summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5931.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5931.txt')
-rw-r--r--doc/rfc/rfc5931.txt2243
1 files changed, 2243 insertions, 0 deletions
diff --git a/doc/rfc/rfc5931.txt b/doc/rfc/rfc5931.txt
new file mode 100644
index 0000000..2f9c3cd
--- /dev/null
+++ b/doc/rfc/rfc5931.txt
@@ -0,0 +1,2243 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) D. Harkins
+Request for Comments: 5931 Aruba Networks
+Category: Informational G. Zorn
+ISSN: 2070-1721 Network Zen
+ August 2010
+
+
+ Extensible Authentication Protocol (EAP) Authentication
+ Using Only a Password
+
+Abstract
+
+ This memo describes an Extensible Authentication Protocol (EAP)
+ method, EAP-pwd, which uses a shared password for authentication.
+ The password may be a low-entropy one and may be drawn from some set
+ of possible passwords, like a dictionary, which is available to an
+ attacker. The underlying key exchange is resistant to active attack,
+ passive attack, and dictionary attack.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5931.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 1]
+
+RFC 5931 EAP Password August 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Keyword Definitions . . . . . . . . . . . . . . . . . . . 4
+ 1.3. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.3.1. Resistance to Passive Attack . . . . . . . . . . . . . 4
+ 1.3.2. Resistance to Active Attack . . . . . . . . . . . . . 5
+ 1.3.3. Resistance to Dictionary Attack . . . . . . . . . . . 5
+ 1.3.4. Forward Secrecy . . . . . . . . . . . . . . . . . . . 5
+ 2. Specification of EAP-pwd . . . . . . . . . . . . . . . . . . . 5
+ 2.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.2. Discrete Logarithm Cryptography . . . . . . . . . . . . . 7
+ 2.2.1. Finite Field Cryptography . . . . . . . . . . . . . . 7
+ 2.2.2. Elliptic Curve Cryptography . . . . . . . . . . . . . 8
+ 2.3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.4. Instantiating the Random Function . . . . . . . . . . . . 9
+ 2.5. Key Derivation Function . . . . . . . . . . . . . . . . . 10
+ 2.6. Random Numbers . . . . . . . . . . . . . . . . . . . . . . 10
+ 2.7. Representation and Processing of Input Strings . . . . . . 11
+ 2.7.1. Identity Strings . . . . . . . . . . . . . . . . . . . 11
+
+
+
+Harkins & Zorn Informational [Page 2]
+
+RFC 5931 EAP Password August 2010
+
+
+ 2.7.2. Passwords . . . . . . . . . . . . . . . . . . . . . . 11
+ 2.8. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 2.8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . 12
+ 2.8.2. Message Flows . . . . . . . . . . . . . . . . . . . . 12
+ 2.8.3. Fixing the Password Element . . . . . . . . . . . . . 14
+ 2.8.3.1. ECC Operation for PWE . . . . . . . . . . . . . . 15
+ 2.8.3.2. FFC Operation for pwe . . . . . . . . . . . . . . 16
+ 2.8.4. Message Construction . . . . . . . . . . . . . . . . . 16
+ 2.8.4.1. ECC Groups . . . . . . . . . . . . . . . . . . . . 16
+ 2.8.4.2. FFC Groups . . . . . . . . . . . . . . . . . . . . 17
+ 2.8.5. Message Processing . . . . . . . . . . . . . . . . . . 18
+ 2.8.5.1. EAP-pwd-ID Exchange . . . . . . . . . . . . . . . 18
+ 2.8.5.2. EAP-pwd-Commit Exchange . . . . . . . . . . . . . 20
+ 2.8.5.3. EAP-pwd-Confirm Exchange . . . . . . . . . . . . . 21
+ 2.9. Management of EAP-pwd Keys . . . . . . . . . . . . . . . . 22
+ 2.10. Mandatory-to-Implement Parameters . . . . . . . . . . . . 23
+ 3. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 3.1. EAP-pwd Header . . . . . . . . . . . . . . . . . . . . . . 23
+ 3.2. EAP-pwd Payloads . . . . . . . . . . . . . . . . . . . . . 25
+ 3.2.1. EAP-pwd-ID . . . . . . . . . . . . . . . . . . . . . . 25
+ 3.2.2. EAP-pwd-Commit . . . . . . . . . . . . . . . . . . . . 26
+ 3.2.3. EAP-pwd-Confirm . . . . . . . . . . . . . . . . . . . 27
+ 3.3. Representation of Group Elements and Scalars . . . . . . . 27
+ 3.3.1. Elements in FFC Groups . . . . . . . . . . . . . . . . 27
+ 3.3.2. Elements in ECC Groups . . . . . . . . . . . . . . . . 28
+ 3.3.3. Scalars . . . . . . . . . . . . . . . . . . . . . . . 28
+ 4. Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 31
+ 6.1. Resistance to Passive Attack . . . . . . . . . . . . . . . 31
+ 6.2. Resistance to Active Attack . . . . . . . . . . . . . . . 31
+ 6.3. Resistance to Dictionary Attack . . . . . . . . . . . . . 32
+ 6.4. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 34
+ 6.5. Group Strength . . . . . . . . . . . . . . . . . . . . . . 34
+ 6.6. Random Functions . . . . . . . . . . . . . . . . . . . . . 34
+ 7. Security Claims . . . . . . . . . . . . . . . . . . . . . . . 35
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 37
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . . 38
+ 9.2. Informative References . . . . . . . . . . . . . . . . . . 38
+
+
+
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 3]
+
+RFC 5931 EAP Password August 2010
+
+
+1. Introduction
+
+1.1. Background
+
+ The predominant access method for the Internet today is that of a
+ human using a username and password to authenticate to a computer
+ enforcing access control. Proof of knowledge of the password
+ authenticates the human and computer.
+
+ Typically these passwords are not stored on a user's computer for
+ security reasons and must be entered each time the human desires
+ network access. Therefore, the passwords must be ones that can be
+ repeatedly entered by a human with a low probability of error. They
+ will likely not possess high-entropy, and it may be assumed that an
+ adversary with access to a dictionary will have the ability to guess
+ a user's password. It is therefore desirable to have a robust
+ authentication method that is secure even when used with a weak
+ password in the presence of a strong adversary.
+
+ EAP-pwd is an EAP method that addresses the problem of password-based
+ authenticated key exchange -- using a possibly weak password for
+ authentication to derive an authenticated and cryptographically
+ strong shared secret. This problem was first described by Bellovin
+ and Merritt in [BM92] and [BM93]. There have been a number of
+ subsequent suggestions ([JAB96], [LUC97], [BMP00], and others) for
+ password-based authenticated key exchanges.
+
+1.2. Keyword Definitions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+1.3. Requirements
+
+ Any protocol that claims to solve the problem of password-
+ authenticated key exchange must be resistant to active, passive, and
+ dictionary attack and have the quality of forward secrecy. These
+ characteristics are discussed further in the following sections.
+
+1.3.1. Resistance to Passive Attack
+
+ A passive, or benign, attacker is one that merely relays messages
+ back and forth between the peer and server, faithfully, and without
+ modification. The contents of the messages are available for
+ inspection, but that is all. To achieve resistance to passive
+ attack, such an attacker must not be able to obtain any information
+ about the password or anything about the resulting shared secret from
+
+
+
+Harkins & Zorn Informational [Page 4]
+
+RFC 5931 EAP Password August 2010
+
+
+ watching repeated runs of the protocol. Even if a passive attacker
+ is able to learn the password, she will not be able to determine any
+ information about the resulting secret shared by the peer and server.
+
+1.3.2. Resistance to Active Attack
+
+ An active attacker is able to modify, add, delete, and replay
+ messages sent between protocol participants. For this protocol to be
+ resistant to active attack, the attacker must not be able to obtain
+ any information about the password or the shared secret by using any
+ of its capabilities. In addition, the attacker must not be able to
+ fool a protocol participant into thinking that the protocol completed
+ successfully.
+
+ It is always possible for an active attacker to deny delivery of a
+ message critical in completing the exchange. This is no different
+ than dropping all messages and is not an attack against the protocol.
+
+1.3.3. Resistance to Dictionary Attack
+
+ For this protocol to be resistant to dictionary attack, any advantage
+ an adversary can gain must be directly related to the number of
+ interactions she makes with an honest protocol participant and not
+ through computation. The adversary will not be able to obtain any
+ information about the password except whether a single guess from a
+ single protocol run is correct or incorrect.
+
+1.3.4. Forward Secrecy
+
+ Compromise of the password must not provide any information about the
+ secrets generated by earlier runs of the protocol.
+
+2. Specification of EAP-pwd
+
+2.1. Notation
+
+ The following notation is used in this memo:
+
+ peer-ID
+ The peer's identity, the peer NAI [RFC4282].
+
+ server-ID
+ A string that identifies the server to the peer.
+
+ password
+ The password shared between the peer and server.
+
+
+
+
+
+Harkins & Zorn Informational [Page 5]
+
+RFC 5931 EAP Password August 2010
+
+
+ y = H(x)
+ The binary string x is given to a function H, which produces a
+ fixed-length output y.
+
+ a | b
+ The concatenation of string a with string b.
+
+ [a]b
+ A string consisting of the single bit "a" repeated "b" times.
+
+ x mod y
+ The remainder of division of x by y. The result will be between
+ 0 and y.
+
+ g^x mod p
+ The multiplication of the value "g" with itself "x" times, modulo
+ the value "p".
+
+ inv(Q)
+ The inverse of an element, Q, from a finite field.
+
+ len(x)
+ The length in bits of the string x.
+
+ chop(x, y)
+ The reduction of string x, being at least y bits in length, to y
+ bits.
+
+ PRF(x,y)
+ A pseudo-random function that takes a key, x, and variable-length
+ data, y, and produces a fixed-length output that cannot be
+ distinguished (with a significant advantage) from a random
+ source.
+
+ LSB(x)
+ Returns the least-significant bit of the bitstring "x".
+
+ Ciphersuite
+ An encoding of a group to use with EAP-pwd, the definition of
+ function H, and a PRF, in that order.
+
+ MK
+ The Master Key is generated by EAP-pwd. This is a high-entropy
+ secret whose length depends on the random function used.
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 6]
+
+RFC 5931 EAP Password August 2010
+
+
+ MSK
+ The Master Session Key exported by EAP-pwd. This is a high-
+ entropy secret 512 bits in length.
+
+ EMSK
+ The Extended Master Session Key exported by EAP-pwd. This is a
+ high-entropy secret 512 bits in length.
+
+2.2. Discrete Logarithm Cryptography
+
+ This protocol uses discrete logarithm cryptography to achieve
+ authentication and key agreement (see [SP800-56A]). Each party to
+ the exchange derives ephemeral keys with respect to a particular set
+ of domain parameters (referred to here as a "group"). A group can be
+ based on Finite Field Cryptography (FFC) or Elliptic Curve
+ Cryptography (ECC).
+
+2.2.1. Finite Field Cryptography
+
+ Domain parameters for the FFC groups used by EAP-pwd include:
+
+ o A prime, p, determining a prime field GF(p), the integers modulo
+ p. The FFC group will be a subgroup of GF(p)*, the multiplicative
+ group of non-zero elements in GF(p). The group operation for FFC
+ groups is multiplication modulo p.
+
+ o An element, G, in GF(p)* which serves as a generator for the FFC
+ group. G is chosen such that its multiplicative order is a
+ sufficiently large prime divisor of ((p-1)/2).
+
+ o A prime, r, which is the multiplicative order of G, and thus also
+ the size of the cryptographic subgroup of GF(p)* that is generated
+ by G.
+
+ An integer scalar, x, acts on an FFC group element, Y, via
+ exponentiation modulo p -- Y^x mod p.
+
+ The inverse function for an FFC group is defined such that the
+ product of an element and its inverse modulo the group prime equals
+ one (1). In other words,
+
+ (q * inv(q)) mod p = 1
+
+ EAP-pwd uses an IANA registry for the definition of groups. Some FFC
+ groups in this registry are based on safe primes and the order is not
+ included in the domain parameters. In this case only, the order, r,
+ MUST be computed as the prime minus one divided by two -- (p-1)/2.
+ If the definition of the group includes an order in its domain
+
+
+
+Harkins & Zorn Informational [Page 7]
+
+RFC 5931 EAP Password August 2010
+
+
+ parameters, that value MUST be used in this exchange when an order is
+ called for. If an FFC group definition does not have an order in its
+ domain parameters and it is not based on a safe prime, it MUST NOT be
+ used with EAP-pwd.
+
+2.2.2. Elliptic Curve Cryptography
+
+ Domain parameters for the ECC groups used by EAP-pwd include:
+
+ o A prime, p, determining a prime field GF(p). The cryptographic
+ group will be a subgroup of the full elliptic curve group that
+ consists of points on an elliptic curve -- elements from GF(p)
+ that satisfy the curve's equation -- together with the "point at
+ infinity" that serves as the identity element. The group
+ operation for ECC groups is addition of points on the elliptic
+ curve.
+
+ o Elements a and b from GF(p) that define the curve's equation. The
+ point (x, y) in GF(p) x GF(p) is on the elliptic curve if and only
+ if (y^2 - x^3 - a*x - b) mod p equals zero (0).
+
+ o A point, G, on the elliptic curve, which serves as a generator for
+ the ECC group. G is chosen such that its order, with respect to
+ elliptic curve addition, is a sufficiently large prime.
+
+ o A prime, r, which is the order of G, and thus is also the size of
+ the cryptographic subgroup that is generated by G.
+
+ o A co-factor, f, defined by the requirement that the size of the
+ full elliptic curve group (including the "point at infinity") is
+ the product of f and r.
+
+ An integer scalar, x, acts on an ECC group element, Y, via repetitive
+ addition (Y is added to itself x times), also called point
+ multiplication -- x * Y.
+
+ The inverse function for an ECC group is defined such that the sum of
+ an element and its inverse is the "point at infinity" (the identity
+ for elliptic curve point addition). In other words,
+
+ Q + inv(Q) = "O"
+
+ Only ECC groups over GF(p) can be used by EAP-pwd. ECC groups over
+ GF(2^m) SHALL NOT be used by EAP-pwd. While such groups exist in the
+ IANA registry used by EAP-pwd, their use in EAP-pwd is not defined.
+ In addition, ECC groups with a co-factor greater than one (1) SHALL
+ NOT be used by EAP-pwd. At the time of publication, no such groups
+ existed in the IANA registry used by EAP-pwd.
+
+
+
+Harkins & Zorn Informational [Page 8]
+
+RFC 5931 EAP Password August 2010
+
+
+2.3. Assumptions
+
+ In order to see how the protocol addresses the requirements above
+ (see Section 1.3), it is necessary to state some assumptions under
+ which the protocol can be evaluated. They are:
+
+ 1. Function H maps a binary string of indeterminate length onto a
+ fixed binary string that is x bits in length.
+
+ H: {0,1}^* --> {0,1}^x
+
+ 2. Function H is a "random oracle" (see [RANDOR]). Given knowledge
+ of the input to H, an adversary is unable to distinguish the
+ output of H from a random data source.
+
+ 3. Function H is a one-way function. Given the output of H, it is
+ computationally infeasible for an adversary to determine the
+ input.
+
+ 4. For any given input to function H, each of the 2^x possible
+ outputs are equally probable.
+
+ 5. The discrete logarithm problem for the chosen group is hard.
+ That is, given g, p, and y = g^x mod p, it is computationally
+ infeasible to determine x. Similarly, for an ECC group given the
+ curve definition, a generator G, and Y = x * G, it is
+ computationally infeasible to determine x.
+
+ 6. There exists a pool of passwords from which the password shared
+ by the peer and server is drawn. This pool can consist of words
+ from a dictionary, for example. Each password in this pool has
+ an equal probability of being the shared password. All potential
+ attackers have access to this pool of passwords.
+
+2.4. Instantiating the Random Function
+
+ The protocol described in this memo uses a random function, H. As
+ noted in Section 2.3, this is a "random oracle" as defined in
+ [RANDOR]. At first glance, one may view this as a hash function. As
+ noted in [RANDOR], though, hash functions are too structured to be
+ used directly as a random oracle. But they can be used to
+ instantiate the random oracle.
+
+ The random function, H, in this memo is instantiated by HMAC-SHA256
+ (see [RFC4634]) with a key whose length is 32 octets and whose value
+ is zero. In other words,
+
+ H(x) = HMAC-SHA-256([0]32, x)
+
+
+
+Harkins & Zorn Informational [Page 9]
+
+RFC 5931 EAP Password August 2010
+
+
+2.5. Key Derivation Function
+
+ The keys output by this protocol, MSK and EMSK, are each 512 bits in
+ length. The shared secret that results from the successful
+ termination of this protocol is only 256 bits. Therefore, it is
+ necessary to stretch the shared secret using a key derivation
+ function (KDF).
+
+ The KDF used in this protocol has a counter-mode with feedback
+ construction using a generic pseudo-random function (PRF), according
+ to [SP800-108]. The specific value of the PRF is specified along
+ with the random function and group when the server sends the first
+ EAP-pwd packet to the peer.
+
+ The KDF takes a key to stretch, a label to bind into the key, and an
+ indication of the desired length of the output in bits. It uses two
+ internal variables, i and L, each of which is 16 bits in length and
+ is represented in network order. Algorithmically, it is:
+
+ KDF(key, label, length) {
+ i = 1
+ L = length
+ K(1) = PRF(key, i | label | L)
+ res = K(1)
+ while (len(res) < length)
+ do
+ i = i + 1
+ K(i) = PRF(key, K(i-1) | i | label | L)
+ res = res | K(i)
+ done
+ return chop(res, length)
+ }
+
+ Figure 1: Key Derivation Function
+
+2.6. Random Numbers
+
+ The security of EAP-pwd relies upon each side, the peer and server,
+ producing quality secret random numbers. A poor random number chosen
+ by either side in a single exchange can compromise the shared secret
+ from that exchange and open up the possibility of dictionary attack.
+
+ Producing quality random numbers without specialized hardware entails
+ using a cryptographic mixing function (like a strong hash function)
+ to distill entropy from multiple, uncorrelated sources of information
+ and events. A very good discussion of this can be found in
+ [RFC4086].
+
+
+
+
+Harkins & Zorn Informational [Page 10]
+
+RFC 5931 EAP Password August 2010
+
+
+2.7. Representation and Processing of Input Strings
+
+2.7.1. Identity Strings
+
+ The strings representing the server identity and peer identity MUST
+ follow the requirements of [RFC4282] for Network Access Identifiers.
+ This ensures a canonical representation of identities by both ends of
+ the conversation prior to their use in EAP-pwd.
+
+2.7.2. Passwords
+
+ EAP-pwd requires passwords be input as binary strings. For the
+ protocol to successfully terminate, each side must produce identical
+ binary strings from the password. This imposes processing
+ requirements on a password prior to its use.
+
+ Three techniques for password pre-processing exist for EAP-pwd:
+
+ o None: The input password string SHALL be treated as an ASCII
+ string or a hexadecimal string with no treatment or normalization
+ performed. The output SHALL be the binary representation of the
+ input string.
+
+ o RFC 2759: The input password string SHALL be processed to produce
+ the output PasswordHashHash, as defined in [RFC2759], including
+ any approved errata to [RFC2759]. This technique is useful when
+ the server does not have access to the plaintext password.
+
+ o SASLprep: The input password string is processed according to the
+ rules of the [RFC4013] profile of [RFC3454]. A password SHALL be
+ considered a "stored string" per [RFC3454], and unassigned code
+ points are therefore prohibited. The output SHALL be the binary
+ representation of the processed UTF-8 character string.
+ Prohibited output and unassigned codepoints encountered in
+ SASLprep pre-processing SHALL cause a failure of pre-processing,
+ and the output SHALL NOT be used with EAP-pwd.
+
+ Changing a password is out of scope of EAP-pwd, but due to the
+ ambiguities in the way internationalized character strings are
+ handled, 1) it SHOULD be done using SASLprep to ensure a canonical
+ representation of the new password is stored on the server, and 2)
+ subsequent invocations of EAP-pwd SHOULD use SASLprep to ensure that
+ the client generates an identical binary string from the input
+ password.
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 11]
+
+RFC 5931 EAP Password August 2010
+
+
+2.8. Protocol
+
+2.8.1. Overview
+
+ EAP is a two-party protocol spoken between an EAP peer and an
+ authenticator. For scaling purposes, the functionality of the
+ authenticator that speaks EAP is frequently broken out into a stand-
+ alone EAP server. In this case, the EAP peer communicates with an
+ EAP server through the authenticator, with the authenticator merely
+ being a passthrough.
+
+ An EAP method defines the specific authentication protocol being used
+ by EAP. This memo defines a particular method and therefore defines
+ the messages sent between the EAP server (or the "EAP server"
+ functionality in an authenticator if it is not broken out) and the
+ EAP peer for the purposes of authentication and key derivation.
+
+2.8.2. Message Flows
+
+ EAP-pwd defines three message exchanges: an Identity exchange, a
+ Commit exchange, and a Confirm exchange. A successful authentication
+ is shown in Figure 2.
+
+ The peer and server use the Identity exchange to discover each
+ other's identities and to agree upon a Ciphersuite to use in the
+ subsequent exchanges; in addition, the EAP Server uses the EAP-pwd-
+ ID/Request message to inform the client of any password pre-
+ processing that may be required. In the Commit exchange, the peer
+ and server exchange information to generate a shared key and also to
+ bind each other to a particular guess of the password. In the
+ Confirm exchange, the peer and server prove liveness and knowledge of
+ the password by generating and verifying verification data.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 12]
+
+RFC 5931 EAP Password August 2010
+
+
+ +--------+ +--------+
+ | | EAP-pwd-ID/Request | |
+ | EAP |<------------------------------------| EAP |
+ | peer | | server |
+ | | EAP-pwd-ID/Response | |
+ | |------------------------------------>| |
+ | | | |
+ | | EAP-pwd-Commit/Request | |
+ | |<------------------------------------| |
+ | | | |
+ | | EAP-pwd-Commit/Response | |
+ | |------------------------------------>| |
+ | | | |
+ | | EAP-pwd-Confirm/Request | |
+ | |<------------------------------------| |
+ | | | |
+ | | EAP-pwd-Confirm/Response | |
+ | |------------------------------------>| |
+ | | | |
+ | | EAP-Success | |
+ | |<------------------------------------| |
+ +--------+ +--------+
+
+ Figure 2: A Successful EAP-pwd Exchange
+
+ The components of the EAP-pwd-* messages are as follows:
+
+ EAP-pwd-ID/Request
+ Ciphersuite, Token, Password Processing Method, Server_ID
+
+ EAP-pwd-ID/Response
+ Ciphersuite, Token, Password Processing Method, Peer_ID
+
+ EAP-pwd-Commit/Request
+ Scalar_S, Element_S
+
+ EAP-pwd-Commit/Response
+ Scalar_P, Element_P
+
+ EAP-pwd-Confirm/Request
+ Confirm_S
+
+ EAP-pwd-Confirm/Response
+ Confirm_P
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 13]
+
+RFC 5931 EAP Password August 2010
+
+
+2.8.3. Fixing the Password Element
+
+ Once the EAP-pwd-ID exchange is completed, the peer and server use
+ each other's identities and the agreed upon ciphersuite to fix an
+ element in the negotiated group called the Password Element (PWE or
+ pwe, for an element in an ECC group or an FFC group, respectively).
+ The resulting element must be selected in a deterministic fashion
+ using the password but must result in selection of an element that
+ will not leak any information about the password to an attacker.
+ From the point of view of an attacker who does not know the password,
+ the Password Element will be a random element in the negotiated
+ group.
+
+ To properly fix the Password Element, both parties must have a common
+ view of the string "password". Therefore, if a password pre-
+ processing algorithm was negotiated during the EAP-pwd-ID exchange,
+ the client MUST perform the specified password pre-processing prior
+ to fixing the Password Element.
+
+ Fixing the Password Element involves an iterative hunting-and-pecking
+ technique using the prime from the negotiated group's domain
+ parameter set and an ECC- or FFC-specific operation depending on the
+ negotiated group.
+
+ First, an 8-bit counter is set to the value one (1). Then, the
+ agreed-upon random function is used to generate a password seed from
+ the identities and the anti-clogging token from the EAP-pwd-ID
+ exchange (see Section 2.8.5.1):
+
+ pwd-seed = H(token | peer-ID | server-ID | password | counter)
+
+ Then, the pwd-seed is expanded using the KDF from the agreed-upon
+ Ciphersuite out to the length of the prime:
+
+ pwd-value = KDF(pwd-seed, "EAP-pwd Hunting And Pecking", len(p))
+
+ If the pwd-value is greater than or equal to the prime, p, the
+ counter is incremented, and a new pwd-seed is generated and the
+ hunting-and-pecking continues. If pwd-value is less than the prime,
+ p, it is passed to the group-specific operation which either returns
+ the selected Password Element or fails. If the group-specific
+ operation fails, the counter is incremented, a new pwd-seed is
+ generated, and the hunting-and-pecking continues. This process
+ continues until the group-specific operation returns the Password
+ Element.
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 14]
+
+RFC 5931 EAP Password August 2010
+
+
+2.8.3.1. ECC Operation for PWE
+
+ The group-specific operation for ECC groups uses pwd-value, pwd-seed,
+ and the equation for the curve to produce the Password Element.
+ First, pwd-value is used directly as the x-coordinate, x, with the
+ equation for the elliptic curve, with parameters a and b from the
+ domain parameter set of the curve, to solve for a y-coordinate, y.
+ If there is no solution to the quadratic equation, this operation
+ fails and the hunting-and-pecking process continues. If a solution
+ is found, then an ambiguity exists as there are technically two
+ solutions to the equation and pwd-seed is used to unambiguously
+ select one of them. If the low-order bit of pwd-seed is equal to the
+ low-order bit of y, then a candidate PWE is defined as the point
+ (x, y); if the low-order bit of pwd-seed differs from the low-order
+ bit of y, then a candidate PWE is defined as the point (x, p - y),
+ where p is the prime over which the curve is defined. The candidate
+ PWE becomes PWE, and the hunting and pecking terminates successfully.
+
+ Algorithmically, the process looks like this:
+
+ found = 0
+ counter = 1
+ do {
+ pwd-seed = H(token | peer-ID | server-ID | password | counter)
+ pwd-value = KDF(pwd-seed, "EAP-pwd Hunting And Pecking", len(p))
+ if (pwd-value < p)
+ then
+ x = pwd-value
+ if ( (y = sqrt(x^3 + ax + b)) != FAIL)
+ then
+ if (LSB(y) == LSB(pwd-seed))
+ then
+ PWE = (x, y)
+ else
+ PWE = (x, p-y)
+ fi
+ found = 1
+ fi
+ fi
+ counter = counter + 1
+ } while (found == 0)
+
+ Figure 3: Fixing PWE for ECC Groups
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 15]
+
+RFC 5931 EAP Password August 2010
+
+
+2.8.3.2. FFC Operation for pwe
+
+ The group-specific operation for FFC groups takes pwd-value, and the
+ prime, p, and order, r, from the group's domain parameter set (see
+ Section 2.2.1 when the order is not part of the defined domain
+ parameter set) to directly produce a candidate Password Element, pwe,
+ by exponentiating the pwd-value to the value ((p-1)/r) modulo the
+ prime. If the result is greater than one (1), the candidate pwe
+ becomes pwe, and the hunting and pecking terminates successfully.
+
+ Algorithmically, the process looks like this:
+
+ found = 0
+ counter = 1
+ do {
+ pwd-seed = H(token | peer-ID | server-ID | password | counter)
+ pwd-value = KDF(pwd-seed, "EAP-pwd Hunting And Pecking", len(p))
+ if (pwd-value < p)
+ then
+ pwe = pwd-value ^ ((p-1)/r) mod p
+ if (pwe > 1)
+ then
+ found = 1
+ fi
+ fi
+ counter = counter + 1
+ } while (found == 0)
+
+ Figure 4: Fixing PWE for FFC Groups
+
+2.8.4. Message Construction
+
+ After the EAP-pwd Identity exchange, the construction of the
+ components of subsequent messages depends on the type of group from
+ the ciphersuite (ECC or FFC). This section provides an overview of
+ the authenticated key exchange. For a complete description of
+ message generation and processing, see Sections 2.8.5.2 and 2.8.5.3.
+
+2.8.4.1. ECC Groups
+
+ Using the mapping function F() defined in Section 2.2.2 and the group
+ order r:
+
+ Server: EAP-pwd-Commit/Request
+ - choose two random numbers, 1 < s_rand, s_mask < r
+ - compute Scalar_S = (s_rand + s_mask) mod r
+ - compute Element_S = inv(s_mask * PWE)
+
+
+
+
+Harkins & Zorn Informational [Page 16]
+
+RFC 5931 EAP Password August 2010
+
+
+ Element_S and Scalar_S are used to construct EAP-pwd-Commit/Request
+
+ Peer: EAP-pwd-Commit/Response
+ - choose two random numbers, 1 < p_rand, p_mask < r
+ - compute Scalar_P = (p_rand + p_mask) mod r
+ - compute Element_P = inv(p_mask * PWE)
+
+ Element_P and Scalar_P are used to construct EAP-pwd-Commit/Response
+
+ Server: EAP-pwd-Confirm/Request
+ - compute KS = (s_rand * (Scalar_P * PWE + Element_P))
+ - compute ks = F(KS)
+ - compute Confirm_S = H(ks | Element_S | Scalar_S |
+ Element_P | Scalar_P | Ciphersuite)
+
+ Confirm_S is used to construct EAP-pwd-Confirm/Request
+
+ Peer: EAP-pwd-Confirm/Response
+ - compute KP = (p_rand * (Scalar_S * PWE + Element_S)),
+ - compute kp = F(KP)
+ - compute Confirm_P = H(kp | Element_P | Scalar_P |
+ Element_S | Scalar_S | Ciphersuite)
+
+ Confirm_P is used to construct EAP-pwd-Confirm/Response
+
+ The EAP Server computes the shared secret as:
+ MK = H(ks | Confirm_P | Confirm_S)
+
+ The EAP Peer computes the shared secret as:
+ MK = H(kp | Confirm_P | Confirm_S)
+
+
+ The MSK and EMSK are derived from MK per Section 2.9.
+
+2.8.4.2. FFC Groups
+
+ There is no mapping function, F(), required for an FFC group. Using
+ the order, r, for the group (see Section 2.2.1 when the order is not
+ part of the defined domain parameters):
+
+ Server: EAP-pwd-Commit/Request
+ - choose two random numbers, 1 < s_rand, s_mask < r
+ - compute Scalar_S = (s_rand + s_mask) mod r
+ - compute Element_S = inv(pwe^s_mask mod p)
+
+ Element_S and Scalar_S are used to construct EAP-pwd-Commit/Request
+
+
+
+
+
+Harkins & Zorn Informational [Page 17]
+
+RFC 5931 EAP Password August 2010
+
+
+ Peer: EAP-pwd-Commit/Response
+ - choose random two numbers, 1 < p_rand, p_mask < r
+ - compute Scalar_P = (p_rand + p_mask) mod r
+ - compute Element_P = inv(pwe^p_mask mod p)
+
+ Element_P and Scalar_P are used to construct EAP-pwd-Commit/Response
+
+ Server: EAP-pwd-Confirm/Request
+ - compute ks = ((pwe^Scalar_P mod p) * Element_P)^s_rand mod p
+ - compute Confirm_S = H(ks | Element_S | Scalar_S |
+ Element_P | Scalar_P | Ciphersuite)
+
+ Confirm_S is used to construct EAP-pwd-Confirm/Request
+
+ Peer: EAP-pwd-Confirm/Response
+ - compute kp = ((pwe^Scalar_S mod p) * Element_S)^p_rand mod p
+ - compute Confirm_P = H(kp | Element_P | Scalar_P |
+ Element_S | Scalar_S | Ciphersuite)
+
+ Confirm_P is used to construct EAP-pwd-Confirm/Request
+
+ The EAP Server computes the shared secret as:
+ MK = H(ks | Confirm_P | Confirm_S)
+
+ The EAP Peer computes the shared secret as:
+ MK = H(kp | Confirm_P | Confirm_S)
+
+
+ The MSK and EMSK are derived from MK per Section 2.9.
+
+2.8.5. Message Processing
+
+2.8.5.1. EAP-pwd-ID Exchange
+
+ Although EAP provides an Identity method to determine the identity of
+ the peer, the value in the Identity Response may have been truncated
+ or obfuscated to provide privacy or decorated for routing purposes
+ [RFC3748], making it inappropriate for usage by the EAP-pwd method.
+ Therefore, the EAP-pwd-ID exchange is defined for the purpose of
+ exchanging identities between the peer and server.
+
+ The EAP-pwd-ID/Request contains the following quantities:
+
+ o a ciphersuite
+
+ o a representation of the server's identity per Section 2.7.1
+
+
+
+
+
+Harkins & Zorn Informational [Page 18]
+
+RFC 5931 EAP Password August 2010
+
+
+ o an anti-clogging token
+
+ o a password pre-processing method
+
+ The ciphersuite specifies the finite cyclic group, random function,
+ and PRF selected by the server for use in the subsequent
+ authentication exchange.
+
+ The value of the anti-clogging token MUST be unpredictable and SHOULD
+ NOT be from a source of random entropy. The purpose of the anti-
+ clogging token is to provide the server an assurance that the peer
+ constructing the EAP-pwd-ID/Response is genuine and not part of a
+ flooding attack.
+
+ A password pre-processing method is communicated to ensure
+ interoperability by producing a canonical representation of the
+ password string between the peer and server (see Section 2.7.2).
+
+ The EAP-pwd-ID/Request is constructed according to Section 3.2.1 and
+ is transmitted to the peer.
+
+ Upon receipt of an EAP-pwd-ID/Request, the peer determines whether
+ the ciphersuite and pre-processing method are acceptable. If not,
+ the peer MUST respond with an EAP-NAK. If acceptable, the peer
+ responds to the EAP-pwd-ID/Request with an EAP-pwd-ID/Response,
+ constructed according to Section 3.2.1, that acknowledges the
+ Ciphersuite, token, and pre-processing method and then adds its
+ identity. After sending the EAP-pwd-ID/Response, the peer has the
+ identity of the server (from the Request), its own identity (it
+ encoded in the Response), a password pre-processing algorithm, and it
+ can compute the Password Element as specified in Section 2.8.3. The
+ Password Element is stored in state allocated for this exchange.
+
+ The EAP-pwd-ID/Response acknowledges the Ciphersuite from the
+ Request, acknowledges the anti-clogging token from the Request
+ providing a demonstration of "liveness" on the part of the peer, and
+ contains the identity of the peer. Upon receipt of the Response, the
+ server verifies that the Ciphersuite acknowledged by the peer is the
+ same as that sent in the Request and that the anti-clogging token
+ added by the peer in the Response is the same as that sent in the
+ Request. If Ciphersuites or anti-clogging tokens differ, the server
+ MUST respond with an EAP-Failure message. If the anti-clogging
+ tokens are the same, the server knows the peer is an active
+ participant in the exchange. If the Ciphersuites are the same, the
+ server now knows its own identity (it encoded in the Request) and the
+ peer's identity (from the Response) and can compute the Password
+
+
+
+
+
+Harkins & Zorn Informational [Page 19]
+
+RFC 5931 EAP Password August 2010
+
+
+ Element according to Section 2.8.3. The server stores the Password
+ Element in state it has allocated for this exchange. The server then
+ initiates an EAP-pwd-Commit exchange.
+
+2.8.5.2. EAP-pwd-Commit Exchange
+
+ The server begins the EAP-pwd-Confirm exchange by choosing two random
+ numbers, s_rand and s_mask, between 1 and r (where r is described in
+ Section 2.1 according to the group established in Section 2.8.5.1)
+ such that their sum modulo r is greater than one (1). It then
+ computes Element_S and Scalar_S as defined in Section 2.8.4 and
+ constructs an EAP-pwd-Commit/Request according to Section 3.2.2.
+ Element_S and Scalar_S are added to the state allocated for this
+ exchange, and the EAP-pwd-Commit/Request is transmitted to the peer.
+
+ Upon receipt of the EAP-pwd-Commit/Request, the peer validates the
+ length of the entire payload based upon the expected lengths of
+ Element_S and Scalar_S (which are fixed according to the length of
+ the agreed-upon group). If the length is incorrect, the peer MUST
+ terminate the exchange. If the length is correct, Element_S and
+ Scalar_S are extracted from the EAP-pwd-Commit/Request. Scalar_S is
+ then checked to ensure it is between 1 and r, exclusive. If it is
+ not, the peer MUST terminate the exchange. If it is, Element_S MUST
+ be validated depending on the type of group -- Element validation for
+ FFC groups is described in Section 2.8.5.2.1, and Element validation
+ for ECC groups is described in Section 2.8.5.2.2. If validation is
+ successful, the peer chooses two random numbers, p_rand and p_mask,
+ between 1 and r (where r is described in Section 2.1 according to the
+ group established in Section 2.8.5.1) such that their sum modulo r is
+ greater than one (1), and computes Element_P and Scalar_P. Next, the
+ peer computes kp from p_rand, Element_S, Scalar_S, and the Password
+ Element according to Section 2.8.4. If kp is the "identity element"
+ -- the point at infinity for an ECC group or the value one (1) for an
+ FFC group -- the peer MUST terminate the exchange. If not, the peer
+ uses Element_P and Scalar_P to construct an EAP-pwd-Commit/Response
+ according to Section 3.2.2 and transmits the EAP-pwd-Commit/Response
+ to the server.
+
+ Upon receipt of the EAP-pwd-Commit/Response, the server validates the
+ length of the entire payload based upon the expected lengths of
+ Element_P and Scalar_P (which are fixed according to the agreed-upon
+ group). If the length is incorrect, the server MUST respond with an
+ EAP-Failure message, and it MUST terminate the exchange and free up
+ any state allocated. If the length is correct, Scalar_P and
+ Element_P are extracted from the EAP-pwd-Commit/Response and compared
+ to Scalar_S and Element_S. If Scalar_P equals Scalar_S and Element_P
+ equals Element_S, it indicates a reflection attack and the server
+ MUST respond with an EAP-failure and terminate the exchange. If they
+
+
+
+Harkins & Zorn Informational [Page 20]
+
+RFC 5931 EAP Password August 2010
+
+
+ differ, Scalar_P is checked to ensure it is between 1 and r,
+ exclusive. If not the server MUST respond with an EAP-failure and
+ terminate the exchange. If it is, Element_P is verified depending on
+ the type of group -- Element validation for FFC groups is described
+ in Section 2.8.5.2.1, and Element validation for ECC groups is
+ described in Section 2.8.5.2.2. If validation is successful, the
+ server computes ks from s_rand, Element_P, Scalar_P, and the Password
+ Element according to Section 2.8.4. If ks is the "identity element"
+ -- the point at infinity for an ECC group or the value one (1) for an
+ FFC group -- the server MUST respond with an EAP-failure and
+ terminate the exchange. Otherwise, the server initiates an EAP-pwd-
+ Confirm exchange.
+
+2.8.5.2.1. Element Validation for FFC Groups
+
+ A received FFC Element is valid if: 1) it is between one (1) and the
+ prime, p, exclusive; and 2) if modular exponentiation of the Element
+ by the group order, r, equals one (1). If either of these conditions
+ are not true the received Element is invalid.
+
+2.8.5.2.2. Element Validation for ECC Groups
+
+ Validating a received ECC Element involves: 1) checking whether the
+ two coordinates, x and y, are both greater than zero (0) and less
+ than the prime defining the underlying field; and 2) checking whether
+ the x- and y-coordinates satisfy the equation of the curve (that is,
+ that they produce a valid point on the curve that is not the point at
+ infinity). If either of these conditions are not met, the received
+ Element is invalid; otherwise, the Element is valid.
+
+2.8.5.3. EAP-pwd-Confirm Exchange
+
+ The server computes Confirm_S according to Section 2.8.4, constructs
+ an EAP-pwd-Confirm/Request according to Section 3.2.3, and sends it
+ to the peer.
+
+ Upon receipt of an EAP-pwd-Confirm/Request, the peer validates the
+ length of the entire payload based upon the expected length of
+ Confirm_S (whose length is fixed by the agreed-upon random function).
+ If the length is incorrect, the peer MUST terminate the exchange and
+ free up any state allocated. If the length is correct, the peer
+ verifies that Confirm_S is the value it expects based on the value of
+ kp. If the value of Confirm_S is incorrect, the peer MUST terminate
+ the exchange and free up any state allocated. If the value of
+ Confirm_S is correct, the peer computes Confirm_P, constructs an EAP-
+ pwd-Confirm/Response according to Section 3.2.3, and sends it off to
+ the server. The peer then computes MK (according to Section 2.8.4)
+ and the MSK and EMSK (according to Section 2.9) and stores these keys
+
+
+
+Harkins & Zorn Informational [Page 21]
+
+RFC 5931 EAP Password August 2010
+
+
+ in state allocated for this exchange. The peer SHOULD export the MSK
+ and EMSK at this time in anticipation of a secure association
+ protocol by the lower layer to create session keys. Alternatively,
+ the peer can wait until an EAP-Success message from the server before
+ exporting the MSK and EMSK.
+
+ Upon receipt of an EAP-pwd-Confirm/Response, the server validates the
+ length of the entire payload based upon the expected length of
+ Confirm_P (whose length is fixed by the agreed-upon random function).
+ If the length is incorrect, the server MUST respond with an EAP-
+ Failure message, and it MUST terminate the exchange and free up any
+ state allocated. If the length is correct, the server verifies that
+ Confirm_P is the value it expects based on the value of ks. If the
+ value of Confirm_P is incorrect, the server MUST respond with an EAP-
+ Failure message. If the value of Confirm_P is correct, the server
+ computes MK (according to Section 2.8.4) and the MSK and EMSK
+ (according to Section 2.9). It exports the MSK and EMSK and responds
+ with an EAP-Success message. The server SHOULD free up state
+ allocated for this exchange.
+
+2.9. Management of EAP-pwd Keys
+
+ [RFC5247] recommends each EAP method define how to construct a
+ Method-ID and Session-ID to identify a particular EAP session between
+ a peer and server. This information is constructed thusly:
+
+ Method-ID = H(Ciphersuite | Scalar_P | Scalar_S)
+
+ Session-ID = Type-Code | Method-ID
+
+ where Ciphersuite, Scalar_P, and Scalar_S are from the specific
+ exchange being identified; H is the random function specified in the
+ Ciphersuite; and, Type-Code is the code assigned for EAP-pwd, 52,
+ represented as a single octet.
+
+ The authenticated key exchange of EAP-pwd generates a shared and
+ authenticated key, MK. The size of MK is dependent on the random
+ function, H, asserted in the Ciphersuite. EAP-pwd must export two
+ 512-bit keys, MSK and EMSK. Regardless of the value of len(MK),
+ implementations MUST invoke the KDF defined in Section 2.5 to
+ construct the MSK and EMSK. The MSK and EMSK are derived thusly:
+
+ MSK | EMSK = KDF(MK, Session-ID, 1024)
+
+ [RFC4962] mentions the importance of naming keys, particularly when
+ key caching is being used. To facilitate such an important
+ optimization, names are assigned thusly:
+
+
+
+
+Harkins & Zorn Informational [Page 22]
+
+RFC 5931 EAP Password August 2010
+
+
+ o EMSK-name = Session-ID | 'E' | 'M'| 'S' | 'K'
+
+ o MSK-name = Session-ID | 'M'| 'S' | 'K'
+
+ where 'E' is a single octet of value 0x45, 'M' is a single octet of
+ value 0x4d, 'S' is a single octet of value 0x53, and 'K' is a single
+ octet of value 0x4b.
+
+ This naming scheme allows for key-management applications to quickly
+ and accurately identify keys for a particular session or all keys of
+ a particular type.
+
+2.10. Mandatory-to-Implement Parameters
+
+ For the purposes of interoperability, compliant EAP-pwd
+ implementations SHALL support the following parameters:
+
+ o Diffie-Hellman Group: group 19 defined in [RFC5114]
+
+ o Random Function: defined in Section 2.4
+
+ o PRF: HMAC-SHA256 defined in [RFC4634]
+
+ o Password Pre-Processing: none
+
+3. Packet Formats
+
+3.1. EAP-pwd Header
+
+ The EAP-pwd header has the following structure:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type |L|M| PWD-Exch | Total-Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 5: EAP-pwd Header
+
+ Code
+
+ Either 1 (for Request) or 2 (for Response); see [RFC3748].
+
+
+
+
+
+Harkins & Zorn Informational [Page 23]
+
+RFC 5931 EAP Password August 2010
+
+
+ Identifier
+
+ The Identifier field is one octet and aids in matching responses
+ with requests. The Identifier field MUST be changed on each
+ Request packet.
+
+ Length
+
+ The Length field is two octets and indicates the length of the EAP
+ packet including the Code, Identifier, Length, Type, and Data
+ fields. Octets outside the range of the Length field should be
+ treated as Data Link Layer padding and MUST be ignored on
+ reception.
+
+ Type
+
+ 52 - EAP-pwd
+
+ L and M bits
+
+ The L bit (Length included) is set to indicate the presence of the
+ two-octet Total-Length field, and MUST be set for the first
+ fragment of a fragmented EAP-pwd message or set of messages.
+
+ The M bit (more fragments) is set on all but the last fragment.
+
+ PWD-Exch
+
+ The PWD-Exch field identifies the type of EAP-pwd payload
+ encapsulated in the Data field. This document defines the
+ following values for the PWD-Exch field:
+
+ * 0x00 : Reserved
+
+ * 0x01 : EAP-pwd-ID exchange
+
+ * 0x02 : EAP-pwd-Commit exchange
+
+ * 0x03 : EAP-pwd-Confirm exchange
+
+ All other values of the PWD-Exch field are unassigned.
+
+ Total-Length
+
+ The Total-Length field is two octets in length, and is present
+ only if the L bit is set. This field provides the total length of
+ the EAP-pwd message or set of messages that is being fragmented.
+
+
+
+
+Harkins & Zorn Informational [Page 24]
+
+RFC 5931 EAP Password August 2010
+
+
+3.2. EAP-pwd Payloads
+
+ EAP-pwd payloads all contain the EAP-pwd header and encoded
+ information. Encoded information is comprised of sequences of data.
+ Payloads in the EAP-pwd-ID exchange also include a ciphersuite
+ statement indicating what finite cyclic group to use, what
+ cryptographic primitive to use for H, and what PRF to use for
+ deriving keys.
+
+3.2.1. EAP-pwd-ID
+
+ The Group Description, Random Function, and PRF together, and in that
+ order, comprise the Ciphersuite included in the calculation of the
+ peer's and server's confirm messages.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Group Description | Random Func'n | PRF |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Token |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Prep | Identity...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 6: EAP-pwd-ID Payload
+
+ The Group Description field value is taken from the IANA registry for
+ "Group Description" created by IKE [RFC2409].
+
+ This document defines the following value for the Random Function
+ field:
+
+ o 0x01 : Function defined in this memo in Section 2.4
+
+ The value 0x00 is reserved for private use between mutually
+ consenting parties. All other values of the Random Function field
+ are unassigned.
+
+ The PRF field has the following value:
+
+ o 0x01 : HMAC-SHA256 [RFC4634]
+
+ The value 0x00 is reserved for private use between mutually
+ consenting parties. All other values of the PRF field are
+ unassigned.
+
+
+
+
+
+Harkins & Zorn Informational [Page 25]
+
+RFC 5931 EAP Password August 2010
+
+
+ The Token field contains an unpredictable value assigned by the
+ server in an EAP-pwd-ID/Request and acknowledged by the peer in an
+ EAP-pwd-ID/Response (see Section 2.8.5).
+
+ The Prep field represents the password pre-processing technique (see
+ Section 2.7.2) to be used by the client prior to generating the
+ password seed (see Section 2.8.3). This document defines the
+ following values for the Prep field:
+
+ o 0x00 : None
+
+ o 0x01 : RFC2759
+
+ o 0x02 : SASLprep
+
+ All other values of the Prep field are unassigned.
+
+ The Identity field depends on the tuple of PWD-Exch/Code.
+
+ o EAP-pwd-ID/Request : Server_ID
+
+ o EAP-pwd-ID/Response : Peer_ID
+
+ The length of the identity is computed from the Length field in the
+ EAP header.
+
+3.2.2. EAP-pwd-Commit
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Element ~
+ | |
+ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
+ | |
+ ~ Scalar +-+-+-+-+-+-+-+-+
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 7: EAP-pwd-Commit Payload
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 26]
+
+RFC 5931 EAP Password August 2010
+
+
+ The Element and Scalar fields depend on the tuple of PWD-Exch/Code.
+
+ o EAP-pwd-Commit/Request : Element_S, Scalar_S
+
+ o EAP-pwd-Commit/Response : Element_P, Scalar_P
+
+ The Element is encoded according to Section 3.3. The length of the
+ Element is inferred by the finite cyclic group from the agreed-upon
+ Ciphersuite. The length of the scalar can then be computed from the
+ Length in the EAP header.
+
+3.2.3. EAP-pwd-Confirm
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Confirm ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 8: EAP-pwd-Confirm Payload
+
+ The Confirm field depends on the tuple of PWD-Exch/Code.
+
+ o EAP-pwd-Confirm/Request : Confirm_S
+
+ o EAP-pwd-Confirm/Response : Confirm_P
+
+ The length of the Confirm field computed from the Length in the EAP
+ header.
+
+3.3. Representation of Group Elements and Scalars
+
+ Payloads in the EAP-pwd-Commit exchange contain elements from the
+ agreed-upon finite cyclic cryptographic group (either an FCC group or
+ an ECC group). To ensure interoperability, field elements and
+ scalars MUST be represented in payloads in accordance with the
+ requirements described below.
+
+3.3.1. Elements in FFC Groups
+
+ Elements in an FFC group MUST be represented (in binary form) as
+ unsigned integers that are strictly less than the prime, p, from the
+ group's domain parameter set. The binary representation of each
+ group element MUST have a bit length equal to the bit length of the
+
+
+
+
+
+Harkins & Zorn Informational [Page 27]
+
+RFC 5931 EAP Password August 2010
+
+
+ binary representation of p. This length requirement is enforced, if
+ necessary, by prepending the binary representation of the integer
+ with zeros until the required length is achieved.
+
+3.3.2. Elements in ECC Groups
+
+ Elements in an ECC group are points on the agreed-upon elliptic
+ curve. Each such element MUST be represented by the concatenation of
+ two components, an x-coordinate and a y-coordinate.
+
+ Each of the two components, the x-coordinate and the y-coordinate,
+ MUST be represented (in binary form) as an unsigned integer that is
+ strictly less than the prime, p, from the group's domain parameter
+ set. The binary representation of each component MUST have a bit
+ length equal to the bit length of the binary representation of p.
+ This length requirement is enforced, if necessary, by prepending the
+ binary representation of the integer with zeros until the required
+ length is achieved.
+
+ Since the field element is represented in a payload by the
+ x-coordinate followed by the y-coordinate, it follows that the length
+ of the element in the payload MUST be twice the bit length of p. In
+ other words, "compressed representation" is not used.
+
+3.3.3. Scalars
+
+ Scalars MUST be represented (in binary form) as unsigned integers
+ that are strictly less than r, the order of the generator of the
+ agreed-upon cryptographic group. The binary representation of each
+ scalar MUST have a bit length equal to the bit length of the binary
+ representation of r. This requirement is enforced, if necessary, by
+ prepending the binary representation of the integer with zeros until
+ the required length is achieved.
+
+4. Fragmentation
+
+ EAP [RFC3748] is a request-response protocol. The server sends
+ requests and the peer responds. These request and response messages
+ are assumed to be limited to at most 1020 bytes. Messages in EAP-pwd
+ can be larger than 1020 bytes and therefore require support for
+ fragmentation and reassembly.
+
+ Implementations MUST establish a fragmentation threshold that
+ indicates the maximum size of an EAP-pwd payload. When an
+ implementation knows the maximum transmission unit (MTU) of its lower
+ layer, it SHOULD calculate the fragmentation threshold from that
+ value. In lieu of knowledge of the lower layer's MTU, the
+ fragmentation threshold MUST be set to 1020 bytes.
+
+
+
+Harkins & Zorn Informational [Page 28]
+
+RFC 5931 EAP Password August 2010
+
+
+ Since EAP is a simple ACK-NAK protocol, fragmentation support can be
+ added in a simple manner. In EAP, fragments that are lost or damaged
+ in transit will be retransmitted, and since sequencing information is
+ provided by the Identifier field in EAP, there is no need for a
+ fragment offset field as is provided in IPv4.
+
+ EAP-pwd fragmentation support is provided through the addition of
+ flags within the EAP-Response and EAP-Request packets, as well as a
+ Total-Length field of two octets. Flags include the Length included
+ (L) and More fragments (M) bits. The L flag is set to indicate the
+ presence of the two-octet Total-Length field, and MUST be set for the
+ first fragment of a fragmented EAP-pwd message or set of messages.
+ The M flag is set on all but the last fragment. The Total-Length
+ field is two octets, and provides the total length of the EAP-pwd
+ message or set of messages that is being fragmented; this simplifies
+ buffer allocation.
+
+ When an EAP-pwd peer receives an EAP-Request packet with the M bit
+ set, it MUST respond with an EAP-Response with EAP-Type=EAP-pwd and
+ no data. This serves as a fragment ACK. The EAP server MUST wait
+ until it receives the EAP-Response before sending another fragment.
+ In order to prevent errors in processing of fragments, the EAP server
+ MUST increment the Identifier field for each fragment contained
+ within an EAP-Request, and the peer MUST include this Identifier
+ value in the fragment ACK contained within the EAP-Response.
+ Retransmitted fragments will contain the same Identifier value.
+
+ Similarly, when the EAP server receives an EAP-Response with the M
+ bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-pwd
+ and no data. This serves as a fragment ACK. The EAP peer MUST wait
+ until it receives the EAP-Request before sending another fragment.
+ In order to prevent errors in the processing of fragments, the EAP
+ server MUST increment the Identifier value for each fragment ACK
+ contained within an EAP-Request, and the peer MUST include this
+ Identifier value in the subsequent fragment contained within an EAP-
+ Response.
+
+5. IANA Considerations
+
+ This memo contains new numberspaces to be managed by IANA. The
+ policies used to allocate numbers are described in [RFC5226]. IANA
+ has allocated a new EAP method type for EAP-pwd (52).
+
+ IANA has created new registries for PWD-Exch messages, random
+ functions, PRFs, and password pre-processing methods and has added
+ the message numbers, random function, PRF, and pre-processing methods
+ specified in this memo to those registries, respectively.
+
+
+
+
+Harkins & Zorn Informational [Page 29]
+
+RFC 5931 EAP Password August 2010
+
+
+ The following is the initial PWD-Exch message registry layout:
+
+ o 0x00 : Reserved
+
+ o 0x01 : EAP-pwd-ID exchange
+
+ o 0x02 : EAP-pwd-Commit exchange
+
+ o 0x03 : EAP-pwd-Confirm exchange
+
+ The PWD-Exch field is 6 bits long. The value 0x00 is reserved. All
+ other values are available through assignment by IANA. IANA is
+ instructed to assign values based on "IETF Review" (see [RFC5226]).
+
+ The following is the initial Random Function registry layout:
+
+ o 0x00 : Private Use
+
+ o 0x01 : Function defined in this memo, Section 2.4
+
+ The Random Function field is 8 bits long. The value 0x00 is for
+ Private Use between mutually consenting parties. All other values
+ are available through assignment by IANA. IANA is instructed to
+ assign values based on "Specification Required" (see [RFC5226]). The
+ Designated Expert performing the necessary review MUST ensure the
+ random function has been cryptographically vetted.
+
+ The following is the initial PRF registry layout:
+
+ o 0x00 : Private Use
+
+ o 0x01 : HMAC-SHA256 as defined in [RFC4634]
+
+ The PRF field is 8 bits long. The value 0x00 is for Private Use
+ between mutually consenting parties. All other values are available
+ through assignment by IANA. IANA is instructed to assign values
+ based on "IETF Review" (see [RFC5226]).
+
+ The following is the initial layout for the password pre-processing
+ method registry:
+
+ o 0x00 : None
+
+ o 0x01 : RFC2759
+
+ o 0x02 : SASLprep
+
+
+
+
+
+Harkins & Zorn Informational [Page 30]
+
+RFC 5931 EAP Password August 2010
+
+
+ The Prep field is 8 bits long, and all other values are available
+ through assignment by IANA. IANA is instructed to assign values
+ based on "Specification Required" (see [RFC5226]).
+
+6. Security Considerations
+
+ In Section 1.3, several security properties were presented that
+ motivated the design of this protocol. This section will address how
+ well they are met.
+
+6.1. Resistance to Passive Attack
+
+ A passive attacker will see Scalar_P, Element_P, Scalar_S, and
+ Element_S. She can guess at passwords to compute the password
+ element but will not know s_rand or p_rand and therefore will not be
+ able to compute MK.
+
+ The secret random value of the peer (server) is effectively hidden by
+ adding p_mask (s_mask) to p_rand (s_rand) modulo the order of the
+ group. If the order is "r", then there are approximately "r"
+ distinct pairs of numbers that will sum to the value Scalar_P
+ (Scalar_S). Attempting to guess the particular pair is just as
+ difficult as guessing the secret random value p_rand (s_rand), the
+ probability of a guess is 1/(r - i) after "i" guesses. For a large
+ value of r, this exhaustive search technique is computationally
+ infeasible. An attacker would do better by determining the discrete
+ logarithm of Element_P (Element_S) using an algorithm like the baby-
+ step giant-step algorithm (see [APPCRY]), which runs on the order of
+ the square root of r group operations (e.g., a group with order 2^160
+ would require 2^80 exponentiations or point multiplications). Based
+ on the assumptions made on the finite cyclic group in Section 2.3,
+ that is also computationally infeasible.
+
+6.2. Resistance to Active Attack
+
+ An active attacker can launch her attack after an honest server has
+ sent EAP-pwd-Commit/Request to an honest peer. This would result in
+ the peer sending EAP-pwd-Commit/Response. In this case, the active
+ attack has been reduced to that of a passive attacker since p_rand
+ and s_rand will remain unknown. The active attacker could forge a
+ value of Confirm_P (Confirm_S) and send it to the EAP server (EAP
+ peer) in the hope that it will be accepted, but due to the
+ assumptions on H made in Section 2.3, that is computationally
+ infeasible.
+
+ The active attacker can launch her attack by forging EAP-pwd-Commit/
+ Request and sending it to the peer. This will result in the peer
+ responding with EAP-pwd-Commit/Response. The attacker can then
+
+
+
+Harkins & Zorn Informational [Page 31]
+
+RFC 5931 EAP Password August 2010
+
+
+ attempt to compute ks, but since she doesn't know the password, this
+ is infeasible. It can be shown that an attack by forging an EAP-pwd-
+ Commit/Response is an identical attack with equal infeasibility.
+
+6.3. Resistance to Dictionary Attack
+
+ An active attacker can wait until an honest server sends EAP-pwd-
+ Commit/Request and then forge EAP-pwd-Commit/Response and send it to
+ the server. The server will respond with EAP-pwd-Confirm/Request.
+ Now the attacker can attempt to launch a dictionary attack. She can
+ guess at potential passwords, compute the password element, and
+ compute kp using her p_rand, Scalar_S, and Element_S from the EAP-
+ pwd-Commit/Request and the candidate password element from her guess.
+ She will know if her guess is correct when she is able to verify
+ Confirm_S in EAP-pwd-Confirm/Request.
+
+ But the attacker committed to a password guess with her forged EAP-
+ pwd-Commit/Response when she computed Element_P. That value was used
+ by the server in his computation of ks that was used when he
+ constructed Confirm_S in EAP-pwd-Confirm/Request. Any guess of the
+ password that differs from the one used in the forged EAP-pwd-Commit/
+ Response could not be verified as correct since the attacker has no
+ way of knowing whether it is correct. She is able to make one guess
+ and one guess only per attack. This means that any advantage she can
+ gain -- guess a password, if it fails exclude it from the pool of
+ possible passwords and try again -- is solely through interaction
+ with an honest protocol peer.
+
+ The attacker can commit to the guess with the forged EAP-pwd-Commit/
+ Response and then run through the dictionary, computing the password
+ element and ks using her forged Scalar_P and Element_P. She will
+ know she is correct if she can compute the same value for Confirm_S
+ that the server produced in EAP-pwd-Confirm/Request. But this
+ requires the attacker to know s_rand, which we noted above was not
+ possible.
+
+ The password element PWE/pwe is chosen using a method described in
+ Section 2.8.3. Since this is an element in the group, there exists a
+ scalar value, q, such that:
+
+ PWE = q * G, for an ECC group
+
+ pwe = g^q mod p, for an FFC group
+
+ Knowledge of q can be used to launch a dictionary attack. For the
+ sake of brevity, the attack will be demonstrated assuming an ECC
+ group. The attack works thusly:
+
+
+
+
+Harkins & Zorn Informational [Page 32]
+
+RFC 5931 EAP Password August 2010
+
+
+ The attacker waits until an honest server sends an EAP-pwd-Commit/
+ Request. The attacker then generates a random Scalar_P and a random
+ p_mask and computes Element_P = p_mask * G. The attacker sends the
+ bogus Scalar_P and Element_P to the server and obtains Confirm_S in
+ return. Note that the server is unable to detect that Element_P was
+ calculated incorrectly.
+
+ The attacker now knows that:
+
+ KS = (Scalar_P * q + p_mask) * s_rand * G
+
+ and
+
+ s_rand * G = Scalar_P * G - ((1/q) mod r * -Element_P)
+
+ Since Scalar_P, p_mask, G, and Element_P are all known, the attacker
+ can run through the dictionary, make a password guess, compute PWE
+ using the technique in Section 2.8.3, determine q, and then use the
+ equations above to compute KS and see if it can verify Confirm_S. But
+ to determine q for a candidate PWE, the attacker needs to perform a
+ discrete logarithm that was assumed to be computationally infeasible
+ in Section 2.3. Therefore, this attack is also infeasible.
+
+ The best advantage an attacker can gain in a single active attack is
+ to determine whether a single guess at the password was correct.
+ Therefore, her advantage is solely through interaction and not
+ computation, which is the definition for resistance to dictionary
+ attack.
+
+ Resistance to dictionary attack means that the attacker must launch
+ an active attack to make a single guess at the password. If the size
+ of the dictionary from which the password was extracted was D, and
+ each password in the dictionary has an equal probability of being
+ chosen, then the probability of success after a single guess is 1/D.
+ After X guesses, and removal of failed guesses from the pool of
+ possible passwords, the probability becomes 1/(D-X). As X grows, so
+ does the probability of success. Therefore, it is possible for an
+ attacker to determine the password through repeated brute-force,
+ active, guessing attacks. This protocol does not presume to be
+ secure against this, and implementations SHOULD ensure the size of D
+ is sufficiently large to prevent this attack. Implementations SHOULD
+ also take countermeasures -- for instance, refusing authentication
+ attempts for a certain amount of time, after the number of failed
+ authentication attempts reaches a certain threshold. No such
+ threshold or amount of time is recommended in this memo.
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 33]
+
+RFC 5931 EAP Password August 2010
+
+
+6.4. Forward Secrecy
+
+ The MSK and EMSK are extracted from MK, which is derived from doing
+ group operations with s_rand, p_rand, and the password element. The
+ peer and server choose random values with each run of the protocol.
+ So even if an attacker is able to learn the password, she will not
+ know the random values used by either the peer or server from an
+ earlier run and will therefore be unable to determine MK, or the MSK
+ or EMSK. This is the definition of Forward Secrecy.
+
+6.5. Group Strength
+
+ The strength of the shared secret, MK, derived in Section 2.8.4
+ depends on the effort needed to solve the discrete logarithm problem
+ in the chosen group. [RFC3766] has a good discussion on the strength
+ estimates of symmetric keys derived from discrete logarithm
+ cryptography.
+
+ The mandatory-to-implement group defined in this memo is group 19, a
+ group from [RFC5114] based on Elliptic Curve Cryptography (see
+ Section 2.2.2) with a prime bit length of 256. This group was chosen
+ because the current best estimate of a symmetric key derived using
+ this group is 128 bits, which is the typical length of a key for the
+ Advanced Encryption Standard ([FIPS-197]). While it is possible to
+ obtain a equivalent measure of strength using a group based on Finite
+ Field Cryptography (see Section 2.2.1), it would require a much
+ larger prime and be more memory and compute intensive.
+
+6.6. Random Functions
+
+ The protocol described in this memo uses a function referred to as a
+ "random oracle" (as defined in [RANDOR]). A significant amount of
+ care must be taken to instantiate a random oracle out of handy
+ cryptographic primitives. The random oracle used here is based on
+ the notion of a "Randomness Extractor" from [RFC5869].
+
+ This protocol can use any properly instantiated random oracle. To
+ ensure that any new value for H will use a properly instantiated
+ random oracle, IANA has been instructed (in Section 5) to only
+ allocate values from the Random Function registry after being vetted
+ by an expert.
+
+ A few of the defined groups that can be used with this protocol have
+ a security estimate (see Section 6.5) less than 128 bits, many do not
+ though, and to prevent the random function from being the gating
+ factor (or a target for attack), any new random function MUST map its
+ input to a target of at least 128 bits and SHOULD map its input to a
+ target of at least 256 bits.
+
+
+
+Harkins & Zorn Informational [Page 34]
+
+RFC 5931 EAP Password August 2010
+
+
+7. Security Claims
+
+ [RFC3748] requires that documents describing new EAP methods clearly
+ articulate the security properties of the method. In addition, for
+ use with wireless LANs, [RFC4017] mandates and recommends several of
+ these. The claims are:
+
+ a. mechanism: password.
+
+ b. claims:
+
+ * mutual authentication: the peer and server both authenticate
+ each other by proving possession of a shared password. This
+ is REQUIRED by [RFC4017].
+
+ * forward secrecy: compromise of the password does not reveal
+ the secret keys -- MK, MSK, or EMSK -- from earlier runs of
+ the protocol.
+
+ * replay protection: an attacker is unable to replay messages
+ from a previous exchange to either learn the password or a
+ key derived by the exchange. Similarly the attacker is
+ unable to induce either the peer or server to believe the
+ exchange has successfully completed when it hasn't.
+ Reflection attacks are foiled because the server ensures that
+ the scalar and element supplied by the peer do not equal its
+ own.
+
+ * key derivation: keys are derived by performing a group
+ operation in a finite cyclic group (e.g., exponentiation)
+ using secret data contributed by both the peer and server.
+ An MSK and EMSK are derived from that shared secret. This is
+ REQUIRED by [RFC4017]
+
+ * dictionary attack resistance: this protocol is resistant to
+ dictionary attack because an attacker can only make one
+ password guess per active attack. The advantage gained by an
+ attacker is through interaction not through computation.
+ This is REQUIRED by [RFC4017].
+
+ * session independence: this protocol is resistant to active
+ and passive attack and does not enable compromise of
+ subsequent or prior MSKs or EMSKs from either passive or
+ active attack.
+
+ * Denial-of-Service Resistance: it is possible for an attacker
+ to cause a server to allocate state and consume CPU cycles
+ generating Scalar_S and Element_S. Such an attack is gated,
+
+
+
+Harkins & Zorn Informational [Page 35]
+
+RFC 5931 EAP Password August 2010
+
+
+ though, by the requirement that the attacker first obtain
+ connectivity through a lower-layer protocol (e.g. 802.11
+ authentication followed by 802.11 association, or 802.3
+ "link-up") and respond to two EAP messages --the EAP-ID/
+ Request and the EAP-pwd-ID/Request. The EAP-pwd-ID exchange
+ further includes an anti-clogging token that provides a level
+ of assurance to the server that the peer is, at least,
+ performing a rudimentary amount of processing and not merely
+ spraying packets. This prevents distributed denial-of-
+ service attacks and also requires the attacker to announce,
+ and commit to, a lower-layer identity, such as a MAC (Media
+ Access Control) address.
+
+ * Man-in-the-Middle Attack Resistance: this exchange is
+ resistant to active attack, which is a requirement for
+ launching a man-in-the-middle attack. This is REQUIRED by
+ [RFC4017].
+
+ * shared state equivalence: upon completion of EAP-pwd, the
+ peer and server both agree on MK, MSK, EMSK, Method-ID, and
+ Session-ID. The peer has authenticated the server based on
+ the Server-ID, and the server has authenticated the peer
+ based on the Peer-ID. This is due to the fact that Peer-ID,
+ Server-ID, and the shared password are all combined to make
+ the password element, which must be shared between the peer
+ and server for the exchange to complete. This is REQUIRED by
+ [RFC4017].
+
+ * fragmentation: this protocol defines a technique for
+ fragmentation and reassembly in Section 4.
+
+ * resistance to "Denning-Sacco" attack: learning keys
+ distributed from an earlier run of the protocol, such as the
+ MSK or EMSK, will not help an adversary learn the password.
+
+ c. key strength: the strength of the resulting key depends on the
+ finite cyclic group chosen. See Section 6.5. This is REQUIRED
+ by [RFC4017].
+
+ d. key hierarchy: MSKs and EMSKs are derived from the MK using the
+ KDF defined in Section 2.5 as described in Section 2.8.4.
+
+ e. vulnerabilities (note that none of these are REQUIRED by
+ [RFC4017]):
+
+ * protected ciphersuite negotiation: the ciphersuite offer made
+ by the server is not protected from tampering by an active
+ attacker. Downgrade attacks are prevented, though, since
+
+
+
+Harkins & Zorn Informational [Page 36]
+
+RFC 5931 EAP Password August 2010
+
+
+ this is not a "negotiation" with a list of acceptable
+ ciphersuites. If a Ciphersuite was modified by an active
+ attacker it would result in a failure to confirm the message
+ sent by the other party, since the Ciphersuite is bound by
+ each side into its confirm message, and the protocol would
+ fail as a result.
+
+ * confidentiality: none of the messages sent in this protocol
+ are encrypted.
+
+ * integrity protection: messages in the EAP-pwd-Commit exchange
+ are not integrity protected.
+
+ * channel binding: this protocol does not enable the exchange
+ of integrity-protected channel information that can be
+ compared with values communicated via out-of-band mechanisms.
+
+ * fast reconnect: this protocol does not provide a fast-
+ reconnect capability.
+
+ * cryptographic binding: this protocol is not a tunneled EAP
+ method and therefore has no cryptographic information to
+ bind.
+
+ * identity protection: the EAP-pwd-ID exchange is not
+ protected. An attacker will see the server's identity in the
+ EAP-pwd-ID/Request and see the peer's identity in EAP-pwd-ID/
+ Response.
+
+8. Acknowledgements
+
+ The authors would like to thank Scott Fluhrer for discovering the
+ "password as exponent" attack that was possible in the initial
+ version of this memo and for his very helpful suggestions on the
+ techniques for fixing the PWE/pwe to prevent it. The authors would
+ also like to thank Hideyuki Suzuki for his insight in discovering an
+ attack against a previous version of the underlying key exchange
+ protocol. Special thanks to Lily Chen for helpful discussions on
+ hashing into an elliptic curve and to Jin-Meng Ho for suggesting the
+ countermeasures to protect against a small sub-group attack. Rich
+ Davis suggested the defensive checks to Commit messages, and his
+ various comments greatly improved the quality of this memo and the
+ underlying key exchange on which it is based. Scott Kelly suggested
+ adding the anti-clogging token to the ID exchange to prevent
+ distributed denial-of-service attacks. Dorothy Stanley provided
+ valuable suggestions to improve the quality of this memo. The
+ fragmentation method used was taken from [RFC5216].
+
+
+
+
+Harkins & Zorn Informational [Page 37]
+
+RFC 5931 EAP Password August 2010
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2",
+ RFC 2759, January 2000.
+
+ [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
+ Internationalized Strings ("stringprep")", RFC 3454,
+ December 2002.
+
+ [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
+ H. Levkowetz, "Extensible Authentication Protocol
+ (EAP)", RFC 3748, June 2004.
+
+ [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
+ Names and Passwords", RFC 4013, February 2005.
+
+ [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
+ Network Access Identifier", RFC 4282, December 2005.
+
+ [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
+ (SHA and HMAC-SHA)", RFC 4634, July 2006.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+ [SP800-108] Chen, L., "Recommendations for Key Derivation Using
+ Pseudorandom Functions", NIST Special
+ Publication 800-108, April 2008.
+
+ [SP800-56A] Barker, E., Johnson, D., and M. Smid, "Recommendations
+ for Pair-Wise Key Establishment Schemes Using Discrete
+ Logarithm Cryptography", NIST Special
+ Publication 800-56A, March 2007.
+
+9.2. Informative References
+
+ [APPCRY] Menezes, A., van Oorshot, P., and S. Vanstone, "Handbook
+ of Applied Cryptography", CRC Press Series on Discrete
+ Mathematics and Its Applications, 1996.
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 38]
+
+RFC 5931 EAP Password August 2010
+
+
+ [BM92] Bellovin, S. and M. Merritt, "Encrypted Key Exchange:
+ Password-Based Protocols Secure Against Dictionary
+ Attack", Proceedings of the IEEE Symposium on Security
+ and Privacy, Oakland, 1992.
+
+ [BM93] Bellovin, S. and M. Merritt, "Augmented Encrypted Key
+ Exchange: A Password-Based Protocol Secure against
+ Dictionary Attacks and Password File Compromise",
+ Proceedings of the 1st ACM Conference on Computer and
+ Communication Security, ACM Press, 1993.
+
+ [BMP00] Boyko, V., MacKenzie, P., and S. Patel, "Provably Secure
+ Password Authenticated Key Exchange Using Diffie-
+ Hellman", Proceedings of Eurocrypt 2000, LNCS
+ 1807 Springer-Verlag, 2000.
+
+ [FIPS-197] National Institute of Standards and Technology, FIPS Pub
+ 197: Advanced Encryption Standard (AES), November 2001.
+
+ [JAB96] Jablon, D., "Strong Password-Only Authenticated Key
+ Exchange", ACM SIGCOMM Computer Communication
+ Review Volume 1, Issue 5, October 1996.
+
+ [LUC97] Lucks, S., "Open Key Exchange: How to Defeat Dictionary
+ Attacks Without Encrypting Public Keys", Proceedings of
+ the Security Protocols Workshop, LNCS 1361, Springer-
+ Verlag, 1997.
+
+ [RANDOR] Bellare, M. and P. Rogaway, "Random Oracles are
+ Practical: A Paradigm for Designing Efficient
+ Protocols", Proceedings of the 1st ACM Conference on
+ Computer and Communication Security, ACM Press, 1993.
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
+ Public Keys Used For Exchanging Symmetric Keys", BCP 86,
+ RFC 3766, April 2004.
+
+ [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
+ Authentication Protocol (EAP) Method Requirements for
+ Wireless LANs", RFC 4017, March 2005.
+
+ [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086,
+ June 2005.
+
+
+
+
+Harkins & Zorn Informational [Page 39]
+
+RFC 5931 EAP Password August 2010
+
+
+ [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication,
+ Authorization, and Accounting (AAA) Key Management",
+ BCP 132, RFC 4962, July 2007.
+
+ [RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
+ Groups for Use with IETF Standards", RFC 5114,
+ January 2008.
+
+ [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
+ Authentication Protocol", RFC 5216, March 2008.
+
+ [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
+ Authentication Protocol (EAP) Key Management Framework",
+ RFC 5247, August 2008.
+
+ [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-
+ Expand Key Derivation Function (HKDF)", RFC 5869,
+ May 2010.
+
+Authors' Addresses
+
+ Dan Harkins
+ Aruba Networks
+ 1322 Crossman Avenue
+ Sunnyvale, CA 94089-1113
+ USA
+
+ EMail: dharkins@arubanetworks.com
+
+
+ Glen Zorn
+ Network Zen
+ 1310 East Thomas Street
+ #306
+ Seattle, WA 98102
+ USA
+
+ Phone: +1 (206) 377-9035
+ EMail: gwz@net-zen.net
+
+
+
+
+
+
+
+
+
+
+
+
+Harkins & Zorn Informational [Page 40]
+