summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5247.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5247.txt')
-rw-r--r--doc/rfc/rfc5247.txt4427
1 files changed, 4427 insertions, 0 deletions
diff --git a/doc/rfc/rfc5247.txt b/doc/rfc/rfc5247.txt
new file mode 100644
index 0000000..f5ed788
--- /dev/null
+++ b/doc/rfc/rfc5247.txt
@@ -0,0 +1,4427 @@
+
+
+
+
+
+
+Network Working Group B. Aboba
+Request for Comments: 5247 D. Simon
+Updates: 3748 Microsoft Corporation
+Category: Standards Track P. Eronen
+ Nokia
+ August 2008
+
+
+ Extensible Authentication Protocol (EAP) Key Management Framework
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ The Extensible Authentication Protocol (EAP), defined in RFC 3748,
+ enables extensible network access authentication. This document
+ specifies the EAP key hierarchy and provides a framework for the
+ transport and usage of keying material and parameters generated by
+ EAP authentication algorithms, known as "methods". It also provides
+ a detailed system-level security analysis, describing the conditions
+ under which the key management guidelines described in RFC 4962 can
+ be satisfied.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 1]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Requirements Language ......................................3
+ 1.2. Terminology ................................................3
+ 1.3. Overview ...................................................7
+ 1.4. EAP Key Hierarchy .........................................10
+ 1.5. Security Goals ............................................15
+ 1.6. EAP Invariants ............................................16
+ 2. Lower-Layer Operation ..........................................20
+ 2.1. Transient Session Keys ....................................20
+ 2.2. Authenticator and Peer Architecture .......................22
+ 2.3. Authenticator Identification ..............................23
+ 2.4. Peer Identification .......................................27
+ 2.5. Server Identification .....................................29
+ 3. Security Association Management ................................31
+ 3.1. Secure Association Protocol ...............................32
+ 3.2. Key Scope .................................................35
+ 3.3. Parent-Child Relationships ................................35
+ 3.4. Local Key Lifetimes .......................................37
+ 3.5. Exported and Calculated Key Lifetimes .....................37
+ 3.6. Key Cache Synchronization .................................40
+ 3.7. Key Strength ..............................................40
+ 3.8. Key Wrap ..................................................41
+ 4. Handoff Vulnerabilities ........................................41
+ 4.1. EAP Pre-Authentication ....................................43
+ 4.2. Proactive Key Distribution ................................44
+ 4.3. AAA Bypass ................................................46
+ 5. Security Considerations ........................................50
+ 5.1. Peer and Authenticator Compromise .........................51
+ 5.2. Cryptographic Negotiation .................................53
+ 5.3. Confidentiality and Authentication ........................54
+ 5.4. Key Binding ...............................................59
+ 5.5. Authorization .............................................60
+ 5.6. Replay Protection .........................................63
+ 5.7. Key Freshness .............................................64
+ 5.8. Key Scope Limitation ......................................66
+ 5.9. Key Naming ................................................66
+ 5.10. Denial-of-Service Attacks ................................67
+ 6. References .....................................................68
+ 6.1. Normative References ......................................68
+ 6.2. Informative References ....................................68
+ Acknowledgments ...................................................74
+ Appendix A - Exported Parameters in Existing Methods ..............75
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 2]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+1. Introduction
+
+ The Extensible Authentication Protocol (EAP), defined in [RFC3748],
+ was designed to enable extensible authentication for network access
+ in situations in which the Internet Protocol (IP) protocol is not
+ available. Originally developed for use with Point-to-Point Protocol
+ (PPP) [RFC1661], it has subsequently also been applied to IEEE 802
+ wired networks [IEEE-802.1X], Internet Key Exchange Protocol version
+ 2 (IKEv2) [RFC4306], and wireless networks such as [IEEE-802.11] and
+ [IEEE-802.16e].
+
+ EAP is a two-party protocol spoken between the EAP peer and server.
+ Within EAP, keying material is generated by EAP authentication
+ algorithms, known as "methods". Part of this keying material can be
+ used by EAP methods themselves, and part of this material can be
+ exported. In addition to the export of keying material, EAP methods
+ can also export associated parameters such as authenticated peer and
+ server identities and a unique EAP conversation identifier, and can
+ import and export lower-layer parameters known as "channel binding
+ parameters", or simply "channel bindings".
+
+ This document specifies the EAP key hierarchy and provides a
+ framework for the transport and usage of keying material and
+ parameters generated by EAP methods. It also provides a detailed
+ security analysis, describing the conditions under which the
+ requirements described in "Guidance for Authentication,
+ Authorization, and Accounting (AAA) Key Management" [RFC4962] can be
+ satisfied.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Terminology
+
+ The terms "Cryptographic binding", "Cryptographic separation", "Key
+ strength" and "Mutual authentication" are defined in [RFC3748] and
+ are used with the same meaning in this document, which also
+ frequently uses the following terms:
+
+ 4-Way Handshake
+ A pairwise Authentication and Key Management Protocol (AKMP)
+ defined in [IEEE-802.11], which confirms mutual possession of a
+ Pairwise Master Key by two parties and distributes a Group Key.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 3]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ AAA Authentication, Authorization, and Accounting
+ AAA protocols with EAP support include "RADIUS Support for EAP"
+ [RFC3579] and "Diameter EAP Application" [RFC4072]. In this
+ document, the terms "AAA server" and "backend authentication
+ server" are used interchangeably.
+
+ AAA-Key
+ The term AAA-Key is synonymous with Master Session Key (MSK).
+ Since multiple keys can be transported by AAA, the term is
+ potentially confusing and is not used in this document.
+
+ Authenticator
+ The entity initiating EAP authentication.
+
+ Backend Authentication Server
+ A backend authentication server is an entity that provides an
+ authentication service to an authenticator. When used, this
+ server typically executes EAP methods for the authenticator. This
+ terminology is also used in [IEEE-802.1X].
+
+ Channel Binding
+ A secure mechanism for ensuring that a subset of the parameters
+ transmitted by the authenticator (such as authenticator
+ identifiers and properties) are agreed upon by the EAP peer and
+ server. It is expected that the parameters are also securely
+ agreed upon by the EAP peer and authenticator via the lower layer
+ if the authenticator advertised the parameters.
+
+ Derived Keying Material
+ Keys derived from EAP keying material, such as Transient Session
+ Keys (TSKs).
+
+ EAP Keying Material
+ Keys derived by an EAP method; this includes exported keying
+ material (MSK, Extended MSK (EMSK), Initialization Vector (IV)) as
+ well as local keying material such as Transient EAP Keys (TEKs).
+
+ EAP Pre-Authentication
+ The use of EAP to pre-establish EAP keying material on an
+ authenticator prior to arrival of the peer at the access network
+ managed by that authenticator.
+
+ EAP Re-Authentication
+ EAP authentication between an EAP peer and a server with whom the
+ EAP peer shares valid unexpired EAP keying material.
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 4]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ EAP Server
+ The entity that terminates the EAP authentication method with the
+ peer. In the case where no backend authentication server is used,
+ the EAP server is part of the authenticator. In the case where
+ the authenticator operates in pass-through mode, the EAP server is
+ located on the backend authentication server.
+
+ Exported Keying Material
+ The EAP Master Session Key (MSK), Extended Master Session Key
+ (EMSK), and Initialization Vector (IV).
+
+ Extended Master Session Key (EMSK)
+ Additional keying material derived between the peer and server
+ that is exported by the EAP method. The EMSK is at least 64
+ octets in length and is never shared with a third party. The EMSK
+ MUST be at least as long as the MSK in size.
+
+ Initialization Vector (IV)
+ A quantity of at least 64 octets, suitable for use in an
+ initialization vector field, that is derived between the peer and
+ EAP server. Since the IV is a known value in methods such as
+ EAP-TLS (Transport Layer Security) [RFC5216], it cannot be used by
+ itself for computation of any quantity that needs to remain
+ secret. As a result, its use has been deprecated and it is
+ OPTIONAL for EAP methods to generate it. However, when it is
+ generated, it MUST be unpredictable.
+
+ Keying Material
+ Unless otherwise qualified, the term "keying material" refers to
+ EAP keying material as well as derived keying material.
+
+ Key Scope
+ The parties to whom a key is available.
+
+ Key Wrap
+ The encryption of one symmetric cryptographic key in another. The
+ algorithm used for the encryption is called a key wrap algorithm
+ or a key encryption algorithm. The key used in the encryption
+ process is called a key-encryption key (KEK).
+
+ Long-Term Credential
+ EAP methods frequently make use of long-term secrets in order to
+ enable authentication between the peer and server. In the case of
+ a method based on pre-shared key authentication, the long-term
+ credential is the pre-shared key. In the case of a
+ public-key-based method, the long-term credential is the
+ corresponding private key.
+
+
+
+
+Aboba, et al. Standards Track [Page 5]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Lower Layer
+ The lower layer is responsible for carrying EAP frames between the
+ peer and authenticator.
+
+ Lower-Layer Identity
+ A name used to identify the EAP peer and authenticator within the
+ lower layer.
+
+ Master Session Key (MSK)
+ Keying material that is derived between the EAP peer and server
+ and exported by the EAP method. The MSK is at least 64 octets in
+ length.
+
+ Network Access Server (NAS)
+ A device that provides an access service for a user to a network.
+
+ Pairwise Master Key (PMK)
+ Lower layers use the MSK in a lower-layer dependent manner. For
+ instance, in IEEE 802.11 [IEEE-802.11], Octets 0-31 of the MSK are
+ known as the Pairwise Master Key (PMK); the Temporal Key Integrity
+ Protocol (TKIP) and Advanced Encryption Standard Counter Mode with
+ CBC-MAC Protocol (AES CCMP) ciphersuites derive their Transient
+ Session Keys (TSKs) solely from the PMK, whereas the Wired
+ Equivalent Privacy (WEP) ciphersuite, as noted in "IEEE 802.1X
+ RADIUS Usage Guidelines" [RFC3580], derives its TSKs from both
+ halves of the MSK. In [IEEE-802.16e], the MSK is truncated to 20
+ octets for PMK and 20 octets for PMK2.
+
+ Peer
+ The entity that responds to the authenticator. In [IEEE-802.1X],
+ this entity is known as the Supplicant.
+
+ Security Association
+ A set of policies and cryptographic state used to protect
+ information. Elements of a security association include
+ cryptographic keys, negotiated ciphersuites and other parameters,
+ counters, sequence spaces, authorization attributes, etc.
+
+ Secure Association Protocol
+ An exchange that occurs between the EAP peer and authenticator in
+ order to manage security associations derived from EAP exchanges.
+ The protocol establishes unicast and (optionally) multicast
+ security associations, which include symmetric keys and a context
+ for the use of the keys. An example of a Secure Association
+ Protocol is the 4-way handshake defined within [IEEE-802.11].
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 6]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Session-Id
+ The EAP Session-Id uniquely identifies an EAP authentication
+ exchange between an EAP peer (as identified by the Peer-Id(s)) and
+ server (as identified by the Server-Id(s)). For more information,
+ see Section 1.4.
+
+ Transient EAP Keys (TEKs)
+ Session keys that are used to establish a protected channel
+ between the EAP peer and server during the EAP authentication
+ exchange. The TEKs are appropriate for use with the ciphersuite
+ negotiated between EAP peer and server for use in protecting the
+ EAP conversation. The TEKs are stored locally by the EAP method
+ and are not exported. Note that the ciphersuite used to set up
+ the protected channel between the EAP peer and server during EAP
+ authentication is unrelated to the ciphersuite used to
+ subsequently protect data sent between the EAP peer and
+ authenticator.
+
+ Transient Session Keys (TSKs)
+ Keys used to protect data exchanged after EAP authentication has
+ successfully completed using the ciphersuite negotiated between
+ the EAP peer and authenticator.
+
+1.3. Overview
+
+ Where EAP key derivation is supported, the conversation typically
+ takes place in three phases:
+
+ Phase 0: Discovery
+ Phase 1: Authentication
+ 1a: EAP authentication
+ 1b: AAA Key Transport (optional)
+ Phase 2: Secure Association Protocol
+ 2a: Unicast Secure Association
+ 2b: Multicast Secure Association (optional)
+
+ Of these phases, phase 0, 1b, and 2 are handled external to EAP.
+ phases 0 and 2 are handled by the lower-layer protocol, and phase 1b
+ is typically handled by a AAA protocol.
+
+ In the discovery phase (phase 0), peers locate authenticators and
+ discover their capabilities. A peer can locate an authenticator
+ providing access to a particular network, or a peer can locate an
+ authenticator behind a bridge with which it desires to establish a
+ Secure Association. Discovery can occur manually or automatically,
+ depending on the lower layer over which EAP runs.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 7]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ The authentication phase (phase 1) can begin once the peer and
+ authenticator discover each other. This phase, if it occurs, always
+ includes EAP authentication (phase 1a). Where the chosen EAP method
+ supports key derivation, in phase 1a, EAP keying material is derived
+ on both the peer and the EAP server.
+
+ An additional step (phase 1b) is needed in deployments that include a
+ backend authentication server, in order to transport keying material
+ from the backend authentication server to the authenticator. In
+ order to obey the principle of mode independence (see Section 1.6.1),
+ where a backend authentication server is present, all keying material
+ needed by the lower layer is transported from the EAP server to the
+ authenticator. Since existing TSK derivation and transport
+ techniques depend solely on the MSK, in existing implementations,
+ this is the only keying material replicated in the AAA key transport
+ phase 1b.
+
+ Successful completion of EAP authentication and key derivation by a
+ peer and EAP server does not necessarily imply that the peer is
+ committed to joining the network associated with an EAP server.
+ Rather, this commitment is implied by the creation of a security
+ association between the EAP peer and authenticator, as part of the
+ Secure Association Protocol (phase 2). The Secure Association
+ Protocol exchange (phase 2) occurs between the peer and authenticator
+ in order to manage the creation and deletion of unicast (phase 2a)
+ and multicast (phase 2b) security associations between the peer and
+ authenticator. The conversation between the parties is shown in
+ Figure 1.
+
+ EAP peer Authenticator Auth. Server
+ -------- ------------- ------------
+ |<----------------------------->| |
+ | Discovery (phase 0) | |
+ |<----------------------------->|<----------------------------->|
+ | EAP auth (phase 1a) | AAA pass-through (optional) |
+ | | |
+ | |<----------------------------->|
+ | | AAA Key transport |
+ | | (optional; phase 1b) |
+ |<----------------------------->| |
+ | Unicast Secure association | |
+ | (phase 2a) | |
+ | | |
+ |<----------------------------->| |
+ | Multicast Secure association | |
+ | (optional; phase 2b) | |
+ | | |
+
+
+
+
+Aboba, et al. Standards Track [Page 8]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Figure 1: Conversation Overview
+
+1.3.1. Examples
+
+ Existing EAP lower layers implement phase 0, 2a, and 2b in different
+ ways:
+
+ PPP
+ The Point-to-Point Protocol (PPP), defined in [RFC1661], does not
+ support discovery, nor does it include a Secure Association
+ Protocol.
+
+ PPPoE
+ PPP over Ethernet (PPPoE), defined in [RFC2516], includes support
+ for a Discovery stage (phase 0). In this step, the EAP peer sends
+ a PPPoE Active Discovery Initiation (PADI) packet to the broadcast
+ address, indicating the service it is requesting. The Access
+ Concentrator replies with a PPPoE Active Discovery Offer (PADO)
+ packet containing its name, the service name, and an indication of
+ the services offered by the concentrator. The discovery phase is
+ not secured. PPPoE, like PPP, does not include a Secure
+ Association Protocol.
+
+ IKEv2
+ Internet Key Exchange v2 (IKEv2), defined in [RFC4306], includes
+ support for EAP and handles the establishment of unicast security
+ associations (phase 2a). However, the establishment of multicast
+ security associations (phase 2b) typically does not involve EAP
+ and needs to be handled by a group key management protocol such as
+ Group Domain of Interpretation (GDOI) [RFC3547], Group Secure
+ Association Key Management Protocol (GSAKMP) [RFC4535], Multimedia
+ Internet KEYing (MIKEY) [RFC3830], or Group Key Distribution
+ Protocol (GKDP) [GKDP]. Several mechanisms have been proposed for
+ the discovery of IPsec security gateways. [RFC2230] discusses the
+ use of Key eXchange (KX) Resource Records (RRs) for IPsec gateway
+ discovery; while KX RRs are supported by many Domain Name Service
+ (DNS) server implementations, they have not yet been widely
+ deployed. Alternatively, DNS SRV RRs [RFC2782] can be used for
+ this purpose. Where DNS is used for gateway location, DNS
+ security mechanisms such as DNS Security (DNSSEC) ([RFC4033],
+ [RFC4035]), TSIG [RFC2845], and Simple Secure Dynamic Update
+ [RFC3007] are available.
+
+ IEEE 802.11
+ IEEE 802.11, defined in [IEEE-802.11], handles discovery via the
+ Beacon and Probe Request/Response mechanisms. IEEE 802.11 Access
+ Points (APs) periodically announce their Service Set Identifiers
+ (SSIDs) as well as capabilities using Beacon frames. Stations can
+
+
+
+Aboba, et al. Standards Track [Page 9]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ query for APs by sending a Probe Request. Neither Beacon nor
+ Probe Request/Response frames are secured. The 4-way handshake
+ defined in [IEEE-802.11] enables the derivation of unicast (phase
+ 2a) and multicast/broadcast (phase 2b) secure associations. Since
+ the group key exchange transports a group key from the AP to the
+ station, two 4-way handshakes can be needed in order to support
+ peer-to-peer communications. A proof of the security of the IEEE
+ 802.11 4-way handshake, when used with EAP-TLS, is provided in
+ [He].
+
+ IEEE 802.1X
+ IEEE 802.1X-2004, defined in [IEEE-802.1X], does not support
+ discovery (phase 0), nor does it provide for derivation of unicast
+ or multicast secure associations.
+
+1.4. EAP Key Hierarchy
+
+ As illustrated in Figure 2, the EAP method key derivation has, at the
+ root, the long-term credential utilized by the selected EAP method.
+ If authentication is based on a pre-shared key, the parties store the
+ EAP method to be used and the pre-shared key. The EAP server also
+ stores the peer's identity as well as additional information. This
+ information is typically used outside of the EAP method to determine
+ whether to grant access to a service. The peer stores information
+ necessary to choose which secret to use for which service.
+
+ If authentication is based on proof of possession of the private key
+ corresponding to the public key contained within a certificate, the
+ parties store the EAP method to be used and the trust anchors used to
+ validate the certificates. The EAP server also stores the peer's
+ identity, and the peer stores information necessary to choose which
+ certificate to use for which service. Based on the long-term
+ credential established between the peer and the server, methods
+ derive two types of EAP keying material:
+
+ (a) Keying material calculated locally by the EAP method but not
+ exported, such as the Transient EAP Keys (TEKs).
+
+ (b) Keying material exported by the EAP method: Master Session Key
+ (MSK), Extended Master Session Key (EMSK), Initialization
+ Vector (IV).
+
+ As noted in [RFC3748] Section 7.10:
+
+ In order to provide keying material for use in a subsequently
+ negotiated ciphersuite, an EAP method supporting key derivation
+ MUST export a Master Session Key (MSK) of at least 64 octets, and
+ an Extended Master Session Key (EMSK) of at least 64 octets.
+
+
+
+Aboba, et al. Standards Track [Page 10]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ EAP methods also MAY export the IV; however, the use of the IV is
+ deprecated. The EMSK MUST NOT be provided to an entity outside the
+ EAP server or peer, nor is it permitted to pass any quantity to an
+ entity outside the EAP server or peer from which the EMSK could be
+ computed without breaking some cryptographic assumption, such as
+ inverting a one-way function.
+
+ EAP methods supporting key derivation and mutual authentication
+ SHOULD export a method-specific EAP conversation identifier known as
+ the Session-Id, as well as one or more method-specific peer
+ identifiers (Peer-Id(s)) and MAY export one or more method-specific
+ server identifiers (Server-Id(s)). EAP methods MAY also support the
+ import and export of channel binding parameters. EAP method
+ specifications developed after the publication of this document MUST
+ define the Peer-Id, Server-Id, and Session-Id. The Peer-Id(s) and
+ Server-Id(s), when provided, identify the entities involved in
+ generating EAP keying material. For existing EAP methods, the
+ Peer-Id, Server-Id, and Session-Id are defined in Appendix A.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 11]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+
+| | ^
+| EAP Method | |
+| | |
+| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
+| | | | | | |
+| | EAP Method Key |<->| Long-Term | | |
+| | Derivation | | Credential | | |
+| | | | | | |
+| | | +-+-+-+-+-+-+-+ | Local to |
+| | | | EAP |
+| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Method |
+| | | | | |
+| | | | | |
+| | | | | |
+| | | | | |
+| | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
+| | | TEK | |MSK, EMSK | |IV | | |
+| | |Derivation | |Derivation | |Derivation | | |
+| | | | | | |(Deprecated) | | |
+| | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
+| | ^ | | | |
+| | | | | | V
++-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+ ---+
+ | | | | ^
+ | | | | Exported |
+ | Peer-Id(s), | channel | MSK (64+B) | IV (64B) by |
+ | Server-Id(s), | bindings | EMSK (64+B) | (Optional) EAP |
+ | Session-Id | & Result | | Method |
+ V V V V V
+
+ Figure 2: EAP Method Parameter Import/Export
+
+ Peer-Id
+
+ If an EAP method that generates keys authenticates one or more
+ method-specific peer identities, those identities are exported by
+ the method as the Peer-Id(s). It is possible for more than one
+ Peer-Id to be exported by an EAP method. Not all EAP methods
+ provide a method-specific peer identity; where this is not
+ defined, the Peer-Id is the null string. In EAP methods that do
+ not support key generation, the Peer-Id MUST be the null string.
+ Where an EAP method that derives keys does not provide a Peer-Id,
+ the EAP server will not authenticate the identity of the EAP peer
+ with which it derived keying material.
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 12]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Server-Id
+
+ If an EAP method that generates keys authenticates one or more
+ method-specific server identities, those identities are exported
+ by the method as the Server-Id(s). It is possible for more than
+ one Server-Id to be exported by an EAP method. Not all EAP
+ methods provide a method-specific server identity; where this is
+ not defined, the Server-Id is the null string. If the EAP method
+ does not generate keying material, the Server-Id MUST be the null
+ string. Where an EAP method that derives keys does not provide a
+ Server-Id, the EAP peer will not authenticate the identity of the
+ EAP server with which it derived EAP keying material.
+
+ Session-Id
+
+ The Session-Id uniquely identifies an EAP session between an EAP
+ peer (as identified by the Peer-Id) and server (as identified by
+ the Server-Id). Where non-expanded EAP Type Codes are used (EAP
+ Type Code not equal to 254), the EAP Session-Id is the
+ concatenation of the single octet EAP Type Code and a temporally
+ unique identifier obtained from the method (known as the
+ Method-Id):
+
+
+ Session-Id = Type-Code || Method-Id
+
+ Where expanded EAP Type Codes are used, the EAP Session-Id
+ consists of the Expanded Type Code (including the Type, Vendor-Id
+ (in network byte order) and Vendor-Type fields (in network byte
+ order) defined in [RFC3748] Section 5.7), concatenated with a
+ temporally unique identifier obtained from the method (Method-Id):
+
+ Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id
+
+ The Method-Id is typically constructed from nonces or counters
+ used within the EAP method exchange. The inclusion of the Type
+ Code or Expanded Type Code in the EAP Session-Id ensures that each
+ EAP method has a distinct Session-Id space. Since an EAP session
+ is not bound to a particular authenticator or specific ports on
+ the peer and authenticator, the authenticator port or identity are
+ not included in the Session-Id.
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 13]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Channel Binding
+
+ Channel binding is the process by which lower-layer parameters are
+ verified for consistency between the EAP peer and server. In
+ order to avoid introducing media dependencies, EAP methods that
+ transport channel binding parameters MUST treat this data as
+ opaque octets. See Section 5.3.3 for further discussion.
+
+1.4.1. Key Naming
+
+ Each key created within the EAP key management framework has a name
+ (a unique identifier), as well as a scope (the parties to whom the
+ key is available). The scope of exported keying material and TEKs is
+ defined by the authenticated method-specific peer identities
+ (Peer-Id(s)) and the authenticated server identities (Server-Id(s)),
+ where available.
+
+ MSK and EMSK Names
+ The MSK and EMSK are exported by the EAP peer and EAP server,
+ and MUST be named using the EAP Session-Id and a binary or
+ textual indication of the EAP keying material being referred to.
+
+ PMK Name
+ This document does not specify a naming scheme for the Pairwise
+ Master Key (PMK). The PMK is only identified by the name of the
+ key from which it is derived.
+
+ Note: IEEE 802.11 names the PMK for the purposes of being able
+ to refer to it in the Secure Association Protocol; the PMK name
+ (known as the PMKID) is based on a hash of the PMK itself as
+ well as some other parameters (see [IEEE-802.11] Section
+ 8.5.1.2).
+
+ TEK Name
+ Transient EAP Keys (TEKs) MAY be named; their naming is
+ specified in the EAP method specification.
+
+ TSK Name
+ Transient Session Keys (TSKs) are typically named. Their naming
+ is specified in the lower layer so that the correct set of TSKs
+ can be identified for processing a given packet.
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 14]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+1.5. Security Goals
+
+ The goal of the EAP conversation is to derive fresh session keys
+ between the EAP peer and authenticator that are known only to those
+ parties, and for both the EAP peer and authenticator to demonstrate
+ that they are authorized to perform their roles either by each other
+ or by a trusted third party (the backend authentication server).
+
+ Completion of an EAP method exchange (phase 1a) supporting key
+ derivation results in the derivation of EAP keying material (MSK,
+ EMSK, TEKs) known only to the EAP peer (identified by the Peer-Id(s))
+ and EAP server (identified by the Server-Id(s)). Both the EAP peer
+ and EAP server know this keying material to be fresh. The Peer-Id
+ and Server-Id are discussed in Sections 1.4, 2.4, and 2.5 as well as
+ in Appendix A. Key freshness is discussed in Sections 3.4, 3.5, and
+ 5.7.
+
+ Completion of the AAA exchange (phase 1b) results in the transport of
+ keying material from the EAP server (identified by the Server-Id(s))
+ to the EAP authenticator (identified by the NAS-Identifier) without
+ disclosure to any other party. Both the EAP server and EAP
+ authenticator know this keying material to be fresh. Disclosure
+ issues are discussed in Sections 3.8 and 5.3; security properties of
+ AAA protocols are discussed in Sections 5.1 - 5.9.
+
+ The backend authentication server is trusted to transport keying
+ material only to the authenticator that was established with the
+ peer, and it is trusted to transport that keying material to no other
+ parties. In many systems, EAP keying material established by the EAP
+ peer and EAP server are combined with publicly available data to
+ derive other keys. The backend authentication server is trusted to
+ refrain from deriving these same keys or acting as a
+ man-in-the-middle even though it has access to the keying material
+ that is needed to do so.
+
+ The authenticator is also a trusted party. The authenticator is
+ trusted not to distribute keying material provided by the backend
+ authentication server to any other parties. If the authenticator
+ uses a key derivation function to derive additional keying material,
+ the authenticator is trusted to distribute the derived keying
+ material only to the appropriate party that is known to the peer, and
+ no other party. When this approach is used, care must be taken to
+ ensure that the resulting key management system meets all of the
+ principles in [RFC4962], confirming that keys used to protect data
+ are to be known only by the peer and authenticator.
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 15]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Completion of the Secure Association Protocol (phase 2) results in
+ the derivation or transport of Transient Session Keys (TSKs) known
+ only to the EAP peer (identified by the Peer-Id(s)) and authenticator
+ (identified by the NAS-Identifier). Both the EAP peer and
+ authenticator know the TSKs to be fresh. Both the EAP peer and
+ authenticator demonstrate that they are authorized to perform their
+ roles. Authorization issues are discussed in Sections 4.3.2 and 5.5;
+ security properties of Secure Association Protocols are discussed in
+ Section 3.1.
+
+1.6. EAP Invariants
+
+ Certain basic characteristics, known as "EAP Invariants", hold true
+ for EAP implementations:
+
+ Mode independence
+ Media independence
+ Method independence
+ Ciphersuite independence
+
+1.6.1. Mode Independence
+
+ EAP is typically deployed to support extensible network access
+ authentication in situations where a peer desires network access via
+ one or more authenticators. Where authenticators are deployed
+ standalone, the EAP conversation occurs between the peer and
+ authenticator, and the authenticator locally implements one or more
+ EAP methods. However, when utilized in "pass-through" mode, EAP
+ enables the deployment of new authentication methods without
+ requiring the development of new code on the authenticator.
+
+ While the authenticator can implement some EAP methods locally and
+ use those methods to authenticate local users, it can at the same
+ time act as a pass-through for other users and methods, forwarding
+ EAP packets back and forth between the backend authentication server
+ and the peer. This is accomplished by encapsulating EAP packets
+ within the Authentication, Authorization, and Accounting (AAA)
+ protocol spoken between the authenticator and backend authentication
+ server. AAA protocols supporting EAP include RADIUS [RFC3579] and
+ Diameter [RFC4072].
+
+ It is a fundamental property of EAP that at the EAP method layer, the
+ conversation between the EAP peer and server is unaffected by whether
+ the EAP authenticator is operating in "pass-through" mode. EAP
+ methods operate identically in all aspects, including key derivation
+ and parameter import/export, regardless of whether or not the
+ authenticator is operating as a pass-through.
+
+
+
+
+Aboba, et al. Standards Track [Page 16]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ The successful completion of an EAP method that supports key
+ derivation results in the export of EAP keying material and
+ parameters on the EAP peer and server. Even though the EAP peer or
+ server can import channel binding parameters that can include the
+ identity of the EAP authenticator, this information is treated as
+ opaque octets. As a result, within EAP, the only relevant identities
+ are the Peer-Id(s) and Server-Id(s). Channel binding parameters are
+ only interpreted by the lower layer.
+
+ Within EAP, the primary function of the AAA protocol is to maintain
+ the principle of mode independence. As far as the EAP peer is
+ concerned, its conversation with the EAP authenticator, and all
+ consequences of that conversation, are identical, regardless of the
+ authenticator mode of operation.
+
+1.6.2. Media Independence
+
+ One of the goals of EAP is to allow EAP methods to function on any
+ lower layer meeting the criteria outlined in [RFC3748] Section 3.1.
+ For example, as described in [RFC3748], EAP authentication can be run
+ over PPP [RFC1661], IEEE 802 wired networks [IEEE-802.1X], and
+ wireless networks such as 802.11 [IEEE-802.11] and 802.16
+ [IEEE-802.16e].
+
+ In order to maintain media independence, it is necessary for EAP to
+ avoid consideration of media-specific elements. For example, EAP
+ methods cannot be assumed to have knowledge of the lower layer over
+ which they are transported, and cannot be restricted to identifiers
+ associated with a particular usage environment (e.g., Medium Access
+ Control (MAC) addresses).
+
+ Note that media independence can be retained within EAP methods that
+ support channel binding or method-specific identification. An EAP
+ method need not be aware of the content of an identifier in order to
+ use it. This enables an EAP method to use media-specific identifiers
+ such as MAC addresses without compromising media independence.
+ Channel binding parameters are treated as opaque octets by EAP
+ methods so that handling them does not require media-specific
+ knowledge.
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 17]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+1.6.3. Method Independence
+
+ By enabling pass-through, authenticators can support any method
+ implemented on the peer and server, not just locally implemented
+ methods. This allows the authenticator to avoid having to implement
+ the EAP methods configured for use by peers. In fact, since a
+ pass-through authenticator need not implement any EAP methods at all,
+ it cannot be assumed to support any EAP method-specific code. As
+ noted in [RFC3748] Section 2.3:
+
+ Compliant pass-through authenticator implementations MUST by
+ default forward EAP packets of any Type.
+
+ This is useful where there is no single EAP method that is both
+ mandatory to implement and offers acceptable security for the media
+ in use. For example, the [RFC3748] mandatory-to-implement EAP method
+ (MD5-Challenge) does not provide dictionary attack resistance, mutual
+ authentication, or key derivation, and as a result, is not
+ appropriate for use in Wireless Local Area Network (WLAN)
+ authentication [RFC4017]. However, despite this, it is possible for
+ the peer and authenticator to interoperate as long as a suitable EAP
+ method is supported both on the EAP peer and server.
+
+1.6.4. Ciphersuite Independence
+
+ Ciphersuite Independence is a requirement for media independence.
+ Since lower-layer ciphersuites vary between media, media independence
+ requires that exported EAP keying material be large enough (with
+ sufficient entropy) to handle any ciphersuite.
+
+ While EAP methods can negotiate the ciphersuite used in protection of
+ the EAP conversation, the ciphersuite used for the protection of the
+ data exchanged after EAP authentication has completed is negotiated
+ between the peer and authenticator within the lower layer, outside of
+ EAP.
+
+ For example, within PPP, the ciphersuite is negotiated within the
+ Encryption Control Protocol (ECP) defined in [RFC1968], after EAP
+ authentication is completed. Within [IEEE-802.11], the AP
+ ciphersuites are advertised in the Beacon and Probe Responses prior
+ to EAP authentication and are securely verified during a 4-way
+ handshake exchange.
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 18]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Since the ciphersuites used to protect data depend on the lower
+ layer, requiring that EAP methods have knowledge of lower-layer
+ ciphersuites would compromise the principle of media independence.
+ As a result, methods export EAP keying material that is ciphersuite
+ independent. Since ciphersuite negotiation occurs in the lower
+ layer, there is no need for lower-layer ciphersuite negotiation
+ within EAP.
+
+ In order to allow a ciphersuite to be usable within the EAP keying
+ framework, the ciphersuite specification needs to describe how TSKs
+ suitable for use with the ciphersuite are derived from exported EAP
+ keying material. To maintain method independence, algorithms for
+ deriving TSKs MUST NOT depend on the EAP method, although algorithms
+ for TEK derivation MAY be specific to the EAP method.
+
+ Advantages of ciphersuite-independence include:
+
+ Reduced update requirements
+ Ciphersuite independence enables EAP methods to be used with new
+ ciphersuites without requiring the methods to be updated. If
+ EAP methods were to specify how to derive transient session keys
+ for each ciphersuite, they would need to be updated each time a
+ new ciphersuite is developed. In addition, backend
+ authentication servers might not be usable with all EAP-capable
+ authenticators, since the backend authentication server would
+ also need to be updated each time support for a new ciphersuite
+ is added to the authenticator.
+
+ Reduced EAP method complexity
+ Ciphersuite independence enables EAP methods to avoid having to
+ include ciphersuite-specific code. Requiring each EAP method to
+ include ciphersuite-specific code for transient session key
+ derivation would increase method complexity and result in
+ duplicated effort.
+
+ Simplified configuration
+ Ciphersuite independence enables EAP method implementations on
+ the peer and server to avoid having to configure
+ ciphersuite-specific parameters. The ciphersuite is negotiated
+ between the peer and authenticator outside of EAP. Where the
+ authenticator operates in "pass-through" mode, the EAP server is
+ not a party to this negotiation, nor is it involved in the data
+ flow between the EAP peer and authenticator. As a result, the
+ EAP server does not have knowledge of the ciphersuites and
+ negotiation policies implemented by the peer and authenticator,
+ nor is it aware of the ciphersuite negotiated between them. For
+ example, since Encryption Control Protocol (ECP) negotiation
+ occurs after authentication, when run over PPP, the EAP peer and
+
+
+
+Aboba, et al. Standards Track [Page 19]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ server cannot anticipate the negotiated ciphersuite, and
+ therefore, this information cannot be provided to the EAP
+ method.
+
+2. Lower-Layer Operation
+
+ On completion of EAP authentication, EAP keying material and
+ parameters exported by the EAP method are provided to the lower layer
+ and AAA layer (if present). These include the Master Session Key
+ (MSK), Extended Master Session Key (EMSK), Peer-Id(s), Server-Id(s),
+ and Session-Id. The Initialization Vector (IV) is deprecated, but
+ might be provided.
+
+ In order to preserve the security of EAP keying material derived
+ within methods, lower layers MUST NOT export keys passed down by EAP
+ methods. This implies that EAP keying material passed down to a
+ lower layer is for the exclusive use of that lower layer and MUST NOT
+ be used within another lower layer. This prevents compromise of one
+ lower layer from compromising other applications using EAP keying
+ material.
+
+ EAP keying material provided to a lower layer MUST NOT be transported
+ to another entity. For example, EAP keying material passed down to
+ the EAP peer lower layer MUST NOT leave the peer; EAP keying
+ material passed down or transported to the EAP authenticator lower
+ layer MUST NOT leave the authenticator.
+
+ On the EAP server, keying material and parameters requested by and
+ passed down to the AAA layer MAY be replicated to the AAA layer on
+ the authenticator (with the exception of the EMSK). On the
+ authenticator, the AAA layer provides the replicated keying material
+ and parameters to the lower layer over which the EAP authentication
+ conversation took place. This enables mode independence to be
+ maintained.
+
+ The EAP layer, as well as the peer and authenticator layers, MUST NOT
+ modify or cache keying material or parameters (including channel
+ bindings) passing in either direction between the EAP method layer
+ and the lower layer or AAA layer.
+
+2.1. Transient Session Keys
+
+ Where explicitly supported by the lower layer, lower layers MAY cache
+ keying material, including exported EAP keying material and/or TSKs;
+ the structure of this key cache is defined by the lower layer. So as
+ to enable interoperability, new lower-layer specifications MUST
+ describe key caching behavior. Unless explicitly specified by the
+ lower layer, the EAP peer, server, and authenticator MUST assume that
+
+
+
+Aboba, et al. Standards Track [Page 20]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ peers and authenticators do not cache keying material. Existing EAP
+ lower layers and AAA layers handle the generation of transient
+ session keys and caching of EAP keying material in different ways:
+
+ IEEE 802.1X-2004
+ When used with wired networks, IEEE 802.1X-2004 [IEEE-802.1X]
+ does not support link-layer ciphersuites, and as a result, it
+ does not provide for the generation of TSKs or caching of EAP
+ keying material and parameters. Once EAP authentication
+ completes, it is assumed that EAP keying material and parameters
+ are discarded; on IEEE 802 wired networks, there is no
+ subsequent Secure Association Protocol exchange. Perfect
+ Forward Secrecy (PFS) is only possible if the negotiated EAP
+ method supports this.
+
+ PPP
+ PPP, defined in [RFC1661], does not include support for a Secure
+ Association Protocol, nor does it support caching of EAP keying
+ material or parameters. PPP ciphersuites derive their TSKs
+ directly from the MSK, as described in [RFC2716] Section 3.5.
+ This is NOT RECOMMENDED, since if PPP were to support caching of
+ EAP keying material, this could result in TSK reuse. As a
+ result, once the PPP session is terminated, EAP keying material
+ and parameters MUST be discarded. Since caching of EAP keying
+ material is not permitted within PPP, there is no way to handle
+ TSK re-key without EAP re-authentication. Perfect Forward
+ Secrecy (PFS) is only possible if the negotiated EAP method
+ supports this.
+
+ IKEv2
+ IKEv2, defined in [RFC4306], only uses the MSK for
+ authentication purposes and not key derivation. The EMSK, IV,
+ Peer-Id, Server-Id or Session-Id are not used. As a result, the
+ TSKs derived by IKEv2 are cryptographically independent of the
+ EAP keying material and re-key of IPsec SAs can be handled
+ without requiring EAP re-authentication. Within IKEv2, it is
+ possible to negotiate PFS, regardless of which EAP method is
+ negotiated. IKEv2 as specified in [RFC4306] does not cache EAP
+ keying material or parameters; once IKEv2 authentication
+ completes, it is assumed that EAP keying material and parameters
+ are discarded. The Session-Timeout Attribute is therefore
+ interpreted as a limit on the VPN session time, rather than an
+ indication of the MSK key lifetime.
+
+ IEEE 802.11
+ IEEE 802.11 enables caching of the MSK, but not the EMSK, IV,
+ Peer-Id, Server-Id, or Session-Id. More details about the
+ structure of the cache are available in [IEEE-802.11]. In IEEE
+
+
+
+Aboba, et al. Standards Track [Page 21]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ 802.11, TSKs are derived from the MSK using a Secure Association
+ Protocol known as the 4-way handshake, which includes a nonce
+ exchange. This guarantees TSK freshness even if the MSK is
+ reused. The 4-way handshake also enables TSK re-key without EAP
+ re-authentication. PFS is only possible within IEEE 802.11 if
+ caching is not enabled and the negotiated EAP method supports
+ PFS.
+
+ IEEE 802.16e
+ IEEE 802.16e, defined in [IEEE-802.16e], supports caching of the
+ MSK, but not the EMSK, IV, Peer-Id, Server-Id, or Session-Id.
+ IEEE 802.16e supports a Secure Association Protocol in which
+ TSKs are chosen by the authenticator without any contribution by
+ the peer. The TSKs are encrypted, authenticated, and integrity
+ protected using the MSK and are transported from the
+ authenticator to the peer. TSK re-key is possible without EAP
+ re-authentication. PFS is not possible even if the negotiated
+ EAP method supports it.
+
+ AAA
+ Existing implementations and specifications for RADIUS/EAP
+ [RFC3579] or Diameter EAP [RFC4072] do not support caching of
+ keying material or parameters. In existing AAA clients, proxy
+ and server implementations, exported EAP keying material (MSK,
+ EMSK, and IV), as well as parameters and derived keys are not
+ cached and MUST be presumed lost after the AAA exchange
+ completes.
+
+ In order to avoid key reuse, the AAA layer MUST delete
+ transported keys once they are sent. The AAA layer MUST NOT
+ retain keys that it has previously sent. For example, a AAA
+ layer that has transported the MSK MUST delete it, and keys MUST
+ NOT be derived from the MSK from that point forward.
+
+2.2. Authenticator and Peer Architecture
+
+ This specification does not impose constraints on the architecture of
+ the EAP authenticator or peer. For example, any of the authenticator
+ architectures described in [RFC4118] can be used. As a result, lower
+ layers need to identify EAP peers and authenticators unambiguously,
+ without incorporating implicit assumptions about peer and
+ authenticator architectures.
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 22]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ For example, it is possible for multiple base stations and a
+ "controller" (e.g., WLAN switch) to comprise a single EAP
+ authenticator. In such a situation, the "base station identity" is
+ irrelevant to the EAP method conversation, except perhaps as an
+ opaque blob to be used in channel binding. Many base stations can
+ share the same authenticator identity. An EAP authenticator or peer:
+
+ (a) can contain one or more physical or logical ports;
+ (b) can advertise itself as one or more "virtual" authenticators
+ or peers;
+ (c) can utilize multiple CPUs;
+ (d) can support clustering services for load balancing or
+ failover.
+
+ Both the EAP peer and authenticator can have more than one physical
+ or logical port. A peer can simultaneously access the network via
+ multiple authenticators, or via multiple physical or logical ports on
+ a given authenticator. Similarly, an authenticator can offer network
+ access to multiple peers, each via a separate physical or logical
+ port. When a single physical authenticator advertises itself as
+ multiple virtual authenticators, it is possible for a single physical
+ port to belong to multiple virtual authenticators.
+
+ An authenticator can be configured to communicate with more than one
+ EAP server, each of which is configured to communicate with a subset
+ of the authenticators. The situation is illustrated in Figure 3.
+
+2.3. Authenticator Identification
+
+ The EAP method conversation is between the EAP peer and server. The
+ authenticator identity, if considered at all by the EAP method, is
+ treated as an opaque blob for the purpose of channel binding (see
+ Section 5.3.3). However, the authenticator identity is important in
+ two other exchanges - the AAA protocol exchange and the Secure
+ Association Protocol conversation.
+
+ The AAA conversation is between the EAP authenticator and the backend
+ authentication server. From the point of view of the backend
+ authentication server, keying material and parameters are transported
+ to the EAP authenticator identified by the NAS-Identifier Attribute.
+ Since an EAP authenticator MUST NOT share EAP keying material or
+ parameters with another party, if the EAP peer or backend
+ authentication server detects use of EAP keying material and
+ parameters outside the scope defined by the NAS-Identifier, the
+ keying material MUST be considered compromised.
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 23]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ The Secure Association Protocol conversation is between the peer and
+ the authenticator. For lower layers that support key caching, it is
+ particularly important for the EAP peer, authenticator, and backend
+ server to have a consistent view of the usage scope of the
+ transported keying material. In order to enable this, it is
+ RECOMMENDED that the Secure Association Protocol explicitly
+ communicate the usage scope of the EAP keying material passed down to
+ the lower layer, rather than implicitly assuming that this is defined
+ by the authenticator and peer endpoint addresses.
+
+ +-+-+-+-+
+ | EAP |
+ | Peer |
+ +-+-+-+-+
+ | | | Peer Ports
+ / | \
+ / | \
+ / | \
+ / | \
+ / | \
+ / | \
+ / | \
+ / | \ Authenticator
+ | | | | | | | | | Ports
+ +-+-+-+-+ +-+-+-+-+ +-+-+-+-+
+ | | | | | |
+ | Auth1 | | Auth2 | | Auth3 |
+ | | | | | |
+ +-+-+-+-+ +-+-+-+-+ +-+-+-+-+
+ \ | \ |
+ \ | \ |
+ \ | \ |
+ EAP over AAA \ | \ |
+ (optional) \ | \ |
+ \ | \ |
+ \ | \ |
+ \ | \ |
+ +-+-+-+-+-+ +-+-+-+-+-+ Backend
+ | EAP | | EAP | Authentication
+ | Server1 | | Server2 | Servers
+ +-+-+-+-+-+ +-+-+-+-+-+
+
+ Figure 3: Relationship between EAP Peer, Authenticator, and Server
+
+ Since an authenticator can have multiple ports, the scope of the
+ authenticator key cache cannot be described by a single endpoint
+ address. Similarly, where a peer can have multiple ports and sharing
+ of EAP keying material and parameters between peer ports of the same
+
+
+
+Aboba, et al. Standards Track [Page 24]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ link type is allowed, the extent of the peer key cache cannot be
+ communicated by using a single endpoint address. Instead, it is
+ RECOMMENDED that the EAP peer and authenticator consistently identify
+ themselves utilizing explicit identifiers, rather than endpoint
+ addresses or port identifiers.
+
+ AAA protocols such as RADIUS [RFC3579] and Diameter [RFC4072] provide
+ a mechanism for the identification of AAA clients; since the EAP
+ authenticator and AAA client MUST be co-resident, this mechanism is
+ applicable to the identification of EAP authenticators.
+
+ RADIUS [RFC2865] requires that an Access-Request packet contain one
+ or more of the NAS-Identifier, NAS-IP-Address, and NAS-IPv6-Address
+ attributes. Since a NAS can have more than one IP address, the
+ NAS-Identifier Attribute is RECOMMENDED for explicit identification
+ of the authenticator, both within the AAA protocol exchange and the
+ Secure Association Protocol conversation.
+
+ Problems that can arise where the peer and authenticator implicitly
+ identify themselves using endpoint addresses include the following:
+
+ (a) It is possible that the peer will not be able to determine which
+ authenticator ports are associated with which authenticators.
+ As a result, the EAP peer will be unable to utilize the
+ authenticator key cache in an efficient way, and will also be
+ unable to determine whether EAP keying material has been shared
+ outside its authorized scope, and therefore needs to be
+ considered compromised.
+
+ (b) It is possible that the authenticator will not be able to
+ determine which peer ports are associated with which peers,
+ preventing the peer from communicating with it utilizing
+ multiple peer ports.
+
+ (c) It is possible that the peer will not be able to determine with
+ which virtual authenticator it is communicating. For example,
+ multiple virtual authenticators can share a MAC address, but
+ utilize different NAS-Identifiers.
+
+ (d) It is possible that the authenticator will not be able to
+ determine with which virtual peer it is communicating. Multiple
+ virtual peers can share a MAC address, but utilize different
+ Peer-Ids.
+
+ (e) It is possible that the EAP peer and server will not be able to
+ verify the authenticator identity via channel binding.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 25]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ For example, problems (a), (c), and (e) occur in [IEEE-802.11], which
+ utilizes peer and authenticator MAC addresses within the 4-way
+ handshake. Problems (b) and (d) do not occur since [IEEE-802.11]
+ only allows a virtual peer to utilize a single port.
+
+ The following steps enable lower-layer identities to be securely
+ verified by all parties:
+
+ (f) Specify the lower-layer parameters used to identify the
+ authenticator and peer. As noted earlier, endpoint or port
+ identifiers are not recommended for identification of the
+ authenticator or peer when it is possible for them to have
+ multiple ports.
+
+ (g) Communicate the lower-layer identities between the peer and
+ authenticator within phase 0. This allows the peer and
+ authenticator to determine the key scope if a key cache is
+ utilized.
+
+ (h) Communicate the lower-layer authenticator identity between the
+ authenticator and backend authentication server within the NAS-
+ Identifier Attribute.
+
+ (i) Include the lower-layer identities within channel bindings (if
+ supported) in phase 1a, ensuring that they are communicated
+ between the EAP peer and server.
+
+ (j) Support the integrity-protected exchange of identities within
+ phase 2a.
+
+ (k) Utilize the advertised lower-layer identities to enable the peer
+ and authenticator to verify that keys are maintained within the
+ advertised scope.
+
+2.3.1. Virtual Authenticators
+
+ When a single physical authenticator advertises itself as multiple
+ virtual authenticators, if the virtual authenticators do not maintain
+ logically separate key caches, then by authenticating to one virtual
+ authenticator, the peer can gain access to the other virtual
+ authenticators sharing a key cache.
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 26]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ For example, where a physical authenticator implements "Guest" and
+ "Corporate Intranet" virtual authenticators, an attacker acting as a
+ peer could authenticate with the "Guest" virtual authenticator and
+ derive EAP keying material. If the "Guest" and "Corporate Intranet"
+ virtual authenticators share a key cache, then the peer can utilize
+ the EAP keying material derived for the "Guest" network to obtain
+ access to the "Corporate Intranet" network.
+
+ The following steps can be taken to mitigate this vulnerability:
+
+ (a) Authenticators are REQUIRED to cache associated authorizations
+ along with EAP keying material and parameters and to apply
+ authorizations to the peer on each network access, regardless of
+ which virtual authenticator is being accessed. This ensures
+ that an attacker cannot obtain elevated privileges even where
+ the key cache is shared between virtual authenticators, and a
+ peer obtains access to one virtual authenticator utilizing a key
+ cache entry created for use with another virtual authenticator.
+
+ (b) It is RECOMMENDED that physical authenticators maintain separate
+ key caches for each virtual authenticator. This ensures that a
+ cache entry created for use with one virtual authenticator
+ cannot be used for access to another virtual authenticator.
+ Since a key cache entry can no longer be shared between virtual
+ authentications, this step provides protection beyond that
+ offered in (a). This is valuable in situations where
+ authorizations are not used to enforce access limitations. For
+ example, where access is limited using a filter installed on a
+ router rather than using authorizations provided to the
+ authenticator, a peer can gain unauthorized access to resources
+ by exploiting a shared key cache entry.
+
+ (c) It is RECOMMENDED that each virtual authenticator identify
+ itself consistently to the peer and to the backend
+ authentication server, so as to enable the peer to verify the
+ authenticator identity via channel binding (see Section 5.3.3).
+
+ (d) It is RECOMMENDED that each virtual authenticator identify
+ itself distinctly, in order to enable the peer and backend
+ authentication server to tell them apart. For example, this can
+ be accomplished by utilizing a distinct value of the NAS-
+ Identifier Attribute.
+
+2.4. Peer Identification
+
+ As described in [RFC3748] Section 7.3, the peer identity provided in
+ the EAP-Response/Identity can be different from the peer identities
+ authenticated by the EAP method. For example, the identity provided
+
+
+
+Aboba, et al. Standards Track [Page 27]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ in the EAP-Response/Identity can be a privacy identifier as described
+ in "The Network Access Identifier" [RFC4282] Section 2. As noted in
+ [RFC4284], it is also possible to utilize a Network Access Identifier
+ (NAI) for the purposes of source routing; an NAI utilized for source
+ routing is said to be "decorated" as described in [RFC4282] Section
+ 2.7.
+
+ When the EAP peer provides the Network Access Identity (NAI) within
+ the EAP-Response/Identity, as described in [RFC3579], the
+ authenticator copies the NAI included in the EAP-Response/Identity
+ into the User-Name Attribute included within the Access-Request. As
+ the Access-Request is forwarded toward the backend authentication
+ server, AAA proxies remove decoration from the NAI included in the
+ User-Name Attribute; the NAI included within the
+ EAP-Response/Identity encapsulated in the Access-Request remains
+ unchanged. As a result, when the Access-Request arrives at the
+ backend authentication server, the EAP-Response/Identity can differ
+ from the User-Name Attribute (which can have some or all of the
+ decoration removed). In the absence of a Peer-Id, the backend
+ authentication server SHOULD use the contents of the User-Name
+ Attribute, rather than the EAP-Response/Identity, as the peer
+ identity.
+
+ It is possible for more than one Peer-Id to be exported by an EAP
+ method. For example, a peer certificate can contain more than one
+ peer identity; in a tunnel method, peer identities can be
+ authenticated within both an outer and inner exchange, and these
+ identities could be different in type and contents. For example, an
+ outer exchange could provide a Peer-Id in the form of a Relative
+ Distinguished Name (RDN), whereas an inner exchange could identify
+ the peer via its NAI or MAC address. Where EAP keying material is
+ determined solely from the outer exchange, only the outer Peer-Id(s)
+ are exported; where the EAP keying material is determined from both
+ the inner and outer exchanges, then both the inner and outer
+ Peer-Id(s) are exported by the tunnel method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 28]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+2.5. Server Identification
+
+ It is possible for more than one Server-Id to be exported by an EAP
+ method. For example, a server certificate can contain more than one
+ server identity; in a tunnel method, server identities could be
+ authenticated within both an outer and inner exchange, and these
+ identities could be different in type and contents. For example, an
+ outer exchange could provide a Server-Id in the form of an IP
+ address, whereas an inner exchange could identify the server via its
+ Fully-Qualified Domain Name (FQDN) or hostname. Where EAP keying
+ material is determined solely from the outer exchange, only the outer
+ Server-Id(s) are exported by the EAP method; where the EAP keying
+ material is determined from both the inner and outer exchanges, then
+ both the inner and outer Server-Id(s) are exported by the EAP method.
+
+ As shown in Figure 3, an authenticator can be configured to
+ communicate with multiple EAP servers; the EAP server that an
+ authenticator communicates with can vary according to configuration
+ and network and server availability. While the EAP peer can assume
+ that all EAP servers within a realm have access to the credentials
+ necessary to validate an authentication attempt, it cannot assume
+ that all EAP servers share persistent state.
+
+ Authenticators can be configured with different primary or secondary
+ EAP servers, in order to balance the load. Also, the authenticator
+ can dynamically determine the EAP server to which requests will be
+ sent; in the event of a communication failure, the authenticator can
+ fail over to another EAP server. For example, in Figure 3,
+ Authenticator2 can be initially configured with EAP server1 as its
+ primary backend authentication server, and EAP server2 as the backup,
+ but if EAP server1 becomes unavailable, EAP server2 can become the
+ primary server.
+
+ In general, the EAP peer cannot direct an authentication attempt to a
+ particular EAP server within a realm, this decision is made by AAA
+ clients, nor can the peer determine with which EAP server it will be
+ communicating, prior to the start of the EAP method conversation.
+ The Server-Id is not included in the EAP-Request/Identity, and since
+ the EAP server may be determined dynamically, it typically is not
+ possible for the authenticator to advertise the Server-Id during the
+ discovery phase. Some EAP methods do not export the Server-Id so
+ that it is possible that the EAP peer will not learn with which
+ server it was conversing after the EAP conversation completes
+ successfully.
+
+ As a result, an EAP peer, on connecting to a new authenticator or
+ reconnecting to the same authenticator, can find itself communicating
+ with a different EAP server. Fast reconnect, defined in [RFC3748]
+
+
+
+Aboba, et al. Standards Track [Page 29]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Section 7.2, can fail if the EAP server with which the peer
+ communicates is not the same one with which it initially established
+ a security association. For example, an EAP peer attempting an
+ EAP-TLS session resume can find that the new EAP-TLS server will not
+ have access to the TLS Master Key identified by the TLS Session-Id,
+ and therefore the session resumption attempt will fail, requiring
+ completion of a full EAP-TLS exchange.
+
+ EAP methods that export the Server-Id MUST authenticate the server.
+ However, not all EAP methods supporting mutual authentication provide
+ a non-null Server-Id; some methods only enable the EAP peer to verify
+ that the EAP server possesses a long-term secret, but do not provide
+ the identity of the EAP server. In this case, the EAP peer will know
+ that an authenticator has been authorized by an EAP server, but will
+ not confirm the identity of the EAP server. Where the EAP method
+ does not provide a Server-Id, the peer cannot identify the EAP server
+ with which it generated keying material. This can make it difficult
+ for the EAP peer to identify the location of a key possessed by that
+ EAP server.
+
+ As noted in [RFC5216] Section 5.2, EAP methods supporting
+ authentication using server certificates can determine the Server-Id
+ from the subject or subjectAltName fields in the server certificate.
+ Validating the EAP server identity can help the EAP peer to decide
+ whether a specific EAP server is authorized. In some cases, such as
+ where the certificate extensions defined in [RFC4334] are included in
+ the server certificate, it can even be possible for the peer to
+ verify some channel binding parameters from the server certificate.
+
+ It is possible for problems to arise in situations where the EAP
+ server identifies itself differently to the EAP peer and
+ authenticator. For example, it is possible that the Server-Id
+ exported by EAP methods will not be identical to the Fully Qualified
+ Domain Name (FQDN) of the backend authentication server. Where
+ certificate-based authentication is used within RADIUS or Diameter,
+ it is possible that the subjectAltName used in the backend
+ authentication server certificate will not be identical to the
+ Server-Id or backend authentication server FQDN. This is not
+ normally an issue in EAP, as the authenticator will be unaware of the
+ identities used between the EAP peer and server. However, this can
+ be an issue for key caching, if the authenticator is expected to
+ locate a backend authentication server corresponding to a Server-Id
+ provided by an EAP peer.
+
+ Where the backend authentication server FQDN differs from the
+ subjectAltName in the backend authentication server certificate, it
+ is possible that the AAA client will not be able to determine whether
+ it is talking to the correct backend authentication server. Where
+
+
+
+Aboba, et al. Standards Track [Page 30]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ the Server-Id and backend authentication server FQDN differ, it is
+ possible that the combination of the key scope (Peer-Id(s), Server-
+ Id(s)) and EAP conversation identifier (Session-Id) will not be
+ sufficient to determine where the key resides. For example, the
+ authenticator can identify backend authentication servers by their IP
+ address (as occurs in RADIUS), or using a Fully Qualified Domain Name
+ (as in Diameter). If the Server-Id does not correspond to the IP
+ address or FQDN of a known backend authentication server, then it may
+ not be possible to locate which backend authentication server
+ possesses the key.
+
+3. Security Association Management
+
+ EAP, as defined in [RFC3748], supports key derivation, but does not
+ provide for the management of lower-layer security associations.
+ Missing functionality includes:
+
+ (a) Security Association negotiation. EAP does not negotiate
+ lower-layer unicast or multicast security associations,
+ including cryptographic algorithms or traffic profiles. EAP
+ methods only negotiate cryptographic algorithms for their own
+ use, not for the underlying lower layers. EAP also does not
+ negotiate the traffic profiles to be protected with the
+ negotiated ciphersuites; in some cases the traffic to be
+ protected can have lower-layer source and destination addresses
+ different from the lower-layer peer or authenticator addresses.
+
+ (b) Re-key. EAP does not support the re-keying of exported EAP
+ keying material without EAP re-authentication, although EAP
+ methods can support "fast reconnect" as defined in [RFC3748]
+ Section 7.2.1.
+
+ (c) Key delete/install semantics. EAP does not synchronize
+ installation or deletion of keying material on the EAP peer and
+ authenticator.
+
+ (d) Lifetime negotiation. EAP does not support lifetime negotiation
+ for exported EAP keying material, and existing EAP methods also
+ do not support key lifetime negotiation.
+
+ (e) Guaranteed TSK freshness. Without a post-EAP handshake, TSKs
+ can be reused if EAP keying material is cached.
+
+ These deficiencies are typically addressed via a post-EAP handshake
+ known as the Secure Association Protocol.
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 31]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+3.1. Secure Association Protocol
+
+ Since neither EAP nor EAP methods provide for establishment of
+ lower-layer security associations, it is RECOMMENDED that these
+ facilities be provided within the Secure Association Protocol,
+ including:
+
+ (a) Entity Naming. A basic feature of a Secure Association Protocol
+ is the explicit naming of the parties engaged in the exchange.
+ Without explicit identification, the parties engaged in the
+ exchange are not identified and the scope of the EAP keying
+ parameters negotiated during the EAP exchange is undefined.
+
+ (b) Mutual proof of possession of EAP keying material. During the
+ Secure Association Protocol, the EAP peer and authenticator MUST
+ demonstrate possession of the keying material transported
+ between the backend authentication server and authenticator
+ (e.g., MSK), in order to demonstrate that the peer and
+ authenticator have been authorized. Since mutual proof of
+ possession is not the same as mutual authentication, the peer
+ cannot verify authenticator assertions (including the
+ authenticator identity) as a result of this exchange.
+ Authenticator identity verification is discussed in Section 2.3.
+
+ (c) Secure capabilities negotiation. In order to protect against
+ spoofing during the discovery phase, ensure selection of the
+ "best" ciphersuite, and protect against forging of negotiated
+ security parameters, the Secure Association Protocol MUST
+ support secure capabilities negotiation. This includes the
+ secure negotiation of usage modes, session parameters (such as
+ security association identifiers (SAIDs) and key lifetimes),
+ ciphersuites and required filters, including confirmation of
+ security-relevant capabilities discovered during phase 0. The
+ Secure Association Protocol MUST support integrity and replay
+ protection of all capability negotiation messages.
+
+ (d) Key naming and selection. Where key caching is supported, it is
+ possible for the EAP peer and authenticator to share more than
+ one key of a given type. As a result, the Secure Association
+ Protocol MUST explicitly name the keys used in the proof of
+ possession exchange, so as to prevent confusion when more than
+ one set of keying material could potentially be used as the
+ basis for the exchange. Use of the key naming mechanism
+ described in Section 1.4.1 is RECOMMENDED.
+
+ In order to support the correct processing of phase 2 security
+ associations, the Secure Association (phase 2) protocol MUST
+ support the naming of phase 2 security associations and
+
+
+
+Aboba, et al. Standards Track [Page 32]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ associated transient session keys so that the correct set of
+ transient session keys can be identified for processing a given
+ packet. The phase 2 Secure Association Protocol also MUST
+ support transient session key activation and SHOULD support
+ deletion so that establishment and re-establishment of transient
+ session keys can be synchronized between the parties.
+
+ (e) Generation of fresh transient session keys (TSKs). Where the
+ lower layer supports caching of keying material, the EAP peer
+ lower layer can initiate a new session using keying material
+ that was derived in a previous session. Were the TSKs to be
+ derived solely from a portion of the exported EAP keying
+ material, this would result in reuse of the session keys that
+ could expose the underlying ciphersuite to attack.
+
+ In lower layers where caching of keying material is supported,
+ the Secure Association Protocol phase is REQUIRED, and MUST
+ support the derivation of fresh unicast and multicast TSKs, even
+ when the transported keying material provided by the backend
+ authentication server is not fresh. This is typically supported
+ via the exchange of nonces or counters, which are then mixed
+ with the keying material in order to generate fresh unicast
+ (phase 2a) and possibly multicast (phase 2b) session keys. By
+ not using exported EAP keying material directly to protect data,
+ the Secure Association Protocol protects it against compromise.
+
+ (f) Key lifetime management. This includes explicit key lifetime
+ negotiation or seamless re-key. EAP does not support the
+ re-keying of EAP keying material without re-authentication, and
+ existing EAP methods do not support key lifetime negotiation.
+ As a result, the Secure Association Protocol MAY handle the
+ re-key and determination of the key lifetime. Where key caching
+ is supported, secure negotiation of key lifetimes is
+ RECOMMENDED. Lower layers that support re-key, but not key
+ caching, may not require key lifetime negotiation. For example,
+ a difference between IKEv1 [RFC2409] and IKEv2 [RFC4306] is that
+ in IKEv1 SA lifetimes were negotiated; in IKEv2, each end of the
+ SA is responsible for enforcing its own lifetime policy on the
+ SA and re-keying the SA when necessary.
+
+ (g) Key state resynchronization. It is possible for the peer or
+ authenticator to reboot or reclaim resources, clearing portions
+ or all of the key cache. Therefore, key lifetime negotiation
+ cannot guarantee that the key cache will remain synchronized,
+ and it may not be possible for the peer to determine before
+ attempting to use a key whether it exists within the
+ authenticator cache. It is therefore RECOMMENDED for the EAP
+ lower layer to provide a mechanism for key state
+
+
+
+Aboba, et al. Standards Track [Page 33]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ resynchronization, either via the SAP or using a lower layer
+ indication (see [RFC3748] Section 3.4). Where the peer and
+ authenticator do not jointly possess a key with which to protect
+ the resynchronization exchange, secure resynchronization is not
+ possible, and alternatives (such as an initiation of EAP
+ re-authentication after expiration of a timer) are needed to
+ ensure timely resynchronization.
+
+ (h) Key scope synchronization. To support key scope determination,
+ the Secure Association Protocol SHOULD provide a mechanism by
+ which the peer can determine the scope of the key cache on each
+ authenticator and by which the authenticator can determine the
+ scope of the key cache on a peer. This includes negotiation of
+ restrictions on key usage.
+
+ (i) Traffic profile negotiation. The traffic to be protected by a
+ lower-layer security association will not necessarily have the
+ same lower-layer source or destination address as the EAP peer
+ and authenticator, and it is possible for the peer and
+ authenticator to negotiate multiple security associations, each
+ with a different traffic profile. Where this is the case, the
+ profile of protected traffic SHOULD be explicitly negotiated.
+ For example, in IKEv2 it is possible for an Initiator and
+ Responder to utilize EAP for authentication, then negotiate a
+ Tunnel Mode Security Association (SA), which permits passing of
+ traffic originating from hosts other than the Initiator and
+ Responder. Similarly, in IEEE 802.16e, a Subscriber Station
+ (SS) can forward traffic to the Base Station (BS), which
+ originates from the Local Area Network (LAN) to which it is
+ attached. To enable this, Security Associations within IEEE
+ 802.16e are identified by the Connection Identifier (CID), not
+ by the EAP peer and authenticator MAC addresses. In both IKEv2
+ and IEEE 802.16e, multiple security associations can exist
+ between the EAP peer and authenticator, each with their own
+ traffic profile and quality of service parameters.
+
+ (j) Direct operation. Since the phase 2 Secure Association Protocol
+ is concerned with the establishment of security associations
+ between the EAP peer and authenticator, including the derivation
+ of transient session keys, only those parties have "a need to
+ know" the transient session keys. The Secure Association
+ Protocol MUST operate directly between the peer and
+ authenticator and MUST NOT be passed-through to the backend
+ authentication server or include additional parties.
+
+ (k) Bi-directional operation. While some ciphersuites only require
+ a single set of transient session keys to protect traffic in
+ both directions, other ciphersuites require a unique set of
+
+
+
+Aboba, et al. Standards Track [Page 34]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ transient session keys in each direction. The phase 2 Secure
+ Association Protocol SHOULD provide for the derivation of
+ unicast and multicast keys in each direction, so as not to
+ require two separate phase 2 exchanges in order to create a
+ bi-directional phase 2 security association. See [RFC3748]
+ Section 2.4 for more discussion.
+
+3.2. Key Scope
+
+ Absent explicit specification within the lower layer, after the
+ completion of phase 1b, transported keying material, and parameters
+ are bound to the EAP peer and authenticator, but are not bound to a
+ specific peer or authenticator port.
+
+ While EAP keying material passed down to the lower layer is not
+ intrinsically bound to particular authenticator and peer ports, TSKs
+ MAY be bound to particular authenticator and peer ports by the Secure
+ Association Protocol. However, a lower layer MAY also permit TSKs to
+ be used on multiple peer and/or authenticator ports, provided that
+ TSK freshness is guaranteed (such as by keeping replay counter state
+ within the authenticator).
+
+ In order to further limit the key scope, the following measures are
+ suggested:
+
+ (a) The lower layer MAY specify additional restrictions on key
+ usage, such as limiting the use of EAP keying material and
+ parameters on the EAP peer to the port over which the EAP
+ conversation was conducted.
+
+ (b) The backend authentication server and authenticator MAY
+ implement additional attributes in order to further restrict the
+ scope of keying material. For example, in IEEE 802.11, the
+ backend authentication server can provide the authenticator with
+ a list of authorized Called or Calling-Station-Ids and/or SSIDs
+ for which keying material is valid.
+
+ (c) Where the backend authentication server provides attributes
+ restricting the key scope, it is RECOMMENDED that restrictions
+ be securely communicated by the authenticator to the peer. This
+ can be accomplished using the Secure Association Protocol, but
+ also can be accomplished via the EAP method or the lower layer.
+
+3.3. Parent-Child Relationships
+
+ When an EAP re-authentication takes place, new EAP keying material is
+ exported by the EAP method. In EAP lower layers where EAP
+ re-authentication eventually results in TSK replacement, the maximum
+
+
+
+Aboba, et al. Standards Track [Page 35]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ lifetime of derived keying material (including TSKs) can be less than
+ or equal to that of EAP keying material (MSK/EMSK), but it cannot be
+ greater.
+
+ Where TSKs are derived from or are wrapped by exported EAP keying
+ material, compromise of that exported EAP keying material implies
+ compromise of TSKs. Therefore, if EAP keying material is considered
+ stale, not only SHOULD EAP re-authentication be initiated, but also
+ replacement of child keys, including TSKs.
+
+ Where EAP keying material is used only for entity authentication but
+ not for TSK derivation (as in IKEv2), compromise of exported EAP
+ keying material does not imply compromise of the TSKs. Nevertheless,
+ the compromise of EAP keying material could enable an attacker to
+ impersonate an authenticator, so that EAP re-authentication and TSK
+ re-key are RECOMMENDED.
+
+ With respect to IKEv2, Section 5.2 of [RFC4718], "IKEv2
+ Clarifications and Implementation Guidelines", states:
+
+ Rekeying the IKE_SA and reauthentication are different concepts in
+ IKEv2. Rekeying the IKE_SA establishes new keys for the IKE_SA
+ and resets the Message ID counters, but it does not authenticate
+ the parties again (no AUTH or EAP payloads are involved)... This
+ means that reauthentication also establishes new keys for the
+ IKE_SA and CHILD_SAs. Therefore while rekeying can be performed
+ more often than reauthentication, the situation where
+ "authentication lifetime" is shorter than "key lifetime" does not
+ make sense.
+
+ Child keys that are used frequently (such as TSKs that are used for
+ traffic protection) can expire sooner than the exported EAP keying
+ material on which they are dependent, so that it is advantageous to
+ support re-key of child keys prior to EAP re-authentication. Note
+ that deletion of the MSK/EMSK does not necessarily imply deletion of
+ TSKs or child keys.
+
+ Failure to mutually prove possession of exported EAP keying material
+ during the Secure Association Protocol exchange need not be grounds
+ for deletion of keying material by both parties; rate-limiting Secure
+ Association Protocol exchanges could be used to prevent a brute force
+ attack.
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 36]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+3.4. Local Key Lifetimes
+
+ The Transient EAP Keys (TEKs) are session keys used to protect the
+ EAP conversation. The TEKs are internal to the EAP method and are
+ not exported. TEKs are typically created during an EAP conversation,
+ used until the end of the conversation and then discarded. However,
+ methods can re-key TEKs during an EAP conversation.
+
+ When using TEKs within an EAP conversation or across conversations,
+ it is necessary to ensure that replay protection and key separation
+ requirements are fulfilled. For instance, if a replay counter is
+ used, TEK re-key MUST occur prior to wrapping of the counter.
+ Similarly, TSKs MUST remain cryptographically separate from TEKs
+ despite TEK re-keying or caching. This prevents TEK compromise from
+ leading directly to compromise of the TSKs and vice versa.
+
+ EAP methods MAY cache local EAP keying material (TEKs) that can
+ persist for multiple EAP conversations when fast reconnect is used
+ [RFC3748]. For example, EAP methods based on TLS (such as EAP-TLS
+ [RFC5216]) derive and cache the TLS Master Secret, typically for
+ substantial time periods. The lifetime of other local EAP keying
+ material calculated within the EAP method is defined by the method.
+ Note that in general, when using fast reconnect, there is no
+ guarantee that the original long-term credentials are still in the
+ possession of the peer. For instance, a smart-card holding the
+ private key for EAP-TLS may have been removed. EAP servers SHOULD
+ also verify that the long-term credentials are still valid, such as
+ by checking that certificate used in the original authentication has
+ not yet expired.
+
+3.5. Exported and Calculated Key Lifetimes
+
+ The following mechanisms are available for communicating the lifetime
+ of keying material between the EAP peer, server, and authenticator:
+
+ AAA protocols (backend authentication server and authenticator)
+ Lower-layer mechanisms (authenticator and peer)
+ EAP method-specific negotiation (peer and server)
+
+ Where the EAP method does not support the negotiation of the lifetime
+ of exported EAP keying material, and a key lifetime negotiation
+ mechanism is not provided by the lower layer, it is possible that
+ there will not be a way for the peer to learn the lifetime of keying
+ material. This can leave the peer uncertain of how long the
+ authenticator will maintain keying material within the key cache. In
+ this case the lifetime of keying material can be managed as a system
+ parameter on the peer and authenticator; a default lifetime of 8
+ hours is RECOMMENDED.
+
+
+
+Aboba, et al. Standards Track [Page 37]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+3.5.1. AAA Protocols
+
+ AAA protocols such as RADIUS [RFC2865] and Diameter [RFC4072] can be
+ used to communicate the maximum key lifetime from the backend
+ authentication server to the authenticator.
+
+ The Session-Timeout Attribute is defined for RADIUS in [RFC2865] and
+ for Diameter in [RFC4005]. Where EAP is used for authentication,
+ [RFC3580] Section 3.17, indicates that a Session-Timeout Attribute
+ sent in an Access-Accept along with a Termination-Action value of
+ RADIUS-Request specifies the maximum number of seconds of service
+ provided prior to EAP re-authentication.
+
+ However, there is also a need to be able to specify the maximum
+ lifetime of cached keying material. Where EAP pre-authentication is
+ supported, cached keying material can be pre-established on the
+ authenticator prior to session start and will remain there until
+ expiration. EAP lower layers supporting caching of keying material
+ MAY also persist that material after the end of a session, enabling
+ the peer to subsequently resume communication utilizing the cached
+ keying material. In these situations it can be desirable for the
+ backend authentication server to specify the maximum lifetime of
+ cached keying material.
+
+ To accomplish this, [IEEE-802.11] overloads the Session-Timeout
+ Attribute, assuming that it represents the maximum time after which
+ transported keying material will expire on the authenticator,
+ regardless of whether transported keying material is cached.
+
+ An IEEE 802.11 authenticator receiving transported keying material is
+ expected to initialize a timer to the Session-Timeout value, and once
+ the timer expires, the transported keying material expires. Whether
+ this results in session termination or EAP re-authentication is
+ controlled by the value of the Termination-Action Attribute. Where
+ EAP re-authentication occurs, the transported keying material is
+ replaced, and with it, new calculated keys are put in place. Where
+ session termination occurs, transported and derived keying material
+ is deleted.
+
+ Overloading the Session-Timeout Attribute is problematic in
+ situations where it is necessary to control the maximum session time
+ and key lifetime independently. For example, it might be desirable
+ to limit the lifetime of cached keying material to 5 minutes while
+ permitting a user once authenticated to remain connected for up to an
+ hour without re-authenticating. As a result, in the future,
+ additional attributes can be specified to control the lifetime of
+ cached keys; these attributes MAY modify the meaning of the
+ Session-Timeout Attribute in specific circumstances.
+
+
+
+Aboba, et al. Standards Track [Page 38]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Since the TSK lifetime is often determined by authenticator
+ resources, and the backend authentication server has no insight into
+ the TSK derivation process by the principle of ciphersuite
+ independence, it is not appropriate for the backend authentication
+ server to manage any aspect of the TSK derivation process, including
+ the TSK lifetime.
+
+3.5.2. Lower-Layer Mechanisms
+
+ Lower-layer mechanisms can be used to enable the lifetime of keying
+ material to be negotiated between the peer and authenticator. This
+ can be accomplished either using the Secure Association Protocol or
+ within the lower-layer transport.
+
+ Where TSKs are established as the result of a Secure Association
+ Protocol exchange, it is RECOMMENDED that the Secure Association
+ Protocol include support for TSK re-key. Where the TSK is taken
+ directly from the MSK, there is no need to manage the TSK lifetime as
+ a separate parameter, since the TSK lifetime and MSK lifetime are
+ identical.
+
+3.5.3. EAP Method-Specific Negotiation
+
+ As noted in [RFC3748] Section 7.10:
+
+ In order to provide keying material for use in a subsequently
+ negotiated ciphersuite, an EAP method supporting key derivation
+ MUST export a Master Session Key (MSK) of at least 64 octets, and
+ an Extended Master Session Key (EMSK) of at least 64 octets. EAP
+ Methods deriving keys MUST provide for mutual authentication
+ between the EAP peer and the EAP Server.
+
+ However, EAP does not itself support the negotiation of lifetimes for
+ exported EAP keying material such as the MSK, EMSK, and IV.
+
+ While EAP itself does not support lifetime negotiation, it would be
+ possible to specify methods that do. However, systems that rely on
+ key lifetime negotiation within EAP methods would only function with
+ these methods. Also, there is no guarantee that the key lifetime
+ negotiated within the EAP method would be compatible with backend
+ authentication server policy. In the interest of method independence
+ and compatibility with backend authentication server implementations,
+ management of the lifetime of keying material SHOULD NOT be provided
+ within EAP methods.
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 39]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+3.6. Key Cache Synchronization
+
+ Key lifetime negotiation alone cannot guarantee key cache
+ synchronization. Even where a lower-layer exchange is run
+ immediately after EAP in order to determine the lifetime of keying
+ material, it is still possible for the authenticator to purge all or
+ part of the key cache prematurely (e.g., due to reboot or need to
+ reclaim memory).
+
+ The lower layer can utilize the Discovery phase 0 to improve key
+ cache synchronization. For example, if the authenticator manages the
+ key cache by deleting the oldest key first, the relative creation
+ time of the last key to be deleted could be advertised within the
+ Discovery phase, enabling the peer to determine whether keying
+ material had been prematurely expired from the authenticator key
+ cache.
+
+3.7. Key Strength
+
+ As noted in Section 2.1, EAP lower layers determine TSKs in different
+ ways. Where exported EAP keying material is utilized in the
+ derivation, encryption or authentication of TSKs, it is possible for
+ EAP key generation to represent the weakest link.
+
+ In order to ensure that methods produce EAP keying material of an
+ appropriate symmetric key strength, it is RECOMMENDED that EAP
+ methods utilizing public key cryptography choose a public key that
+ has a cryptographic strength providing the required level of attack
+ resistance. This is typically provided by configuring EAP methods,
+ since there is no coordination between the lower layer and EAP method
+ with respect to minimum required symmetric key strength.
+
+ Section 5 of BCP 86 [RFC3766] offers advice on the required RSA or DH
+ module and DSA subgroup size in bits, for a given level of attack
+ resistance in bits. The National Institute for Standards and
+ Technology (NIST) also offers advice on appropriate key sizes in
+ [SP800-57].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 40]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+3.8. Key Wrap
+
+ The key wrap specified in [RFC2548], which is based on an MD5-based
+ stream cipher, has known problems, as described in [RFC3579] Section
+ 4.3. RADIUS uses the shared secret for multiple purposes, including
+ per-packet authentication and attribute hiding, considerable
+ information is exposed about the shared secret with each packet.
+ This exposes the shared secret to dictionary attacks. MD5 is used
+ both to compute the RADIUS Response Authenticator and the
+ Message-Authenticator Attribute, and concerns exist relating to the
+ security of this hash [MD5Collision].
+
+ As discussed in [RFC3579] Section 4.3, the security vulnerabilities
+ of RADIUS are extensive, and therefore development of an alternative
+ key wrap technique based on the RADIUS shared secret would not
+ substantially improve security. As a result, [RFC3579] Section 4.2
+ recommends running RADIUS over IPsec. The same approach is taken in
+ Diameter EAP [RFC4072], which in Section 4.1.3 defines the
+ EAP-Master-Session-Key Attribute-Value Pair (AVP) in clear-text, to
+ be protected by IPsec or TLS.
+
+4. Handoff Vulnerabilities
+
+ A handoff occurs when an EAP peer moves to a new authenticator.
+ Several mechanisms have been proposed for reducing handoff latency
+ within networks utilizing EAP. These include:
+
+ EAP pre-authentication
+ In EAP pre-authentication, an EAP peer pre-establishes EAP keying
+ material with an authenticator prior to arrival. EAP
+ pre-authentication only affects the timing of EAP authentication,
+ but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
+ exchanges; Discovery (phase 0) and Secure Association Protocol
+ (phase 2) exchanges occur as described in Section 1.3. As a
+ result, the primary benefit is to enable EAP authentication to be
+ removed from the handoff critical path, thereby reducing latency.
+ Use of EAP pre-authentication within IEEE 802.11 is described in
+ [IEEE-802.11] and [8021XPreAuth].
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 41]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Proactive key distribution
+ In proactive key distribution, keying material and authorizations
+ are transported from the backend authentication server to a
+ candidate authenticator in advance of a handoff. As a result, EAP
+ (phase 1a) is not needed, but the Discovery (phase 0), and Secure
+ Association Protocol exchanges (phase 2) are still necessary.
+ Within the AAA exchange (phase 1b), authorization and key
+ distribution functions are typically supported, but not
+ authentication. Proactive key distribution is described in
+ [MishraPro], [IEEE-03-084], and [HANDOFF].
+
+ Key caching
+ Caching of EAP keying material enables an EAP peer to re-attach to
+ an authenticator without requiring EAP (phase 1a) or AAA (phase
+ 1b) exchanges. However, Discovery (phase 0) and Secure
+ Association Protocol (phase 2) exchanges are still needed. Use of
+ key caching within IEEE 802.11 is described in [IEEE-802.11].
+
+ Context transfer
+ In context transfer schemes, keying material and authorizations
+ are transferred between a previous authenticator and a new
+ authenticator. This can occur in response to a handoff request by
+ the EAP peer, or in advance, as in proactive key distribution. As
+ a result, EAP (phase 1a) is eliminated, but not the Discovery
+ (phase 0) or Secure Association Protocol exchanges (phase 2). If
+ a secure channel can be established between the new and previous
+ authenticator without assistance from the backend authentication
+ server, then the AAA exchange (phase 1b) can be eliminated;
+ otherwise, it is still needed, although it can be shortened.
+ Context transfer protocols are described in [IEEE-802.11F] (now
+ deprecated) and "Context Transfer Protocol (CXTP)" [RFC4067].
+ "Fast Authentication Methods for Handovers between IEEE 802.11
+ Wireless LANs" [Bargh] analyzes fast handoff techniques, including
+ context transfer mechanisms.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 42]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Token distribution
+ In token distribution schemes, the EAP peer is provided with a
+ credential, subsequently enabling it to authenticate with one or
+ more additional authenticators. During the subsequent
+ authentications, EAP (phase 1a) is eliminated or shortened; the
+ Discovery (phase 0) and Secure Association Protocol exchanges
+ (phase 2) still occur, although the latter can be shortened. If
+ the token includes authorizations and can be validated by an
+ authenticator without assistance from the backend authentication
+ server, then the AAA exchange (phase 1b) can be eliminated;
+ otherwise, it is still needed, although it can be shortened.
+ Token-based schemes, initially proposed in early versions of IEEE
+ 802.11i [IEEE-802.11i], are described in [Token], [Tokenk], and
+ [SHORT-TERM].
+
+ The sections that follow discuss the security vulnerabilities
+ introduced by the above schemes.
+
+4.1. EAP Pre-Authentication
+
+ EAP pre-authentication differs from a normal EAP conversation
+ primarily with respect to the lower-layer encapsulation. For
+ example, in [IEEE-802.11], EAP pre-authentication frames utilize a
+ distinct Ethertype, but otherwise conforms to the encapsulation
+ described in [IEEE-802.1X]. As a result, an EAP pre-authentication
+ conversation differs little from the model described in Section 1.3,
+ other than the introduction of a delay between phase 1 and phase 2.
+
+ EAP pre-authentication relies on lower-layer mechanisms for discovery
+ of candidate authenticators. Where discovery can provide information
+ on candidate authenticators outside the immediate listening range,
+ and the peer can determine whether it already possesses valid EAP
+ keying material with candidate authenticators, the peer can avoid
+ unnecessary EAP pre-authentications and can establish EAP keying
+ material well in advance, regardless of the coverage overlap between
+ authenticators. However, if the peer can only discover candidate
+ authenticators within listening range and cannot determine whether it
+ can reuse existing EAP keying material, then it is possible that the
+ peer will not be able to complete EAP pre-authentication prior to
+ connectivity loss or that it can pre-authenticate multiple times with
+ the same authenticator, increasing backend authentication server
+ load.
+
+ Since a peer can complete EAP pre-authentication with an
+ authenticator without eventually attaching to it, it is possible that
+ phase 2 will not occur. In this case, an Accounting-Request
+ signifying the start of service will not be sent, or will only be
+ sent with a substantial delay after the completion of authentication.
+
+
+
+Aboba, et al. Standards Track [Page 43]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ As noted in "IEEE 802.1X RADIUS Usage Guidelines" [RFC3580], the AAA
+ exchange resulting from EAP pre-authentication differs little from an
+ ordinary exchange described in "RADIUS Support for EAP" [RFC3579].
+ For example, since in IEEE 802.11 [IEEE-802.11] an Association
+ exchange does not occur prior to EAP pre-authentication, the SSID is
+ not known by the authenticator at authentication time, so that an
+ Access-Request cannot include the SSID within the Called-Station-Id
+ attribute as described in [RFC3580] Section 3.20.
+
+ Since only the absence of an SSID in the Called-Station-Id attribute
+ distinguishes an EAP pre-authentication attempt, if the authenticator
+ does not always include the SSID for a normal EAP authentication
+ attempt, it is possible that the backend authentication server will
+ not be able to determine whether a session constitutes an EAP
+ pre-authentication attempt, potentially resulting in authorization or
+ accounting problems. Where the number of simultaneous sessions is
+ limited, the backend authentication server can refuse to authorize a
+ valid EAP pre-authentication attempt or can enable the peer to engage
+ in more simultaneous sessions than they are authorized for. Where
+ EAP pre-authentication occurs with an authenticator which the peer
+ never attaches to, it is possible that the backend accounting server
+ will not be able to determine whether the absence of an
+ Accounting-Request was due to packet loss or a session that never
+ started.
+
+ In order to enable pre-authentication requests to be handled more
+ reliably, it is RECOMMENDED that AAA protocols explicitly identify
+ EAP pre-authentication. In order to suppress unnecessary EAP
+ pre-authentication exchanges, it is RECOMMENDED that authenticators
+ unambiguously identify themselves as described in Section 2.3.
+
+4.2. Proactive Key Distribution
+
+ In proactive key distribution schemes, the backend authentication
+ server transports keying material and authorizations to an
+ authenticator in advance of the arrival of the peer. The
+ authenticators selected to receive the transported key material are
+ selected based on past patterns of peer movement between
+ authenticators known as the "neighbor graph". In order to reduce
+ handoff latency, proactive key distribution schemes typically only
+ demonstrate proof of possession of transported keying material
+ between the EAP peer and authenticator. During a handoff, the
+ backend authentication server is not provided with proof that the
+ peer successfully authenticated to an authenticator; instead, the
+ authenticator generates a stream of accounting messages without a
+ corresponding set of authentication exchanges. As described in
+ [MishraPro], knowledge of the neighbor graph can be established via
+ static configuration or analysis of authentication exchanges. In
+
+
+
+Aboba, et al. Standards Track [Page 44]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ order to prevent corruption of the neighbor graph, new neighbor graph
+ entries can only be created as the result of a successful EAP
+ exchange, and accounting packets with no corresponding authentication
+ exchange need to be verified to correspond to neighbor graph entries
+ (e.g., corresponding to handoffs between neighbors).
+
+ In order to prevent compromise of one authenticator from resulting in
+ compromise of other authenticators, cryptographic separation needs to
+ be maintained between the keying material transported to each
+ authenticator. However, even where cryptographic separation is
+ maintained, an attacker compromising an authenticator can still
+ disrupt the operation of other authenticators. As noted in [RFC3579]
+ Section 4.3.7, in the absence of spoofing detection within the AAA
+ infrastructure, it is possible for EAP authenticators to impersonate
+ each other. By forging NAS identification attributes within
+ authentication messages, an attacker compromising one authenticator
+ could corrupt the neighbor graph, tricking the backend authentication
+ server into transporting keying material to arbitrary authenticators.
+ While this would not enable recovery of EAP keying material without
+ breaking fundamental cryptographic assumptions, it could enable
+ subsequent fraudulent accounting messages, or allow an attacker to
+ disrupt service by increasing load on the backend authentication
+ server or thrashing the authenticator key cache.
+
+ Since proactive key distribution requires the distribution of derived
+ keying material to candidate authenticators, the effectiveness of
+ this scheme depends on the ability of backend authentication server
+ to anticipate the movement of the EAP peer. Since proactive key
+ distribution relies on backend authentication server knowledge of the
+ neighbor graph, it is most applicable to intra-domain handoff
+ scenarios. However, in inter-domain handoff, where there can be many
+ authenticators, peers can frequently connect to authenticators that
+ have not been previously encountered, making it difficult for the
+ backend authentication server to derive a complete neighbor graph.
+
+ Since proactive key distribution schemes typically require
+ introduction of server-initiated messages as described in [RFC5176]
+ and [HANDOFF], security issues described in [RFC5176] Section 6 are
+ applicable, including authorization (Section 6.1) and replay
+ detection (Section 6.3) problems.
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 45]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+4.3. AAA Bypass
+
+ Fast handoff techniques that enable elimination of the AAA exchange
+ (phase 1b) differ fundamentally from typical network access scenarios
+ (dial-up, wired LAN, etc.) that include user authentication as well
+ as authorization for the offered service. Where the AAA exchange
+ (phase 1b) is omitted, authorizations and keying material are not
+ provided by the backend authentication server, and as a result, they
+ need to be supplied by other means. This section describes some of
+ the implications.
+
+4.3.1. Key Transport
+
+ Where transported keying material is not supplied by the backend
+ authentication server, it needs to be provided by another party
+ authorized to access that keying material. As noted in Section 1.5,
+ only the EAP peer, authenticator, and server are authorized to
+ possess transported keying material. Since EAP peers do not trust
+ each other, if the backend authentication server does not supply
+ transported keying material to a new authenticator, it can only be
+ provided by a previous authenticator.
+
+ As noted in Section 1.5, the goal of the EAP conversation is to
+ derive session keys known only to the peer and the authenticator. If
+ keying material is replicated between a previous authenticator and a
+ new authenticator, then the previous authenticator can possess
+ session keys used between the peer and new authenticator. Also, the
+ new authenticator can possess session keys used between the peer and
+ the previous authenticator.
+
+ If a one-way function is used to derive the keying material to be
+ transported to the new authenticator, then the new authenticator
+ cannot possess previous session keys without breaking a fundamental
+ cryptographic assumption.
+
+4.3.2. Authorization
+
+ As a part of the authentication process, the backend authentication
+ server determines the user's authorization profile and transmits the
+ authorizations to the authenticator along with the transported keying
+ material. Typically, the profile is determined based on the user
+ identity, but a certificate presented by the user can also provide
+ authorization information.
+
+ The backend authentication server is responsible for making a user
+ authorization decision, which requires answering the following
+ questions:
+
+
+
+
+Aboba, et al. Standards Track [Page 46]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ (a) Is this a legitimate user of this network?
+
+ (b) Is the user allowed to access this network?
+
+ (c) Is the user permitted to access this network on this day and at
+ this time?
+
+ (d) Is the user within the concurrent session limit?
+
+ (e) Are there any fraud, credit limit, or other concerns that could
+ lead to access denial?
+
+ (f) If access is to be granted, what are the service parameters
+ (mandatory tunneling, bandwidth, filters, and so on) to be
+ provisioned for the user?
+
+ While the authorization decision is, in principle, simple, the
+ distributed decision making process can add complexity. Where
+ brokers or proxies are involved, all of the AAA entities in the chain
+ from the authenticator to the home backend authentication server are
+ involved in the decision. For example, a broker can deny access even
+ if the home backend authentication server would allow it, or a proxy
+ can add authorizations (e.g., bandwidth limits).
+
+ Decisions can be based on static policy definitions and profiles as
+ well as dynamic state (e.g., time of day or concurrent session
+ limits). In addition to the Accept/Reject decisions made by AAA
+ entities, service parameters or constraints can be communicated to
+ the authenticator.
+
+ The criteria for Accept/Reject decisions or the reasons for choosing
+ particular authorizations are typically not communicated to the
+ authenticator, only the final result is. As a result, the
+ authenticator has no way to know on what the decision was based. Was
+ a set of authorization parameters sent because this service is always
+ provided to the user, or was the decision based on the time of day
+ and the capabilities of the authenticator?
+
+4.3.3. Correctness
+
+ When the AAA exchange (phase 1b) is bypassed, several challenges
+ arise in ensuring correct authorization:
+
+ Theft of service
+ Bypassing the AAA exchange (phase 1b) SHOULD NOT enable a user to
+ extend their network access or gain access to services they are
+ not entitled to.
+
+
+
+
+Aboba, et al. Standards Track [Page 47]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Consideration of network-wide state
+ Handoff techniques SHOULD NOT render the backend authentication
+ server incapable of keeping track of network-wide state. For
+ example, a backend authentication server can need to keep track of
+ simultaneous user sessions.
+
+ Elevation of privilege
+ Backend authentication servers often perform conditional
+ evaluation, in which the authorizations returned in an
+ Access-Accept message are contingent on the authenticator or on
+ dynamic state such as the time of day. In this situation,
+ bypassing the AAA exchange could enable unauthorized access unless
+ the restrictions are explicitly encoded within the authorizations
+ provided by the backend authentication server.
+
+ A handoff mechanism that provides proper authorization is said to be
+ "correct". One condition for correctness is as follows:
+
+ For a handoff to be "correct" it MUST establish on the new
+ authenticator the same authorizations as would have been created
+ had the new authenticator completed a AAA conversation with the
+ backend authentication server.
+
+ A properly designed handoff scheme will only succeed if it is
+ "correct" in this way. If a successful handoff would establish
+ "incorrect" authorizations, it is preferable for it to fail. Where
+ the supported services differ between authenticators, a handoff that
+ bypasses the backend authentication server is likely to fail.
+ Section 1.1 of [RFC2865] states:
+
+ A authenticator that does not implement a given service MUST NOT
+ implement the RADIUS attributes for that service. For example, a
+ authenticator that is unable to offer ARAP service MUST NOT
+ implement the RADIUS attributes for ARAP. A authenticator MUST
+ treat a RADIUS access-accept authorizing an unavailable service as
+ an access-reject instead.
+
+ This behavior applies to attributes that are known, but not
+ implemented. For attributes that are unknown, Section 5 of [RFC2865]
+ states:
+
+ A RADIUS server MAY ignore Attributes with an unknown Type. A
+ RADIUS client MAY ignore Attributes with an unknown Type.
+
+ In order to perform a correct handoff, if a new authenticator is
+ provided with RADIUS authorizations for a known but unavailable
+ service, then it MUST process these authorizations the same way it
+ would handle a RADIUS Access-Accept requesting an unavailable
+
+
+
+Aboba, et al. Standards Track [Page 48]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ service; this MUST cause the handoff to fail. However, if a new
+ authenticator is provided with authorizations including unknown
+ attributes, then these attributes MAY be ignored. The definition of
+ a "known but unsupported service" MUST encompass requests for
+ unavailable security services. This includes vendor-specific
+ attributes related to security, such as those described in [RFC2548].
+ Although it can seem somewhat counter-intuitive, failure is indeed
+ the "correct" result where a known but unsupported service is
+ requested.
+
+ Presumably, a correctly configured backend authentication server
+ would not request that an authenticator provide a service that it
+ does not implement. This implies that if the new authenticator were
+ to complete a AAA conversation, it would be likely to receive
+ different service instructions. Failure of the handoff is the
+ desired result since it will cause the new authenticator to go back
+ to the backend server in order to receive the appropriate service
+ definition.
+
+ Handoff mechanisms that bypass the backend authentication server are
+ most likely to be successful when employed in a homogeneous
+ deployment within a single administrative domain. In a heterogeneous
+ deployment, the backend authentication server can return different
+ authorizations depending on the authenticator making the request in
+ order to make sure that the requested service is consistent with the
+ authenticator capabilities. Where a backend authentication server
+ would send different authorizations to the new authenticator than
+ were sent to a previous authenticator, transferring authorizations
+ between the previous authenticator and the new authenticator will
+ result in incorrect authorization.
+
+ Virtual LAN (VLAN) support is defined in [IEEE-802.1Q]; RADIUS
+ support for dynamic VLANs is described in [RFC3580] and [RFC4675].
+ If some authenticators support dynamic VLANs while others do not,
+ then attributes present in the Access-Request (such as the
+ NAS-Port-Type, NAS-IP-Address, NAS-IPv6-Address, and NAS-Identifier)
+ could be examined by the backend authentication server to determine
+ when VLAN attributes will be returned, and if so, which ones.
+ However, if the backend authenticator is bypassed, then a handoff
+ occurring between authenticators supporting different VLAN
+ capabilities could result in a user obtaining access to an
+ unauthorized VLAN (e.g., a user with access to a guest VLAN being
+ given unrestricted access to the network).
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 49]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Similarly, it is preferable for a handoff between an authenticator
+ providing confidentiality and another that does not to fail, since if
+ the handoff were successful, the user would be moved from a secure to
+ an insecure channel without permission from the backend
+ authentication server.
+
+5. Security Considerations
+
+ The EAP threat model is described in [RFC3748] Section 7.1. The
+ security properties of EAP methods (known as "security claims") are
+ described in [RFC3748] Section 7.2.1. EAP method requirements for
+ applications such as Wireless LAN authentication are described in
+ [RFC4017]. The RADIUS threat model is described in [RFC3579] Section
+ 4.1, and responses to these threats are described in [RFC3579],
+ Sections 4.2 and 4.3.
+
+ However, in addition to threats against EAP and AAA, there are other
+ system level threats. In developing the threat model, it is assumed
+ that:
+
+ All traffic is visible to the attacker.
+ The attacker can alter, forge, or replay messages.
+ The attacker can reroute messages to another principal.
+ The attacker can be a principal or an outsider.
+ The attacker can compromise any key that is sufficiently old.
+
+ Threats arising from these assumptions include:
+
+ (a) An attacker can compromise or steal an EAP peer or
+ authenticator, in an attempt to gain access to other EAP peers
+ or authenticators or to obtain long-term secrets.
+
+ (b) An attacker can attempt a downgrade attack in order to exploit
+ known weaknesses in an authentication method or cryptographic
+ algorithm.
+
+ (c) An attacker can try to modify or spoof packets, including
+ Discovery or Secure Association Protocol frames, EAP or AAA
+ packets.
+
+ (d) An attacker can attempt to induce an EAP peer, authenticator, or
+ server to disclose keying material to an unauthorized party, or
+ utilize keying material outside the context that it was intended
+ for.
+
+ (e) An attacker can alter, forge, or replay packets.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 50]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ (f) An attacker can cause an EAP peer, authenticator, or server to
+ reuse a stale key. Use of stale keys can also occur
+ unintentionally. For example, a poorly implemented backend
+ authentication server can provide stale keying material to an
+ authenticator, or a poorly implemented authenticator can reuse
+ nonces.
+
+ (g) An authenticated attacker can attempt to obtain elevated
+ privilege in order to access information that it does not have
+ rights to.
+
+ (h) An attacker can attempt a man-in-the-middle attack in order to
+ gain access to the network.
+
+ (i) An attacker can compromise an EAP authenticator in an effort to
+ commit fraud. For example, a compromised authenticator can
+ provide incorrect information to the EAP peer and/or server via
+ out-of-band mechanisms (such as via a AAA or lower-layer
+ protocol). This includes impersonating another authenticator,
+ or providing inconsistent information to the peer and EAP
+ server.
+
+ (j) An attacker can launch a denial-of-service attack against the
+ EAP peer, authenticator, or backend authentication server.
+
+ In order to address these threats, [RFC4962] Section 3 describes
+ required and recommended security properties. The sections that
+ follow analyze the compliance of EAP methods, AAA protocols, and
+ Secure Association Protocols with those guidelines.
+
+5.1. Peer and Authenticator Compromise
+
+ Requirement: In the event that an authenticator is compromised or
+ stolen, an attacker can gain access to the network through that
+ authenticator, or can obtain the credentials needed for the
+ authenticator/AAA client to communicate with one or more backend
+ authentication servers. Similarly, if a peer is compromised or
+ stolen, an attacker can obtain credentials needed to communicate with
+ one or more authenticators. A mandatory requirement from [RFC4962]
+ Section 3:
+
+ Prevent the Domino effect
+
+ Compromise of a single peer MUST NOT compromise keying material
+ held by any other peer within the system, including session keys
+ and long-term keys. Likewise, compromise of a single
+ authenticator MUST NOT compromise keying material held by any
+ other authenticator within the system. In the context of a key
+
+
+
+Aboba, et al. Standards Track [Page 51]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ hierarchy, this means that the compromise of one node in the key
+ hierarchy must not disclose the information necessary to
+ compromise other branches in the key hierarchy. Obviously, the
+ compromise of the root of the key hierarchy will compromise all of
+ the keys; however, a compromise in one branch MUST NOT result in
+ the compromise of other branches. There are many implications of
+ this requirement; however, two implications deserve highlighting.
+ First, the scope of the keying material must be defined and
+ understood by all parties that communicate with a party that holds
+ that keying material. Second, a party that holds keying material
+ in a key hierarchy must not share that keying material with
+ parties that are associated with other branches in the key
+ hierarchy.
+
+ Group keys are an obvious exception. Since all members of the
+ group have a copy of the same key, compromise of any one of the
+ group members will result in the disclosure of the group key.
+
+ Some of the implications of the requirement are as follows:
+
+ Key Sharing
+ In order to be able to determine whether keying material has
+ been shared, it is necessary for the identity of the EAP
+ authenticator (NAS-Identifier) to be defined and understood by
+ all parties that communicate with it. EAP lower-layer
+ specifications such as [IEEE-802.11], [IEEE-802.16e],
+ [IEEE-802.1X], IKEv2 [RFC4306], and PPP [RFC1661] do not involve
+ key sharing.
+
+ AAA Credential Sharing
+ AAA credentials (such as RADIUS shared secrets, IPsec pre-shared
+ keys or certificates) MUST NOT be shared between AAA clients,
+ since if one AAA client were compromised, this would enable an
+ attacker to impersonate other AAA clients to the backend
+ authentication server, or even to impersonate a backend
+ authentication server to other AAA clients.
+
+ Compromise of Long-Term Credentials
+ An attacker obtaining keying material (such as TSKs, TEKs, or
+ the MSK) MUST NOT be able to obtain long-term user credentials
+ such as pre-shared keys, passwords, or private-keys without
+ breaking a fundamental cryptographic assumption. The mandatory
+ requirements of [RFC4017] Section 2.2 include generation of EAP
+ keying material, capability to generate EAP keying material with
+ 128 bits of effective strength, resistance to dictionary
+ attacks, shared state equivalence, and protection against
+ man-in-the-middle attacks.
+
+
+
+
+Aboba, et al. Standards Track [Page 52]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+5.2. Cryptographic Negotiation
+
+ Mandatory requirements from [RFC4962] Section 3:
+
+ Cryptographic algorithm independent
+
+ The AAA key management protocol MUST be cryptographic algorithm
+ independent. However, an EAP method MAY depend on a specific
+ cryptographic algorithm. The ability to negotiate the use of a
+ particular cryptographic algorithm provides resilience against
+ compromise of a particular cryptographic algorithm. Algorithm
+ independence is also REQUIRED with a Secure Association Protocol
+ if one is defined. This is usually accomplished by including an
+ algorithm identifier and parameters in the protocol, and by
+ specifying the algorithm requirements in the protocol
+ specification. While highly desirable, the ability to negotiate
+ key derivation functions (KDFs) is not required. For
+ interoperability, at least one suite of mandatory-to-implement
+ algorithms MUST be selected. Note that without protection by
+ IPsec as described in [RFC3579] Section 4.2, RADIUS [RFC2865] does
+ not meet this requirement, since the integrity protection
+ algorithm cannot be negotiated.
+
+ This requirement does not mean that a protocol must support both
+ public-key and symmetric-key cryptographic algorithms. It means
+ that the protocol needs to be structured in such a way that
+ multiple public-key algorithms can be used whenever a public-key
+ algorithm is employed. Likewise, it means that the protocol needs
+ to be structured in such a way that multiple symmetric-key
+ algorithms can be used whenever a symmetric-key algorithm is
+ employed.
+
+ Confirm ciphersuite selection
+
+ The selection of the "best" ciphersuite SHOULD be securely
+ confirmed. The mechanism SHOULD detect attempted roll-back
+ attacks.
+
+ EAP methods satisfying [RFC4017] Section 2.2 mandatory requirements
+ and AAA protocols utilizing transmission-layer security are capable
+ of addressing downgrade attacks. [RFC3748] Section 7.2.1 describes
+ the "protected ciphersuite negotiation" security claim that refers to
+ the ability of an EAP method to negotiate the ciphersuite used to
+ protect the EAP method conversation, as well as to integrity protect
+ the ciphersuite negotiation. [RFC4017] Section 2.2 requires EAP
+ methods satisfying this security claim. Since TLS v1.2 [RFC5246] and
+ IKEv2 [RFC4306] support negotiation of Key Derivation Functions
+ (KDFs), EAP methods based on TLS or IKEv2 will, if properly designed,
+
+
+
+Aboba, et al. Standards Track [Page 53]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ inherit this capability. However, negotiation of KDFs is not
+ required by RFC 4962 [RFC4962], and EAP methods based on neither TLS
+ nor IKEv2 typically do not support KDF negotiation.
+
+ When AAA protocols utilize TLS [RFC5246] or IPsec [RFC4301] for
+ transmission layer security, they can leverage the cryptographic
+ algorithm negotiation support provided by IKEv2 [RFC4306] or TLS
+ [RFC5246]. RADIUS [RFC3579] by itself does not support cryptographic
+ algorithm negotiation and relies on MD5 for integrity protection,
+ authentication, and confidentiality. Given the known weaknesses in
+ MD5 [MD5Collision], this is undesirable, and can be addressed via use
+ of RADIUS over IPsec, as described in [RFC3579] Section 4.2.
+
+ To ensure against downgrade attacks within lower-layer protocols,
+ algorithm independence is REQUIRED with lower layers using EAP for
+ key derivation. For interoperability, at least one suite of
+ mandatory-to-implement algorithms MUST be selected. Lower-layer
+ protocols supporting EAP for key derivation SHOULD also support
+ secure ciphersuite negotiation as well as KDF negotiation.
+
+ As described in [RFC1968], PPP ECP does not support secure
+ ciphersuite negotiation. While [IEEE-802.16e] and [IEEE-802.11]
+ support ciphersuite negotiation for protection of data, they do not
+ support negotiation of the cryptographic primitives used within the
+ Secure Association Protocol, such as message integrity checks (MICs)
+ and KDFs.
+
+5.3. Confidentiality and Authentication
+
+ Mandatory requirements from [RFC4962] Section 3:
+
+ Authenticate all parties
+
+ Each party in the AAA key management protocol MUST be
+ authenticated to the other parties with whom they communicate.
+ Authentication mechanisms MUST maintain the confidentiality of any
+ secret values used in the authentication process. When a secure
+ association protocol is used to establish session keys, the
+ parties involved in the secure association protocol MUST identify
+ themselves using identities that are meaningful in the lower-layer
+ protocol environment that will employ the session keys. In this
+ situation, the authenticator and peer may be known by different
+ identifiers in the AAA protocol environment and the lower-layer
+ protocol environment, making authorization decisions difficult
+ without a clear key scope. If the lower-layer identifier of the
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 54]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ peer will be used to make authorization decisions, then the pair
+ of identifiers associated with the peer MUST be authorized by the
+ authenticator and/or the AAA server.
+
+ AAA protocols, such as RADIUS [RFC2865] and Diameter [RFC3588],
+ provide a mechanism for the identification of AAA clients; since
+ the EAP authenticator and AAA client are always co-resident, this
+ mechanism is applicable to the identification of EAP
+ authenticators.
+
+ When multiple base stations and a "controller" (such as a WLAN
+ switch) comprise a single EAP authenticator, the "base station
+ identity" is not relevant; the EAP method conversation takes place
+ between the EAP peer and the EAP server. Also, many base stations
+ can share the same authenticator identity. The authenticator
+ identity is important in the AAA protocol exchange and the secure
+ association protocol conversation.
+
+ Authentication mechanisms MUST NOT employ plaintext passwords.
+ Passwords may be used provided that they are not sent to another
+ party without confidentiality protection.
+
+ Keying material confidentiality and integrity
+
+ While preserving algorithm independence, confidentiality and
+ integrity of all keying material MUST be maintained.
+
+ Conformance to these requirements is analyzed in the sections that
+ follow.
+
+5.3.1. Spoofing
+
+ Per-packet authentication and integrity protection provides
+ protection against spoofing attacks.
+
+ Diameter [RFC3588] provides support for per-packet authentication and
+ integrity protection via use of IPsec or TLS. RADIUS/EAP [RFC3579]
+ provides for per-packet authentication and integrity protection via
+ use of the Message-Authenticator Attribute.
+
+ [RFC3748] Section 7.2.1 describes the "integrity protection" security
+ claim and [RFC4017] Section 2.2 requires EAP methods supporting this
+ claim.
+
+ In order to prevent forgery of Secure Association Protocol frames,
+ per-frame authentication and integrity protection is RECOMMENDED on
+ all messages. IKEv2 [RFC4306] supports per-frame integrity
+
+
+
+
+Aboba, et al. Standards Track [Page 55]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ protection and authentication, as does the Secure Association
+ Protocol defined in [IEEE-802.16e]. [IEEE-802.11] supports per-frame
+ integrity protection and authentication on all messages within the
+ 4-way handshake except the first message. An attack leveraging this
+ omission is described in [Analysis].
+
+5.3.2. Impersonation
+
+ Both RADIUS [RFC2865] and Diameter [RFC3588] implementations are
+ potentially vulnerable to a rogue authenticator impersonating another
+ authenticator. While both protocols support mutual authentication
+ between the AAA client/authenticator and the backend authentication
+ server, the security mechanisms vary.
+
+ In RADIUS, the shared secret used for authentication is determined by
+ the source address of the RADIUS packet. However, when RADIUS
+ Access-Requests are forwarded by a proxy, the NAS-IP-Address,
+ NAS-Identifier, or NAS-IPv6-Address attributes received by the RADIUS
+ server will not correspond to the source address. As noted in
+ [RFC3579] Section 4.3.7, if the first-hop proxy does not check the
+ NAS identification attributes against the source address in the
+ Access-Request packet, it is possible for a rogue authenticator to
+ forge NAS-IP-Address [RFC2865], NAS-IPv6-Address [RFC3162], or
+ NAS-Identifier [RFC2865] attributes in order to impersonate another
+ authenticator; attributes such as the Called-Station-Id [RFC2865] and
+ Calling-Station-Id [RFC2865] can be forged as well. Among other
+ things, this can result in messages (and transported keying material)
+ being sent to the wrong authenticator.
+
+ While [RFC3588] requires use of the Route-Record AVP, this utilizes
+ Fully Qualified Domain Names (FQDNs), so that impersonation detection
+ requires DNS A, AAAA, and PTR Resource Records (RRs) to be properly
+ configured. As a result, Diameter is as vulnerable to this attack as
+ RADIUS, if not more so. [RFC3579] Section 4.3.7 recommends
+ mechanisms for impersonation detection; to prevent access to keying
+ material by proxies without a "need to know", it is necessary to
+ allow the backend authentication server to communicate with the
+ authenticator directly, such as via the redirect functionality
+ supported in [RFC3588].
+
+5.3.3. Channel Binding
+
+ It is possible for a compromised or poorly implemented EAP
+ authenticator to communicate incorrect information to the EAP peer
+ and/or server. This can enable an authenticator to impersonate
+ another authenticator or communicate incorrect information via
+ out-of-band mechanisms (such as via AAA or the lower layer).
+
+
+
+
+Aboba, et al. Standards Track [Page 56]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ Where EAP is used in pass-through mode, the EAP peer does not verify
+ the identity of the pass-through authenticator within the EAP
+ conversation. Within the Secure Association Protocol, the EAP peer
+ and authenticator only demonstrate mutual possession of the
+ transported keying material; they do not mutually authenticate. This
+ creates a potential security vulnerability, described in [RFC3748]
+ Section 7.15.
+
+ As described in [RFC3579] Section 4.3.7, it is possible for a
+ first-hop AAA proxy to detect a AAA client attempting to impersonate
+ another authenticator. However, it is possible for a pass-through
+ authenticator acting as a AAA client to provide correct information
+ to the backend authentication server while communicating misleading
+ information to the EAP peer via the lower layer.
+
+ For example, a compromised authenticator can utilize another
+ authenticator's Called-Station-Id or NAS-Identifier in communicating
+ with the EAP peer via the lower layer. Also, a pass-through
+ authenticator acting as a AAA client can provide an incorrect peer
+ Calling-Station-Id [RFC2865] [RFC3580] to the backend authentication
+ server via the AAA protocol.
+
+ As noted in [RFC3748] Section 7.15, this vulnerability can be
+ addressed by EAP methods that support a protected exchange of channel
+ properties such as endpoint identifiers, including (but not limited
+ to): Called-Station-Id [RFC2865] [RFC3580], Calling-Station-Id
+ [RFC2865] [RFC3580], NAS-Identifier [RFC2865], NAS-IP-Address
+ [RFC2865], and NAS-IPv6-Address [RFC3162].
+
+ Using such a protected exchange, it is possible to match the channel
+ properties provided by the authenticator via out-of-band mechanisms
+ against those exchanged within the EAP method. Typically, the EAP
+ method imports channel binding parameters from the lower layer on the
+ peer, and transmits them securely to the EAP server, which exports
+ them to the lower layer or AAA layer. However, transport can occur
+ from EAP server to peer, or can be bi-directional. On the side of
+ the exchange (peer or server) where channel binding is verified, the
+ lower layer or AAA layer passes the result of the verification (TRUE
+ or FALSE) up to the EAP method. While the verification can be done
+ either by the peer or the server, typically only the server has the
+ knowledge to determine the correctness of the values, as opposed to
+ merely verifying their equality. For further discussion, see
+ [EAP-SERVICE].
+
+ It is also possible to perform channel binding without transporting
+ data over EAP, as described in [EAP-CHANNEL]. In this approach the
+ EAP method includes channel binding parameters in the calculation of
+ exported EAP keying material, making it impossible for the peer and
+
+
+
+Aboba, et al. Standards Track [Page 57]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ authenticator to complete the Secure Association Protocol if there is
+ a mismatch in the channel binding parameters. However, this approach
+ can only be applied where methods generating EAP keying material are
+ used along with lower layers that utilize EAP keying material. For
+ example, this mechanism would not enable verification of channel
+ binding on wired IEEE 802 networks using [IEEE-802.1X].
+
+5.3.4. Mutual Authentication
+
+ [RFC3748] Section 7.2.1 describes the "mutual authentication" and
+ "dictionary attack resistance" claims, and [RFC4017] requires EAP
+ methods satisfying these claims. EAP methods complying with
+ [RFC4017] therefore provide for mutual authentication between the EAP
+ peer and server.
+
+ [RFC3748] Section 7.2.1 also describes the "Cryptographic binding"
+ security claim, and [RFC4017] Section 2.2 requires support for this
+ claim. As described in [EAP-BINDING], EAP method sequences and
+ compound authentication mechanisms can be subject to
+ man-in-the-middle attacks. When such attacks are successfully
+ carried out, the attacker acts as an intermediary between a victim
+ and a legitimate authenticator. This allows the attacker to
+ authenticate successfully to the authenticator, as well as to obtain
+ access to the network.
+
+ In order to prevent these attacks, [EAP-BINDING] recommends
+ derivation of a compound key by which the EAP peer and server can
+ prove that they have participated in the entire EAP exchange. Since
+ the compound key MUST NOT be known to an attacker posing as an
+ authenticator, and yet must be derived from EAP keying material, it
+ MAY be desirable to derive the compound key from a portion of the
+ EMSK. Where this is done, in order to provide proper key hygiene, it
+ is RECOMMENDED that the compound key used for man-in-the-middle
+ protection be cryptographically separate from other keys derived from
+ the EMSK.
+
+ Diameter [RFC3588] provides for per-packet authentication and
+ integrity protection via IPsec or TLS, and RADIUS/EAP [RFC3579] also
+ provides for per-packet authentication and integrity protection.
+ Where the authenticator/AAA client and backend authentication server
+ communicate directly and credible key wrap is used (see Section 3.8),
+ this ensures that the AAA Key Transport (phase 1b) achieves its
+ security objectives: mutually authenticating the AAA
+ client/authenticator and backend authentication server and providing
+ transported keying material to the EAP authenticator and to no other
+ party.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 58]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [RFC2607] Section 7 describes the security issues occurring when the
+ authenticator/AAA client and backend authentication server do not
+ communicate directly. Where a AAA intermediary is present (such as a
+ RADIUS proxy or a Diameter agent), and data object security is not
+ used, transported keying material can be recovered by an attacker in
+ control of the intermediary. As discussed in Section 2.1, unless the
+ TSKs are derived independently from EAP keying material (as in
+ IKEv2), possession of transported keying material enables decryption
+ of data traffic sent between the peer and the authenticator to whom
+ the keying material was transported. It also allows the AAA
+ intermediary to impersonate the authenticator or the peer. Since the
+ peer does not authenticate to a AAA intermediary, it has no ability
+ to determine whether it is authentic or authorized to obtain keying
+ material.
+
+ However, as long as transported keying material or keys derived from
+ it are only utilized by a single authenticator, compromise of the
+ transported keying material does not enable an attacker to
+ impersonate the peer to another authenticator. Vulnerability to
+ compromise of a AAA intermediary can be mitigated by implementation
+ of redirect functionality, as described in [RFC3588] and [RFC4072].
+
+ The Secure Association Protocol does not provide for mutual
+ authentication between the EAP peer and authenticator, only mutual
+ proof of possession of transported keying material. In order for the
+ peer to verify the identity of the authenticator, mutual proof of
+ possession needs to be combined with impersonation prevention and
+ channel binding. Impersonation prevention (described in Section
+ 5.3.2) enables the backend authentication server to determine that
+ the transported keying material has been provided to the correct
+ authenticator. When utilized along with impersonation prevention,
+ channel binding (described in Section 5.3.3) enables the EAP peer to
+ verify that the EAP server has authorized the authenticator to
+ possess the transported keying material. Completion of the Secure
+ Association Protocol exchange demonstrates that the EAP peer and the
+ authenticator possess the transported keying material.
+
+5.4. Key Binding
+
+ Mandatory requirement from [RFC4962] Section 3:
+
+ Bind key to its context
+
+ Keying material MUST be bound to the appropriate context. The
+ context includes the following:
+
+ o The manner in which the keying material is expected to be used.
+
+
+
+
+Aboba, et al. Standards Track [Page 59]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ o The other parties that are expected to have access to the
+ keying material.
+
+ o The expected lifetime of the keying material. Lifetime of a
+ child key SHOULD NOT be greater than the lifetime of its parent
+ in the key hierarchy.
+
+ Any party with legitimate access to keying material can determine
+ its context. In addition, the protocol MUST ensure that all
+ parties with legitimate access to keying material have the same
+ context for the keying material. This requires that the parties
+ are properly identified and authenticated, so that all of the
+ parties that have access to the keying material can be determined.
+
+ The context will include the peer and NAS identities in more than
+ one form. One (or more) name form is needed to identify these
+ parties in the authentication exchange and the AAA protocol.
+ Another name form may be needed to identify these parties within
+ the lower layer that will employ the session key.
+
+ Within EAP, exported keying material (MSK, EMSK,IV) is bound to the
+ Peer-Id(s) and Server-Id(s), which are exported along with the keying
+ material. However, not all EAP methods support authenticated server
+ identities (see Appendix A).
+
+ Within the AAA protocol, transported keying material is destined for
+ the EAP authenticator identified by the NAS-Identifier Attribute
+ within the request, and is for use by the EAP peer identified by the
+ Peer-Id(s), User-Name [RFC2865], or Chargeable User Identity (CUI)
+ [RFC4372] attributes. The maximum lifetime of the transported keying
+ material can be provided, as discussed in Section 3.5.1. Key usage
+ restrictions can also be included as described in Section 3.2. Key
+ lifetime issues are discussed in Sections 3.3, 3.4, and 3.5.
+
+5.5. Authorization
+
+ Requirement: The Secure Association Protocol (phase 2) conversation
+ may utilize different identifiers from the EAP conversation (phase
+ 1a), so that binding between the EAP and Secure Association Protocol
+ identities is REQUIRED.
+
+ Mandatory requirement from [RFC4962] Section 3:
+
+ Peer and authenticator authorization
+
+ Peer and authenticator authorization MUST be performed. These
+ entities MUST demonstrate possession of the appropriate keying
+ material, without disclosing it. Authorization is REQUIRED
+
+
+
+Aboba, et al. Standards Track [Page 60]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ whenever a peer associates with a new authenticator. The
+ authorization checking prevents an elevation of privilege attack,
+ and it ensures that an unauthorized authenticator is detected.
+
+ Authorizations SHOULD be synchronized between the peer, NAS, and
+ backend authentication server. Once the AAA key management
+ protocol exchanges are complete, all of these parties should hold
+ a common view of the authorizations associated with the other
+ parties.
+
+ In addition to authenticating all parties, key management
+ protocols need to demonstrate that the parties are authorized to
+ possess keying material. Note that proof of possession of keying
+ material does not necessarily prove authorization to hold that
+ keying material. For example, within an IEEE 802.11, the 4-way
+ handshake demonstrates that both the peer and authenticator
+ possess the same EAP keying material. However, by itself, this
+ possession proof does not demonstrate that the authenticator was
+ authorized by the backend authentication server to possess that
+ keying material. As noted in [RFC3579] in Section 4.3.7, where
+ AAA proxies are present, it is possible for one authenticator to
+ impersonate another, unless each link in the AAA chain implements
+ checks against impersonation. Even with these checks in place, an
+ authenticator may still claim different identities to the peer and
+ the backend authentication server. As described in [RFC3748]
+ Section 7.15, channel binding is required to enable the peer to
+ verify that the authenticator claim of identity is both consistent
+ and correct.
+
+ Recommendation from [RFC4962] Section 3:
+
+ Authorization restriction
+
+ If peer authorization is restricted, then the peer SHOULD be made
+ aware of the restriction. Otherwise, the peer may inadvertently
+ attempt to circumvent the restriction. For example, authorization
+ restrictions in an IEEE 802.11 environment include:
+
+ o Key lifetimes, where the keying material can only be used for a
+ certain period of time;
+
+ o SSID restrictions, where the keying material can only be used
+ with a specific IEEE 802.11 SSID;
+
+ o Called-Station-ID restrictions, where the keying material can
+ only be used with a single IEEE 802.11 BSSID; and
+
+
+
+
+
+Aboba, et al. Standards Track [Page 61]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ o Calling-Station-ID restrictions, where the keying material can
+ only be used with a single peer IEEE 802 MAC address.
+
+ As described in Section 2.3, consistent identification of the EAP
+ authenticator enables the EAP peer to determine the scope of keying
+ material provided to an authenticator, as well as to confirm with the
+ backend authentication server that an EAP authenticator proving
+ possession of EAP keying material during the Secure Association
+ Protocol was authorized to obtain it.
+
+ Within the AAA protocol, the authorization attributes are bound to
+ the transported keying material. While the AAA exchange provides the
+ AAA client/authenticator with authorizations relating to the EAP
+ peer, neither the EAP nor AAA exchanges provide authorizations to the
+ EAP peer. In order to ensure that all parties hold the same view of
+ the authorizations, it is RECOMMENDED that the Secure Association
+ Protocol enable communication of authorizations between the EAP
+ authenticator and peer.
+
+ In lower layers where the authenticator consistently identifies
+ itself to the peer and backend authentication server and the EAP peer
+ completes the Secure Association Protocol exchange with the same
+ authenticator through which it completed the EAP conversation,
+ authorization of the authenticator is demonstrated to the peer by
+ mutual authentication between the peer and authenticator as discussed
+ in the previous section. Identification issues are discussed in
+ Sections 2.3, 2.4, and 2.5 and key scope issues are discussed in
+ Section 3.2.
+
+ Where the EAP peer utilizes different identifiers within the EAP
+ method and Secure Association Protocol conversations, peer
+ authorization can be difficult to demonstrate to the authenticator
+ without additional restrictions. This problem does not exist in
+ IKEv2 where the Identity Payload is used for peer identification both
+ within IKEv2 and EAP, and where the EAP conversation is
+ cryptographically protected within IKEv2 binding the EAP and IKEv2
+ exchanges. However, within [IEEE-802.11], the EAP peer identity is
+ not used within the 4-way handshake, so that it is necessary for the
+ authenticator to require that the EAP peer utilize the same MAC
+ address for EAP authentication as for the 4-way handshake.
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 62]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+5.6. Replay Protection
+
+ Mandatory requirement from [RFC4962] Section 3:
+
+ Replay detection mechanism
+
+ The AAA key management protocol exchanges MUST be replay
+ protected, including AAA, EAP and Secure Association Protocol
+ exchanges. Replay protection allows a protocol message recipient
+ to discard any message that was recorded during a previous
+ legitimate dialogue and presented as though it belonged to the
+ current dialogue.
+
+ [RFC3748] Section 7.2.1 describes the "replay protection" security
+ claim, and [RFC4017] Section 2.2 requires use of EAP methods
+ supporting this claim.
+
+ Diameter [RFC3588] provides support for replay protection via use of
+ IPsec or TLS. "RADIUS Support for EAP" [RFC3579] protects against
+ replay of keying material via the Request Authenticator. According
+ to [RFC2865] Section 3:
+
+ In Access-Request Packets, the Authenticator value is a 16 octet
+ random number, called the Request Authenticator.
+
+ However, some RADIUS packets are not replay protected. In
+ Accounting, Disconnect, and Care-of Address (CoA)-Request packets,
+ the Request Authenticator contains a keyed Message Integrity Code
+ (MIC) rather than a nonce. The Response Authenticator in Accounting,
+ Disconnect, and CoA-Response packets also contains a keyed MIC whose
+ calculation does not depend on a nonce in either the Request or
+ Response packets. Therefore, unless an Event-Timestamp attribute is
+ included or IPsec is used, it is possible that the recipient will not
+ be able to determine whether these packets have been replayed. This
+ issue is discussed further in [RFC5176] Section 6.3.
+
+ In order to prevent replay of Secure Association Protocol frames,
+ replay protection is REQUIRED on all messages. [IEEE-802.11]
+ supports replay protection on all messages within the 4-way
+ handshake; IKEv2 [RFC4306] also supports this.
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 63]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+5.7. Key Freshness
+
+ Requirement: A session key SHOULD be considered compromised if it
+ remains in use beyond its authorized lifetime. Mandatory requirement
+ from [RFC4962] Section 3:
+
+ Strong, fresh session keys
+
+ While preserving algorithm independence, session keys MUST be
+ strong and fresh. Each session deserves an independent session
+ key. Fresh keys are required even when a long replay counter
+ (that is, one that "will never wrap") is used to ensure that loss
+ of state does not cause the same counter value to be used more
+ than once with the same session key.
+
+ Some EAP methods are capable of deriving keys of varying strength,
+ and these EAP methods MUST permit the generation of keys meeting a
+ minimum equivalent key strength. BCP 86 [RFC3766] offers advice
+ on appropriate key sizes. The National Institute for Standards
+ and Technology (NIST) also offers advice on appropriate key sizes
+ in [SP800-57].
+
+ A fresh cryptographic key is one that is generated specifically
+ for the intended use. In this situation, a secure association
+ protocol is used to establish session keys. The AAA protocol and
+ EAP method MUST ensure that the keying material supplied as an
+ input to session key derivation is fresh, and the secure
+ association protocol MUST generate a separate session key for each
+ session, even if the keying material provided by EAP is cached. A
+ cached key persists after the authentication exchange has
+ completed. For the AAA/EAP server, key caching can happen when
+ state is kept on the server. For the NAS or client, key caching
+ can happen when the NAS or client does not destroy keying material
+ immediately following the derivation of session keys.
+
+ Session keys MUST NOT be dependent on one another. Multiple
+ session keys may be derived from a higher-level shared secret as
+ long as a one-time value, usually called a nonce, is used to
+ ensure that each session key is fresh. The mechanism used to
+ generate session keys MUST ensure that the disclosure of one
+ session key does not aid the attacker in discovering any other
+ session keys.
+
+ EAP, AAA, and the lower layer each bear responsibility for ensuring
+ the use of fresh, strong session keys. EAP methods need to ensure
+ the freshness and strength of EAP keying material provided as an
+ input to session key derivation. [RFC3748] Section 7.10 states:
+
+
+
+
+Aboba, et al. Standards Track [Page 64]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ EAP methods SHOULD ensure the freshness of the MSK and EMSK, even
+ in cases where one party may not have a high quality random number
+ generator. A RECOMMENDED method is for each party to provide a
+ nonce of at least 128 bits, used in the derivation of the MSK and
+ EMSK.
+
+ The contribution of nonces enables the EAP peer and server to ensure
+ that exported EAP keying material is fresh.
+
+ [RFC3748] Section 7.2.1 describes the "key strength" and "session
+ independence" security claims, and [RFC4017] requires EAP methods
+ supporting these claims as well as methods capable of providing
+ equivalent key strength of 128 bits or greater. See Section 3.7 for
+ more information on key strength.
+
+ The AAA protocol needs to ensure that transported keying material is
+ fresh and is not utilized outside its recommended lifetime. Replay
+ protection is necessary for key freshness, but an attacker can
+ deliver a stale (and therefore potentially compromised) key in a
+ replay-protected message, so replay protection is not sufficient. As
+ discussed in Section 3.5, the Session-Timeout Attribute enables the
+ backend authentication server to limit the exposure of transported
+ keying material.
+
+ The EAP Session-Id, described in Section 1.4, enables the EAP peer,
+ authenticator, and server to distinguish EAP conversations. However,
+ unless the authenticator keeps track of EAP Session-Ids, the
+ authenticator cannot use the Session-Id to guarantee the freshness of
+ keying material.
+
+ The Secure Association Protocol, described in Section 3.1, MUST
+ generate a fresh session key for each session, even if the EAP keying
+ material and parameters provided by methods are cached, or either the
+ peer or authenticator lack a high entropy random number generator. A
+ RECOMMENDED method is for the peer and authenticator to each provide
+ a nonce or counter used in session key derivation. If a nonce is
+ used, it is RECOMMENDED that it be at least 128 bits. While
+ [IEEE-802.11] and IKEv2 [RFC4306] satisfy this requirement,
+ [IEEE-802.16e] does not, since randomness is only contributed from
+ the Base Station.
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 65]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+5.8. Key Scope Limitation
+
+ Mandatory requirement from [RFC4962] Section 3:
+
+ Limit key scope
+
+ Following the principle of least privilege, parties MUST NOT have
+ access to keying material that is not needed to perform their
+ role. A party has access to a particular key if it has access to
+ all of the secret information needed to derive it.
+
+ Any protocol that is used to establish session keys MUST specify
+ the scope for session keys, clearly identifying the parties to
+ whom the session key is available.
+
+ Transported keying material is permitted to be accessed by the EAP
+ peer, authenticator and server. The EAP peer and server derive EAP
+ keying material during the process of mutually authenticating each
+ other using the selected EAP method. During the Secure Association
+ Protocol exchange, the EAP peer utilizes keying material to
+ demonstrate to the authenticator that it is the same party that
+ authenticated to the EAP server and was authorized by it. The EAP
+ authenticator utilizes the transported keying material to prove to
+ the peer not only that the EAP conversation was transported through
+ it (this could be demonstrated by a man-in-the-middle), but that it
+ was uniquely authorized by the EAP server to provide the peer with
+ access to the network. Unique authorization can only be demonstrated
+ if the EAP authenticator does not share the transported keying
+ material with a party other than the EAP peer and server. TSKs are
+ permitted to be accessed only by the EAP peer and authenticator (see
+ Section 1.5); TSK derivation is discussed in Section 2.1. Since
+ demonstration of authorization within the Secure Association Protocol
+ exchange depends on possession of transported keying material, the
+ backend authentication server can obtain TSKs unless it deletes the
+ transported keying material after sending it.
+
+5.9. Key Naming
+
+ Mandatory requirement from [RFC4962] Section 3:
+
+ Uniquely named keys
+
+ AAA key management proposals require a robust key naming scheme,
+ particularly where key caching is supported. The key name
+ provides a way to refer to a key in a protocol so that it is clear
+ to all parties which key is being referenced. Objects that cannot
+ be named cannot be managed. All keys MUST be uniquely named, and
+ the key name MUST NOT directly or indirectly disclose the keying
+
+
+
+Aboba, et al. Standards Track [Page 66]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ material. If the key name is not based on the keying material,
+ then one can be sure that it cannot be used to assist in a search
+ for the key value.
+
+ EAP key names (defined in Section 1.4.1), along with the Peer-Id(s)
+ and Server-Id(s), uniquely identify EAP keying material, and do not
+ directly or indirectly expose EAP keying material.
+
+ Existing AAA server implementations do not distribute key names along
+ with the transported keying material. However, Diameter EAP
+ [RFC4072] Section 4.1.4 defines the EAP-Key-Name AVP for the purpose
+ of transporting the EAP Session-Id. Since the EAP-Key-Name AVP is
+ defined within the RADIUS attribute space, it can be used either with
+ RADIUS or Diameter.
+
+ Since the authenticator is not provided with the name of the
+ transported keying material by existing backend authentication server
+ implementations, existing Secure Association Protocols do not utilize
+ EAP key names. For example, [IEEE-802.11] supports PMK caching; to
+ enable the peer and authenticator to determine the cached PMK to
+ utilize within the 4-way handshake, the PMK needs to be named. For
+ this purpose, [IEEE-802.11] utilizes a PMK naming scheme that is
+ based on the key. Since IKEv2 [RFC4306] does not cache transported
+ keying material, it does not need to refer to transported keying
+ material.
+
+5.10. Denial-of-Service Attacks
+
+ Key caching can result in vulnerability to denial-of-service attacks.
+ For example, EAP methods that create persistent state can be
+ vulnerable to denial-of-service attacks on the EAP server by a rogue
+ EAP peer.
+
+ To address this vulnerability, EAP methods creating persistent state
+ can limit the persistent state created by an EAP peer. For example,
+ for each peer an EAP server can choose to limit persistent state to a
+ few EAP conversations, distinguished by the EAP Session-Id. This
+ prevents a rogue peer from denying access to other peers.
+
+ Similarly, to conserve resources an authenticator can choose to limit
+ the persistent state corresponding to each peer. This can be
+ accomplished by limiting each peer to persistent state corresponding
+ to a few EAP conversations, distinguished by the EAP Session-Id.
+
+ Whether creation of new TSKs implies deletion of previously derived
+ TSKs depends on the EAP lower layer. Where there is no implied
+ deletion, the authenticator can choose to limit the number of TSKs
+ and associated state that can be stored for each peer.
+
+
+
+Aboba, et al. Standards Track [Page 67]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
+ H. Levkowetz, Ed., "Extensible Authentication Protocol
+ (EAP)", RFC 3748, June 2004.
+
+ [RFC4962] Housley, R. and B. Aboba, "Guidance for
+ Authentication, Authorization, and Accounting (AAA)
+ Key Management", BCP 132, RFC 4962, July 2007.
+
+6.2. Informative References
+
+ [8021XPreAuth] Pack, S. and Y. Choi, "Pre-Authenticated Fast Handoff
+ in a Public Wireless LAN Based on IEEE 802.1x Model",
+ Proceedings of the IFIP TC6/WG6.8 Working Conference
+ on Personal Wireless Communications, p.175-182,
+ October 23-25, 2002.
+
+ [Analysis] He, C. and J. Mitchell, "Analysis of the 802.11i 4-Way
+ Handshake", Proceedings of the 2004 ACM Workshop on
+ Wireless Security, pp. 43-50, ISBN: 1-58113-925-X.
+
+ [Bargh] Bargh, M., Hulsebosch, R., Eertink, E., Prasad, A.,
+ Wang, H. and P. Schoo, "Fast Authentication Methods
+ for Handovers between IEEE 802.11 Wireless LANs",
+ Proceedings of the 2nd ACM international workshop on
+ Wireless mobile applications and services on WLAN
+ hotspots, October, 2004.
+
+ [GKDP] Dondeti, L., Xiang, J., and S. Rowles, "GKDP: Group
+ Key Distribution Protocol", Work in Progress, March
+ 2006.
+
+ [He] He, C., Sundararajan, M., Datta, A. Derek, A. and J.
+ C. Mitchell, "A Modular Correctness Proof of TLS and
+ IEEE 802.11i", ACM Conference on Computer and
+ Communications Security (CCS '05), November, 2005.
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 68]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [IEEE-802.11] Institute of Electrical and Electronics Engineers,
+ "Information technology - Telecommunications and
+ information exchange between systems - Local and
+ metropolitan area networks - Specific Requirements
+ Part 11: Wireless LAN Medium Access Control (MAC) and
+ Physical Layer (PHY) Specifications", IEEE Standard
+ 802.11-2007, 2007.
+
+ [IEEE-802.1X] Institute of Electrical and Electronics Engineers,
+ "Local and Metropolitan Area Networks: Port-Based
+ Network Access Control", IEEE Standard 802.1X-2004,
+ December 2004.
+
+ [IEEE-802.1Q] IEEE Standards for Local and Metropolitan Area
+ Networks: Draft Standard for Virtual Bridged Local
+ Area Networks, P802.1Q-2003, January 2003.
+
+ [IEEE-802.11i] Institute of Electrical and Electronics Engineers,
+ "Supplement to Standard for Telecommunications and
+ Information Exchange Between Systems - LAN/MAN
+ Specific Requirements - Part 11: Wireless LAN Medium
+ Access Control (MAC) and Physical Layer (PHY)
+ Specifications: Specification for Enhanced Security",
+ IEEE 802.11i/D1, 2001.
+
+ [IEEE-802.11F] Institute of Electrical and Electronics Engineers,
+ "Recommended Practice for Multi-Vendor Access Point
+ Interoperability via an Inter-Access Point Protocol
+ Across Distribution Systems Supporting IEEE 802.11
+ Operation", IEEE 802.11F, July 2003 (now deprecated).
+
+ [IEEE-802.16e] Institute of Electrical and Electronics Engineers,
+ "IEEE Standard for Local and Metropolitan Area
+ Networks: Part 16: Air Interface for Fixed and Mobile
+ Broadband Wireless Access Systems: Amendment for
+ Physical and Medium Access Control Layers for Combined
+ Fixed and Mobile Operations in Licensed Bands" IEEE
+ 802.16e, August 2005.
+
+ [IEEE-03-084] Mishra, A., Shin, M., Arbaugh, W., Lee, I. and K.
+ Jang, "Proactive Key Distribution to support fast and
+ secure roaming", IEEE 802.11 Working Group, IEEE-03-
+ 084r1-I, http://www.ieee802.org/11/Documents/
+ DocumentHolder/3-084.zip, January 2003.
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 69]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [EAP-SERVICE] Arkko, J. and P. Eronen, "Authenticated Service
+ Information for the Extensible Authentication Protocol
+ (EAP)", Work in Progress, October 2005.
+
+ [SHORT-TERM] Friedman, A., Sheffer, Y., and A. Shaqed, "Short-Term
+ Certificates", Work in Progress, June 2007.
+
+ [HANDOFF] Arbaugh, W. and B. Aboba, "Handoff Extension to
+ RADIUS", Work in Progress, October 2003.
+
+ [EAP-CHANNEL] Ohba, Y., Parthasrathy, M., and M. Yanagiya, "Channel
+ Binding Mechanism Based on Parameter Binding in Key
+ Derivation", Work in Progress, June 2007.
+
+ [EAP-BINDING] Puthenkulam, J., Lortz, V., Palekar, A., and D. Simon,
+ "The Compound Authentication Binding Problem", Work in
+ Progress, October 2003.
+
+ [MD5Collision] Klima, V., "Tunnels in Hash Functions: MD5 Collisions
+ Within a Minute", Cryptology ePrint Archive, March
+ 2006, http://eprint.iacr.org/2006/105.pdf
+
+ [MishraPro] Mishra, A., Shin, M. and W. Arbaugh, "Pro-active Key
+ Distribution using Neighbor Graphs", IEEE Wireless
+ Communications, vol. 11, February 2004.
+
+ [RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)",
+ STD 51, RFC 1661, July 1994.
+
+ [RFC1968] Meyer, G., "The PPP Encryption Control Protocol
+ (ECP)", RFC 1968, June 1996.
+
+ [RFC2230] Atkinson, R., "Key Exchange Delegation Record for the
+ DNS", RFC 2230, November 1997.
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone,
+ D., and R. Wheeler, "A Method for Transmitting PPP
+ Over Ethernet (PPPoE)", RFC 2516, February 1999.
+
+ [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS
+ Attributes", RFC 2548, March 1999.
+
+ [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and
+ Policy Implementation in Roaming", RFC 2607, June
+ 1999.
+
+
+
+Aboba, et al. Standards Track [Page 70]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication
+ Protocol", RFC 2716, October 1999.
+
+ [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR
+ for specifying the location of services (DNS SRV)",
+ RFC 2782, February 2000.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for
+ DNS (TSIG)", RFC 2845, May 2000.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS)
+ Dynamic Update", RFC 3007, November 2000.
+
+ [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
+ RFC 3162, August 2001.
+
+ [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney,
+ "The Group Domain of Interpretation", RFC 3547, July
+ 2003.
+
+ [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote
+ Authentication Dial In User Service) Support For
+ Extensible Authentication Protocol (EAP)", RFC 3579,
+ September 2003.
+
+ [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.
+ Roese, "IEEE 802.1X Remote Authentication Dial In User
+ Service (RADIUS) Usage Guidelines", RFC 3580,
+ September 2003.
+
+ [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and
+ J. Arkko, "Diameter Base Protocol", RFC 3588,
+ September 2003.
+
+ [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
+ Public Keys Used For Exchanging Symmetric Keys", BCP
+ 86, RFC 3766, April 2004.
+
+ [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and
+ K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC
+ 3830, August 2004.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 71]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
+ "Diameter Network Access Server Application", RFC
+ 4005, August 2005.
+
+ [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
+ Authentication Protocol (EAP) Method Requirements for
+ Wireless LANs", RFC 4017, March 2005.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and
+ S. Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and
+ S. Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4067] Loughney, J., Ed., Nakhjiri, M., Perkins, C., and R.
+ Koodli, "Context Transfer Protocol (CXTP)", RFC 4067,
+ July 2005.
+
+ [RFC4072] Eronen, P., Ed., Hiller, T., and G. Zorn, "Diameter
+ Extensible Authentication Protocol (EAP) Application",
+ RFC 4072, August 2005.
+
+ [RFC4118] Yang, L., Zerfos, P., and E. Sadot, "Architecture
+ Taxonomy for Control and Provisioning of Wireless
+ Access Points (CAPWAP)", RFC 4118, June 2005.
+
+ [RFC4186] Haverinen, H., Ed., and J. Salowey, Ed., "Extensible
+ Authentication Protocol Method for Global System for
+ Mobile Communications (GSM) Subscriber Identity
+ Modules (EAP-SIM)", RFC 4186, January 2006.
+
+ [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
+ Protocol Method for 3rd Generation Authentication and
+ Key Agreement (EAP-AKA)", RFC 4187, January 2006.
+
+ [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
+ Network Access Identifier", RFC 4282, December 2005.
+
+ [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen,
+ "Identity Selection Hints for the Extensible
+ Authentication Protocol (EAP)", RFC 4284, January
+ 2006.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+
+
+
+Aboba, et al. Standards Track [Page 72]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
+ Protocol", RFC 4306, December 2005.
+
+ [RFC4372] Adrangi, F., Lior, A., Korhonen, J., and J. Loughney,
+ "Chargeable User Identity", RFC 4372, January 2006.
+
+ [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
+ Attributes Supporting Authentication in Point-to-Point
+ Protocol (PPP) and Wireless Local Area Networks
+ (WLAN)", RFC 4334, February 2006.
+
+ [RFC4535] Harney, H., Meth, U., Colegrove, A., and G. Gross,
+ "GSAKMP: Group Secure Association Key Management
+ Protocol", RFC 4535, June 2006.
+
+ [RFC4763] Vanderveen, M. and H. Soliman, "Extensible
+ Authentication Protocol Method for Shared-secret
+ Authentication and Key Establishment (EAP-SAKE)", RFC
+ 4763, November 2006.
+
+ [RFC4675] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS
+ Attributes for Virtual LAN and Priority Support", RFC
+ 4675, September 2006.
+
+ [RFC4718] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and
+ Implementation Guidelines", RFC 4718, October 2006.
+
+ [RFC4764] Bersani, F. and H. Tschofenig, "The EAP-PSK Protocol:
+ A Pre-Shared Key Extensible Authentication Protocol
+ (EAP) Method", RFC 4764, January 2007.
+
+ [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
+ Aboba, "Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)", RFC
+ 5176, January 2008.
+
+ [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
+ Authentication Protocol", RFC 5216, March 2008.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
+ Security (TLS) Protocol Version 1.2", RFC 5246, August
+ 2008.
+
+ [SP800-57] National Institute of Standards and Technology,
+ "Recommendation for Key Management", Special
+ Publication 800-57, May 2006.
+
+
+
+
+
+Aboba, et al. Standards Track [Page 73]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ [Token] Fantacci, R., Maccari, L., Pecorella, T., and F.
+ Frosali, "A secure and performant token-based
+ authentication for infrastructure and mesh 802.1X
+ networks", IEEE Conference on Computer Communications,
+ June 2006.
+
+ [Tokenk] Ohba, Y., Das, S., and A. Duttak, "Kerberized Handover
+ Keying: A Media-Independent Handover Key Management
+ Architecture", Mobiarch 2007.
+
+Acknowledgments
+
+ Thanks to Ashwin Palekar, Charlie Kaufman, and Tim Moore of
+ Microsoft, Jari Arkko of Ericsson, Dorothy Stanley of Aruba Networks,
+ Bob Moskowitz of TruSecure, Jesse Walker of Intel, Joe Salowey of
+ Cisco, and Russ Housley of Vigil Security for useful feedback.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 74]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+Appendix A - Exported Parameters in Existing Methods
+
+ This Appendix specifies Session-Id, Peer-Id, Server-Id and
+ Key-Lifetime for EAP methods that have been published prior to this
+ specification. Future EAP method specifications MUST include a
+ definition of the Session-Id, Peer-Id and Server-Id (could be the
+ null string). In the descriptions that follow, all fields comprising
+ the Session-Id are assumed to be in network byte order.
+
+ EAP-Identity
+
+ The EAP-Identity method is defined in [RFC3748]. It does not
+ derive keys, and therefore does not define the Session-Id. The
+ Peer-Id and Server-Id are the null string (zero length).
+
+ EAP-Notification
+
+ The EAP-Notification method is defined in [RFC3748]. It does not
+ derive keys and therefore does not define the Session-Id. The
+ Peer-Id and Server-Id are the null string (zero length).
+
+ EAP-MD5-Challenge
+
+ The EAP-MD5-Challenge method is defined in [RFC3748]. It does not
+ derive keys and therefore does not define the Session-Id. The
+ Peer-Id and Server-Id are the null string (zero length).
+
+ EAP-GTC
+
+ The EAP-GTC method is defined in [RFC3748]. It does not derive
+ keys and therefore does not define the Session-Id. The Peer-Id
+ and Server-Id are the null string (zero length).
+
+ EAP-OTP
+
+ The EAP-OTP method is defined in [RFC3748]. It does not derive
+ keys and therefore does not define the Session-Id. The Peer-Id
+ and Server-Id are the null string (zero length).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 75]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ EAP-AKA
+
+ EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the
+ concatenation of the EAP Type Code (0x17) with the contents of the
+ RAND field from the AT_RAND attribute, followed by the contents of
+ the AUTN field in the AT_AUTN attribute:
+
+ Session-Id = 0x17 || RAND || AUTN
+
+ The Peer-Id is the contents of the Identity field from the
+ AT_IDENTITY attribute, using only the Actual Identity Length
+ octets from the beginning, however. Note that the contents are
+ used as they are transmitted, regardless of whether the
+ transmitted identity was a permanent, pseudonym, or fast EAP
+ re-authentication identity. The Server-Id is the null string
+ (zero length).
+
+ EAP-SIM
+
+ EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the
+ concatenation of the EAP Type Code (0x12) with the contents of the
+ RAND field from the AT_RAND attribute, followed by the contents of
+ the NONCE_MT field in the AT_NONCE_MT attribute:
+
+ Session-Id = 0x12 || RAND || NONCE_MT
+
+ The Peer-Id is the contents of the Identity field from the
+ AT_IDENTITY attribute, using only the Actual Identity Length
+ octets from the beginning, however. Note that the contents are
+ used as they are transmitted, regardless of whether the
+ transmitted identity was a permanent, pseudonym, or fast EAP
+ re-authentication identity. The Server-Id is the null string
+ (zero length).
+
+ EAP-PSK
+
+ EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the
+ concatenation of the EAP Type Code (0x2F) with the peer (RAND_P)
+ and server (RAND_S) nonces:
+
+ Session-Id = 0x2F || RAND_P || RAND_S
+
+ The Peer-Id is the contents of the ID_P field and the Server-Id is
+ the contents of the ID_S field.
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 76]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+ EAP-SAKE
+
+ EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the
+ concatenation of the EAP Type Code (0x30) with the contents of the
+ RAND_S field from the AT_RAND_S attribute, followed by the
+ contents of the RAND_P field in the AT_RAND_P attribute:
+
+ Session-Id = 0x30 || RAND_S || RAND_P
+
+ Note that the EAP-SAKE Session-Id is not the same as the "Session
+ ID" parameter chosen by the Server, which is sent in the first
+ message, and replicated in subsequent messages. The Peer-Id is
+ contained within the value field of the AT_PEERID attribute and
+ the Server-Id, if available, is contained in the value field of
+ the AT_SERVERID attribute.
+
+ EAP-TLS
+
+ For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in
+ [RFC5216].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 77]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+Authors' Addresses
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: bernarda@microsoft.com
+ Phone: +1 425 706 6605
+ Fax: +1 425 936 7329
+
+ Dan Simon
+ Microsoft Research
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: dansimon@microsoft.com
+ Phone: +1 425 706 6711
+ Fax: +1 425 936 7329
+
+ Pasi Eronen
+ Nokia Research Center
+ P.O. Box 407
+ FIN-00045 Nokia Group
+ Finland
+
+ EMail: pasi.eronen@nokia.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 78]
+
+RFC 5247 EAP Key Management Framework August 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, et al. Standards Track [Page 79]
+