + 5.10. Result Indication Protection .............................41 + 5.11. Cryptographic Separation of Keys .........................41 + 5.12. Session Independence .....................................41 + 5.13. Identity Protection ......................................42 + 5.14. Channel Binding ..........................................42 + 5.15. Ciphersuite Negotiation ..................................42 + 5.16. Random Number Generation .................................43 + 6. Security Claims ................................................43 + + + +Vanderveen & Soliman Informational [Page 2] + +RFC 4763 EAP-SAKE November 2006 + + + 7. Acknowledgements ...............................................44 + 8. References .....................................................44 + 8.1. Normative References ......................................44 + 8.2. Informative References ....................................45 + +1. Introduction + + The Extensible Authentication Protocol (EAP), described in [EAP], + provides a standard mechanism for support of multiple authentication + methods. EAP is also used within IEEE 802 networks through the IEEE + 802.11i [IEEE802.11i] framework. + + EAP supports several authentication schemes, including smart cards, + Kerberos, Public Key, One Time Passwords, TLS, and others. This + document defines an authentication scheme, called the EAP-SAKE. + EAP-SAKE supports mutual authentication and session key derivation, + based on a static pre-shared secret data. This RFC is published as + documentation for the IANA assignment of an EAP Type for a vendor's + EAP method per RFC 3748. The specification has passed Designated + Expert review for this IANA assignment. + +2. Terminology + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. The key + words "MUST", "MUST NOT", "REQUIRED", "MUST", "MUST NOT", "SHOULD", + "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document + are to be interpreted as described in BCP 14 [KEYWORDS]. + + In addition to the terms used in [EAP], this document frequently uses + the following terms and abbreviations: + + MIC Message Integrity Check + + SMS SAKE Master Secret + + NAI Network Access Identifier + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 3] + +RFC 4763 EAP-SAKE November 2006 + + +3. Protocol Description + +3.1. Overview and Motivation of EAP-SAKE + + The EAP-SAKE authentication protocol is a native EAP authentication + method. That is, a stand-alone version of EAP-SAKE outside of EAP is + not defined. EAP-SAKE is designed to enable mutual authentication, + based on pre-shared keys and well-known public cryptographic + algorithms. This method is ideal for subscription-based public + access networks, e.g., cellular networks. + + EAP-SAKE assumes a long-term or pre-shared secret known only to the + Peer and the Server. This pre-shared secret is called the Root + Secret. The Root Secret consists of a 16-byte part Root-Secret-A, + and 16-byte part Root-Secret-B. The Root-Secret-A secret is reserved + for use local to the EAP-SAKE method, i.e., to mutually authenticate + the EAP Peer and EAP Server. The Root-Secret-B secret is used to + derive other quantities such as the Master Session Key (MSK) and + Extended Master Session Key (EMSK). Root-Secret-B and Root-Secret-A + MUST be cryptographically separate. + + When a Backend Authentication Server is used, the Server typically + communicates with the Authenticator using an AAA protocol. The AAA + communications are outside the scope of this document. + + Some of the advantages of EAP-SAKE are as follows: + + o It is based on well-established Bellare-Rogaway mutual + authentication protocol. + + o It supports key derivation for local EAP method use and for export + to other third parties to use them independently of EAP. + + o It employs only two request/response exchanges. + + o It relies on the (corrected) IEEE 802.11i function for key + derivation and message integrity. This way a device implementing a + lower-layer secure association protocol compliant with IEEE 802.11i + standard will not need additional cryptographic code. + + o Its encryption algorithm is securely negotiated (with no extra + messages), yet encryption use is optional. + + o Keys used for authentication and those used for encryption are + cryptographically separate. + + o User identity anonymity can be optionally supported. + + + + +Vanderveen & Soliman Informational [Page 4] + +RFC 4763 EAP-SAKE November 2006 + + + o No synchronization (e.g., of counters) needed between server and + peer. + + o There is no one-time key pre-processing step. + +3.2. Protocol Operation + + EAP-SAKE uses four messages consisting of two EAP request/response + exchanges. The EAP.Success and EAP.Failure messages shown in the + figures are not part of the EAP-SAKE method. As a convention, method + attributes are named AT_XX, where XX is the name of the parameter the + attribute value is set to. + +3.2.1. Successful Exchange + + A successful EAP-SAKE authentication exchange is depicted in Figure + 1. The following steps take place: + + Peer Server + | | + | EAP.Request/SAKE/Challenge | + | (AT_RAND_S, AT_SERVERID) | + 1 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Challenge | + | (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) | + 2 |--------------------------------------------------------->| + | | + | EAP.Request/SAKE/Confirm | + | (AT_SPI_S, AT_ENCR_DATA, AT_MIC_S)| + 3 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Confirm | + | (AT_MIC_P) | + 4 |--------------------------------------------------------->| + | | + | | + | EAP-Success | + 5 |<---------------------------------------------------------| + | | + + Figure 1. EAP-SAKE Authentication Procedure (with ciphersuite + negotiation) + + 1. The EAP server sends the first message of the EAP-SAKE exchange. + This message is an EAP.Request message of type SAKE and subtype + Challenge. The EAP.Request/SAKE/Challenge message contains the + attributes: AT_RAND_S, whose value is a nonce freshly generated + + + +Vanderveen & Soliman Informational [Page 5] + +RFC 4763 EAP-SAKE November 2006 + + + by the Server; and AT_SERVERID, which carries an identifier of + the Server (a fully qualified domain name, such as the realm of + the user NAI [NAI]). The AT_SERVERID attribute is OPTIONAL but + SHOULD be included in this message. The purpose of the + AT_SERVERID is to aid the Peer in selecting the correct security + association (i.e., Root-Secret, PEERID, and SERVERID) to use + during this EAP phase. + + 2. The Peer responds by sending an EAP.Response message of type SAKE + and subtype Challenge. The EAP.Response/SAKE/Challenge message + contains the attributes: AT_RAND_P, which carries a nonce freshly + generated by the Peer; AT_PEERID, which carries a Peer + identifier; AT_SPI_P, which carries a list of one or more + ciphersuites supported by the Peer; and AT_MIC_P, containing a + message integrity check. The AT_SPI_P and AT_PEERID attributes + are OPTIONAL. The AT_PEERID attribute SHOULD be included, in + order to cover the case of multi-homed hosts. A supported + ciphersuite is represented by a value local to the EAP-SAKE + method, or "Security Parameter Index", see section 3.2.8.3. The + Peer uses both nonces, along with the Root-Secret-A key, to + derive a SAKE Master Secret (SMS) and Temporary EAP Keys (TEKs), + which also include the TEK-Auth and TEK-Cipher keys. The MIC_P + value is computed based on both nonces RAND_S and RAND_P, and the + entire EAP packet, using the key TEK-Auth, see Section 3.2.6. + + 3. Upon receipt of the EAP.Response/SAKE/Challenge message, the + Server uses both nonces RAND_S and RAND_P, along with the Root- + Secret-A key, to compute the SMS and TEK in exactly the same way + the Peer did. Following that, the Server computes the Peer's + MIC_P in exactly the same way the Peer did. The Server then + compares the computed MIC_P with the MIC_P it received from the + Peer. If they match, the Server considers the Peer + authenticated. If encryption is needed, the Server selects the + strongest ciphersuite from the Peer's ciphersuite list SPI_P, or + a suitable ciphersuite if the Peer did not include the AT_SPI_P + attribute. The Server sends an EAP.Request message of type SAKE + and subtype Confirm, containing the attributes: AT_SPI_S, + carrying the ciphersuite chosen by the Server; AT_ENCR_DATA, + containing encrypted data; and AT_MIC_S, carrying a message + integrity check. The AT_SPI_S and AT_ENCR_DATA are OPTIONAL + attributes, included if confidentiality and/or user identity + anonymity is desired. Other OPTIONAL attributes that MAY be + included are AT_NEXT_TMPID, and AT_MSK_LIFE. As before, the + MIC_S value is computed using both nonces RAND_S and RAND_P, and + the entire EAP packet, using the key TEK-Auth. + + + + + + +Vanderveen & Soliman Informational [Page 6] + +RFC 4763 EAP-SAKE November 2006 + + + 4. If the Peer receives the EAP.Request/SAKE/Confirm message + indicating successful authentication by the Server, the Peer + computes the MIC_S in the same manner as the Server did. The + Peer then compares the received MIC_S with the MIC_S it computed. + If they match, the Peer considers the Server authenticated, and + it sends an EAP.Response message of type SAKE and subtype + Confirm, with the attribute AT_MIC_P containing a message + integrity check, computed in the same manner as before. + + 5. After a successful EAP-SAKE exchange, the Server concludes the + EAP conversation by sending an EAP.Success message to the Peer. + + All EAP-SAKE messages contain a Session ID, which is chosen by the + Server, sent in the first message, and replicated in subsequent + messages until an EAP.Success or EAP.Failure is sent. Upon receipt + of an EAP-SAKE message, both Peer and Server MUST check the format of + the message to ensure that it is well-formed and contains a valid + Session ID. + + Note that the Session ID is introduced mainly for replay protection + purposes, as it helps uniquely identify a session between a Peer and + a Server. In most cases, there is a one-to-one relationship between + the Session ID and the Peer/Server pair. + + The parameters used by the EAP-SAKE method are summarized in the + table below: + + Name Length (bytes) Description + ---------+---------------+------------- + RAND_P 16 Peer nonce + RAND_S 16 Server nonce + MIC_P 16 Peer MIC + MIC_S 16 Server MIC + SPI_P variable Peer ciphersuite preference(s) + SPI_S variable Server chosen ciphersuite + PEERID variable Peer identifier + SERVERID variable Server identifier (FQDN) + +3.2.2. Authentication Failure + + If the Authenticator receives an EAP.Failure message from the Server, + the Authenticator MUST terminate the connection with the Peer + immediately. + + The Server considers the Peer to have failed authentication if either + of the two received MIC_P values does not match the computed MIC_P. + + + + + +Vanderveen & Soliman Informational [Page 7] + +RFC 4763 EAP-SAKE November 2006 + + + The Server SHOULD deny authorization for a Peer that does not + advertise any of the ciphersuites that are considered acceptable + (e.g., by local system policy) and send an EAP.Failure message. + + In case of authentication failure, the Server MUST send an + EAP.Failure message to the Peer as in Figure 2. The following steps + take place: + + Peer Server + | | + | EAP.Request/SAKE/Challenge | + | (AT_RAND_S, AT_SERVERID) | + 1 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Challenge | + | (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) | + 2 |--------------------------------------------------------->| + | | + | +-------------------------------------------+ + | | Server finds MIC_P invalid. | + | +-------------------------------------------+ + | | + | EAP-Failure | + 3 |<---------------------------------------------------------| + + Figure 2. EAP-SAKE Authentication Procedure, Peer Fails + Authentication + + 1. As in step 1 of Figure 1. + + 2. As in step 2 of Figure 1. + + 3. Upon receipt of the EAP.Response/SAKE/Challenge message, the + Server uses both nonces RAND_S and RAND_P, along with the Root- + Secret-A key, to compute the SMS and TEK in exactly the same way + the Peer did. Following that, the Server computes the Peer's MIC + in exactly the same way the Peer did. The Server then compares + the computed MIC_P with the MIC_P it received from the Peer. + Since they do not match, the Server considers the Peer to have + failed authentication and sends an EAP.Failure message back to + the Peer. + + + + + + + + + + +Vanderveen & Soliman Informational [Page 8] + +RFC 4763 EAP-SAKE November 2006 + + + If the AT_SPI_S attribute does not contain one of the SPI values that + the Peer listed in the previous message, or if the Peer did not + include an AT_SPI_P attribute yet does not accept the ciphersuite the + Server has chosen, then the Peer SHOULD silently discard this + message. Alternatively, the Peer MAY send a SAKE/Auth-Reject message + back to the Server; in response to this message, the Server MUST send + an EAP.Failure message to the Peer. + + The AT_SPI_S attribute MUST be included if encryption is to be used. + The Server knows whether or not encryption is to be used, as it is + usually the Server that needs to protect some data intended for the + Peer (e.g., temporary ID, group keys, etc). If the Peer receives an + AT_SPI_S attribute yet there is no AT_ENCR_DATA attribute, the Peer + SHOULD process the message and skip the AT_SPI_S attribute. + + The Peer considers the Server to have failed authentication if the + received and the computed MIC_S values do not match. In this case, + the Peer MUST send to the Server an EAP.Response message of type SAKE + and subtype Auth-Reject, indicating an authentication failure. In + this case, the Server MUST send an EAP.Failure message to the Peer as + in Figure 3. The following steps take place: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 9] + +RFC 4763 EAP-SAKE November 2006 + + + Peer Server + | | + | EAP.Request/SAKE/Challenge | + | (AT_RAND_S, AT_SERVERID) | + 1 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Challenge | + | (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) | + 2 |--------------------------------------------------------->| + | | + | EAP.Request/SAKE/Confirm | + | (AT_SPI_S, AT_ENCR_DATA, AT_MIC_S)| + 3 |<---------------------------------------------------------| + | | + +-----------------------------------------------+ | + | Peer finds MIC_S invalid. | | + +-----------------------------------------------+ | + | | + | EAP.Response/SAKE/Auth-Reject | + 4 |--------------------------------------------------------->| + | | + | EAP-Failure | + 5 |<---------------------------------------------------------| + | | + + Figure 3. EAP-SAKE Authentication Procedure, Server Fails + Authentication + + 1. As in step 1 of Figure 1. + + 2. As in step 2 of Figure 1. + + 3. As in step 3 of Figure 1. + + 4. The Peer receives a EAP.Request/SAKE/Confirm message indicating + successful authentication by the Server. The Peer computes the + MIC_S in the same manner as the Server did. The Peer then + compares the received MIC_S with the MIC_S it computed. Since + they do not match, the Peer considers the Server to have failed + authentication. In this case, the Peer responds with an + EAP.Response message of type SAKE and subtype Auth-Reject, + indicating authentication failure. + + 5. Upon receipt of a EAP.Response/SAKE/Auth-Reject message, the + Server sends an EAP.Failure message back to the Peer. + + + + + + +Vanderveen & Soliman Informational [Page 10] + +RFC 4763 EAP-SAKE November 2006 + + +3.2.3. Identity Management + + It may be advisable to assign a temporary identifier (TempID) to a + Peer when user anonymity is desired. The TempID is delivered to the + Peer in the EAP.Request/SAKE/Confirm message. The TempID follows the + format of any NAI [NAI] and is generated by the EAP Server that + engages in the EAP-SAKE authentication task with the Peer. EAP + servers SHOULD be configurable with TempID spaces that can be + distinguished from the permanent identity space. For instance, a + specific realm could be assigned for TempIDs (e.g., tmp.example.biz). + + A TempID is not assigned an explicit lifetime. The TempID is valid + until the Server requests the permanent identifier, or the Peer + triggers the start of a new EAP session by sending in its permanent + identifier. A Peer MUST be able to trigger an EAP session at any + time using its permanent identifier. A new TempID assigned during a + successful EAP session MUST replace the existing TempID for future + transactions between the Peer and the Server. + + Note that the delivery of a TempID does not imply that the Server + considers the Peer authenticated; the Server still has to check the + MIC in the EAP.Response/SAKE/Confirm message. In case the EAP phase + ends with an EAP.Failure message, then the Server and the Peer MUST + consider the TempID that was just delivered as invalid. Hence, the + Peer MUST NOT use this TempID the next time it tries to authenticate + with the Server. + +3.2.4. Obtaining Peer Identity + + The types of identities that a Peer may possess are permanent and + temporary identities, referred to as PermID and TempID, respectively. + A PermID can be an NAI associated with the Root Secret, and is long- + lived. A TempID is an identifier generated through the EAP method + and that the Peer can use to identify itself during subsequent EAP + sessions with the Server. The purpose of the TempID is to allow for + user anonymity support. The use of TempIDs is optional in the EAP- + SAKE method. + + The Server MAY request the Peer ID via the EAP.Request/SAKE/Identity + message, as shown in Figure 4. This case may happen if, for example, + the Server wishes to initiate an EAP-SAKE session for a Peer it does + not have a subscriber identifier for. The following steps take + place: + + + + + + + + +Vanderveen & Soliman Informational [Page 11] + +RFC 4763 EAP-SAKE November 2006 + + + Peer Server + | | + | +---------------------------------+ + | | Server wishes to initiate | + | | an EAP-SAKE session | + | | | + | +---------------------------------+ + | | + | EAP.Request/SAKE/Identity | + | (AT_ANY_ID_REQ, AT_SERVERID) | + 1 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Identity | + | (AT_PEERID) | + 2 |--------------------------------------------------------->| + | | + +--------------------------------------------------------------+ + | If identity found, normal EAP-SAKE authentication follows. | + +--------------------------------------------------------------+ + + Figure 4. Server Requests Peer Identity + + 1. The Server sends an EAP.Request message of type SAKE and subtype + Identity, with the attribute AT_ANY_ID_REQ, indicating a request + for any Peer identifier. + + 2. The Peer constructs an EAP.Response message of type SAKE and + subtype Identity, with the attribute AT_PEER_ID containing any + Peer identifier (PermID or TempID). + + If the Server cannot find the Peer identity reported in the + EAP.Response/SAKE/Identity message, or if it does not recognize the + format of the Peer identifier, the Server MAY send an EAP.Failure + message to the Peer. + + If the Server is unable to look up a Peer by its TempID, or if policy + dictates that the Peer should now use its permanent id, then the + Server may specifically ask for the permanent identifier, as in + Figure 5. The following steps occur: + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 12] + +RFC 4763 EAP-SAKE November 2006 + + + Peer Server + | | + | +---------------------------------+ + 1 | | Server obtains TempID but | + | | requires PermID | + | +---------------------------------+ + | | + | EAP.Request/SAKE/Identity | + | (AT_PERM_ID_REQ, AT_SERVERID) | + 2 |<---------------------------------------------------------| + | | + | EAP.Response/SAKE/Identity | + | (AT_PEERID) | + 3 |--------------------------------------------------------->| + | | + | +---------------------------------+ + | | Server finds and uses | + | | Peer PermID to start a | + | | EAP-SAKE authentication phase | + | +---------------------------------+ + | + +---------------------------------------------------------------+ + | Normal EAP-SAKE authentication follows. | + +---------------------------------------------------------------+ + + Figure 5. Server Is Given a TempID as Peer Identity; Server + Requires a PermID + + 1. The Peer (or the Authenticator on behalf of the Peer) sends an + EAP.Request message of type Identity and includes the TempID. + + 2. The Server requires a PermID instead, so it sends an EAP.Request + message of type SAKE and subtype Identity with attributes + AT_PERM_ID_REQ and AT_SERVERID. + + 3. The Peer sends an EAP.Response message of type SAKE and subtype + Identity containing the attribute AT_PEERID carrying the Peer + PermID. + +3.2.5. Key Hierarchy + + EAP-SAKE uses a three-level key hierarchy. + + Level 1 contains the pre-shared secret called Root Secret. This is a + 32-byte high-entropy string partitioned into the Root-Secret-A part + (16 bytes) and the Root-Secret-B part (16 bytes). + + + + + +Vanderveen & Soliman Informational [Page 13] + +RFC 4763 EAP-SAKE November 2006 + + + Level 2 contains the key derivation key called the SAKE Master Secret + (SMS). SMS-A is derived from the Root-Secret-A key and the Peer and + Server nonces using the EAP-SAKE Key-Derivation Function (KDF), and + similarly for SMS-B. The SMS is known only to the Peer and Server + and is not made known to other parties. + + Level 3 contains session keys, such as Transient EAP Keys (TEK), + Master Session Key (MSK), and Extended MSK (EMSK). TEKs are keys for + use local to the EAP method only. They are derived from the SMS-A + and the nonces using the EAP-SAKE KDF. They are partitioned into a + 16-byte TEK-Auth, used to compute the MICs, and a 16-byte TEK-Cipher, + used to encrypt selected attributes. Since the SMS is fresh, so are + the derived TEKs. + + +--------------------+ +--------------------+ + | Root-Secret-A | | Root-Secret-B | + | (pre-shared secret)| | (pre-shared secret)| + +--------------------+ +--------------------+ + | | + V V + +-------------------+ +--------------------+ + | SAKE Master Secret|<---RAND_S------------->| SAKE Master Secret | + | (SMS-A) | | | (SMS-B) | + | |<-------]---RAND_P----->| | + +-------------------+ | | +--------------------+ + | | | | + V | | V + +--------------------+ | | +--------------------+ + | Transient EAP Keys |<------+-----+-------->| Session Keys: | + | TEK-Auth,TEK-Cipher|<------------+-------->| MSK, EMSK | + +--------------------+ +--------------------+ + + Figure 6. Key Hierarchy for the EAP-SAKE Method + + On another branch of level 3 of the key hierarchy are the MSK and + EMSK, each mandated to be 64 bytes long. They are derived from the + SMS-B and the nonces using the EAP-SAKE KDF. Again, since the SMS is + fresh, so are the derived MSK/EMSK. The MSK is meant to be exported + and relayed to other parties. The EMSK is reserved for future use, + such as derivation of application-specific keys, and is not shared + with other parties. + + + + + + + + + + +Vanderveen & Soliman Informational [Page 14] + +RFC 4763 EAP-SAKE November 2006 + + + The EAP-SAKE key material is summarized in the table below. + + =================================================================== + Key Size Scope Lifetime Use + (bytes) + =================================================================== + Root-Secret-A 16 Peer, Server Device Derive TEK + -------------------------------------------------------------------- + Root-Secret-B 16 Peer, Server Device Derive MSK, EMSK + -------------------------------------------------------------------- + TEK-Auth 16 Peer, Server MSK Life Compute MICs + -------------------------------------------------------------------- + TEK-Cipher 16 Peer, Server MSK Life Encrypt attribute + -------------------------------------------------------------------- + MSK 64 Peer, Server, MSK Life Derive keys for + Authenticator lower-layer use + -------------------------------------------------------------------- + EMSK 64 Peer, Server MSK Life Reserved + -------------------------------------------------------------------- + + A key name format is not provided in this version. + + Since this version of EAP-SAKE does not support fast re- + authentication, the lifetime of the TEKs is to extend only until the + next EAP mutual authentication. The MSK lifetime dictates when the + next mutual authentication is to take place. The Server MAY convey + the MSK lifetime to the Peer in the AT_MSK_LIFE attribute. Note that + EAP-SAKE does not support key lifetime negotiation. + + The EAP-SAKE Method-Id is the contents of the RAND_S field from the + AT_RAND_S attribute, followed by the contents of the RAND_P field in + the AT_RAND_P attribute. + +3.2.6. Key Derivation + +3.2.6.1. Key-Derivation Function + + For the rest of this document, KDF-X denotes the EAP-SAKE Key- + Derivation Function whose output is X bytes. This function is the + pseudo-random function of [IEEE802.11i]. + + The function takes three strings of bytes of arbitrary lengths: a + Key, a Label, and a Msg, and outputs a string Out of length X bytes + as follows: + + Out = KDF-X (Key, Label, Msg) + + + + + +Vanderveen & Soliman Informational [Page 15] + +RFC 4763 EAP-SAKE November 2006 + + + The KDF is a keyed hash function with key "Key" and operating on + input "Label | Msg". The convention followed herein is that + concatenation is denoted by |, FLOOR denotes the floor function, and + [x...y] denotes bytes x through y. + + The label is an ASCII character string. It is included in the exact + form it is given without a length byte or trailing null character. + + Below, "Length" denotes a single unsigned octet with values between 0 + and 255 (bytes). The following functions are defined (see [HMAC], + [SHA1]): + + H-SHA1(Key, Label, Msg, Length) := HMAC-SHA1(Key, Label|Y|Msg|Length) + where Y := 0x00 + KDF-16(Key, Label, Msg) := KDF(Key, Label, Msg, 16) + KDF-32(Key, Label, Msg) := KDF(Key, Label, Msg, 32) + KDF-128(Key, Label, Msg) := KDF(Key, Label, Msg, 128) + + KDF(Key, Label, Msg, Length) + R := [] ;; null string + for i := 0 to FLOOR(Length/20)-1 do + R := R | H-SHA1(Key, Label, Msg, i) + return R[0...(Length-1)] + +3.2.6.2. Transient EAP Keys Derivation + + The Peer and Server derive the SMS and then the TEK as follows: + + SMS-A = KDF-16 (Root-Secret-A, "SAKE Master Secret A", RAND_P|RAND_S) + TEK = KDF-32 (SMS-A, "Transient EAP Key", RAND_S | RAND_P) + TEK-Auth = TEK[0...15] + TEK-Cipher = TEK[16...31] + +3.2.6.3. Extended/Master Session Key Derivation + + The Peer and the Server derive the MSK/EMSK, as follows: + + SMS-B = KDF-16 (Root-Secret-B, "SAKE Master Secret B", RAND_P|RAND_S) + Session-Key-Block=KDF-128(SMS-B, "Master Session Key", RAND_S|RAND_P) + MSK = Session-Key-Block[0...63] + EMSK = Session-Key-Block[64...127] + + The derivation above affords the required cryptographic separation + between the MSK and EMSK. That is, knowledge of the EMSK does not + immediately lead to knowledge of the MSK, nor does knowledge of the + MSK immediately lead to knowledge of the EMSK. + + + + + +Vanderveen & Soliman Informational [Page 16] + +RFC 4763 EAP-SAKE November 2006 + + +3.2.7. Ciphersuite Negotiation + + A ciphersuite is identified by a numeric value called the Security + Parameter Index (SPI). The SPI is used here in the EAP-SAKE method + in order to negotiate a ciphersuite between the Peer and the Server + for EAP data protection only. Obviously, this ciphersuite can only + be used late in the EAP conversation, after it has been agreed upon + by both the Peer and the Server. + + The EAP method may or may not need to use this ciphersuite, since + attribute encryption is optional. For example, if the temporary + identifier needs to be delivered to the Peer and needs to be + encrypted, then the negotiated ciphersuite will be used for this + task. If there are no attributes that need encryption as they are + passed to the Peer, then this ciphersuite is never used. + + As with most other methods employing ciphersuite negotiation, the + following exchange is employed: the Peer sends an ordered list of one + or more supported ciphersuites, starting with the most preferred one, + in a field SPI_P. The Server then sends back the one ciphersuite + chosen in a field SPI_S. The Server SHOULD choose the strongest + ciphersuite supported by both of them. + + Ciphersuite negotiation for data protection is achieved via SAKE + Signaling as follows. In the EAP.Response/SAKE/Challenge, the Peer + sends a list of supported ciphersuites, SPI_P, and protects that with + a MIC. In the EAP.Request/SAKE/Confirm, the Server sends one + selected ciphersuite, SPI_S, and signs that with a MIC. Finally, the + Peer confirms the selected ciphersuite and readiness to use it in a + signed EAP.Response/SAKE/Confirm message. The negotiation is secure + because of the Message Integrity Checks that cover the entire EAP + message. + +3.2.8. Message Integrity and Encryption + + This section specifies the EAP/SAKE attributes used for message + integrity and attribute encryption: AT_MIC_S, AT_MIC_P, AT_IV, + AT_ENCR_DATA, and AT_PADDING. Only the AT_MIC_S and AT_MIC_P are + mandatory to use during the EAP-SAKE exchange. + + Because the TEKs necessary for protection of the attributes and for + message authentication are derived using the nonces RAND_S and + RAND_P, the AT_MIC_S and AT_MIC_P attributes can only be used in the + EAP.Response/SAKE/Challenge message and any messages sent thereafter. + + + + + + + +Vanderveen & Soliman Informational [Page 17] + +RFC 4763 EAP-SAKE November 2006 + + +3.2.8.1. The AT_MIC_S and AT_MIC_P Attributes + + The AT_MIC_S and AT_MIC_P attributes are used for EAP-SAKE message + integrity. The AT_MIC_S attribute MUST be included in all EAP-SAKE + packets that the Server sends whenever key material (TEK) has been + derived. That is, the AT_MIC_S attribute MUST be included in the + EAP.Request/SAKE/Confirm message. The AT_MIC_S MUST NOT be included + in EAP.Request/SAKE/Challenge messages, or EAP.Request/SAKE/Identity + messages. + + The AT_MIC_P attribute MUST be included in all EAP-SAKE packets the + Peer sends whenever key material (TEK) has been derived. That is, + the AT_MIC_P attribute MUST be included in the + EAP.Response/SAKE/Challenge and EAP.Response/SAKE/Confirm messages. + + The AT_MIC_P attribute MUST NOT be included in the + EAP.Response/SAKE/Auth-Reject message since the Peer has not + confirmed that it has the same TEK as the Server. + + Messages that do not meet the conditions specified above MUST be + silently discarded upon reception. + + The value field of the AT_MIC_S and AT_MIC_P attributes contain a + message integrity check (MIC). The MIC is calculated over the entire + EAP packet, prepended with the Server nonce and identifier and the + Peer nonce and identifier. The value field of the MIC attribute is + set to zero when calculating the MIC. Including the Server and Peer + nonces and identifiers aids in detecting replay and man-in-the-middle + attacks. + + The Peer computes its MIC as follows: + + MIC_P = KDF-16 (TEK-Auth, "Peer MIC", RAND_S | RAND_P | + PEERID | 0x00 | SERVERID | 0x00 | <EAP-packet>), + + while the Server computes its MIC as + + MIC_S = KDF-16 (TEK-Auth, "Server MIC", RAND_P |RAND_S | + SERVERID | 0x00 | PEERID | 0x00 | <EAP-packet>). + + Here, <EAP-packet> denotes the entire EAP packet, used as a string of + bytes, the MIC value field set to zero. 0x00 denotes a single octet + value used to delimit SERVERID and PEERID. The PEERID and SERVERID, + respectively, are the ones carried in the corresponding attributes in + the SAKE/Challenge messages. + + + + + + +Vanderveen & Soliman Informational [Page 18] + +RFC 4763 EAP-SAKE November 2006 + + + In case the SAKE/Challenge exchange was preceded by an + EAP.Request/SAKE/Identity message containing the AT_SERVERID + Attribute, then the SERVERID value in the MIC_P and MIC_S computation + MUST be set to the value of this attribute. + + If the AT_SERVERID was not included in either the SAKE/Challenge + message or the SAKE/Identity message, then the value of the SERVERID + used in the computation of MIC_P and MIC_S MUST be empty. If the + AT_PEERID was not included in the SAKE/Challenge message, and there + was no EAP.Response/SAKE/Identity message preceding the + SAKE/Challenge messages, then the value of the PEERID used in the + computation of MIC_P and MIC_S MUST be empty. + + The Server and Peer identity are included in the computation of the + signed responses so that the Peer and Server can verify each other's + identities, and the possession of a common secret, the TEK-Auth. + However, since the AT_SERVERID is not explicitly signed with a MIC by + the Server, EAP-SAKE does not claim channel binding. + +3.2.8.2. The AT_IV, AT_ENCR_DATA, and AT_PADDING Attributes + + The AT_IV and AT_ENCR_DATA attributes can be used to transmit + encrypted information between the Server and the Peer. The value + field of AT_IV contains an initialization vector (IV) if one is + required by the encryption algorithm used. It is not mandatory that + the AT_IV attribute be included whenever the AT_ENCR_DATA attribute + is. + + However, the AT_IV attribute MUST NOT be included unless the + AT_ENCR_DATA is included. Messages that do not meet this condition + MUST be silently discarded. + + Attributes can be encrypted only after a ciphersuite has been agreed + on, i.e., in any message starting with the Server's + EAP.Request/SAKE/Confirm message. The attributes MUST be encrypted + using algorithms corresponding to the SPI value specified by the + AT_SPI_S attribute. The attributes MUST be encrypted using the TEK- + Cipher key, whose derivation is specified in Section 3.2.6.2. + + If an IV is required by the encryption algorithm, then the sender of + the AT_IV attribute MUST NOT reuse the IV value from previous EAP- + SAKE packets. The sender MUST choose a new value for each AT_IV + attribute. The sender SHOULD use a good random number generator to + generate the initialization vector (see [RFC4086] for guidelines). + + + + + + + +Vanderveen & Soliman Informational [Page 19] + +RFC 4763 EAP-SAKE November 2006 + + + The value field of the AT_ENCR_DATA attribute consists of bytes + encrypted using the ciphersuite specified in the AT_SPI_S attribute. + The encryption key is the TEK-Cipher, and the plaintext consists of + one or more concatenated EAP-SAKE attributes. + + The default encryption algorithm, as described in Section 3.2.8.3, + requires the length of the plaintext to be a multiple of 16 bytes. + The sender MAY need to include the AT_PADDING attribute as the last + attribute within the value field of the AT_ENCR_DATA attribute. The + length of the padding is chosen so that the length of the value field + of the AT_ENCR_DATA attribute becomes a multiple of 16 bytes. The + AT_PADDING attribute SHOULD NOT be included if the total length of + other attributes present within the AT_ENCR_DATA attribute is a + multiple of 16 bytes. The length of the AT_PADDING attribute + includes the Attribute Type and Attribute Length fields. The actual + pad bytes in the value field are set to zero (0x00) on sending. The + recipient of the message MUST verify that the pad bytes are zero + after decryption and MUST silently discard the message otherwise. + + The MIC computed on the entire EAP message can be used to obviate the + need for special integrity protection or message authentication of + the encrypted attributes. + + An example of the AT_ENCR_DATA attribute is shown in Section 3.3.3. + +3.2.8.3. Security Parameter Index (SPI) Considerations + + An SPI value is a variable-length string identifying at least an + encryption algorithm and possibly a "security association". EAP-SAKE + does not mandate the format of the SPI; it only mandates that the + default encryption algorithm be supported if encryption is supported. + That is, if an implementation compliant with this document supports + encryption, then it MUST support the AES-CBC cipher. + + The default encryption algorithm AES-CBC involves the AES block + cipher [AES] in the Cipher-Block-Chaining (CBC) mode of operation + [CBC]. + + The Peer in the EAP-SAKE method can send up to four SPI values in its + SPI_P field. Because the length of the AT_SPI_P and AT_SPI_S + attributes must each be a multiple of 2 bytes, the sender pads the + value field with zero bytes when necessary (the AT_PADDING attribute + is not used here). For example, the value field of the AT_SPI_S + contains one byte with the chosen SPI, followed by one byte of zeros. + + + + + + + +Vanderveen & Soliman Informational [Page 20] + +RFC 4763 EAP-SAKE November 2006 + + +3.2.9. Fragmentation + + The EAP-SAKE method does not require fragmentation, as the messages + do not get excessively long. That is, EAP packets are well within + the limit of the maximum transmission unit of other layers (link, + network). The only variable fields are those carrying NAIs, which + are limited by their length field to 256 bytes. + +3.2.10. Error Cases + + Malformed messages: As a general rule, if a Peer or Server receives + an EAP-SAKE packet that contains an error, the implementation SHOULD + silently discard this packet, not change state, and not send any EAP + messages to the other party. Examples of such errors include a + missing mandatory attribute, an attribute that is not allowed in this + type of message, and unrecognized subtypes or attributes. + + Non-matching Session Id: If a Peer or Server receives an EAP-SAKE + packet with a Session Id field not matching the Session Id from the + previous packet in this session, that entity SHOULD silently discard + this packet (not applicable for the first message of an EAP-SAKE + session). + + Peer Authorization Failure: It may be possible that a Peer is not + authorized for services, such as when the terminal device is reported + stolen. In that case, the Server SHOULD send an EAP.Failure message. + + Unexpected EAP.Success: A Server MUST NOT send an EAP-Success message + before the SAKE/Challenge and SAKE/Confirm rounds. The Peer MUST + silently discard any EAP.Success packets before the Peer has + successfully authenticated the Server via the + EAP.Response/SAKE/Confirm packet. + + The Peer and Server SHOULD log all error cases. + + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 21] + +RFC 4763 EAP-SAKE November 2006 + + +3.3. Message Formats + +3.3.1. Message Format Summary + + A summary of the EAP packet format [EAP] is shown below for + convenience. The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 1 - Request + + 2 - Response + + Identifier + + The identifier field is one octet and aids in matching responses + with requests. + + Length + + The Length field is two octets and indicates the number of octets + in an EAP message including the Code, Identifier, Length, Type, + and Data fields. + + Type + + To be assigned. + + Version + + The EAP-SAKE method as described herein is version 2. + + Session ID + + The Session ID is a 1-byte random number that MUST be freshly + generated by the Server that must match all EAP messages in a + particular EAP conversation. + + + + + + +Vanderveen & Soliman Informational [Page 22] + +RFC 4763 EAP-SAKE November 2006 + + + Subtype + + EAP-SAKE subtype: SAKE/Challenge, SAKE/Confirm, SAKE/Auth-Reject, + and SAKE/Identity. All messages of type "EAP-SAKE" that are not + of these subtypes MUST silently discarded. + + Message Name Subtype Value (decimal) + ============================================= + SAKE/Challenge 1 + SAKE/Confirm 2 + SAKE/Auth-Reject 3 + SAKE/Identity 4 + +3.3.2. Attribute Format + + The EAP-SAKE attributes that are part of the EAP-SAKE packet follow + the Type-Length-Value format with 1-byte Type, 1-byte Length, and + variable-length Value (up to 255 bytes). The Length field is in + octets and includes the length of the Type and Length fields. The + EAP-SAKE attribute format is as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 1-byte unsigned integer; see Table below. + + Length + + The total number of octets in the attribute, including Type and + Length. + + Value + + Attribute-specific. + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 23] + +RFC 4763 EAP-SAKE November 2006 + + + The following attribute types are allocated. + + ----------------------------------------------------------------- + Attr. Name Length + (bytes) Skippable Description + ----------------------------------------------------------------- + AT_RAND_S 18 No Server Nonce RAND_S + AT_RAND_P 18 No Peer Nonce RAND_P + AT_MIC_S 10 No Server MIC + AT_MIC_P 10 No Peer MIC + AT_SERVERID variable No Server FQDN + AT_PEERID variable No Peer NAI (tmp, perm) + AT_SPI_S variable No Server chosen SPI SPI_S + AT_SPI_P variable No Peer SPI list SPI_P + AT_ANY_ID_REQ 4 No Requires any Peer Id (tmp, perm) + AT_PERM_ID_REQ 4 No Requires Peer's permanent Id/NAI + AT_ENCR_DATA Variable Yes Contains encrypted attributes + AT_IV Variable Yes IV for encrypted attributes + AT_PADDING 2 to 18 Yes Padding for encrypted attributes + AT_NEXT_TMPID variable Yes TempID for next EAP-SAKE phase + + AT_MSK_LIFE 6 Yes MSK Lifetime in seconds + ----------------------------------------------------------------- + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 24] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.3. Use of AT_ENCR_DATA Attribute + + An example of the AT_ENCR_DATA attribute, as used in the + EAP.Request/SAKE/Confirm message, is shown below: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_IV | Length = 18 | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + | Initialization Vector | + | | + | |-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | |AT_ENCR_DATA | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+}e + | AT_NEXT_TMPID | Length | |}n + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |}c + | |}r + . Peer TempID |}y + . |}p + . |}t + | |}e + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+}d + | AT_MIC_S | Length = 10 | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | MIC_S | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | |AT_PADDING | Length=2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 25] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.4. EAP.Request/SAKE/Challenge Format + + The format of the EAP.Request/SAKE/Challenge packet is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_RAND_S | Length = 18 | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + | RAND_S | + | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | | AT_SERVERID | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + : : + | Server ID | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 1 for Request + + Identifier + + A random number. See [EAP]. + + Length + + The length of the entire EAP packet in octets. + + Type + + EAP-SAKE + + Version + + 2 + + + + + +Vanderveen & Soliman Informational [Page 26] + +RFC 4763 EAP-SAKE November 2006 + + + Session ID + + A random number chosen by the server to identify this EAP-Session. + + Subtype + + 1 for SAKE/Challenge + + AT_RAND_S + + The value field of this attribute contains the Server nonce RAND_S + parameter. The RAND_S attribute MUST be present in + EAP.Request/SAKE/Challenge. + + AT_SERVERID + + The value field of this attribute contains the Server identifier + (e.g., a non-null terminated string). The AT_SERVERID attribute + SHOULD be present in EAP.Request/SAKE Challenge. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 27] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.5. EAP.Response/SAKE/Challenge Format + + The format of the EAP.Response/SAKE/Challenge packet is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_RAND_P | Length = 18 | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + | RAND_P | + | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | | AT_PEERID | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + : Peer NAI : + | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | | AT_SPI_P | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | SPIP | AT_MIC_P | Length = 18 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | MIC_P | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 2 for Response + + Identifier + + A number that MUST match the Identifier field from the + corresponding Request. + + Length + + The length of the entire EAP packet in octets. + + + + +Vanderveen & Soliman Informational [Page 28] + +RFC 4763 EAP-SAKE November 2006 + + + Type + + EAP-SAKE + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + Subtype + + 1 for SAKE/Challenge + + AT_RAND_P + + The value field of this attribute contains the Peer nonce RAND_P + parameter. The AT_RAND_P attribute MUST be present in the + EAP.Response/SAKE/Challenge. + + AT_PEERID + + The value field of this attribute contains the NAI of the Peer. + The Peer identity follows the same Network Access Identifier + format that is used in EAP.Response/Identity, i.e., including the + NAI realm portion. The identity is the permanent identity, or a + temporary identity. The identity does not include any terminating + null characters. The AT_PEERID attribute is optional in the + EAP.Response/SAKE/Challenge. + + AT_SPI_P + + The value field of this attribute contains the Peer's ciphersuite + list SPI_P parameter. The AT_SPI_P attribute is optional in the + EAP.Response/SAKE/Challenge. + + AT_MIC_P + + The value field of this attribute contains the Peer MIC_P + parameter. The AT_MIC_P attribute MUST be present in the + EAP.Response/SAKE/Challenge. + + + + + + + + +Vanderveen & Soliman Informational [Page 29] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.6. EAP.Request/SAKE/Confirm Format + + The format of the EAP.Request/SAKE/Confirm packet is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_SPI_S | Length | SPI_S | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_IV | Length | Initialization Vector ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ : + | | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | AT_ENCR_DATA | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Encrypted Data... | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_MSK_LIFE | Length=6 | MSK Lifetime... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | AT_MIC_S | Length=18 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | MIC_S | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 1 for Request + + Identifier + + A random number. See [EAP]. + + Length + + The length of the entire EAP packet in octets. + + + + +Vanderveen & Soliman Informational [Page 30] + +RFC 4763 EAP-SAKE November 2006 + + + Type + + EAP-SAKE + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + Subtype + + 2 for SAKE Confirm + + AT_SPI_S + + The value field of this attribute contains the Server chosen + ciphersuite SPI_S parameter. The AT_SPI_S attribute is optional + in the EAP.Request/SAKE/Confirm. + + AT_IV + + This attribute is optional to use in this message. The value + field of this attribute contains the Initialization Vector that is + used with the encrypted data following. + + AT_ENCR_DATA + + This attribute is optional to use in this message. The encrypted + data, if present, may contain an attribute AT_NEXT_TMPID, + containing the NAI the Peer should use in the next EAP + authentication. + + AT_MSK_LIFE + + This attribute is optional to use in this message. The value + field of this attribute contains the MSK Lifetime in seconds. + + AT_MIC_S + + The value field of this attribute contains the Server MIC_S + parameter. The AT_MIC_S attribute MUST be present in the + EAP.Request/SAKE/Confirm. + + + + + + +Vanderveen & Soliman Informational [Page 31] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.7. EAP.Response/SAKE/Confirm Format + + The format of the EAP.Response/SAKE/Confirm packet is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_MIC_P | Length = 18 | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | MIC_P | + | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | AT_PADDING | Length = 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 2 for Response + + Identifier + + A number that MUST match the Identifier field from the + corresponding Request. + + Length + + The length of the entire EAP packet in octets. + + Type + + EAP-SAKE + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + + + + + +Vanderveen & Soliman Informational [Page 32] + +RFC 4763 EAP-SAKE November 2006 + + + Subtype + + 2 for SAKE Confirm + + AT_MIC_P + + The value field of this attribute contains the Peer's MIC_P + parameter. The AT_MIC_P attribute MUST be present in the + EAP.Response/SAKE/Confirm. + + AT_PADDING + + The value field is set to zero. Added to achieve 32-bit alignment + of the EAP-SAKE packet. + +3.3.8. EAP.Response/SAKE/Auth-Reject Format + + The format of the EAP.Response/SAKE/Auth-Reject packet is shown + below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=3 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 2 for Response + + Identifier + + A number that MUST match the Identifier field from the + corresponding Request. + + Length + + The length of the entire EAP packet in octets. + + Type + + EAP-SAKE + + + + + +Vanderveen & Soliman Informational [Page 33] + +RFC 4763 EAP-SAKE November 2006 + + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + Subtype + + 3 for SAKE/Auth-Reject + +3.3.9. EAP.Request/SAKE/Identity Format + + The format of the EAP.Request/SAKE/Identity is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |AT_PERM_ID_REQ | Length = 4 | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |AT_ANY_ID_REQ | Length = 4 | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |AT_SERVERID | Length | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ : + | Server ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 1 for Request + + Identifier + + A random number. See [EAP]. + + Length + + The length of the entire EAP packet in octets. + + + + + + +Vanderveen & Soliman Informational [Page 34] + +RFC 4763 EAP-SAKE November 2006 + + + Type + + EAP-SAKE + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + Subtype + + 4 for SAKE/Identity + + AT_PERM_ID_REQ + + The AT_PERM_ID_REQ attribute is optional, to be included in cases + where the Server requires the Peer to give its permanent + identifier (i.e., PermID). The AT_PERM_ID_REQ MUST NOT be + included if the AT_ANY_ID_REQ attribute is included. The value + field only contains two reserved bytes, which are set to zero on + sending and ignored on reception. + + AT_ANY_ID_REQ + + The AT_ANY_ID_REQ attribute is optional, to be included in cases + where the Server requires the Peer to send any identifier (e.g., + PermID, TempID). The AT_ANY_ID_REQ MUST NOT be included if + AT_PERM_ID_REQ is included. The value field only contains two + reserved bytes, which are set to zero on sending and ignored on + reception. One of the AT_PERM_ID_REQ and AT_ANY_ID_REQ MUST be + included. + + AT_SERVERID + + The value field of this attribute contains the identifier/realm of + the Server. The AT_SERVERID attribute is optional but RECOMMENDED + to include in the EAP.Request/SAKE/Identity. + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 35] + +RFC 4763 EAP-SAKE November 2006 + + +3.3.10. EAP.Response/SAKE/Identity Format + + The format of the EAP.Response/SAKE/Identity is shown below: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Type=EAP-SAKE | Version=2 | Session ID | Subtype=4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AT_PEERID | Length | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ : + | Peer NAI | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The semantics of the fields is described below: + + Code + + 2 for Response + + Identifier + + A number that MUST match the Identifier field from the + corresponding Request. + + Length + + The length of the entire EAP packet. + + Type + + EAP-SAKE + + Version + + 2 + + Session ID + + A number matching all other EAP messages in this EAP session. + + Subtype + + 4 for SAKE/Identity + + + + + +Vanderveen & Soliman Informational [Page 36] + +RFC 4763 EAP-SAKE November 2006 + + + AT_PEERID + + The value field of this attribute contains the NAI of the Peer. + The AT_PEERID attribute MUST be present in + EAP.Response/SAKE/Identity. + +3.3.11. Other EAP Messages Formats + + The format of the EAP.Request/Identity and EAP.Response/Identity + packets is described in [EAP]. The user ID (e.g., NAI) SHOULD be + present in this packet. + + The format of the EAP-Success and EAP-Failure packet is also shown in + [EAP]. + +4. IANA Considerations + + IANA allocated a new EAP Type for EAP-SAKE. + + EAP-SAKE messages include an 8-bit Subtype field. The Subtype is a + new numbering space for which IANA administration is required. The + following subtypes are specified in this memo: + + SAKE/Challenge.................1 + SAKE/Confirm...................2 + SAKE/Auth-Reject...............3 + SAKE/Identity..................4 + + The Subtype-specific data is composed of attributes, which have an + 8-bit type number. Attributes numbered within the range 0 through + 127 are called non-skippable attributes, and attributes within the + range of 128 through 255 are called skippable attributes. The EAP- + SAKE attribute type number is a new numbering space for which IANA + administration is required. The following attribute types are + specified: + + AT_RAND_S.......................................1 + AT_RAND_P.......................................2 + AT_MIC_S........................................3 + AT_MIC_P........................................4 + AT_SERVERID.....................................5 + AT_PEERID.......................................6 + AT_SPI_S........................................7 + AT_SPI_P........................................8 + AT_ANY_ID_REQ...................................9 + AT_PERM_ID_REQ.................................10 + + + + + +Vanderveen & Soliman Informational [Page 37] + +RFC 4763 EAP-SAKE November 2006 + + + AT_ENCR_DATA..................................128 + AT_IV.........................................129 + AT_PADDING....................................130 + AT_NEXT_TMPID.................................131 + AT_MSK_LIFE...................................132 + + All requests for value assignment from the two number spaces + described in this memo require proper documentation, according to the + "Specification Required" policy described in [IANA]. + + All assignments of values from the two number spaces described in + this memo require IETF consensus. + +5. Security Considerations + + The EAP specification [EAP] describes the security vulnerabilities of + EAP, which does not include its method-specific security mechanisms. + This section discusses the claimed security properties of the EAP- + SAKE method, along with vulnerabilities and security recommendations. + +5.1. Denial-of-Service Attacks + + Since EAP-SAKE is not a tunneling method, the + EAP.Response/SAKE/Auth-Reject, EAP.Success, and EAP.Failure packets + are not integrity or replay protected. This makes it possible for an + attacker to spoof such messages. Note that EAP.Response/SAKE/Auth- + Reject cannot be protected with a MIC since an authentication failure + indicates that the Server and Peer do not agree on a common key. + + Most importantly, an attacker cannot cause a Peer to accept an + EAP.Success packet as indication that the Server considers the mutual + authentication to have been achieved. This is because a Peer does + not accept EAP.Success packets before it has authenticated the Server + or after it has considered the Server to have failed authentication. + +5.2. Root Secret Considerations + + If the Root Secret is known to any party other than the Server and + Peer, then the mutual authentication and key establishment using + EAP-SAKE is compromised. + + EAP-SAKE does not address how the Root Secret is generated or + distributed to the Server and Peer. It is RECOMMENDED that the + entropy of the Root Secret be maximized. The Root Secret SHOULD be + machine-generated. + + + + + + +Vanderveen & Soliman Informational [Page 38] + +RFC 4763 EAP-SAKE November 2006 + + + If the Root Secret is derived from a low-entropy, guessable quantity + such as a human-selected password, then the EAP-SAKE key derivation + is subject to on-line and off-line dictionary attacks. To help + identify whether such a password has been compromised, + implementations SHOULD keep a log of the number of EAP-SAKE messages + received with invalid MIC fields. In these cases, a procedure for + updating the Root Secret securely SHOULD be in place. + +5.3. Mutual Authentication + + Mutual authentication is accomplished via the SAKE/Challenge and + SAKE/Confirm messages. The EAP.Request/SAKE/Challenge contains the + Server nonce RAND_S; the EAP.Response/SAKE/Challenge contains the + Peer nonce RAND_P, along with the Peer MIC (MIC_P); and the + EAP.Request/SAKE/Confirm contains the Server MIC (MIC_S). Both MICs + (MIC_S and MIC_P) are computed using both nonces RAND_S and RAND_P + and are keyed by the TEK, a shared secret derived from the Root + Secret. The Server considers the Peer authenticated if the MIC_P it + computes matches the one that the Peer sends. Similarly, the Peer + considers the Server authenticated if the MIC_S it computes matches + the one that the Server sends. The way the MICs are computed + involves a keyed one-way hash function, which makes it + computationally hard for an attacker to produce the correct MIC + without knowledge of the shared secret. + +5.4. Integrity Protection + + Integrity protection of EAP-SAKE messages is accomplished through the + use of the Message Integrity Checks (MIC), which are present in every + message as soon as a common shared secret (TEK) is available, i.e., + any message after the EAP.Request/SAKE/Challenge. An adversary + cannot modify any of the MIC-protected messages without causing the + recipient to encounter a MIC failure. The extent of the integrity + protection is commensurate with the security of the KDF used to + derive the MIC, the length and entropy of the shared secret used by + the KDF, and the length of the MIC. + +5.5. Replay Protection + + The first message of most session establishment protocols, such as + EAP-SAKE, is subject to replay. A replayed + EAP.Request/SAKE/Challenge message results in the Peer sending an + EAP.Response/SAKE/Challenge message back, which contains a MIC that + was computed using the attacker's chosen nonce. This poses a minimal + risk to the compromise of the TEK-Auth key, and this EAP Session + cannot proceed successfully as the Peer will find the Server's MIC + invalid. + + + + +Vanderveen & Soliman Informational [Page 39] + +RFC 4763 EAP-SAKE November 2006 + + + Replay protection is achieved via the RAND_S and RAND_P values, + together with the Session ID field, which are included in the + calculation of the MIC present in each packet subsequent to the EAP- + SAKE/Challenge request packet. The Session ID MUST be generated anew + by the Server for each EAP session. Session Ids also aid in + identification of possible multiple EAP sessions between a Peer and a + Server. Within the same session, messages can be replayed by an + attacker, but the state machine SHOULD be able to handle these cases. + Note that a replay within a session is indistinguishable to a + recipient from a network malfunction (e.g., message was first lost + and then re-transmitted, so the recipient thinks it is a duplicate + message). + + Replay protection between EAP sessions and within an EAP session is + also accomplished via the MIC, which covers not only the entire EAP + packet (including the Session ID) but also the nonces RAND_S and + RAND_P. Thus, the recipient of an EAP message can be assured that + the message it just received is the one just sent by the other Peer + and not a replay, since it contains a valid MIC of the recipient's + nonce and the other Peer nonce. As before, the extent of replay + protection is commensurate with the security of the KDF used to + derive the MIC, the length and entropy of the shared secret used by + the KDF, and the length of the MIC. + +5.6. Confidentiality + + Confidentiality of EAP-SAKE attributes is supported through the use + of the AT_ENCR_DATA and AT_IV attributes. A ciphersuite is + negotiated securely (see Section 3.2.7) and can be used to encrypt + any attributes as needed. The default ciphersuite contains a strong + cipher based on AES. + +5.7. Key Derivation, Strength + + EAP-SAKE derives a Master Key (for EAP use) and Master Session Key, + as well as other lower-level keys, such as TEKs. Some of the lower- + level keys may or may not be used. The strength (entropy) of all + these keys is at most the strength of the Root Secret. + + The entropy of the MSK and of the EMSK, assuming that the Server and + Peer 128-bit nonces are generated using good random number + generators, is at most 256-bits. + + + + + + + + + +Vanderveen & Soliman Informational [Page 40] + +RFC 4763 EAP-SAKE November 2006 + + +5.8. Dictionary Attacks + + Dictionary attacks are not feasible to mount on the EAP-SAKE method + because passwords are not used. Instead, the Root Secret is + machine-generated. This does not necessarily pose provisioning + problems. + +5.9. Man-in-the-Middle Attacks + + Resistance to man-in-the-middle attacks is provided through the + integrity protection that each EAP message carries (i.e., Message + Integrity Check field) as soon as a common key for this EAP session + has been derived through mutual authentication. As before, the + extent of this resistance is commensurate with the strength of the + MIC itself. Man-in-the-middle attacks associated with the use of any + EAP method within a tunneling or sequencing protocol are beyond the + scope of this document. + +5.10. Result Indication Protection + + EAP-SAKE provides result indication protection in that it provides + result indications, integrity protection, and replay protection. The + Server indicates that it has successfully authenticated the Peer by + sending the EAP.Request/SAKE/Confirm message, which is integrity and + replay protected. The Peer indicates that it has successfully + authenticated the Server by sending the EAP.Response/SAKE/Confirm + message, which is also integrity and replay protected. + +5.11. Cryptographic Separation of Keys + + The TEKs used to protect EAP-SAKE packets (TEK-Auth, TEK-Cipher), the + Master Session Key, and the Extended Master Session Key are + cryptographically separate. Information about any of these keys does + not lead to information about any other keys. We also note that it + is infeasible to calculate the Root Secret from any or all of the + TEKs, the MSK, or the EMSK. + +5.12. Session Independence + + Within each EAP-SAKE session, fresh keying material is generated. + The keying material exported by this method from two independent + EAP-SAKE sessions is cryptographically separate, as explained below. + + Both the Server and the Peer SHOULD generate fresh random numbers + (i.e., nonces) for the EAP-SAKE exchange. If either entity re-uses a + random number from a previous session, then the fact that the other + does use a freshly generated random number implies that the TEKs, + MSK, and EMSK derived within this session are cryptographically + + + +Vanderveen & Soliman Informational [Page 41] + +RFC 4763 EAP-SAKE November 2006 + + + separate from the corresponding keys derived in the previous + exchange. + + Therefore, compromise of MSK or EMSK on one exchange does not + compromise the MSK and EMSK of previous or subsequent exchanges + between a Peer and a Server. + +5.13. Identity Protection + + As seen from Section 3.2.3., the Server may assign a temporary NAI to + a Peer in order to achieve user anonymity. This identifier may be + used by the Peer the next time it engages in an EAP-SAKE + authentication phase with the Server. The TempID is protected by + sending it encrypted, within an AT_ENCR_DATA attribute, and signed by + the Server with a MIC. Thus, an eavesdropper cannot link the + original PermID that the Peer first sends (e.g., on power-up) to any + subsequent TempID values sent in the clear to the Server. + + The Server and Peer MAY be configured such that only TempID + identities are exchanged after one initial EAP-SAKE phase that uses + the Peer permanent identity. In this case, in order to achieve + maximum identity protection, the TempID SHOULD be stored in non- + volatile memory in the Peer and Server. Thus, compliance with this + document does not preclude or mandate Peer identity protection across + the lifetime of the Peer. + +5.14. Channel Binding + + The Server identifier and Peer identifier MAY be sent in the + SAKE/Challenge messages. However, since there is no established + authentication key at the time of the first message, the Server + identifier is not integrity-protected here. + + All subsequent EAP-SAKE messages exchanged during a successful EAP- + SAKE phase are integrity-protected, as they contain a Message + Integrity Check (MIC). The MIC is computed over the EAP message and + also over the Server and Peer identities. In that, both EAP + endpoints can verify the identity of the other party. + +5.15. Ciphersuite Negotiation + + EAP-SAKE does not support negotiation of the ciphersuite used to + integrity-protect the EAP conversation. However, negotiation of a + ciphersuite for data protection is supported. This ciphersuite + negotiation is protected in order to minimize the risk of down- + negotiation or man-in-the-middle attacks. + + + + + +Vanderveen & Soliman Informational [Page 42] + +RFC 4763 EAP-SAKE November 2006 + + + This negotiation is secure because of the Message Integrity Checks + (MICs) that cover the entire EAP messages used for ciphersuite + negotiation (see Section 3.2.7.). The extent of the security of the + negotiation is commensurate with the security of the KDF used to + derive the MICs, the length and entropy of the shared secret used by + the KDF, and the length of the MICs. + +5.16. Random Number Generation + + EAP-SAKE supports key derivation from a 32-byte Root Secret. The + entropy of all other keys derived from it is reduced somewhat through + the use of keyed hash functions (e.g. KDF). Thus, assuming + optimistically that the effective key strength of the Root Secret is + 32 bytes, the effective key strengths of the derived keys is at most + the effective key strength of the Root Secret quantities they are + derived from: EMSK, at most 16 bytes; MSK, at most 16 bytes. + +6. Security Claims + + This section provides the security claims as required by [EAP]. + + [a] Mechanism: EAP-SAKE is a challenge/response authentication and + key establishment mechanism based on a symmetric pre-shared + secret. + + [b] Security claims. EAP-SAKE provides: + + Mutual authentication (Section 5.3) + + Integrity protection (Section 5.4) + + Replay protection (Section 5.5) + + Confidentiality (optional, Section 5.6 and Section 5.13) + + Key derivation (Section 5.7) + + Dictionary attack protection (Section 5.8) + + Protected result indication of successful authentication from + Server and from Peer (Section 5.10) + + Session independence (Section 5.12) + + [c] Key strength. EAP-SAKE supports key derivation with 256-bit + effective key strength (Section 5.7) + + [d] Description of key hierarchy: see Section 3.2.5. + + + +Vanderveen & Soliman Informational [Page 43] + +RFC 4763 EAP-SAKE November 2006 + + + [e] Indication of vulnerabilities: EAP-Make does not provide: + + Fast reconnect + + Fragmentation + + Channel binding + + Cryptographic binding + +7. Acknowledgements + + Thanks to R. Dynarski for his helpful comments. + +8. References + +8.1. Normative References + + [AES] National Institute of Standards and Technology, + "Federal Information Processing Standards (FIPS) + Publication 197, Advanced Encryption Standard (AES)", + November 2001. http://csrc.nist.gov/publications/ + fips/fips197/fips-197.pdf + + [CBC] National Institute of Standards and Technology, NIST + Special Publication 800-38A, "Recommendation for Block + Cipher Modes of Operation - Methods and Techniques", + December 2001. http://csrc.nist.gov/publications/ + drafts/Draft-NIST_SP800-38D_Public_Comment.pdf + + [EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and + H. Levkowetz, "Extensible Authentication Protocol + (EAP)", RFC 3748, June 2004. + + [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + [IANA] Narten, T. and H. Alvestrand, "Guidelines for Writing + an IANA Considerations Section in RFCs", BCP 26, RFC + 2434, October 1998. + + [IEEE802.11i] "IEEE Standard for Information Technology- + Telecommunications and Information Exchange between + Systems - LAN/MAN Specific Requirements - Part 11: + Wireless Medium Access Control (MAC) and physical + layer (PHY) specifications: Amendment 6: Medium Access + Control (MAC) Security Enhancements", June 2004. + + + +Vanderveen & Soliman Informational [Page 44] + +RFC 4763 EAP-SAKE November 2006 + + + [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [SHA1] National Institute of Standards and Technology, U.S. + Department of Commerce, Federal Information Processing + Standard (FIPS) Publication 180-1, "Secure Hash + Standard", April 1995. + +8.2. Informative References + + [NAI] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The + Network Access Identifier", RFC 4282, December 2005. + + [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC + 4086, June 2005. + +Authors' Addresses + + Michaela Vanderveen + Qualcomm Flarion Technologies + 135 Rte. 202/206 South + Bedminster, NJ 07921 + USA + + EMail: mvandervn@yahoo.com + + + Hesham Soliman + Qualcomm Flarion Technologies + 135 Rte. 202/206 South + Bedminster, NJ 07921 + USA + + EMail: solimanhs@gmail.com + + + + + + + + + + + + + + + + +Vanderveen & Soliman Informational [Page 45] + +RFC 4763 EAP-SAKE November 2006 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78 and at www.rfc-editor.org/copyright.html, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, + AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT + THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY + IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR + PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + +Vanderveen & Soliman Informational [Page 46] + |