diff options
Diffstat (limited to 'doc/rfc/rfc7170.txt')
-rw-r--r-- | doc/rfc/rfc7170.txt | 5659 |
1 files changed, 5659 insertions, 0 deletions
diff --git a/doc/rfc/rfc7170.txt b/doc/rfc/rfc7170.txt new file mode 100644 index 0000000..6569f6f --- /dev/null +++ b/doc/rfc/rfc7170.txt @@ -0,0 +1,5659 @@ + + + + + + +Internet Engineering Task Force (IETF) H. Zhou +Request for Comments: 7170 N. Cam-Winget +Category: Standards Track J. Salowey +ISSN: 2070-1721 Cisco Systems + S. Hanna + Infineon Technologies + May 2014 + + + Tunnel Extensible Authentication Protocol (TEAP) Version 1 + +Abstract + + This document defines the Tunnel Extensible Authentication Protocol + (TEAP) version 1. TEAP is a tunnel-based EAP method that enables + secure communication between a peer and a server by using the + Transport Layer Security (TLS) protocol to establish a mutually + authenticated tunnel. Within the tunnel, TLV objects are used to + convey authentication-related data between the EAP peer and the EAP + server. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7170. + + + + + + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 1] + +RFC 7170 TEAP May 2014 + + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 + 1.1. Specification Requirements . . . . . . . . . . . . . . . 5 + 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 + 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6 + 2.1. Architectural Model . . . . . . . . . . . . . . . . . . . 7 + 2.2. Protocol-Layering Model . . . . . . . . . . . . . . . . . 8 + 3. TEAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . 9 + 3.1. Version Negotiation . . . . . . . . . . . . . . . . . . . 9 + 3.2. TEAP Authentication Phase 1: Tunnel Establishment . . . . 10 + 3.2.1. TLS Session Resume Using Server State . . . . . . . . 11 + 3.2.2. TLS Session Resume Using a PAC . . . . . . . . . . . 12 + 3.2.3. Transition between Abbreviated and Full TLS Handshake 13 + 3.3. TEAP Authentication Phase 2: Tunneled Authentication . . 14 + 3.3.1. EAP Sequences . . . . . . . . . . . . . . . . . . . . 14 + 3.3.2. Optional Password Authentication . . . . . . . . . . 15 + 3.3.3. Protected Termination and Acknowledged Result + Indication . . . . . . . . . . . . . . . . . . . . . 15 + 3.4. Determining Peer-Id and Server-Id . . . . . . . . . . . . 16 + 3.5. TEAP Session Identifier . . . . . . . . . . . . . . . . . 17 + 3.6. Error Handling . . . . . . . . . . . . . . . . . . . . . 17 + 3.6.1. Outer-Layer Errors . . . . . . . . . . . . . . . . . 18 + 3.6.2. TLS Layer Errors . . . . . . . . . . . . . . . . . . 18 + 3.6.3. Phase 2 Errors . . . . . . . . . . . . . . . . . . . 19 + 3.7. Fragmentation . . . . . . . . . . . . . . . . . . . . . . 19 + 3.8. Peer Services . . . . . . . . . . . . . . . . . . . . . . 20 + 3.8.1. PAC Provisioning . . . . . . . . . . . . . . . . . . 21 + 3.8.2. Certificate Provisioning within the Tunnel . . . . . 22 + 3.8.3. Server Unauthenticated Provisioning Mode . . . . . . 23 + 3.8.4. Channel Binding . . . . . . . . . . . . . . . . . . . 23 + + + + + +Zhou, et al. Standards Track [Page 2] + +RFC 7170 TEAP May 2014 + + + 4. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24 + 4.1. TEAP Message Format . . . . . . . . . . . . . . . . . . . 24 + 4.2. TEAP TLV Format and Support . . . . . . . . . . . . . . . 26 + 4.2.1. General TLV Format . . . . . . . . . . . . . . . . . 28 + 4.2.2. Authority-ID TLV . . . . . . . . . . . . . . . . . . 29 + 4.2.3. Identity-Type TLV . . . . . . . . . . . . . . . . . . 30 + 4.2.4. Result TLV . . . . . . . . . . . . . . . . . . . . . 31 + 4.2.5. NAK TLV . . . . . . . . . . . . . . . . . . . . . . . 32 + 4.2.6. Error TLV . . . . . . . . . . . . . . . . . . . . . . 33 + 4.2.7. Channel-Binding TLV . . . . . . . . . . . . . . . . . 36 + 4.2.8. Vendor-Specific TLV . . . . . . . . . . . . . . . . . 37 + 4.2.9. Request-Action TLV . . . . . . . . . . . . . . . . . 38 + 4.2.10. EAP-Payload TLV . . . . . . . . . . . . . . . . . . . 40 + 4.2.11. Intermediate-Result TLV . . . . . . . . . . . . . . . 41 + 4.2.12. PAC TLV Format . . . . . . . . . . . . . . . . . . . 42 + 4.2.12.1. Formats for PAC Attributes . . . . . . . . . . . 43 + 4.2.12.2. PAC-Key . . . . . . . . . . . . . . . . . . . . 44 + 4.2.12.3. PAC-Opaque . . . . . . . . . . . . . . . . . . . 44 + 4.2.12.4. PAC-Info . . . . . . . . . . . . . . . . . . . . 45 + 4.2.12.5. PAC-Acknowledgement TLV . . . . . . . . . . . . 47 + 4.2.12.6. PAC-Type TLV . . . . . . . . . . . . . . . . . . 48 + 4.2.13. Crypto-Binding TLV . . . . . . . . . . . . . . . . . 48 + 4.2.14. Basic-Password-Auth-Req TLV . . . . . . . . . . . . . 51 + 4.2.15. Basic-Password-Auth-Resp TLV . . . . . . . . . . . . 52 + 4.2.16. PKCS#7 TLV . . . . . . . . . . . . . . . . . . . . . 53 + 4.2.17. PKCS#10 TLV . . . . . . . . . . . . . . . . . . . . . 54 + 4.2.18. Trusted-Server-Root TLV . . . . . . . . . . . . . . . 55 + 4.3. TLV Rules . . . . . . . . . . . . . . . . . . . . . . . . 56 + 4.3.1. Outer TLVs . . . . . . . . . . . . . . . . . . . . . 57 + 4.3.2. Inner TLVs . . . . . . . . . . . . . . . . . . . . . 57 + 5. Cryptographic Calculations . . . . . . . . . . . . . . . . . 58 + 5.1. TEAP Authentication Phase 1: Key Derivations . . . . . . 58 + 5.2. Intermediate Compound Key Derivations . . . . . . . . . . 59 + 5.3. Computing the Compound MAC . . . . . . . . . . . . . . . 61 + 5.4. EAP Master Session Key Generation . . . . . . . . . . . . 61 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 62 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 66 + 7.1. Mutual Authentication and Integrity Protection . . . . . 67 + 7.2. Method Negotiation . . . . . . . . . . . . . . . . . . . 67 + 7.3. Separation of Phase 1 and Phase 2 Servers . . . . . . . . 67 + 7.4. Mitigation of Known Vulnerabilities and Protocol + Deficiencies . . . . . . . . . . . . . . . . . . . . . . 68 + 7.4.1. User Identity Protection and Verification . . . . . . 69 + 7.4.2. Dictionary Attack Resistance . . . . . . . . . . . . 70 + 7.4.3. Protection against Man-in-the-Middle Attacks . . . . 70 + 7.4.4. PAC Binding to User Identity . . . . . . . . . . . . 71 + + + + + +Zhou, et al. Standards Track [Page 3] + +RFC 7170 TEAP May 2014 + + + 7.5. Protecting against Forged Cleartext EAP Packets . . . . . 71 + 7.6. Server Certificate Validation . . . . . . . . . . . . . . 72 + 7.7. Tunnel PAC Considerations . . . . . . . . . . . . . . . . 72 + 7.8. Security Claims . . . . . . . . . . . . . . . . . . . . . 73 + 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 75 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 75 + 9.2. Informative References . . . . . . . . . . . . . . . . . 76 + Appendix A. Evaluation against Tunnel-Based EAP Method + Requirements . . . . . . . . . . . . . . . . . . . . 79 + A.1. Requirement 4.1.1: RFC Compliance . . . . . . . . . . . . 79 + A.2. Requirement 4.2.1: TLS Requirements . . . . . . . . . . . 79 + A.3. Requirement 4.2.1.1.1: Ciphersuite Negotiation . . . . . 79 + A.4. Requirement 4.2.1.1.2: Tunnel Data Protection Algorithms 79 + A.5. Requirement 4.2.1.1.3: Tunnel Authentication and Key + Establishment . . . . . . . . . . . . . . . . . . . . . . 79 + A.6. Requirement 4.2.1.2: Tunnel Replay Protection . . . . . . 79 + A.7. Requirement 4.2.1.3: TLS Extensions . . . . . . . . . . . 80 + A.8. Requirement 4.2.1.4: Peer Identity Privacy . . . . . . . 80 + A.9. Requirement 4.2.1.5: Session Resumption . . . . . . . . . 80 + A.10. Requirement 4.2.2: Fragmentation . . . . . . . . . . . . 80 + A.11. Requirement 4.2.3: Protection of Data External to Tunnel 80 + A.12. Requirement 4.3.1: Extensible Attribute Types . . . . . . 80 + A.13. Requirement 4.3.2: Request/Challenge Response Operation . 80 + A.14. Requirement 4.3.3: Indicating Criticality of Attributes . 80 + A.15. Requirement 4.3.4: Vendor-Specific Support . . . . . . . 81 + A.16. Requirement 4.3.5: Result Indication . . . . . . . . . . 81 + A.17. Requirement 4.3.6: Internationalization of Display + Strings . . . . . . . . . . . . . . . . . . . . . . . . . 81 + A.18. Requirement 4.4: EAP Channel-Binding Requirements . . . . 81 + A.19. Requirement 4.5.1.1: Confidentiality and Integrity . . . 81 + A.20. Requirement 4.5.1.2: Authentication of Server . . . . . . 81 + A.21. Requirement 4.5.1.3: Server Certificate Revocation + Checking . . . . . . . . . . . . . . . . . . . . . . . . 81 + A.22. Requirement 4.5.2: Internationalization . . . . . . . . . 81 + A.23. Requirement 4.5.3: Metadata . . . . . . . . . . . . . . . 82 + A.24. Requirement 4.5.4: Password Change . . . . . . . . . . . 82 + A.25. Requirement 4.6.1: Method Negotiation . . . . . . . . . . 82 + A.26. Requirement 4.6.2: Chained Methods . . . . . . . . . . . 82 + A.27. Requirement 4.6.3: Cryptographic Binding with the TLS + Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . 82 + A.28. Requirement 4.6.4: Peer-Initiated EAP Authentication . . 82 + A.29. Requirement 4.6.5: Method Metadata . . . . . . . . . . . 82 + Appendix B. Major Differences from EAP-FAST . . . . . . . . . . 83 + Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 83 + C.1. Successful Authentication . . . . . . . . . . . . . . . . 83 + C.2. Failed Authentication . . . . . . . . . . . . . . . . . . 85 + C.3. Full TLS Handshake Using Certificate-Based Ciphersuite . 86 + + + +Zhou, et al. Standards Track [Page 4] + +RFC 7170 TEAP May 2014 + + + C.4. Client Authentication during Phase 1 with Identity + Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 88 + C.5. Fragmentation and Reassembly . . . . . . . . . . . . . . 89 + C.6. Sequence of EAP Methods . . . . . . . . . . . . . . . . . 91 + C.7. Failed Crypto-Binding . . . . . . . . . . . . . . . . . . 94 + C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange 95 + C.9. Peer Requests Inner Method after Server Sends Result TLV 97 + C.10. Channel Binding . . . . . . . . . . . . . . . . . . . . . 99 + +1. Introduction + + A tunnel-based Extensible Authentication Protocol (EAP) method is an + EAP method that establishes a secure tunnel and executes other EAP + methods under the protection of that secure tunnel. A tunnel-based + EAP method can be used in any lower-layer protocol that supports EAP + authentication. There are several existing tunnel-based EAP methods + that use Transport Layer Security (TLS) [RFC5246] to establish the + secure tunnel. EAP methods supporting this include Protected EAP + (PEAP) [PEAP], EAP Tunneled Transport Layer Security (EAP-TTLS) + [RFC5281], and EAP Flexible Authentication via Secure Tunneling (EAP- + FAST) [RFC4851]. However, they all are either vendor-specific or + informational, and the industry calls for a Standards Track tunnel- + based EAP method. [RFC6678] outlines the list of requirements for a + standard tunnel-based EAP method. + + Since its introduction, EAP-FAST [RFC4851] has been widely adopted in + a variety of devices and platforms. It has been adopted by the EMU + working group as the basis for the standard tunnel-based EAP method. + This document describes the Tunnel Extensible Authentication Protocol + (TEAP) version 1, based on EAP-FAST [RFC4851] with some minor changes + to meet the requirements outlined in [RFC6678] for a standard tunnel- + based EAP method. + +1.1. Specification Requirements + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 5] + +RFC 7170 TEAP May 2014 + + +1.2. Terminology + + Much of the terminology in this document comes from [RFC3748]. + Additional terms are defined below: + + Protected Access Credential (PAC) + + Credentials distributed to a peer for future optimized network + authentication. The PAC consists of a minimum of two components: + a shared secret and an opaque element. The shared secret + component contains the pre-shared key between the peer and the + authentication server. The opaque part is provided to the peer + and is presented to the authentication server when the peer wishes + to obtain access to network resources. The opaque element and + shared secret are used with TLS stateless session resumption + defined in [RFC5077] to establish a protected TLS session. The + secret key and opaque part may be distributed using [RFC5077] + messages or using TLVs within the TEAP tunnel. Finally, a PAC may + optionally include other information that may be useful to the + peer. + + Type-Length-Value (TLV) + + The TEAP protocol utilizes objects in TLV format. The TLV format + is defined in Section 4.2. + +2. Protocol Overview + + TEAP authentication occurs in two phases after the initial EAP + Identity request/response exchange. In the first phase, TEAP employs + the TLS [RFC5246] handshake to provide an authenticated key exchange + and to establish a protected tunnel. Once the tunnel is established, + the second phase begins with the peer and server engaging in further + conversations to establish the required authentication and + authorization policies. TEAP makes use of TLV objects to carry out + the inner authentication, results, and other information, such as + channel-binding information. + + TEAP makes use of the TLS SessionTicket extension [RFC5077], which + supports TLS session resumption without requiring session-specific + state stored at the server. In this document, the SessionTicket is + referred to as the Protected Access Credential opaque data (or PAC- + Opaque). The PAC-Opaque may be distributed through the use of the + NewSessionTicket message or through a mechanism that uses TLVs within + Phase 2 of TEAP. The secret key used to resume the session in TEAP + is referred to as the Protected Access Credential key (or PAC-Key). + When the NewSessionTicket message is used to distribute the PAC- + Opaque, the PAC-Key is the master secret for the session. If TEAP + + + +Zhou, et al. Standards Track [Page 6] + +RFC 7170 TEAP May 2014 + + + Phase 2 is used to distribute the PAC-Opaque, then the PAC-Key is + distributed along with the PAC-Opaque. TEAP implementations MUST + support the [RFC5077] mechanism for distributing a PAC-Opaque, and it + is RECOMMENDED that implementations support the capability to + distribute the ticket and secret key within the TEAP tunnel. + + The TEAP conversation is used to establish or resume an existing + session to typically establish network connectivity between a peer + and the network. Upon successful execution of TEAP, the EAP peer and + EAP server both derive strong session key material that can then be + communicated to the network access server (NAS) for use in + establishing a link-layer security association. + +2.1. Architectural Model + + The network architectural model for TEAP usage is shown below: + + +----------+ +----------+ +----------+ +----------+ + | | | | | | | Inner | + | Peer |<---->| Authen- |<---->| TEAP |<---->| Method | + | | | ticator | | server | | server | + | | | | | | | | + +----------+ +----------+ +----------+ +----------+ + + TEAP Architectural Model + + The entities depicted above are logical entities and may or may not + correspond to separate network components. For example, the TEAP + server and inner method server might be a single entity; the + authenticator and TEAP server might be a single entity; or the + functions of the authenticator, TEAP server, and inner method server + might be combined into a single physical device. For example, + typical IEEE 802.11 deployments place the authenticator in an access + point (AP) while a RADIUS server may provide the TEAP and inner + method server components. The above diagram illustrates the division + of labor among entities in a general manner and shows how a + distributed system might be constructed; however, actual systems + might be realized more simply. The security considerations in + Section 7.3 provide an additional discussion of the implications of + separating the TEAP server from the inner method server. + + + + + + + + + + + +Zhou, et al. Standards Track [Page 7] + +RFC 7170 TEAP May 2014 + + +2.2. Protocol-Layering Model + + TEAP packets are encapsulated within EAP; EAP in turn requires a + transport protocol. TEAP packets encapsulate TLS, which is then used + to encapsulate user authentication information. Thus, TEAP messaging + can be described using a layered model, where each layer encapsulates + the layer above it. The following diagram clarifies the relationship + between protocols: + + +---------------------------------------------------------------+ + | Inner EAP Method | Other TLV information | + |---------------------------------------------------------------| + | TLV Encapsulation (TLVs) | + |---------------------------------------------------------------| + | TLS | Optional Outer TLVs | + |---------------------------------------------------------------| + | TEAP | + |---------------------------------------------------------------| + | EAP | + |---------------------------------------------------------------| + | Carrier Protocol (EAP over LAN, RADIUS, Diameter, etc.) | + +---------------------------------------------------------------+ + + Protocol-Layering Model + + The TLV layer is a payload with TLV objects as defined in + Section 4.2. The TLV objects are used to carry arbitrary parameters + between an EAP peer and an EAP server. All conversations in the TEAP + protected tunnel are encapsulated in a TLV layer. + + TEAP packets may include TLVs both inside and outside the TLS tunnel. + The term "Outer TLVs" is used to refer to optional TLVs outside the + TLS tunnel, which are only allowed in the first two messages in the + TEAP protocol. That is the first EAP-server-to-peer message and + first peer-to-EAP-server message. If the message is fragmented, the + whole set of messages is counted as one message. The term "Inner + TLVs" is used to refer to TLVs sent within the TLS tunnel. In TEAP + Phase 1, Outer TLVs are used to help establish the TLS tunnel, but no + Inner TLVs are used. In Phase 2 of the TEAP conversation, TLS + records may encapsulate zero or more Inner TLVs, but no Outer TLVs. + + Methods for encapsulating EAP within carrier protocols are already + defined. For example, IEEE 802.1X [IEEE.802-1X.2013] may be used to + transport EAP between the peer and the authenticator; RADIUS + [RFC3579] or Diameter [RFC4072] may be used to transport EAP between + the authenticator and the EAP server. + + + + + +Zhou, et al. Standards Track [Page 8] + +RFC 7170 TEAP May 2014 + + +3. TEAP Protocol + + The operation of the protocol, including Phase 1 and Phase 2, is the + topic of this section. The format of TEAP messages is given in + Section 4, and the cryptographic calculations are given in Section 5. + +3.1. Version Negotiation + + TEAP packets contain a 3-bit Version field, following the TLS Flags + field, which enables future TEAP implementations to be backward + compatible with previous versions of the protocol. This + specification documents the TEAP version 1 protocol; implementations + of this specification MUST use a Version field set to 1. + + Version negotiation proceeds as follows: + + 1. In the first EAP-Request sent with EAP type=TEAP, the EAP server + MUST set the Version field to the highest version it supports. + + 2a. If the EAP peer supports this version of the protocol, it + responds with an EAP-Response of EAP type=TEAP, including the + version number proposed by the TEAP server. + + 2b. If the TEAP peer does not support the proposed version but + supports a lower version, it responds with an EAP-Response of + EAP type=TEAP and sets the Version field to its highest + supported version. + + 2c. If the TEAP peer only supports versions higher than the version + proposed by the TEAP server, then use of TEAP will not be + possible. In this case, the TEAP peer sends back an EAP-Nak + either to negotiate a different EAP type or to indicate no other + EAP types are available. + + 3a. If the TEAP server does not support the version number proposed + by the TEAP peer, it MUST either terminate the conversation with + an EAP Failure or negotiate a new EAP type. + + 3b. If the TEAP server does support the version proposed by the TEAP + peer, then the conversation continues using the version proposed + by the TEAP peer. + + The version negotiation procedure guarantees that the TEAP peer and + server will agree to the latest version supported by both parties. + If version negotiation fails, then use of TEAP will not be possible, + and another mutually acceptable EAP method will need to be negotiated + if authentication is to proceed. + + + + +Zhou, et al. Standards Track [Page 9] + +RFC 7170 TEAP May 2014 + + + The TEAP version is not protected by TLS and hence can be modified in + transit. In order to detect a modification of the TEAP version, the + peers MUST exchange the TEAP version number received during version + negotiation using the Crypto-Binding TLV described in Section 4.2.13. + The receiver of the Crypto-Binding TLV MUST verify that the version + received in the Crypto-Binding TLV matches the version sent by the + receiver in the TEAP version negotiation. If the Crypto-Binding TLV + fails to be validated, then it is a fatal error and is handled as + described in Section 3.6.3. + +3.2. TEAP Authentication Phase 1: Tunnel Establishment + + TEAP relies on the TLS handshake [RFC5246] to establish an + authenticated and protected tunnel. The TLS version offered by the + peer and server MUST be TLS version 1.2 [RFC5246] or later. This + version of the TEAP implementation MUST support the following TLS + ciphersuites: + + TLS_RSA_WITH_AES_128_CBC_SHA [RFC5246] + + TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC5246] + + This version of the TEAP implementation SHOULD support the following + TLS ciphersuite: + + TLS_RSA_WITH_AES_256_CBC_SHA [RFC5246] + + Other ciphersuites MAY be supported. It is REQUIRED that anonymous + ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC5246] only + be used in the case when the inner authentication method provides + mutual authentication, key generation, and resistance to man-in-the- + middle and dictionary attacks. TLS ciphersuites that do not provide + confidentiality MUST NOT be used. During the TEAP Phase 1 + conversation, the TEAP endpoints MAY negotiate TLS compression. + During TLS tunnel establishment, TLS extensions MAY be used. For + instance, the Certificate Status Request extension [RFC6066] and the + Multiple Certificate Status Request extension [RFC6961] can be used + to leverage a certificate-status protocol such as Online Certificate + Status Protocol (OCSP) [RFC6960] to check the validity of server + certificates. TLS renegotiation indications defined in RFC 5746 + [RFC5746] MUST be supported. + + The EAP server initiates the TEAP conversation with an EAP request + containing a TEAP/Start packet. This packet includes a set Start (S) + bit, the TEAP version as specified in Section 3.1, and an authority + identity TLV. The TLS payload in the initial packet is empty. The + authority identity TLV (Authority-ID TLV) is used to provide the peer + a hint of the server's identity that may be useful in helping the + + + +Zhou, et al. Standards Track [Page 10] + +RFC 7170 TEAP May 2014 + + + peer select the appropriate credential to use. Assuming that the + peer supports TEAP, the conversation continues with the peer sending + an EAP-Response packet with EAP type of TEAP with the Start (S) bit + clear and the version as specified in Section 3.1. This message + encapsulates one or more TLS handshake messages. If the TEAP version + negotiation is successful, then the TEAP conversation continues until + the EAP server and EAP peer are ready to enter Phase 2. When the + full TLS handshake is performed, then the first payload of TEAP Phase + 2 MAY be sent along with a server-finished handshake message to + reduce the number of round trips. + + TEAP implementations MUST support mutual peer authentication during + tunnel establishment using the TLS ciphersuites specified in this + section. The TEAP peer does not need to authenticate as part of the + TLS exchange but can alternatively be authenticated through + additional exchanges carried out in Phase 2. + + The TEAP tunnel protects peer identity information exchanged during + Phase 2 from disclosure outside the tunnel. Implementations that + wish to provide identity privacy for the peer identity need to + carefully consider what information is disclosed outside the tunnel + prior to Phase 2. TEAP implementations SHOULD support the immediate + renegotiation of a TLS session to initiate a new handshake message + exchange under the protection of the current ciphersuite. This + allows support for protection of the peer's identity when using TLS + client authentication. An example of the exchanges using TLS + renegotiation to protect privacy is shown in Appendix C. + + The following sections describe resuming a TLS session based on + server-side or client-side state. + +3.2.1. TLS Session Resume Using Server State + + TEAP session resumption is achieved in the same manner TLS achieves + session resume. To support session resumption, the server and peer + minimally cache the Session ID, master secret, and ciphersuite. The + peer attempts to resume a session by including a valid Session ID + from a previous TLS handshake in its ClientHello message. If the + server finds a match for the Session ID and is willing to establish a + new connection using the specified session state, the server will + respond with the same Session ID and proceed with the TEAP Phase 1 + tunnel establishment based on a TLS abbreviated handshake. After a + successful conclusion of the TEAP Phase 1 conversation, the + conversation then continues on to Phase 2. + + + + + + + +Zhou, et al. Standards Track [Page 11] + +RFC 7170 TEAP May 2014 + + +3.2.2. TLS Session Resume Using a PAC + + TEAP supports the resumption of sessions based on server state being + stored on the client side using the TLS SessionTicket extension + techniques described in [RFC5077]. This version of TEAP supports the + provisioning of a ticket called a Protected Access Credential (PAC) + through the use of the NewSessionTicket handshake described in + [RFC5077], as well as provisioning of a PAC inside the protected + tunnel. Implementations MUST support the TLS Ticket extension + [RFC5077] mechanism for distributing a PAC and may provide additional + ways to provision the PAC, such as manual configuration. Since the + PAC mentioned here is used for establishing the TLS tunnel, it is + more specifically referred to as the Tunnel PAC. The Tunnel PAC is a + security credential provided by the EAP server to a peer and + comprised of: + + 1. PAC-Key: this is the key used by the peer as the TLS master + secret to establish the TEAP Phase 1 tunnel. The PAC-Key is a + strong, high-entropy, at minimum 48-octet key and is typically + the master secret from a previous TLS session. The PAC-Key is a + secret and MUST be treated accordingly. Otherwise, if leaked, it + could lead to user credentials being compromised if sent within + the tunnel established using the PAC-Key. In the case that a + PAC-Key is provisioned to the peer through another means, it MUST + have its confidentiality and integrity protected by a mechanism, + such as the TEAP Phase 2 tunnel. The PAC-Key MUST be stored + securely by the peer. + + 2. PAC-Opaque: this is a variable-length field containing the ticket + that is sent to the EAP server during the TEAP Phase 1 tunnel + establishment based on [RFC5077]. The PAC-Opaque can only be + interpreted by the EAP server to recover the required information + for the server to validate the peer's identity and + authentication. The PAC-Opaque includes the PAC-Key and other + TLS session parameters. It may contain the PAC's peer identity. + The PAC-Opaque format and contents are specific to the PAC + issuing server. The PAC-Opaque may be presented in the clear, so + an attacker MUST NOT be able to gain useful information from the + PAC-Opaque itself. The server issuing the PAC-Opaque needs to + ensure it is protected with strong cryptographic keys and + algorithms. The PAC-Opaque may be distributed using the + NewSessionTicket message defined in [RFC5077], or it may be + distributed through another mechanism such as the Phase 2 TLVs + defined in this document. + + + + + + + +Zhou, et al. Standards Track [Page 12] + +RFC 7170 TEAP May 2014 + + + 3. PAC-Info: this is an optional variable-length field used to + provide, at a minimum, the authority identity of the PAC issuer. + Other useful but not mandatory information, such as the PAC-Key + lifetime, may also be conveyed by the PAC-issuing server to the + peer during PAC provisioning or refreshment. PAC-Info is not + included if the NewSessionTicket message is used to provision the + PAC. + + The use of the PAC is based on the SessionTicket extension defined in + [RFC5077]. The EAP server initiates the TEAP conversation as normal. + Upon receiving the Authority-ID TLV from the server, the peer checks + to see if it has an existing valid PAC-Key and PAC-Opaque for the + server. If it does, then it obtains the PAC-Opaque and puts it in + the SessionTicket extension in the ClientHello. It is RECOMMENDED in + TEAP that the peer include an empty Session ID in a ClientHello + containing a PAC-Opaque. This version of TEAP supports the + NewSessionTicket Handshake message as described in [RFC5077] for + distribution of a new PAC, as well as the provisioning of PAC inside + the protected tunnel. If the PAC-Opaque included in the + SessionTicket extension is valid and the EAP server permits the + abbreviated TLS handshake, it will select the ciphersuite from + information within the PAC-Opaque and finish with the abbreviated TLS + handshake. If the server receives a Session ID and a PAC-Opaque in + the SessionTicket extension in a ClientHello, it should place the + same Session ID in the ServerHello if it is resuming a session based + on the PAC-Opaque. The conversation then proceeds as described in + [RFC5077] until the handshake completes or a fatal error occurs. + After the abbreviated handshake completes, the peer and the server + are ready to commence Phase 2. + +3.2.3. Transition between Abbreviated and Full TLS Handshake + + If session resumption based on server-side or client-side state + fails, the server can gracefully fall back to a full TLS handshake. + If the ServerHello received by the peer contains an empty Session ID + or a Session ID that is different than in the ClientHello, the server + may fall back to a full handshake. The peer can distinguish the + server's intent to negotiate a full or abbreviated TLS handshake by + checking the next TLS handshake messages in the server response to + the ClientHello. If ChangeCipherSpec follows the ServerHello in + response to the ClientHello, then the server has accepted the session + resumption and intends to negotiate the abbreviated handshake. + Otherwise, the server intends to negotiate the full TLS handshake. A + peer can request that a new PAC be provisioned after the full TLS + handshake and mutual authentication of the peer and the server. A + peer SHOULD NOT request that a new PAC be provisioned after the + abbreviated handshake, as requesting a new session ticket based on + resumed session is not permitted. In order to facilitate the + + + +Zhou, et al. Standards Track [Page 13] + +RFC 7170 TEAP May 2014 + + + fallback to a full handshake, the peer SHOULD include ciphersuites + that allow for a full handshake and possibly PAC provisioning so the + server can select one of these in case session resumption fails. An + example of the transition is shown in Appendix C. + +3.3. TEAP Authentication Phase 2: Tunneled Authentication + + The second portion of the TEAP authentication occurs immediately + after successful completion of Phase 1. Phase 2 occurs even if both + peer and authenticator are authenticated in the Phase 1 TLS + negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake + fails, as that will compromise the security as the tunnel has not + been established successfully. Phase 2 consists of a series of + requests and responses encapsulated in TLV objects defined in + Section 4.2. Phase 2 MUST always end with a Crypto-Binding TLV + exchange described in Section 4.2.13 and a protected termination + exchange described in Section 3.3.3. The TLV exchange may include + the execution of zero or more EAP methods within the protected tunnel + as described in Section 3.3.1. A server MAY proceed directly to the + protected termination exchange if it does not wish to request further + authentication from the peer. However, the peer and server MUST NOT + assume that either will skip inner EAP methods or other TLV + exchanges, as the other peer might have a different security policy. + The peer may have roamed to a network that requires conformance with + a different authentication policy, or the peer may request the server + take additional action (e.g., channel binding) through the use of the + Request-Action TLV as defined in Section 4.2.9. + +3.3.1. EAP Sequences + + EAP [RFC3748] prohibits use of multiple authentication methods within + a single EAP conversation in order to limit vulnerabilities to man- + in-the-middle attacks. TEAP addresses man-in-the-middle attacks + through support for cryptographic protection of the inner EAP + exchange and cryptographic binding of the inner authentication + method(s) to the protected tunnel. EAP methods are executed serially + in a sequence. This version of TEAP does not support initiating + multiple EAP methods simultaneously in parallel. The methods need + not be distinct. For example, EAP-TLS could be run twice as an inner + method, first using machine credentials followed by a second instance + using user credentials. + + EAP method messages are carried within EAP-Payload TLVs defined in + Section 4.2.10. If more than one method is going to be executed in + the tunnel, then upon method completion, the server MUST send an + Intermediate-Result TLV indicating the result. The peer MUST respond + to the Intermediate-Result TLV indicating its result. If the result + indicates success, the Intermediate-Result TLV MUST be accompanied by + + + +Zhou, et al. Standards Track [Page 14] + +RFC 7170 TEAP May 2014 + + + a Crypto-Binding TLV. The Crypto-Binding TLV is further discussed in + Sections 4.2.13 and 5.3. The Intermediate-Result TLVs can be + included with other TLVs such as EAP-Payload TLVs starting a new EAP + conversation or with the Result TLV used in the protected termination + exchange. + + If both peer and server indicate success, then the method is + considered complete. If either indicates failure, then the method is + considered failed. The result of failure of an EAP method does not + always imply a failure of the overall authentication. If one + authentication method fails, the server may attempt to authenticate + the peer with a different method. + +3.3.2. Optional Password Authentication + + The use of EAP-FAST-GTC as defined in RFC 5421 [RFC5421] is NOT + RECOMMENDED with TEAPv1 because EAP-FAST-GTC is not compliant with + EAP-GTC defined in [RFC3748]. Implementations should instead make + use of the password authentication TLVs defined in this + specification. The authentication server initiates password + authentication by sending a Basic-Password-Auth-Req TLV defined in + Section 4.2.14. If the peer wishes to participate in password + authentication, then it responds with a Basic-Password-Auth-Resp TLV + as defined in Section 4.2.15 that contains the username and password. + If it does not wish to perform password authentication, then it + responds with a NAK TLV indicating the rejection of the Basic- + Password-Auth-Req TLV. Upon receiving the response, the server + indicates the success or failure of the exchange using an + Intermediate-Result TLV. Multiple round trips of password + authentication requests and responses MAY be used to support some + "housecleaning" functions such as a password or pin change before a + user is authenticated. + +3.3.3. Protected Termination and Acknowledged Result Indication + + A successful TEAP Phase 2 conversation MUST always end in a + successful Crypto-Binding TLV and Result TLV exchange. A TEAP server + may initiate the Crypto-Binding TLV and Result TLV exchange without + initiating any EAP conversation in TEAP Phase 2. After the final + Result TLV exchange, the TLS tunnel is terminated, and a cleartext + EAP Success or EAP Failure is sent by the server. Peers implementing + TEAP MUST NOT accept a cleartext EAP Success or failure packet prior + to the peer and server reaching synchronized protected result + indication. + + The Crypto-Binding TLV exchange is used to prove that both the peer + and server participated in the tunnel establishment and sequence of + authentications. It also provides verification of the TEAP type, + + + +Zhou, et al. Standards Track [Page 15] + +RFC 7170 TEAP May 2014 + + + version negotiated, and Outer TLVs exchanged before the TLS tunnel + establishment. The Crypto-Binding TLV MUST be exchanged and verified + before the final Result TLV exchange, regardless of whether or not + there is an inner EAP method authentication. The Crypto-Binding TLV + and Intermediate-Result TLV MUST be included to perform cryptographic + binding after each successful EAP method in a sequence of one or more + EAP methods. The server may send the final Result TLV along with an + Intermediate-Result TLV and a Crypto-Binding TLV to indicate its + intention to end the conversation. If the peer requires nothing more + from the server, it will respond with a Result TLV indicating success + accompanied by a Crypto-Binding TLV and Intermediate-Result TLV if + necessary. The server then tears down the tunnel and sends a + cleartext EAP Success or EAP Failure. + + If the peer receives a Result TLV indicating success from the server, + but its authentication policies are not satisfied (for example, it + requires a particular authentication mechanism be run or it wants to + request a PAC), it may request further action from the server using + the Request-Action TLV. The Request-Action TLV is sent with a Status + field indicating what EAP Success/Failure result the peer would + expect if the requested action is not granted. The value of the + Action field indicates what the peer would like to do next. The + format and values for the Request-Action TLV are defined in + Section 4.2.9. + + Upon receiving the Request-Action TLV, the server may process the + request or ignore it, based on its policy. If the server ignores the + request, it proceeds with termination of the tunnel and sends the + cleartext EAP Success or Failure message based on the Status field of + the peer's Request-Action TLV. If the server honors and processes + the request, it continues with the requested action. The + conversation completes with a Result TLV exchange. The Result TLV + may be included with the TLV that completes the requested action. + + Error handling for Phase 2 is discussed in Section 3.6.3. + +3.4. Determining Peer-Id and Server-Id + + The Peer-Id and Server-Id [RFC5247] may be determined based on the + types of credentials used during either the TEAP tunnel creation or + authentication. In the case of multiple peer authentications, all + authenticated peer identities and their corresponding identity types + (Section 4.2.3) need to be exported. In the case of multiple server + authentications, all authenticated server identities need to be + exported. + + + + + + +Zhou, et al. Standards Track [Page 16] + +RFC 7170 TEAP May 2014 + + + When X.509 certificates are used for peer authentication, the Peer-Id + is determined by the subject and subjectAltName fields in the peer + certificate. As noted in [RFC5280]: + + The subject field identifies the entity associated with the public + key stored in the subject public key field. The subject name MAY + be carried in the subject field and/or the subjectAltName + extension. . . . If subject naming information is present only in + the subjectAltName extension (e.g., a key bound only to an email + address or URI), then the subject name MUST be an empty sequence + and the subjectAltName extension MUST be critical. + + Where it is non-empty, the subject field MUST contain an X.500 + distinguished name (DN). + + If an inner EAP method is run, then the Peer-Id is obtained from the + inner method. + + When the server uses an X.509 certificate to establish the TLS + tunnel, the Server-Id is determined in a similar fashion as stated + above for the Peer-Id, e.g., the subject and subjectAltName fields in + the server certificate define the Server-Id. + +3.5. TEAP Session Identifier + + The EAP session identifier [RFC5247] is constructed using the tls- + unique from the Phase 1 outer tunnel at the beginning of Phase 2 as + defined by Section 3.1 of [RFC5929]. The Session-Id is defined as + follows: + + Session-Id = teap_type || tls-unique + + where teap_type is the EAP Type assigned to TEAP + + tls-unique = tls-unique from the Phase 1 outer tunnel at the + beginning of Phase 2 as defined by Section 3.1 of [RFC5929] + + || means concatenation + +3.6. Error Handling + + TEAP uses the error-handling rules summarized below: + + 1. Errors in the outer EAP packet layer are handled as defined in + Section 3.6.1. + + 2. Errors in the TLS layer are communicated via TLS alert messages + in all phases of TEAP. + + + +Zhou, et al. Standards Track [Page 17] + +RFC 7170 TEAP May 2014 + + + 3. The Intermediate-Result TLVs carry success or failure indications + of the individual EAP methods in TEAP Phase 2. Errors within the + EAP conversation in Phase 2 are expected to be handled by + individual EAP methods. + + 4. Violations of the Inner TLV rules are handled using Result TLVs + together with Error TLVs. + + 5. Tunnel-compromised errors (errors caused by a failed or missing + Crypto-Binding) are handled using Result TLVs and Error TLVs. + +3.6.1. Outer-Layer Errors + + Errors on the TEAP outer-packet layer are handled in the following + ways: + + 1. If Outer TLVs are invalid or contain unknown values, they will be + ignored. + + 2. The entire TEAP packet will be ignored if other fields (version, + length, flags, etc.) are inconsistent with this specification. + +3.6.2. TLS Layer Errors + + If the TEAP server detects an error at any point in the TLS handshake + or the TLS layer, the server SHOULD send a TEAP request encapsulating + a TLS record containing the appropriate TLS alert message rather than + immediately terminating the conversation so as to allow the peer to + inform the user of the cause of the failure and possibly allow for a + restart of the conversation. The peer MUST send a TEAP response to + an alert message. The EAP-Response packet sent by the peer may + encapsulate a TLS ClientHello handshake message, in which case the + TEAP server MAY allow the TEAP conversation to be restarted, or it + MAY contain a TEAP response with a zero-length message, in which case + the server MUST terminate the conversation with an EAP Failure + packet. It is up to the TEAP server whether or not to allow + restarts, and, if allowed, how many times the conversation can be + restarted. Per TLS [RFC5246], TLS restart is only allowed for non- + fatal alerts. A TEAP server implementing restart capability SHOULD + impose a limit on the number of restarts, so as to protect against + denial-of-service attacks. If the TEAP server does not allow + restarts, it MUST terminate the conversation with an EAP Failure + packet. + + If the TEAP peer detects an error at any point in the TLS layer, the + TEAP peer SHOULD send a TEAP response encapsulating a TLS record + containing the appropriate TLS alert message. The server may restart + the conversation by sending a TEAP request packet encapsulating the + + + +Zhou, et al. Standards Track [Page 18] + +RFC 7170 TEAP May 2014 + + + TLS HelloRequest handshake message. The peer may allow the TEAP + conversation to be restarted, or it may terminate the conversation by + sending a TEAP response with a zero-length message. + +3.6.3. Phase 2 Errors + + Any time the peer or the server finds a fatal error outside of the + TLS layer during Phase 2 TLV processing, it MUST send a Result TLV of + failure and an Error TLV with the appropriate error code. For errors + involving the processing of the sequence of exchanges, such as a + violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error + code is Unexpected TLVs Exchanged. For errors involving a tunnel + compromise, the error code is Tunnel Compromise Error. Upon sending + a Result TLV with a fatal Error TLV, the sender terminates the TLS + tunnel. Note that a server will still wait for a message from the + peer after it sends a failure; however, the server does not need to + process the contents of the response message. + + For the inner method, retransmission is not needed and SHOULD NOT be + attempted, as the Outer TLS tunnel can be considered a reliable + transport. If there is a non-fatal error handling the inner method, + instead of silently dropping the inner method request or response and + not responding, the receiving side SHOULD use an Error TLV with error + code Inner Method Error to indicate an error processing the current + inner method. The side receiving the Error TLV MAY decide to start a + new inner method instead or send back a Result TLV to terminate the + TEAP authentication session. + + If a server receives a Result TLV of failure with a fatal Error TLV, + it MUST send a cleartext EAP Failure. If a peer receives a Result + TLV of failure, it MUST respond with a Result TLV indicating failure. + If the server has sent a Result TLV of failure, it ignores the peer + response, and it MUST send a cleartext EAP Failure. + +3.7. Fragmentation + + A single TLS record may be up to 16384 octets in length, but a TLS + message may span multiple TLS records, and a TLS certificate message + may, in principle, be as long as 16 MB. This is larger than the + maximum size for a message on most media types; therefore, it is + desirable to support fragmentation. Note that in order to protect + against reassembly lockup and denial-of-service attacks, it may be + desirable for an implementation to set a maximum size for one such + group of TLS messages. Since a typical certificate chain is rarely + longer than a few thousand octets, and no other field is likely to be + anywhere near as long, a reasonable choice of maximum acceptable + message length might be 64 KB. This is still a fairly large message + packet size so a TEAP implementation MUST provide its own support for + + + +Zhou, et al. Standards Track [Page 19] + +RFC 7170 TEAP May 2014 + + + fragmentation and reassembly. Section 3.1 of [RFC3748] discusses + determining the MTU usable by EAP, and Section 4.3 discusses + retransmissions in EAP. + + Since EAP is a lock-step protocol, fragmentation support can be added + in a simple manner. In EAP, fragments that are lost or damaged in + transit will be retransmitted, and since sequencing information is + provided by the Identifier field in EAP, there is no need for a + fragment offset field. + + TEAP fragmentation support is provided through the addition of flag + bits within the EAP-Response and EAP-Request packets, as well as a + Message Length field of four octets. Flags include the Length + included (L), More fragments (M), and TEAP Start (S) bits. The L + flag is set to indicate the presence of the four-octet Message Length + field and MUST be set for the first fragment of a fragmented TLS + message or set of messages. It MUST NOT be present for any other + message. The M flag is set on all but the last fragment. The S flag + is set only within the TEAP start message sent from the EAP server to + the peer. The Message Length field is four octets and provides the + total length of the message that may be fragmented over the data + fields of multiple packets; this simplifies buffer allocation. + + When a TEAP peer receives an EAP-Request packet with the M bit set, + it MUST respond with an EAP-Response with EAP Type of TEAP and no + data. This serves as a fragment ACK. The EAP server MUST wait until + it receives the EAP-Response before sending another fragment. In + order to prevent errors in processing of fragments, the EAP server + MUST increment the Identifier field for each fragment contained + within an EAP-Request, and the peer MUST include this Identifier + value in the fragment ACK contained within the EAP-Response. + Retransmitted fragments will contain the same Identifier value. + + Similarly, when the TEAP server receives an EAP-Response with the M + bit set, it responds with an EAP-Request with EAP Type of TEAP and no + data. This serves as a fragment ACK. The EAP peer MUST wait until + it receives the EAP-Request before sending another fragment. In + order to prevent errors in the processing of fragments, the EAP + server MUST increment the Identifier value for each fragment ACK + contained within an EAP-Request, and the peer MUST include this + Identifier value in the subsequent fragment contained within an EAP- + Response. + +3.8. Peer Services + + Several TEAP services, including server unauthenticated provisioning, + PAC provisioning, certificate provisioning, and channel binding, + depend on the peer trusting the TEAP server. Peers MUST authenticate + + + +Zhou, et al. Standards Track [Page 20] + +RFC 7170 TEAP May 2014 + + + the server before these peer services are used. TEAP peer + implementations MUST have a configuration where authentication fails + if server authentication cannot be achieved. In many cases, the + server will want to authenticate the peer before providing these + services as well. + + TEAP peers MUST track whether or not server authentication has taken + place. Server authentication results if the peer trusts the provided + server certificate. Typically, this involves both validating the + certificate to a trust anchor and confirming the entity named by the + certificate is the intended server. Server authentication also + results when the procedures in Section 3.2 are used to resume a + session in which the peer and server were previously mutually + authenticated. Alternatively, peer services can be used if an inner + EAP method providing mutual authentication and an Extended Master + Session Key (EMSK) is executed and cryptographic binding with the + EMSK Compound Message Authentication Code (MAC) is correctly + validated (Section 4.2.13). This is further described in + Section 3.8.3. + + An additional complication arises when a tunnel method authenticates + multiple parties such as authenticating both the peer machine and the + peer user to the EAP server. Depending on how authentication is + achieved, only some of these parties may have confidence in it. For + example, if a strong shared secret is used to mutually authenticate + the user and the EAP server, the machine may not have confidence that + the EAP server is the authenticated party if the machine cannot trust + the user not to disclose the shared secret to an attacker. In these + cases, the parties who participate in the authentication need to be + considered when evaluating whether to use peer services. + +3.8.1. PAC Provisioning + + To request provisioning of a PAC, a peer sends a PAC TLV as defined + in Section 4.2.12 containing a PAC Attribute as defined in + Section 4.2.12.1 of PAC-Type set to the appropriate value. The peer + MUST successfully authenticate the EAP server and validate the + Crypto-Binding TLV as defined in Section 4.2.13 before issuing the + request. The peer MUST send separate PAC TLVs for each type of PAC + it wants to be provisioned. Multiple PAC TLVs can be sent in the + same packet or in different packets. The EAP server will send the + PACs after its internal policy has been satisfied, or it MAY ignore + the request or request additional authentications if its policy + dictates. The server MAY cache the request and provision the PACs + requested after all of its internal policies have been satisfied. If + a peer receives a PAC with an unknown type, it MUST ignore it. + + + + + +Zhou, et al. Standards Track [Page 21] + +RFC 7170 TEAP May 2014 + + + A PAC TLV containing a PAC-Acknowledge attribute MUST be sent by the + peer to acknowledge the receipt of the Tunnel PAC. A PAC TLV + containing a PAC-Acknowledge attribute MUST NOT be used by the peer + to acknowledge the receipt of other types of PACs. If the peer + receives a PAC TLV with an unknown attribute, it SHOULD ignore the + unknown attribute. + +3.8.2. Certificate Provisioning within the Tunnel + + Provisioning of a peer's certificate is supported in TEAP by + performing the Simple PKI Request/Response from [RFC5272] using + PKCS#10 and PKCS#7 TLVs, respectively. A peer sends the Simple PKI + Request using a PKCS#10 CertificateRequest [RFC2986] encoded into the + body of a PKCS#10 TLV (see Section 4.2.17). The TEAP server issues a + Simple PKI Response using a PKCS#7 [RFC2315] degenerate "Certificates + Only" message encoded into the body of a PKCS#7 TLV (see + Section 4.2.16), only after an authentication method has run and + provided an identity proof on the peer prior to a certificate is + being issued. + + In order to provide linking identity and proof-of-possession by + including information specific to the current authenticated TLS + session within the signed certification request, the peer generating + the request SHOULD obtain the tls-unique value from the TLS subsystem + as defined in "Channel Bindings for TLS" [RFC5929]. The TEAP peer + operations between obtaining the tls_unique value through generation + of the Certification Signing Request (CSR) that contains the current + tls_unique value and the subsequent verification of this value by the + TEAP server are the "phases of the application protocol during which + application-layer authentication occurs" that are protected by the + synchronization interoperability mechanism described in the + interoperability note in "Channel Bindings for TLS" ([RFC5929], + Section 3.1). When performing renegotiation, TLS + "secure_renegotiation" [RFC5746] MUST be used. + + The tls-unique value is base-64-encoded as specified in Section 4 of + [RFC4648], and the resulting string is placed in the certification + request challengePassword field ([RFC2985], Section 5.4.1). The + challengePassword field is limited to 255 octets (Section 7.4.9 of + [RFC5246] indicates that no existing ciphersuite would result in an + issue with this limitation). If tls-unique information is not + embedded within the certification request, the challengePassword + field MUST be empty to indicate that the peer did not include the + optional channel-binding information (any value submitted is verified + by the server as tls-unique information). + + + + + + +Zhou, et al. Standards Track [Page 22] + +RFC 7170 TEAP May 2014 + + + The server SHOULD verify the tls-unique information. This ensures + that the authenticated TEAP peer is in possession of the private key + used to sign the certification request. + + The Simple PKI Request/Response generation and processing rules of + [RFC5272] SHALL apply to TEAP, with the exception of error + conditions. In the event of an error, the TEAP server SHOULD respond + with an Error TLV using the most descriptive error code possible; it + MAY ignore the PKCS#10 request that generated the error. + +3.8.3. Server Unauthenticated Provisioning Mode + + In Server Unauthenticated Provisioning Mode, an unauthenticated + tunnel is established in Phase 1, and the peer and server negotiate + an EAP method in Phase 2 that supports mutual authentication and key + derivation that is resistant to attacks such as man-in-the-middle and + dictionary attacks. This provisioning mode enables the bootstrapping + of peers when the peer lacks the ability to authenticate the server + during Phase 1. This includes both cases in which the ciphersuite + negotiated does not provide authentication and in which the + ciphersuite negotiated provides the authentication but the peer is + unable to validate the identity of the server for some reason. + + Upon successful completion of the EAP method in Phase 2, the peer and + server exchange a Crypto-Binding TLV to bind the inner method with + the outer tunnel and ensure that a man-in-the-middle attack has not + been attempted. + + Support for the Server Unauthenticated Provisioning Mode is optional. + The ciphersuite TLS_DH_anon_WITH_AES_128_CBC_SHA is RECOMMENDED when + using Server Unauthenticated Provisioning Mode, but other anonymous + ciphersuites MAY be supported as long as the TLS pre-master secret is + generated from contribution from both peers. Phase 2 EAP methods + used in Server Unauthenticated Provisioning Mode MUST provide mutual + authentication, provide key generation, and be resistant to + dictionary attack. Example inner methods include EAP-pwd [RFC5931] + and EAP-EKE [RFC6124]. + +3.8.4. Channel Binding + + [RFC6677] defines EAP channel bindings to solve the "lying NAS" and + the "lying provider" problems, using a process in which the EAP peer + gives information about the characteristics of the service provided + by the authenticator to the Authentication, Authorization, and + Accounting (AAA) server protected within the EAP method. This allows + the server to verify the authenticator is providing information to + + + + + +Zhou, et al. Standards Track [Page 23] + +RFC 7170 TEAP May 2014 + + + the peer that is consistent with the information received from this + authenticator as well as the information stored about this + authenticator. + + TEAP supports EAP channel binding using the Channel-Binding TLV + defined in Section 4.2.7. If the TEAP server wants to request the + channel-binding information from the peer, it sends an empty Channel- + Binding TLV to indicate the request. The peer responds to the + request by sending a Channel-Binding TLV containing a channel-binding + message as defined in [RFC6677]. The server validates the channel- + binding message and sends back a Channel-Binding TLV with a result + code. If the server didn't initiate the channel-binding request and + the peer still wants to send the channel-binding information to the + server, it can do that by using the Request-Action TLV along with the + Channel-Binding TLV. The peer MUST only send channel-binding + information after it has successfully authenticated the server and + established the protected tunnel. + +4. Message Formats + + The following sections describe the message formats used in TEAP. + The fields are transmitted from left to right in network byte order. + +4.1. TEAP Message Format + + A summary of the TEAP Request/Response packet format is shown below. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Flags | Ver | Message Length : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Message Length | Outer TLV Length + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Outer TLV Length | TLS Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Outer TLVs... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + The Code field is one octet in length and is defined as follows: + + 1 Request + + 2 Response + + + +Zhou, et al. Standards Track [Page 24] + +RFC 7170 TEAP May 2014 + + + Identifier + + The Identifier field is one octet and aids in matching responses + with requests. The Identifier field MUST be changed on each + Request packet. The Identifier field in the Response packet MUST + match the Identifier field from the corresponding request. + + Length + + The Length field is two octets and indicates the length of the EAP + packet including the Code, Identifier, Length, Type, Flags, Ver, + Message Length, TLS Data, and Outer TLVs fields. Octets outside + the range of the Length field should be treated as Data Link Layer + padding and should be ignored on reception. + + Type + + 55 for TEAP + + Flags + + 0 1 2 3 4 + +-+-+-+-+-+ + |L M S O R| + +-+-+-+-+-+ + + L Length included; set to indicate the presence of the four-octet + Message Length field. It MUST be present for the first + fragment of a fragmented message. It MUST NOT be present for + any other message. + + M More fragments; set on all but the last fragment. + + S TEAP start; set in a TEAP Start message sent from the server to + the peer. + + O Outer TLV length included; set to indicate the presence of the + four-octet Outer TLV Length field. It MUST be present only in + the initial request and response messages. If the initial + message is fragmented, then it MUST be present only on the + first fragment. + + R Reserved (MUST be zero and ignored upon receipt) + + Ver + + This field contains the version of the protocol. This document + describes version 1 (001 in binary) of TEAP. + + + +Zhou, et al. Standards Track [Page 25] + +RFC 7170 TEAP May 2014 + + + Message Length + + The Message Length field is four octets and is present only if the + L bit is set. This field provides the total length of the message + that may be fragmented over the data fields of multiple packets. + + Outer TLV Length + + The Outer TLV Length field is four octets and is present only if + the O bit is set. This field provides the total length of the + Outer TLVs if present. + + TLS Data + + When the TLS Data field is present, it consists of an encapsulated + TLS packet in TLS record format. A TEAP packet with Flags and + Version fields, but with zero length TLS Data field, is used to + indicate TEAP acknowledgement for either a fragmented message, a + TLS Alert message, or a TLS Finished message. + + Outer TLVs + + The Outer TLVs consist of the optional data used to help establish + the TLS tunnel in TLV format. They are only allowed in the first + two messages in the TEAP protocol. That is the first EAP-server- + to-peer message and first peer-to-EAP-server message. The start + of the Outer TLVs can be derived from the EAP Length field and + Outer TLV Length field. + +4.2. TEAP TLV Format and Support + + The TLVs defined here are TLV objects. The TLV objects could be used + to carry arbitrary parameters between an EAP peer and EAP server + within the protected TLS tunnel. + + The EAP peer may not necessarily implement all the TLVs supported by + the EAP server. To allow for interoperability, TLVs are designed to + allow an EAP server to discover if a TLV is supported by the EAP peer + using the NAK TLV. The mandatory bit in a TLV indicates whether + support of the TLV is required. If the peer or server does not + support a TLV marked mandatory, then it MUST send a NAK TLV in the + response, and all the other TLVs in the message MUST be ignored. If + an EAP peer or server finds an unsupported TLV that is marked as + optional, it can ignore the unsupported TLV. It MUST NOT send a NAK + TLV for a TLV that is not marked mandatory. If all TLVs in a message + are marked optional and none are understood by the peer, then a NAK + TLV or Result TLV could be sent to the other side in order to + continue the conversation. + + + +Zhou, et al. Standards Track [Page 26] + +RFC 7170 TEAP May 2014 + + + Note that a peer or server may support a TLV with the mandatory bit + set but may not understand the contents. The appropriate response to + a supported TLV with content that is not understood is defined by the + individual TLV specification. + + EAP implementations compliant with this specification MUST support + TLV exchanges as well as the processing of mandatory/optional + settings on the TLV. Implementations conforming to this + specification MUST support the following TLVs: + + Authority-ID TLV + + Identity-Type TLV + + Result TLV + + NAK TLV + + Error TLV + + Request-Action TLV + + EAP-Payload TLV + + Intermediate-Result TLV + + Crypto-Binding TLV + + Basic-Password-Auth-Req TLV + + Basic-Password-Auth-Resp TLV + + + + + + + + + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 27] + +RFC 7170 TEAP May 2014 + + +4.2.1. General TLV Format + + TLVs are defined as described below. The fields are transmitted from + left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 Optional TLV + + 1 Mandatory TLV + + R + + Reserved, set to zero (0) + + TLV Type + + A 14-bit field, denoting the TLV type. Allocated types include: + + 0 Unassigned + + 1 Authority-ID TLV (Section 4.2.2) + + 2 Identity-Type TLV (Section 4.2.3) + + 3 Result TLV (Section 4.2.4) + + 4 NAK TLV (Section 4.2.5) + + 5 Error TLV (Section 4.2.6) + + 6 Channel-Binding TLV (Section 4.2.7) + + 7 Vendor-Specific TLV (Section 4.2.8) + + 8 Request-Action TLV (Section 4.2.9) + + 9 EAP-Payload TLV (Section 4.2.10) + + 10 Intermediate-Result TLV (Section 4.2.11) + + + +Zhou, et al. Standards Track [Page 28] + +RFC 7170 TEAP May 2014 + + + 11 PAC TLV (Section 4.2.12) + + 12 Crypto-Binding TLV (Section 4.2.13) + + 13 Basic-Password-Auth-Req TLV (Section 4.2.14) + + 14 Basic-Password-Auth-Resp TLV (Section 4.2.15) + + 15 PKCS#7 TLV (Section 4.2.16) + + 16 PKCS#10 TLV (Section 4.2.17) + + 17 Trusted-Server-Root TLV (Section 4.2.18) + + Length + + The length of the Value field in octets. + + Value + + The value of the TLV. + +4.2.2. Authority-ID TLV + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ID... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 1 - Authority-ID + + Length + + The Length field is two octets and contains the length of the ID + field in octets. + + + +Zhou, et al. Standards Track [Page 29] + +RFC 7170 TEAP May 2014 + + + ID + + Hint of the identity of the server to help the peer to match the + credentials available for the server. It should be unique across + the deployment. + +4.2.3. Identity-Type TLV + + The Identity-Type TLV allows an EAP server to send a hint to help the + EAP peer select the right type of identity, for example, user or + machine. TEAPv1 implementations MUST support this TLV. Only one + Identity-Type TLV SHOULD be present in the TEAP request or response + packet. The Identity-Type TLV request MUST come with an EAP-Payload + TLV or Basic-Password-Auth-Req TLV. If the EAP peer does have an + identity corresponding to the identity type requested, then the peer + SHOULD respond with an Identity-Type TLV with the requested type. If + the Identity-Type field does not contain one of the known values or + if the EAP peer does not have an identity corresponding to the + identity type requested, then the peer SHOULD respond with an + Identity-Type TLV with the one of available identity types. If the + server receives an identity type in the response that does not match + the requested type, then the peer does not possess the requested + credential type, and the server SHOULD proceed with authentication + for the credential type proposed by the peer, proceed with requesting + another credential type, or simply apply the network policy based on + the configured policy, e.g., sending Result TLV with Failure. + + The Identity-Type TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Identity-Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 (Optional) + + R + + Reserved, set to zero (0) + + TLV Type + + 2 - Identity-Type TLV + + + +Zhou, et al. Standards Track [Page 30] + +RFC 7170 TEAP May 2014 + + + Length + + 2 + + Identity-Type + + The Identity-Type field is two octets. Values include: + + 1 User + + 2 Machine + +4.2.4. Result TLV + + The Result TLV provides support for acknowledged success and failure + messages for protected termination within TEAP. If the Status field + does not contain one of the known values, then the peer or EAP server + MUST treat this as a fatal error of Unexpected TLVs Exchanged. The + behavior of the Result TLV is further discussed in Sections 3.3.3 and + 3.6.3. A Result TLV indicating failure MUST NOT be accompanied by + the following TLVs: NAK, EAP-Payload TLV, or Crypto-Binding TLV. The + Result TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Status | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 3 - Result TLV + + Length + + 2 + + + + + +Zhou, et al. Standards Track [Page 31] + +RFC 7170 TEAP May 2014 + + + Status + + The Status field is two octets. Values include: + + 1 Success + + 2 Failure + +4.2.5. NAK TLV + + The NAK TLV allows a peer to detect TLVs that are not supported by + the other peer. A TEAP packet can contain 0 or more NAK TLVs. A NAK + TLV should not be accompanied by other TLVs. A NAK TLV MUST NOT be + sent in response to a message containing a Result TLV, instead a + Result TLV of failure should be sent indicating failure and an Error + TLV of Unexpected TLVs Exchanged. The NAK TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor-Id | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | NAK-Type | TLVs... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 4 - NAK TLV + + Length + + >=6 + + Vendor-Id + + The Vendor-Id field is four octets and contains the Vendor-Id of + the TLV that was not supported. The high-order octet is 0, and + the low-order three octets are the Structure of Management + + + +Zhou, et al. Standards Track [Page 32] + +RFC 7170 TEAP May 2014 + + + Information (SMI) Network Management Private Enterprise Number of + the Vendor in network byte order. The Vendor-Id field MUST be + zero for TLVs that are not Vendor-Specific TLVs. + + NAK-Type + + The NAK-Type field is two octets. The field contains the type of + the TLV that was not supported. A TLV of this type MUST have been + included in the previous packet. + + TLVs + + This field contains a list of zero or more TLVs, each of which + MUST NOT have the mandatory bit set. These optional TLVs are for + future extensibility to communicate why the offending TLV was + determined to be unsupported. + +4.2.6. Error TLV + + The Error TLV allows an EAP peer or server to indicate errors to the + other party. A TEAP packet can contain 0 or more Error TLVs. The + Error-Code field describes the type of error. Error codes 1-999 + represent successful outcomes (informative messages), 1000-1999 + represent warnings, and 2000-2999 represent fatal errors. A fatal + Error TLV MUST be accompanied by a Result TLV indicating failure, and + the conversation is terminated as described in Section 3.6.3. + + Many of the error codes below refer to errors in inner method + processing that may be retrieved if made available by the inner + method. Implementations MUST take care that error messages do not + reveal too much information to an attacker. For example, the usage + of error message 1031 (User account credentials incorrect) is NOT + RECOMMENDED, because it allows an attacker to determine valid + usernames by differentiating this response from other responses. It + should only be used for troubleshooting purposes. + + The Error TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Error-Code | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + +Zhou, et al. Standards Track [Page 33] + +RFC 7170 TEAP May 2014 + + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 5 - Error TLV + + Length + + 4 + + Error-Code + + The Error-Code field is four octets. Currently defined values for + Error-Code include: + + 1 User account expires soon + + 2 User account credential expires soon + + 3 User account authorizations change soon + + 4 Clock skew detected + + 5 Contact administrator + + 6 User account credentials change required + + 1001 Inner Method Error + + 1002 Unspecified authentication infrastructure problem + + 1003 Unspecified authentication failure + + 1004 Unspecified authorization failure + + 1005 User account credentials unavailable + + 1006 User account expired + + 1007 User account locked: try again later + + 1008 User account locked: admin intervention required + + + +Zhou, et al. Standards Track [Page 34] + +RFC 7170 TEAP May 2014 + + + 1009 Authentication infrastructure unavailable + + 1010 Authentication infrastructure not trusted + + 1011 Clock skew too great + + 1012 Invalid inner realm + + 1013 Token out of sync: administrator intervention required + + 1014 Token out of sync: PIN change required + + 1015 Token revoked + + 1016 Tokens exhausted + + 1017 Challenge expired + + 1018 Challenge algorithm mismatch + + 1019 Client certificate not supplied + + 1020 Client certificate rejected + + 1021 Realm mismatch between inner and outer identity + + 1022 Unsupported Algorithm In Certificate Signing Request + + 1023 Unsupported Extension In Certificate Signing Request + + 1024 Bad Identity In Certificate Signing Request + + 1025 Bad Certificate Signing Request + + 1026 Internal CA Error + + 1027 General PKI Error + + 1028 Inner method's channel-binding data required but not + supplied + + 1029 Inner method's channel-binding data did not include required + information + + 1030 Inner method's channel binding failed + + 1031 User account credentials incorrect [USAGE NOT RECOMMENDED] + + + + +Zhou, et al. Standards Track [Page 35] + +RFC 7170 TEAP May 2014 + + + 2001 Tunnel Compromise Error + + 2002 Unexpected TLVs Exchanged + +4.2.7. Channel-Binding TLV + + The Channel-Binding TLV provides a mechanism for carrying channel- + binding data from the peer to the EAP server and a channel-binding + response from the EAP server to the peer as described in [RFC6677]. + TEAPv1 implementations MAY support this TLV, which cannot be + responded to with a NAK TLV. If the Channel-Binding data field does + not contain one of the known values or if the EAP server does not + support this TLV, then the server MUST ignore the value. The + Channel-Binding TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Data ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 (Optional) + + R + + Reserved, set to zero (0) + + TLV Type + + 6 - Channel-Binding TLV + + Length + + variable + + Data + + The data field contains a channel-binding message as defined in + Section 5.3 of [RFC6677]. + + + + + + + + +Zhou, et al. Standards Track [Page 36] + +RFC 7170 TEAP May 2014 + + +4.2.8. Vendor-Specific TLV + + The Vendor-Specific TLV is available to allow vendors to support + their own extended attributes not suitable for general usage. A + Vendor-Specific TLV attribute can contain one or more TLVs, referred + to as Vendor TLVs. The TLV type of a Vendor-TLV is defined by the + vendor. All the Vendor TLVs inside a single Vendor-Specific TLV + belong to the same vendor. There can be multiple Vendor-Specific + TLVs from different vendors in the same message. Error handling in + the Vendor TLV could use the vendor's own specific error-handling + mechanism or use the standard TEAP error codes defined. + + Vendor TLVs may be optional or mandatory. Vendor TLVs sent with + Result TLVs MUST be marked as optional. If the Vendor-Specific TLV + is marked as mandatory, then it is expected that the receiving side + needs to recognize the vendor ID, parse all Vendor TLVs within, and + deal with error handling within the Vendor-Specific TLV as defined by + the vendor. + + The Vendor-Specific TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor-Id | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor TLVs.... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 or 1 + + R + + Reserved, set to zero (0) + + TLV Type + + 7 - Vendor-Specific TLV + + Length + + 4 + cumulative length of all included Vendor TLVs + + Vendor-Id + + + +Zhou, et al. Standards Track [Page 37] + +RFC 7170 TEAP May 2014 + + + The Vendor-Id field is four octets and contains the Vendor-Id of + the TLV. The high-order octet is 0, and the low-order 3 octets + are the SMI Network Management Private Enterprise Number of the + Vendor in network byte order. + + Vendor TLVs + + This field is of indefinite length. It contains Vendor-Specific + TLVs, in a format defined by the vendor. + +4.2.9. Request-Action TLV + + The Request-Action TLV MAY be sent by both the peer and the server in + response to a successful or failed Result TLV. It allows the peer or + server to request the other side to negotiate additional EAP methods + or process TLVs specified in the response packet. The receiving side + MUST process this TLV. The processing for the TLV is as follows: + + The receiving entity MAY choose to process any of the TLVs that + are included in the message. + + If the receiving entity chooses NOT to process any TLV in the + list, then it sends back a Result TLV with the same code in the + Status field of the Request-Action TLV. + + If multiple Request-Action TLVs are in the request, the session + can continue if any of the TLVs in any Request-Action TLV are + processed. + + If multiple Request-Action TLVs are in the request and none of + them is processed, then the most fatal status should be used in + the Result TLV returned. If a status code in the Request-Action + TLV is not understood by the receiving entity, then it should be + treated as a fatal error. + + After processing the TLVs or EAP method in the request, another + round of Result TLV exchange would occur to synchronize the final + status on both sides. + + The peer or the server MAY send multiple Request-Action TLVs to the + other side. Two Request-Action TLVs MUST NOT occur in the same TEAP + packet if they have the same Status value. The order of processing + multiple Request-Action TLVs is implementation dependent. If the + receiving side processes the optional (non-fatal) items first, it is + possible that the fatal items will disappear at a later time. If the + receiving side processes the fatal items first, the communication + time will be shorter. + + + + +Zhou, et al. Standards Track [Page 38] + +RFC 7170 TEAP May 2014 + + + The peer or the server MAY return a new set of Request-Action TLVs + after one or more of the requested items has been processed and the + other side has signaled it wants to end the EAP conversation. + + The Request-Action TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Status | Action | TLVs.... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-+-+-+-+-+-+-+-+-+-+-+- + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 8 - Request-Action TLV + + Length + + 2 + cumulative length of all included TLVs + + Status + + The Status field is one octet. This indicates the result if the + server does not process the action requested by the peer. Values + include: + + 1 Success + + 2 Failure + + Action + + The Action field is one octet. Values include: + + 1 Process-TLV + + 2 Negotiate-EAP + + + + +Zhou, et al. Standards Track [Page 39] + +RFC 7170 TEAP May 2014 + + + TLVs + + This field is of indefinite length. It contains TLVs that the + peer wants the server to process. + +4.2.10. EAP-Payload TLV + + To allow piggybacking an EAP request or response with other TLVs, the + EAP-Payload TLV is defined, which includes an encapsulated EAP packet + and a list of optional TLVs. The optional TLVs are provided for + future extensibility to provide hints about the current EAP + authentication. Only one EAP-Payload TLV is allowed in a message. + The EAP-Payload TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | EAP packet... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | TLVs... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 9 - EAP-Payload TLV + + Length + + length of embedded EAP packet + cumulative length of additional + TLVs + + EAP packet + + This field contains a complete EAP packet, including the EAP + header (Code, Identifier, Length, Type) fields. The length of + this field is determined by the Length field of the encapsulated + EAP packet. + + + + +Zhou, et al. Standards Track [Page 40] + +RFC 7170 TEAP May 2014 + + + TLVs + + This (optional) field contains a list of TLVs associated with the + EAP packet field. The TLVs MUST NOT have the mandatory bit set. + The total length of this field is equal to the Length field of the + EAP-Payload TLV, minus the Length field in the EAP header of the + EAP packet field. + +4.2.11. Intermediate-Result TLV + + The Intermediate-Result TLV provides support for acknowledged + intermediate Success and Failure messages between multiple inner EAP + methods within EAP. An Intermediate-Result TLV indicating success + MUST be accompanied by a Crypto-Binding TLV. The optional TLVs + associated with this TLV are provided for future extensibility to + provide hints about the current result. The Intermediate-Result TLV + is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Status | TLVs... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 10 - Intermediate-Result TLV + + Length + + 2 + cumulative length of the embedded associated TLVs + + Status + + The Status field is two octets. Values include: + + 1 Success + + + + +Zhou, et al. Standards Track [Page 41] + +RFC 7170 TEAP May 2014 + + + 2 Failure + + TLVs + + This field is of indeterminate length and contains zero or more of + the TLVs associated with the Intermediate Result TLV. The TLVs in + this field MUST NOT have the mandatory bit set. + +4.2.12. PAC TLV Format + + The PAC TLV provides support for provisioning the Protected Access + Credential (PAC). The PAC TLV carries the PAC and related + information within PAC attribute fields. Additionally, the PAC TLV + MAY be used by the peer to request provisioning of a PAC of the type + specified in the PAC-Type PAC attribute. The PAC TLV MUST only be + used in a protected tunnel providing encryption and integrity + protection. A general PAC TLV format is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PAC Attributes... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 or 1 + + R + + Reserved, set to zero (0) + + TLV Type + + 11 - PAC TLV + + Length + + Two octets containing the length of the PAC Attributes field in + octets. + + PAC Attributes + + A list of PAC attributes in the TLV format. + + + + + +Zhou, et al. Standards Track [Page 42] + +RFC 7170 TEAP May 2014 + + +4.2.12.1. Formats for PAC Attributes + + Each PAC attribute in a PAC TLV is formatted as a TLV defined as + follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + The Type field is two octets, denoting the attribute type. + Allocated types include: + + 1 - PAC-Key + + 2 - PAC-Opaque + + 3 - PAC-Lifetime + + 4 - A-ID + + 5 - I-ID + + 6 - Reserved + + 7 - A-ID-Info + + 8 - PAC-Acknowledgement + + 9 - PAC-Info + + 10 - PAC-Type + + Length + + Two octets containing the length of the Value field in octets. + + Value + + The value of the PAC attribute. + + + + + + +Zhou, et al. Standards Track [Page 43] + +RFC 7170 TEAP May 2014 + + +4.2.12.2. PAC-Key + + The PAC-Key is a secret key distributed in a PAC attribute of type + PAC-Key. The PAC-Key attribute is included within the PAC TLV + whenever the server wishes to issue or renew a PAC that is bound to a + key such as a Tunnel PAC. The key is a randomly generated octet + string that is 48 octets in length. The generator of this key is the + issuer of the credential, which is identified by the Authority + Identifier (A-ID). + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ Key ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 1 - PAC-Key + + Length + + 2-octet length indicating the length of the key. + + Key + + The value of the PAC-Key. + +4.2.12.3. PAC-Opaque + + The PAC-Opaque attribute is included within the PAC TLV whenever the + server wishes to issue or renew a PAC. + + The PAC-Opaque is opaque to the peer, and thus the peer MUST NOT + attempt to interpret it. A peer that has been issued a PAC-Opaque by + a server stores that data and presents it back to the server + according to its PAC-Type. The Tunnel PAC is used in the ClientHello + SessionTicket extension field defined in [RFC5077]. If a peer has + opaque data issued to it by multiple servers, then it stores the data + issued by each server separately according to the A-ID. This + requirement allows the peer to maintain and use each opaque datum as + an independent PAC pairing, with a PAC-Key mapping to a PAC-Opaque + identified by the A-ID. As there is a one-to-one correspondence + between the PAC-Key and PAC-Opaque, the peer determines the PAC-Key + + + +Zhou, et al. Standards Track [Page 44] + +RFC 7170 TEAP May 2014 + + + and corresponding PAC-Opaque based on the A-ID provided in the + TEAP/Start message and the A-ID provided in the PAC-Info when it was + provisioned with a PAC-Opaque. + + The PAC-Opaque attribute format is summarized as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 2 - PAC-Opaque + + Length + + The Length field is two octets, which contains the length of the + Value field in octets. + + Value + + The Value field contains the actual data for the PAC-Opaque. It + is specific to the server implementation. + +4.2.12.4. PAC-Info + + The PAC-Info is comprised of a set of PAC attributes as defined in + Section 4.2.12.1. The PAC-Info attribute MUST contain the A-ID, + A-ID-Info, and PAC-Type attributes. Other attributes MAY be included + in the PAC-Info to provide more information to the peer. The + PAC-Info attribute MUST NOT contain the PAC-Key, PAC-Acknowledgement, + PAC-Info, or PAC-Opaque attributes. The PAC-Info attribute is + included within the PAC TLV whenever the server wishes to issue or + renew a PAC. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + +Zhou, et al. Standards Track [Page 45] + +RFC 7170 TEAP May 2014 + + + Type + + 9 - PAC-Info + + Length + + 2-octet field containing the length of the Attributes field in + octets. + + Attributes + + The Attributes field contains a list of PAC attributes. Each + mandatory and optional field type is defined as follows: + + 3 - PAC-Lifetime + + This is a 4-octet quantity representing the expiration time of + the credential expressed as the number of seconds, excluding + leap seconds, after midnight UTC, January 1, 1970. This + attribute MAY be provided to the peer as part of the PAC-Info. + + 4 - A-ID + + The A-ID is the identity of the authority that issued the PAC. + The A-ID is intended to be unique across all issuing servers to + avoid namespace collisions. The A-ID is used by the peer to + determine which PAC to employ. The A-ID is treated as an + opaque octet string. This attribute MUST be included in the + PAC-Info attribute. The A-ID MUST match the Authority-ID the + server used to establish the tunnel. One method for generating + the A-ID is to use a high-quality random number generator to + generate a random number. An alternate method would be to take + the hash of the public key or public key certificate belonging + to a server represented by the A-ID. + + 5 - I-ID + + Initiator Identifier (I-ID) is the peer identity associated + with the credential. This identity is derived from the inner + authentication or from the client-side authentication during + tunnel establishment if inner authentication is not used. The + server employs the I-ID in the TEAP Phase 2 conversation to + validate that the same peer identity used to execute TEAP Phase + 1 is also used in at minimum one inner authentication in TEAP + Phase 2. If the server is enforcing the I-ID validation on the + inner authentication, then the I-ID MUST be included in the + PAC-Info, to enable the peer to also enforce a unique PAC for + each unique user. If the I-ID is missing from the PAC-Info, it + + + +Zhou, et al. Standards Track [Page 46] + +RFC 7170 TEAP May 2014 + + + is assumed that the Tunnel PAC can be used for multiple users + and the peer will not enforce the unique-Tunnel-PAC-per-user + policy. + + 7 - A-ID-Info + + Authority Identifier Information is intended to provide a user- + friendly name for the A-ID. It may contain the enterprise name + and server name in a human-readable format. This TLV serves as + an aid to the peer to better inform the end user about the + A-ID. The name is encoded in UTF-8 [RFC3629] format. This + attribute MUST be included in the PAC-Info. + + 10 - PAC-Type + + The PAC-Type is intended to provide the type of PAC. This + attribute SHOULD be included in the PAC-Info. If the PAC-Type + is not present, then it defaults to a Tunnel PAC (Type 1). + +4.2.12.5. PAC-Acknowledgement TLV + + The PAC-Acknowledgement is used to acknowledge the receipt of the + Tunnel PAC by the peer. The peer includes the PAC-Acknowledgement + TLV in a PAC TLV sent to the server to indicate the result of the + processing and storing of a newly provisioned Tunnel PAC. This TLV + is only used when Tunnel PAC is provisioned. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Result | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 8 - PAC-Acknowledgement + + Length + + The length of this field is two octets containing a value of 2. + + Result + + The resulting value MUST be one of the following: + + 1 - Success + + + +Zhou, et al. Standards Track [Page 47] + +RFC 7170 TEAP May 2014 + + + 2 - Failure + +4.2.12.6. PAC-Type TLV + + The PAC-Type TLV is a TLV intended to specify the PAC-Type. It is + included in a PAC TLV sent by the peer to request PAC provisioning + from the server. Its format is described below: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PAC-Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 10 - PAC-Type + + Length + + 2-octet field with a value of 2. + + PAC-Type + + This 2-octet field defines the type of PAC being requested or + provisioned. The following values are defined: + + 1 - Tunnel PAC + +4.2.13. Crypto-Binding TLV + + The Crypto-Binding TLV is used to prove that both the peer and server + participated in the tunnel establishment and sequence of + authentications. It also provides verification of the TEAP type, + version negotiated, and Outer TLVs exchanged before the TLS tunnel + establishment. + + The Crypto-Binding TLV MUST be exchanged and verified before the + final Result TLV exchange, regardless of whether there is an inner + EAP method authentication or not. It MUST be included with the + Intermediate-Result TLV to perform cryptographic binding after each + successful EAP method in a sequence of EAP methods, before proceeding + with another inner EAP method. The Crypto-Binding TLV is valid only + if the following checks pass: + + o The Crypto-Binding TLV version is supported. + + + +Zhou, et al. Standards Track [Page 48] + +RFC 7170 TEAP May 2014 + + + o The MAC verifies correctly. + + o The received version in the Crypto-Binding TLV matches the version + sent by the receiver during the EAP version negotiation. + + o The subtype is set to the correct value. + + If any of the above checks fails, then the TLV is invalid. An + invalid Crypto-Binding TLV is a fatal error and is handled as + described in Section 3.6.3 + + The Crypto-Binding TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reserved | Version | Received Ver.| Flags|Sub-Type| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ Nonce ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ EMSK Compound MAC ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ MSK Compound MAC ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + Mandatory, set to one (1) + + R + + Reserved, set to zero (0) + + TLV Type + + 12 - Crypto-Binding TLV + + Length + + 76 + + + +Zhou, et al. Standards Track [Page 49] + +RFC 7170 TEAP May 2014 + + + Reserved + + Reserved, set to zero (0) + + Version + + The Version field is a single octet, which is set to the version + of Crypto-Binding TLV the TEAP method is using. For an + implementation compliant with this version of TEAP, the version + number MUST be set to one (1). + + Received Ver + + The Received Ver field is a single octet and MUST be set to the + TEAP version number received during version negotiation. Note + that this field only provides protection against downgrade + attacks, where a version of EAP requiring support for this TLV is + required on both sides. + + Flags + + The Flags field is four bits. Defined values include + + 1 EMSK Compound MAC is present + + 2 MSK Compound MAC is present + + 3 Both EMSK and MSK Compound MAC are present + + Sub-Type + + The Sub-Type field is four bits. Defined values include + + 0 Binding Request + + 1 Binding Response + + Nonce + + The Nonce field is 32 octets. It contains a 256-bit nonce that is + temporally unique, used for Compound MAC key derivation at each + end. The nonce in a request MUST have its least significant bit + set to zero (0), and the nonce in a response MUST have the same + value as the request nonce except the least significant bit MUST + be set to one (1). + + + + + + +Zhou, et al. Standards Track [Page 50] + +RFC 7170 TEAP May 2014 + + + EMSK Compound MAC + + The EMSK Compound MAC field is 20 octets. This can be the Server + MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the + MAC is described in Section 5.3. + + MSK Compound MAC + + The MSK Compound MAC field is 20 octets. This can be the Server + MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the + MAC is described in Section 5.3. + +4.2.14. Basic-Password-Auth-Req TLV + + The Basic-Password-Auth-Req TLV is used by the authentication server + to request a username and password from the peer. It contains an + optional user prompt message for the request. The peer is expected + to obtain the username and password and send them in a Basic- + Password-Auth-Resp TLV. + + The Basic-Password-Auth-Req TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Prompt .... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 (Optional) + + R + + Reserved, set to zero (0) + + TLV Type + + 13 - Basic-Password-Auth-Req TLV + + Length + + variable + + + + + + +Zhou, et al. Standards Track [Page 51] + +RFC 7170 TEAP May 2014 + + + Prompt + + optional user prompt message in UTF-8 [RFC3629] format + +4.2.15. Basic-Password-Auth-Resp TLV + + The Basic-Password-Auth-Resp TLV is used by the peer to respond to a + Basic-Password-Auth-Req TLV with a username and password. The TLV + contains a username and password. The username and password are in + UTF-8 [RFC3629] format. + + The Basic-Password-Auth-Resp TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Userlen | Username + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ... Username ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Passlen | Password + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ... Password ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M + + 0 (Optional) + + R + + Reserved, set to zero (0) + + TLV Type + + 14 - Basic-Password-Auth-Resp TLV + + Length + + variable + + Userlen + + Length of Username field in octets + + + + + +Zhou, et al. Standards Track [Page 52] + +RFC 7170 TEAP May 2014 + + + Username + + Username in UTF-8 [RFC3629] format + + Passlen + + Length of Password field in octets + + Password + + Password in UTF-8 [RFC3629] format + +4.2.16. PKCS#7 TLV + + The PKCS#7 TLV is used by the EAP server to deliver certificate(s) to + the peer. The format consists of a certificate or certificate chain + in binary DER encoding [X.690] in a degenerate Certificates Only + PKCS#7 SignedData Content as defined in [RFC5652]. + + When used in response to a Trusted-Server-Root TLV request from the + peer, the EAP server MUST send the PKCS#7 TLV inside a Trusted- + Server-Root TLV. When used in response to a PKCS#10 certificate + enrollment request from the peer, the EAP server MUST send the PKCS#7 + TLV without a Trusted-Server-Root TLV. The PKCS#7 TLV is always + marked as optional, which cannot be responded to with a NAK TLV. + TEAP implementations that support the Trusted-Server-Root TLV or the + PKCS#10 TLV MUST support this TLV. Peers MUST NOT assume that the + certificates in a PKCS#7 TLV are in any order. + + TEAP servers MAY return self-signed certificates. Peers that handle + self-signed certificates or trust anchors MUST NOT implicitly trust + these certificates merely due to their presence in the certificate + bag. Note: Peers are advised to take great care in deciding whether + to use a received certificate as a trust anchor. The authenticated + nature of the tunnel in which a PKCS#7 bag is received can provide a + level of authenticity to the certificates contained therein. Peers + are advised to take into account the implied authority of the EAP + server and to constrain the trust it can achieve through the trust + anchor received in a PKCS#7 TLV. + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 53] + +RFC 7170 TEAP May 2014 + + + The PKCS#7 TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PKCS#7 Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + M + + 0 - Optional TLV + + R + + Reserved, set to zero (0) + + TLV Type + + 15 - PKCS#7 TLV + + Length + + The length of the PKCS#7 Data field. + + PKCS#7 Data + + This field contains the DER-encoded X.509 certificate or + certificate chain in a Certificates-Only PKCS#7 SignedData + message. + +4.2.17. PKCS#10 TLV + + The PKCS#10 TLV is used by the peer to initiate the "simple PKI" + Request/Response from [RFC5272]. The format of the request is as + specified in Section 6.4 of [RFC4945]. The PKCS#10 TLV is always + marked as optional, which cannot be responded to with a NAK TLV. + + The PKCS#10 TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PKCS#10 Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + +Zhou, et al. Standards Track [Page 54] + +RFC 7170 TEAP May 2014 + + + M + + 0 - Optional TLV + + R + + Reserved, set to zero (0) + + TLV Type + + 16 - PKCS#10 TLV + + Length + + The length of the PKCS#10 Data field. + + PKCS#10 Data + + This field contains the DER-encoded PKCS#10 certificate request. + +4.2.18. Trusted-Server-Root TLV + + Trusted-Server-Root TLV facilitates the request and delivery of a + trusted server root certificate. The Trusted-Server-Root TLV can be + exchanged in regular TEAP authentication mode or provisioning mode. + The Trusted-Server-Root TLV is always marked as optional and cannot + be responded to with a Negative Acknowledgement (NAK) TLV. The + Trusted-Server-Root TLV MUST only be sent as an Inner TLV (inside the + protection of the tunnel). + + After the peer has determined that it has successfully authenticated + the EAP server and validated the Crypto-Binding TLV, it MAY send one + or more Trusted-Server-Root TLVs (marked as optional) to request the + trusted server root certificates from the EAP server. The EAP server + MAY send one or more root certificates with a Public Key + Cryptographic System #7 (PKCS#7) TLV inside the Trusted-Server-Root + TLV. The EAP server MAY also choose not to honor the request. + + The Trusted-Server-Root TLV allows the peer to send a request to the + EAP server for a list of trusted roots. The server may respond with + one or more root certificates in PKCS#7 [RFC2315] format. + + If the EAP server sets the credential format to PKCS#7-Server- + Certificate-Root, then the Trusted-Server-Root TLV should contain the + root of the certificate chain of the certificate issued to the EAP + server packaged in a PKCS#7 TLV. If the server certificate is a + self-signed certificate, then the root is the self-signed + certificate. + + + +Zhou, et al. Standards Track [Page 55] + +RFC 7170 TEAP May 2014 + + + If the Trusted-Server-Root TLV credential format contains a value + unknown to the peer, then the EAP peer should ignore the TLV. + + The Trusted-Server-Root TLV is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |M|R| TLV Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Credential-Format | Cred TLVs... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + M + + 0 - Optional TLV + + R + + Reserved, set to zero (0) + + TLV Type + + 17 - Trusted-Server-Root TLV + + Length + + >=2 octets + + Credential-Format + + The Credential-Format field is two octets. Values include: + + 1 - PKCS#7-Server-Certificate-Root + + Cred TLVs + + This field is of indefinite length. It contains TLVs associated + with the credential format. The peer may leave this field empty + when using this TLV to request server trust roots. + +4.3. TLV Rules + + To save round trips, multiple TLVs can be sent in a single TEAP + packet. However, multiple EAP Payload TLVs, multiple Basic Password + Authentication TLVs, or an EAP Payload TLV with a Basic Password + Authentication TLV within one single TEAP packet is not supported in + this version and MUST NOT be sent. If the peer or EAP server + + + +Zhou, et al. Standards Track [Page 56] + +RFC 7170 TEAP May 2014 + + + receives multiple EAP Payload TLVs, then it MUST terminate the + connection with the Result TLV. The order of TLVs in TEAP does not + matter, except one should always process the Identity-Type TLV before + processing the EAP TLV or Basic Password Authentication TLV as the + Identity-Type TLV is a hint to the type of identity that is to be + authenticated. + + The following define the meaning of the table entries in the sections + below: + + 0 This TLV MUST NOT be present in the message. + + 0+ Zero or more instances of this TLV MAY be present in the + message. + + 0-1 Zero or one instance of this TLV MAY be present in the message. + + 1 Exactly one instance of this TLV MUST be present in the + message. + +4.3.1. Outer TLVs + + The following table provides a guide to which TLVs may be included in + the TEAP packet outside the TLS channel, which kind of packets, and + in what quantity: + + Request Response Success Failure TLVs + 0-1 0 0 0 Authority-ID + 0-1 0-1 0 0 Identity-Type + 0+ 0+ 0 0 Vendor-Specific + + Outer TLVs MUST be marked as optional. Vendor-TLVs inside Vendor- + Specific TLV MUST be marked as optional when included in Outer TLVs. + Outer TLVs MUST NOT be included in messages after the first two TEAP + messages sent by peer and EAP-server respectively. That is the first + EAP-server-to-peer message and first peer-to-EAP-server message. If + the message is fragmented, the whole set of messages is counted as + one message. If Outer TLVs are included in messages after the first + two TEAP messages, they MUST be ignored. + +4.3.2. Inner TLVs + + The following table provides a guide to which Inner TLVs may be + encapsulated in TLS in TEAP Phase 2, in which kind of packets, and in + what quantity. The messages are as follows: Request is a TEAP + Request, Response is a TEAP Response, Success is a message containing + a successful Result TLV, and Failure is a message containing a failed + Result TLV. + + + +Zhou, et al. Standards Track [Page 57] + +RFC 7170 TEAP May 2014 + + + Request Response Success Failure TLVs + 0-1 0-1 0 0 Identity-Type + 0-1 0-1 1 1 Result + 0+ 0+ 0 0 NAK + 0+ 0+ 0+ 0+ Error + 0-1 0-1 0 0 Channel-Binding + 0+ 0+ 0+ 0+ Vendor-Specific + 0+ 0+ 0+ 0+ Request-Action + 0-1 0-1 0 0 EAP-Payload + 0-1 0-1 0-1 0-1 Intermediate-Result + 0+ 0+ 0+ 0 PAC TLV + 0-1 0-1 0-1 0-1 Crypto-Binding + 0-1 0 0 0 Basic-Password-Auth-Req + 0 0-1 0 0 Basic-Password-Auth-Resp + 0-1 0 0-1 0 PKCS#7 + 0 0-1 0 0 PKCS#10 + 0-1 0-1 0-1 0 Trusted-Server-Root + + NOTE: Vendor TLVs (included in Vendor-Specific TLVs) sent with a + Result TLV MUST be marked as optional. + +5. Cryptographic Calculations + + For key derivation and crypto-binding, TEAP uses the Pseudorandom + Function (PRF) and MAC algorithms negotiated in the underlying TLS + session. Since these algorithms depend on the TLS version and + ciphersuite, TEAP implementations need a mechanism to determine the + version and ciphersuite in use for a particular session. The + implementation can then use this information to determine which PRF + and MAC algorithm to use. + +5.1. TEAP Authentication Phase 1: Key Derivations + + With TEAPv1, the TLS master secret is generated as specified in TLS. + If a PAC is used, then the master secret is obtained as described in + [RFC5077]. + + TEAPv1 makes use of the TLS Keying Material Exporters defined in + [RFC5705] to derive the session_key_seed. The label used in the + derivation is "EXPORTER: teap session key seed". The length of the + session key seed material is 40 octets. No context data is used in + the export process. + + The session_key_seed is used by the TEAP authentication Phase 2 + conversation to both cryptographically bind the inner method(s) to + the tunnel as well as generate the resulting TEAP session keys. The + other TLS keying materials are derived and used as defined in + [RFC5246]. + + + +Zhou, et al. Standards Track [Page 58] + +RFC 7170 TEAP May 2014 + + +5.2. Intermediate Compound Key Derivations + + The session_key_seed derived as part of TEAP Phase 2 is used in TEAP + Phase 2 to generate an Intermediate Compound Key (IMCK) used to + verify the integrity of the TLS tunnel after each successful inner + authentication and in the generation of Master Session Key (MSK) and + Extended Master Session Key (EMSK) defined in [RFC3748]. Note that + the IMCK MUST be recalculated after each successful inner EAP method. + + The first step in these calculations is the generation of the base + compound key, IMCK[n] from the session_key_seed, and any session keys + derived from the successful execution of nth inner EAP methods. The + inner EAP method(s) may provide Inner Method Session Keys (IMSKs), + IMSK1..IMSKn, corresponding to inner method 1 through n. + + If an inner method supports export of an Extended Master Session Key + (EMSK), then the IMSK SHOULD be derived from the EMSK as defined in + [RFC5295]. The usage label used is "TEAPbindkey@ietf.org", and the + length is 64 octets. Optional data parameter is not used in the + derivation. + + IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" | + "\0" | 64) + + where "|" denotes concatenation, EMSK is the EMSK from the inner + method, "TEAPbindkey@ietf.org" consists the ASCII value for the + label "TEAPbindkey@ietf.org" (without quotes), "\0" = is a NULL + octet (0x00 in hex), length is the 2-octet unsigned integer in + network byte order, and TLS-PRF is the PRF negotiated as part of + TLS handshake [RFC5246]. + + If an inner method does not support export of an Extended Master + Session Key (EMSK), then IMSK is the MSK of the inner method. The + MSK is truncated at 32 octets if it is longer than 32 octets or + padded to a length of 32 octets with zeros if it is less than 32 + octets. + + However, it's possible that the peer and server sides might not have + the same capability to export EMSK. In order to maintain maximum + flexibility while prevent downgrading attack, the following mechanism + is in place. + + On the sender of the Crypto-Binding TLV side: + + If the EMSK is not available, then the sender computes the Compound + MAC using the MSK of the inner method. + + + + + +Zhou, et al. Standards Track [Page 59] + +RFC 7170 TEAP May 2014 + + + If the EMSK is available and the sender's policy accepts MSK-based + MAC, then the sender computes two Compound MAC values. The first + is computed with the EMSK. The second one is computed using the + MSK. Both MACs are then sent to the other side. + + If the EMSK is available but the sender's policy does not allow + downgrading to MSK-generated MAC, then the sender SHOULD only send + EMSK-based MAC. + + On the receiver of the Crypto-Binding TLV side: + + If the EMSK is not available and an MSK-based Compound MAC was + sent, then the receiver validates the Compound MAC and sends back + an MSK-based Compound MAC response. + + If the EMSK is not available and no MSK-based Compound MAC was + sent, then the receiver handles like an invalid Crypto-Binding TLV + with a fatal error. + + If the EMSK is available and an EMSK-based Compound MAC was sent, + then the receiver validates it and creates a response Compound MAC + using the EMSK. + + If the EMSK is available but no EMSK-based Compound MAC was sent + and its policy accepts MSK-based MAC, then the receiver validates + it using the MSK and, if successful, generates and returns an MSK- + based Compound MAC. + + If the EMSK is available but no EMSK Compound MAC was sent and its + policy does not accept MSK-based MAC, then the receiver handles + like an invalid Crypto-Binding TLV with a fatal error. + + If the ith inner method does not generate an EMSK or MSK, then IMSKi + is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner method + fails, then it is not included in this calculation. The derivation + of S-IMCK is as follows: + + S-IMCK[0] = session_key_seed + For j = 1 to n-1 do + IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", + IMSK[j], 60) + S-IMCK[j] = first 40 octets of IMCK[j] + CMK[j] = last 20 octets of IMCK[j] + + where TLS-PRF is the PRF negotiated as part of TLS handshake + [RFC5246]. + + + + + +Zhou, et al. Standards Track [Page 60] + +RFC 7170 TEAP May 2014 + + +5.3. Computing the Compound MAC + + For authentication methods that generate keying material, further + protection against man-in-the-middle attacks is provided through + cryptographically binding keying material established by both TEAP + Phase 1 and TEAP Phase 2 conversations. After each successful inner + EAP authentication, EAP EMSK and/or MSKs are cryptographically + combined with key material from TEAP Phase 1 to generate a Compound + Session Key (CMK). The CMK is used to calculate the Compound MAC as + part of the Crypto-Binding TLV described in Section 4.2.13, which + helps provide assurance that the same entities are involved in all + communications in TEAP. During the calculation of the Compound MAC, + the MAC field is filled with zeros. + + The Compound MAC computation is as follows: + + CMK = CMK[j] + Compound-MAC = MAC( CMK, BUFFER ) + + where j is the number of the last successfully executed inner EAP + method, MAC is the MAC function negotiated in TLS 1.2 [RFC5246], and + BUFFER is created after concatenating these fields in the following + order: + + 1 The entire Crypto-Binding TLV attribute with both the EMSK and MSK + Compound MAC fields zeroed out. + + 2 The EAP Type sent by the other party in the first TEAP message. + + 3 All the Outer TLVs from the first TEAP message sent by EAP server + to peer. If a single TEAP message is fragmented into multiple + TEAP packets, then the Outer TLVs in all the fragments of that + message MUST be included. + + 4 All the Outer TLVs from the first TEAP message sent by the peer to + the EAP server. If a single TEAP message is fragmented into + multiple TEAP packets, then the Outer TLVs in all the fragments of + that message MUST be included. + +5.4. EAP Master Session Key Generation + + TEAP authentication assures the Master Session Key (MSK) and Extended + Master Session Key (EMSK) output from the EAP method are the result + of all authentication conversations by generating an Intermediate + Compound Key (IMCK). The IMCK is mutually derived by the peer and + the server as described in Section 5.2 by combining the MSKs from + + + + + +Zhou, et al. Standards Track [Page 61] + +RFC 7170 TEAP May 2014 + + + inner EAP methods with key material from TEAP Phase 1. The resulting + MSK and EMSK are generated as part of the IMCKn key hierarchy as + follows: + + MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64) + EMSK = TLS-PRF(S-IMCK[j], + "Extended Session Key Generating Function", 64) + + where j is the number of the last successfully executed inner EAP + method. + + The EMSK is typically only known to the TEAP peer and server and is + not provided to a third party. The derivation of additional keys and + transportation of these keys to a third party are outside the scope + of this document. + + If no EAP methods have been negotiated inside the tunnel or no EAP + methods have been successfully completed inside the tunnel, the MSK + and EMSK will be generated directly from the session_key_seed meaning + S-IMCK = session_key_seed. + +6. IANA Considerations + + This section provides guidance to the Internet Assigned Numbers + Authority (IANA) regarding registration of values related to the TEAP + protocol, in accordance with BCP 26 [RFC5226]. + + The EAP Method Type number 55 has been assigned for TEAP. + + The document defines a registry for TEAP TLV types, which may be + assigned by Specification Required as defined in [RFC5226]. + Section 4.2 defines the TLV types that initially populate the + registry. A summary of the TEAP TLV types is given below: + + 0 Unassigned + + 1 Authority-ID TLV + + 2 Identity-Type TLV + + 3 Result TLV + + 4 NAK TLV + + 5 Error TLV + + 6 Channel-Binding TLV + + + + +Zhou, et al. Standards Track [Page 62] + +RFC 7170 TEAP May 2014 + + + 7 Vendor-Specific TLV + + 8 Request-Action TLV + + 9 EAP-Payload TLV + + 10 Intermediate-Result TLV + + 11 PAC TLV + + 12 Crypto-Binding TLV + + 13 Basic-Password-Auth-Req TLV + + 14 Basic-Password-Auth-Resp TLV + + 15 PKCS#7 TLV + + 16 PKCS#10 TLV + + 17 Trusted-Server-Root TLV + + The Identity-Type defined in Section 4.2.3 contains an identity type + code that is assigned on a Specification Required basis as defined in + [RFC5226]. The initial types defined are: + + 1 User + + 2 Machine + + The Result TLV defined in Section 4.2.4, Request-Action TLV defined + in Section 4.2.9, and Intermediate-Result TLV defined in + Section 4.2.11 contain a Status code that is assigned on a + Specification Required basis as defined in [RFC5226]. The initial + types defined are: + + 1 Success + + 2 Failure + + The Error-TLV defined in Section 4.2.6 requires an error code. TEAP + Error-TLV error codes are assigned based on a Specification Required + basis as defined in [RFC5226]. The initial list of error codes is as + follows: + + 1 User account expires soon + + 2 User account credential expires soon + + + +Zhou, et al. Standards Track [Page 63] + +RFC 7170 TEAP May 2014 + + + 3 User account authorizations change soon + + 4 Clock skew detected + + 5 Contact administrator + + 6 User account credentials change required + + 1001 Inner Method Error + + 1002 Unspecified authentication infrastructure problem + + 1003 Unspecified authentication failure + + 1004 Unspecified authorization failure + + 1005 User account credentials unavailable + + 1006 User account expired + + 1007 User account locked: try again later + + 1008 User account locked: admin intervention required + + 1009 Authentication infrastructure unavailable + + 1010 Authentication infrastructure not trusted + + 1011 Clock skew too great + + 1012 Invalid inner realm + + 1013 Token out of sync: administrator intervention required + + 1014 Token out of sync: PIN change required + + 1015 Token revoked + + 1016 Tokens exhausted + + 1017 Challenge expired + + 1018 Challenge algorithm mismatch + + 1019 Client certificate not supplied + + 1020 Client certificate rejected + + + + +Zhou, et al. Standards Track [Page 64] + +RFC 7170 TEAP May 2014 + + + 1021 Realm mismatch between inner and outer identity + + 1022 Unsupported Algorithm In Certificate Signing Request + + 1023 Unsupported Extension In Certificate Signing Request + + 1024 Bad Identity In Certificate Signing Request + + 1025 Bad Certificate Signing Request + + 1026 Internal CA Error + + 1027 General PKI Error + + 1028 Inner method's channel-binding data required but not supplied + + 1029 Inner method's channel-binding data did not include required + information + + 1030 Inner method's channel binding failed + + 1031 User account credentials incorrect [USAGE NOT RECOMMENDED] + + 2001 Tunnel Compromise Error + + 2002 Unexpected TLVs Exchanged + + The Request-Action TLV defined in Section 4.2.9 contains an action + code that is assigned on a Specification Required basis as defined in + [RFC5226]. The initial actions defined are: + + 1 Process-TLV + + 2 Negotiate-EAP + + The PAC Attribute defined in Section 4.2.12.1 contains a Type code + that is assigned on a Specification Required basis as defined in + [RFC5226]. The initial types defined are: + + 1 PAC-Key + + 2 PAC-Opaque + + 3 PAC-Lifetime + + 4 A-ID + + 5 I-ID + + + +Zhou, et al. Standards Track [Page 65] + +RFC 7170 TEAP May 2014 + + + 6 Reserved + + 7 A-ID-Info + + 8 PAC-Acknowledgement + + 9 PAC-Info + + 10 PAC-Type + + The PAC-Type defined in Section 4.2.12.6 contains a type code that is + assigned on a Specification Required basis as defined in [RFC5226]. + The initial type defined is: + + 1 Tunnel PAC + + The Trusted-Server-Root TLV defined in Section 4.2.18 contains a + Credential-Format code that is assigned on a Specification Required + basis as defined in [RFC5226]. The initial type defined is: + + 1 PKCS#7-Server-Certificate-Root + + The various values under the Vendor-Specific TLV are assigned by + Private Use and do not need to be assigned by IANA. + + TEAP registers the label "EXPORTER: teap session key seed" in the TLS + Exporter Label Registry [RFC5705]. This label is used in derivation + as defined in Section 5.1. + + TEAP registers a TEAP binding usage label from the "User Specific + Root Keys (USRK) Key Labels" name space defined in [RFC5295] with a + value "TEAPbindkey@ietf.org". + +7. Security Considerations + + TEAP is designed with a focus on wireless media, where the medium + itself is inherent to eavesdropping. Whereas in wired media an + attacker would have to gain physical access to the wired medium, + wireless media enables anyone to capture information as it is + transmitted over the air, enabling passive attacks. Thus, physical + security can not be assumed, and security vulnerabilities are far + greater. The threat model used for the security evaluation of TEAP + is defined in EAP [RFC3748]. + + + + + + + + +Zhou, et al. Standards Track [Page 66] + +RFC 7170 TEAP May 2014 + + +7.1. Mutual Authentication and Integrity Protection + + As a whole, TEAP provides message and integrity protection by + establishing a secure tunnel for protecting the authentication + method(s). The confidentiality and integrity protection is defined + by TLS and provides the same security strengths afforded by TLS + employing a strong entropy shared master secret. The integrity of + the key generating authentication methods executed within the TEAP + tunnel is verified through the calculation of the Crypto-Binding TLV. + This ensures that the tunnel endpoints are the same as the inner + method endpoints. + + The Result TLV is protected and conveys the true Success or Failure + of TEAP, and it should be used as the indicator of its success or + failure respectively. However, as EAP terminates with either a + cleartext EAP Success or Failure, a peer will also receive a + cleartext EAP Success or Failure. The received cleartext EAP Success + or Failure MUST match that received in the Result TLV; the peer + SHOULD silently discard those cleartext EAP Success or Failure + messages that do not coincide with the status sent in the protected + Result TLV. + +7.2. Method Negotiation + + As is true for any negotiated EAP protocol, NAK packets used to + suggest an alternate authentication method are sent unprotected and, + as such, are subject to spoofing. During unprotected EAP method + negotiation, NAK packets may be interjected as active attacks to + negotiate down to a weaker form of authentication, such as EAP-MD5 + (which only provides one-way authentication and does not derive a + key). Both the peer and server should have a method selection policy + that prevents them from negotiating down to weaker methods. Inner + method negotiation resists attacks because it is protected by the + mutually authenticated TLS tunnel established. Selection of TEAP as + an authentication method does not limit the potential inner + authentication methods, so TEAP should be selected when available. + + An attacker cannot readily determine the inner EAP method used, + except perhaps by traffic analysis. It is also important that peer + implementations limit the use of credentials with an unauthenticated + or unauthorized server. + +7.3. Separation of Phase 1 and Phase 2 Servers + + Separation of the TEAP Phase 1 from the Phase 2 conversation is NOT + RECOMMENDED. Allowing the Phase 1 conversation to be terminated at a + different server than the Phase 2 conversation can introduce + vulnerabilities if there is not a proper trust relationship and + + + +Zhou, et al. Standards Track [Page 67] + +RFC 7170 TEAP May 2014 + + + protection for the protocol between the two servers. Some + vulnerabilities include: + + o Loss of identity protection + + o Offline dictionary attacks + + o Lack of policy enforcement + + o Man-in-the-middle attacks (as described in [RFC7029]) + + There may be cases where a trust relationship exists between the + Phase 1 and Phase 2 servers, such as on a campus or between two + offices within the same company, where there is no danger in + revealing the inner identity and credentials of the peer to entities + between the two servers. In these cases, using a proxy solution + without end-to-end protection of TEAP MAY be used. The TEAP + encrypting/decrypting gateway MUST, at a minimum, provide support for + IPsec, TLS, or similar protection in order to provide confidentiality + for the portion of the conversation between the gateway and the EAP + server. In addition, separation of the inner and outer method + servers allows for crypto-binding based on the inner method MSK to be + thwarted as described in [RFC7029]. Implementation and deployment + SHOULD adopt various mitigation strategies described in [RFC7029]. + If the inner method is deriving EMSK, then this threat is mitigated + as TEAP utilizes the mutual crypto-binding based on EMSK as described + in [RFC7029]. + +7.4. Mitigation of Known Vulnerabilities and Protocol Deficiencies + + TEAP addresses the known deficiencies and weaknesses in the EAP + method. By employing a shared secret between the peer and server to + establish a secured tunnel, TEAP enables: + + o Per-packet confidentiality and integrity protection + + o User identity protection + + o Better support for notification messages + + o Protected EAP inner method negotiation + + o Sequencing of EAP methods + + o Strong mutually derived MSKs + + o Acknowledged success/failure indication + + + + +Zhou, et al. Standards Track [Page 68] + +RFC 7170 TEAP May 2014 + + + o Faster re-authentications through session resumption + + o Mitigation of dictionary attacks + + o Mitigation of man-in-the-middle attacks + + o Mitigation of some denial-of-service attacks + + It should be noted that in TEAP, as in many other authentication + protocols, a denial-of-service attack can be mounted by adversaries + sending erroneous traffic to disrupt the protocol. This is a problem + in many authentication or key agreement protocols and is therefore + noted for TEAP as well. + + TEAP was designed with a focus on protected authentication methods + that typically rely on weak credentials, such as password-based + secrets. To that extent, the TEAP authentication mitigates several + vulnerabilities, such as dictionary attacks, by protecting the weak + credential-based authentication method. The protection is based on + strong cryptographic algorithms in TLS to provide message + confidentiality and integrity. The keys derived for the protection + relies on strong random challenges provided by both peer and server + as well as an established key with strong entropy. Implementations + should follow the recommendation in [RFC4086] when generating random + numbers. + +7.4.1. User Identity Protection and Verification + + The initial identity request response exchange is sent in cleartext + outside the protection of TEAP. Typically, the Network Access + Identifier (NAI) [RFC4282] in the identity response is useful only + for the realm of information that is used to route the authentication + requests to the right EAP server. This means that the identity + response may contain an anonymous identity and just contain realm + information. In other cases, the identity exchange may be eliminated + altogether if there are other means for establishing the destination + realm of the request. In no case should an intermediary place any + trust in the identity information in the identity response since it + is unauthenticated and may not have any relevance to the + authenticated identity. TEAP implementations should not attempt to + compare any identity disclosed in the initial cleartext EAP Identity + response packet with those Identities authenticated in Phase 2. + + Identity request/response exchanges sent after the TEAP tunnel is + established are protected from modification and eavesdropping by + attackers. + + + + + +Zhou, et al. Standards Track [Page 69] + +RFC 7170 TEAP May 2014 + + + Note that since TLS client certificates are sent in the clear, if + identity protection is required, then it is possible for the TLS + authentication to be renegotiated after the first server + authentication. To accomplish this, the server will typically not + request a certificate in the server_hello; then, after the + server_finished message is sent and before TEAP Phase 2, the server + MAY send a TLS hello_request. This allows the peer to perform client + authentication by sending a client_hello if it wants to or send a + no_renegotiation alert to the server indicating that it wants to + continue with TEAP Phase 2 instead. Assuming that the peer permits + renegotiation by sending a client_hello, then the server will respond + with server_hello, certificate, and certificate_request messages. + The peer replies with certificate, client_key_exchange, and + certificate_verify messages. Since this renegotiation occurs within + the encrypted TLS channel, it does not reveal client certificate + details. It is possible to perform certificate authentication using + an EAP method (for example, EAP-TLS) within the TLS session in TEAP + Phase 2 instead of using TLS handshake renegotiation. + +7.4.2. Dictionary Attack Resistance + + TEAP was designed with a focus on protected authentication methods + that typically rely on weak credentials, such as password-based + secrets. TEAP mitigates dictionary attacks by allowing the + establishment of a mutually authenticated encrypted TLS tunnel + providing confidentiality and integrity to protect the weak + credential-based authentication method. + +7.4.3. Protection against Man-in-the-Middle Attacks + + Allowing methods to be executed both with and without the protection + of a secure tunnel opens up a possibility of a man-in-the-middle + attack. To avoid man-in-the-middle attacks it is recommended to + always deploy authentication methods with the protection of TEAP. + TEAP provides protection from man-in-the-middle attacks even if a + deployment chooses to execute inner EAP methods both with and without + TEAP protection. TEAP prevents this attack in two ways: + + 1. By using the PAC-Key to mutually authenticate the peer and server + during TEAP authentication Phase 1 establishment of a secure + tunnel. + + 2. By using the keys generated by the inner authentication method + (if the inner methods are key generating) in the crypto-binding + exchange and in the generation of the key material exported by + the EAP method described in Section 5. + + + + + +Zhou, et al. Standards Track [Page 70] + +RFC 7170 TEAP May 2014 + + + TEAP crypto binding does not guarantee man-in-the-middle protection + if the client allows a connection to an untrusted server, such as in + the case where the client does not properly validate the server's + certificate. If the TLS ciphersuite derives the master secret solely + from the contribution of secret data from one side of the + conversation (such as ciphersuites based on RSA key transport), then + an attacker who can convince the client to connect and engage in + authentication can impersonate the client to another server even if a + strong inner method is executed within the tunnel. If the TLS + ciphersuite derives the master secret from the contribution of + secrets from both sides of the conversation (such as in ciphersuites + based on Diffie-Hellman), then crypto binding can detect an attacker + in the conversation if a strong inner method is used. + +7.4.4. PAC Binding to User Identity + + A PAC may be bound to a user identity. A compliant implementation of + TEAP MUST validate that an identity obtained in the PAC-Opaque field + matches at minimum one of the identities provided in the TEAP Phase 2 + authentication method. This validation provides another binding to + ensure that the intended peer (based on identity) has successfully + completed the TEAP Phase 1 and proved identity in the Phase 2 + conversations. + +7.5. Protecting against Forged Cleartext EAP Packets + + EAP Success and EAP Failure packets are, in general, sent in + cleartext and may be forged by an attacker without detection. Forged + EAP Failure packets can be used to attempt to convince an EAP peer to + disconnect. Forged EAP Success packets may be used to attempt to + convince a peer that authentication has succeeded, even though the + authenticator has not authenticated itself to the peer. + + By providing message confidentiality and integrity, TEAP provides + protection against these attacks. Once the peer and authentication + server (AS) initiate the TEAP authentication Phase 2, compliant TEAP + implementations MUST silently discard all cleartext EAP messages, + unless both the TEAP peer and server have indicated success or + failure using a protected mechanism. Protected mechanisms include + the TLS alert mechanism and the protected termination mechanism + described in Section 3.3.3. + + The success/failure decisions within the TEAP tunnel indicate the + final decision of the TEAP authentication conversation. After a + success/failure result has been indicated by a protected mechanism, + the TEAP peer can process unprotected EAP Success and EAP Failure + messages; however, the peer MUST ignore any unprotected EAP Success + + + + +Zhou, et al. Standards Track [Page 71] + +RFC 7170 TEAP May 2014 + + + or Failure messages where the result does not match the result of the + protected mechanism. + + To abide by [RFC3748], the server sends a cleartext EAP Success or + EAP Failure packet to terminate the EAP conversation. However, since + EAP Success and EAP Failure packets are not retransmitted, the final + packet may be lost. While a TEAP-protected EAP Success or EAP + Failure packet should not be a final packet in a TEAP conversation, + it may occur based on the conditions stated above, so an EAP peer + should not rely upon the unprotected EAP Success and Failure + messages. + +7.6. Server Certificate Validation + + As part of the TLS negotiation, the server presents a certificate to + the peer. The peer SHOULD verify the validity of the EAP server + certificate and SHOULD also examine the EAP server name presented in + the certificate in order to determine whether the EAP server can be + trusted. When performing server certificate validation, + implementations MUST provide support for the rules in [RFC5280] for + validating certificates against a known trust anchor. In addition, + implementations MUST support matching the realm portion of the peer's + NAI against a SubjectAltName of type dNSName within the server + certificate. However, in certain deployments, this might not be + turned on. Please note that in the case where the EAP authentication + is remote, the EAP server will not reside on the same machine as the + authenticator, and therefore, the name in the EAP server's + certificate cannot be expected to match that of the intended + destination. In this case, a more appropriate test might be whether + the EAP server's certificate is signed by a certification authority + (CA) controlling the intended domain and whether the authenticator + can be authorized by a server in that domain. + +7.7. Tunnel PAC Considerations + + Since the Tunnel PAC is stored by the peer, special care should be + given to the overall security of the peer. The Tunnel PAC MUST be + securely stored by the peer to prevent theft or forgery of any of the + Tunnel PAC components. In particular, the peer MUST securely store + the PAC-Key and protect it from disclosure or modification. + Disclosure of the PAC-Key enables an attacker to establish the TEAP + tunnel; however, disclosure of the PAC-Key does not reveal the peer + or server identity or compromise any other peer's PAC credentials. + Modification of the PAC-Key or PAC-Opaque components of the Tunnel + PAC may also lead to denial of service as the tunnel establishment + will fail. The PAC-Opaque component is the effective TLS ticket + extension used to establish the tunnel using the techniques of + [RFC5077]. Thus, the security considerations defined by [RFC5077] + + + +Zhou, et al. Standards Track [Page 72] + +RFC 7170 TEAP May 2014 + + + also apply to the PAC-Opaque. The PAC-Info may contain information + about the Tunnel PAC such as the identity of the PAC issuer and the + Tunnel PAC lifetime for use in the management of the Tunnel PAC. The + PAC-Info should be securely stored by the peer to protect it from + disclosure and modification. + +7.8. Security Claims + + This section provides the needed security claim requirement for EAP + [RFC3748]. + + Auth. mechanism: Certificate-based, shared-secret-based, and + various tunneled authentication mechanisms. + + Ciphersuite negotiation: Yes + + Mutual authentication: Yes + + Integrity protection: Yes. Any method executed within the TEAP + tunnel is integrity protected. The + cleartext EAP headers outside the tunnel are + not integrity protected. + + Replay protection: Yes + + Confidentiality: Yes + + Key derivation: Yes + + Key strength: See Note 1 below. + + Dictionary attack prot.: Yes + + Fast reconnect: Yes + + Cryptographic binding: Yes + + Session independence: Yes + + Fragmentation: Yes + + Key Hierarchy: Yes + + Channel binding: Yes + + + + + + + +Zhou, et al. Standards Track [Page 73] + +RFC 7170 TEAP May 2014 + + + Notes + + 1. BCP 86 [RFC3766] offers advice on appropriate key sizes. The + National Institute for Standards and Technology (NIST) also + offers advice on appropriate key sizes in [NIST-SP-800-57]. + [RFC3766], Section 5 advises use of the following required RSA or + DH (Diffie-Hellman) module and DSA (Digital Signature Algorithm) + subgroup size in bits for a given level of attack resistance in + bits. Based on the table below, a 2048-bit RSA key is required + to provide 112-bit equivalent key strength: + + Attack Resistance RSA or DH Modulus DSA subgroup + (bits) size (bits) size (bits) + ----------------- ----------------- ------------ + 70 947 129 + 80 1228 148 + 90 1553 167 + 100 1926 186 + 150 4575 284 + 200 8719 383 + 250 14596 482 + +8. Acknowledgements + + This specification is based on EAP-FAST [RFC4851], which included the + ideas and efforts of Nancy Cam-Winget, David McGrew, Joe Salowey, Hao + Zhou, Pad Jakkahalli, Mark Krischer, Doug Smith, and Glen Zorn of + Cisco Systems, Inc. + + The TLV processing was inspired from work on the Protected Extensible + Authentication Protocol version 2 (PEAPv2) with Ashwin Palekar, Dan + Smith, Sean Turner, and Simon Josefsson. + + The method for linking identity and proof-of-possession by placing + the tls-unique value in the challengePassword field of the CSR as + described in Section 3.8.2 was inspired by the technique described in + "Enrollment over Secure Transport" [RFC7030]. + + Helpful review comments were provided by Russ Housley, Jari Arkko, + Ilan Frenkel, Jeremy Steiglitz, Dan Harkins, Sam Hartman, Jim Schaad, + Barry Leiba, Stephen Farrell, Chris Lonvick, and Josh Howlett. + + + + + + + + + + +Zhou, et al. Standards Track [Page 74] + +RFC 7170 TEAP May 2014 + + +9. References + +9.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. + Levkowetz, "Extensible Authentication Protocol (EAP)", RFC + 3748, June 2004. + + [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, + "Transport Layer Security (TLS) Session Resumption without + Server-Side State", RFC 5077, January 2008. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, August 2008. + + [RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri, + "Specification for the Derivation of Root Keys from an + Extended Master Session Key (EMSK)", RFC 5295, August + 2008. + + [RFC5705] Rescorla, E., "Keying Material Exporters for Transport + Layer Security (TLS)", RFC 5705, March 2010. + + [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, + "Transport Layer Security (TLS) Renegotiation Indication + Extension", RFC 5746, February 2010. + + [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings + for TLS", RFC 5929, July 2010. + + [RFC6677] Hartman, S., Clancy, T., and K. Hoeper, "Channel-Binding + Support for Extensible Authentication Protocol (EAP) + Methods", RFC 6677, July 2012. + + + + + + + + + + + +Zhou, et al. Standards Track [Page 75] + +RFC 7170 TEAP May 2014 + + +9.2. Informative References + + [IEEE.802-1X.2013] + IEEE, "Local and Metropolitan Area Networks: Port-Based + Network Access Control", IEEE Standard 802.1X, December + 2013. + + [NIST-SP-800-57] + National Institute of Standards and Technology, + "Recommendation for Key Management", NIST Special + Publication 800-57, July 2012. + + [PEAP] Microsoft Corporation, "[MS-PEAP]: Protected Extensible + Authentication Protocol (PEAP)", February 2014. + + [RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax + Version 1.5", RFC 2315, March 1998. + + [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object + Classes and Attribute Types Version 2.0", RFC 2985, + November 2000. + + [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification + Request Syntax Specification Version 1.7", RFC 2986, + November 2000. + + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication + Dial In User Service) Support For Extensible + Authentication Protocol (EAP)", RFC 3579, September 2003. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For + Public Keys Used For Exchanging Symmetric Keys", BCP 86, + RFC 3766, April 2004. + + [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible + Authentication Protocol (EAP) Method Requirements for + Wireless LANs", RFC 4017, March 2005. + + [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible + Authentication Protocol (EAP) Application", RFC 4072, + August 2005. + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + + + +Zhou, et al. Standards Track [Page 76] + +RFC 7170 TEAP May 2014 + + + [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The + Network Access Identifier", RFC 4282, December 2005. + + [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data + Encodings", RFC 4648, October 2006. + + [RFC4851] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The + Flexible Authentication via Secure Tunneling Extensible + Authentication Protocol Method (EAP-FAST)", RFC 4851, May + 2007. + + [RFC4945] Korver, B., "The Internet IP Security PKI Profile of IKEv1 + /ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007. + + [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, + Authorization, and Accounting (AAA) Key Management", BCP + 132, RFC 4962, July 2007. + + [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible + Authentication Protocol (EAP) Key Management Framework", + RFC 5247, August 2008. + + [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS + (CMC)", RFC 5272, June 2008. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, May 2008. + + [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication + Protocol Tunneled Transport Layer Security Authenticated + Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008. + + [RFC5421] Cam-Winget, N. and H. Zhou, "Basic Password Exchange + within the Flexible Authentication via Secure Tunneling + Extensible Authentication Protocol (EAP-FAST)", RFC 5421, + March 2009. + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, + RFC 5652, September 2009. + + [RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication + Protocol (EAP) Authentication Using Only a Password", RFC + 5931, August 2010. + + [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: + Extension Definitions", RFC 6066, January 2011. + + + +Zhou, et al. Standards Track [Page 77] + +RFC 7170 TEAP May 2014 + + + [RFC6124] Sheffer, Y., Zorn, G., Tschofenig, H., and S. Fluhrer, "An + EAP Authentication Method Based on the Encrypted Key + Exchange (EKE) Protocol", RFC 6124, February 2011. + + [RFC6678] Hoeper, K., Hanna, S., Zhou, H., and J. Salowey, + "Requirements for a Tunnel-Based Extensible Authentication + Protocol (EAP) Method", RFC 6678, July 2012. + + [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., + Galperin, S., and C. Adams, "X.509 Internet Public Key + Infrastructure Online Certificate Status Protocol - OCSP", + RFC 6960, June 2013. + + [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) + Multiple Certificate Status Request Extension", RFC 6961, + June 2013. + + [RFC7029] Hartman, S., Wasserman, M., and D. Zhang, "Extensible + Authentication Protocol (EAP) Mutual Cryptographic + Binding", RFC 7029, October 2013. + + [RFC7030] Pritikin, M., Yee, P., and D. Harkins, "Enrollment over + Secure Transport", RFC 7030, October 2013. + + [X.690] ITU-T, "ASN.1 encoding rules: Specification of Basic + Encoding Rules (BER), Canonical Encoding Rules (CER) and + Distinguished Encoding Rules (DER)", ITU-T Recommendation + X.690, November 2008. + + + + + + + + + + + + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 78] + +RFC 7170 TEAP May 2014 + + +Appendix A. Evaluation against Tunnel-Based EAP Method Requirements + + This section evaluates all tunnel-based EAP method requirements + described in [RFC6678] against TEAP version 1. + +A.1. Requirement 4.1.1: RFC Compliance + + TEAPv1 meets this requirement by being compliant with RFC 3748 + [RFC3748], RFC 4017 [RFC4017], RFC 5247 [RFC5247], and RFC 4962 + [RFC4962]. It is also compliant with the "cryptographic algorithm + agility" requirement by leveraging TLS 1.2 for all cryptographic + algorithm negotiation. + +A.2. Requirement 4.2.1: TLS Requirements + + TEAPv1 meets this requirement by mandating TLS version 1.2 support as + defined in Section 3.2. + +A.3. Requirement 4.2.1.1.1: Ciphersuite Negotiation + + TEAPv1 meets this requirement by using TLS to provide protected + ciphersuite negotiation. + +A.4. Requirement 4.2.1.1.2: Tunnel Data Protection Algorithms + + TEAPv1 meets this requirement by mandating + TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory-to-implement ciphersuite + as defined in Section 3.2. + +A.5. Requirement 4.2.1.1.3: Tunnel Authentication and Key Establishment + + TEAPv1 meets this requirement by mandating + TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory-to-implement ciphersuite + that provides certificate-based authentication of the server and is + approved by NIST. The mandatory-to-implement ciphersuites only + include ciphersuites that use strong cryptographic algorithms. They + do not include ciphersuites providing mutually anonymous + authentication or static Diffie-Hellman ciphersuites as defined in + Section 3.2. + +A.6. Requirement 4.2.1.2: Tunnel Replay Protection + + TEAPv1 meets this requirement by using TLS to provide sufficient + replay protection. + + + + + + + +Zhou, et al. Standards Track [Page 79] + +RFC 7170 TEAP May 2014 + + +A.7. Requirement 4.2.1.3: TLS Extensions + + TEAPv1 meets this requirement by allowing TLS extensions, such as TLS + Certificate Status Request extension [RFC6066] and SessionTicket + extension [RFC5077], to be used during TLS tunnel establishment. + +A.8. Requirement 4.2.1.4: Peer Identity Privacy + + TEAPv1 meets this requirement by establishment of the TLS tunnel and + protection identities specific to the inner method. In addition, the + peer certificate can be sent confidentially (i.e., encrypted). + +A.9. Requirement 4.2.1.5: Session Resumption + + TEAPv1 meets this requirement by mandating support of TLS session + resumption as defined in Section 3.2.1 and TLS session resume using a + PAC as defined in Section 3.2.2 . + +A.10. Requirement 4.2.2: Fragmentation + + TEAPv1 meets this requirement by leveraging fragmentation support + provided by TLS as defined in Section 3.7. + +A.11. Requirement 4.2.3: Protection of Data External to Tunnel + + TEAPv1 meets this requirement by including the TEAP version number + received in the computation of the Crypto-Binding TLV as defined in + Section 4.2.13. + +A.12. Requirement 4.3.1: Extensible Attribute Types + + TEAPv1 meets this requirement by using an extensible TLV data layer + inside the tunnel as defined in Section 4.2. + +A.13. Requirement 4.3.2: Request/Challenge Response Operation + + TEAPv1 meets this requirement by allowing multiple TLVs to be sent in + a single EAP request or response packet, while maintaining the half- + duplex operation typical of EAP. + +A.14. Requirement 4.3.3: Indicating Criticality of Attributes + + TEAPv1 meets this requirement by having a mandatory bit in each TLV + to indicate whether it is mandatory to support or not as defined in + Section 4.2. + + + + + + +Zhou, et al. Standards Track [Page 80] + +RFC 7170 TEAP May 2014 + + +A.15. Requirement 4.3.4: Vendor-Specific Support + + TEAPv1 meets this requirement by having a Vendor-Specific TLV to + allow vendors to define their own attributes as defined in + Section 4.2.8. + +A.16. Requirement 4.3.5: Result Indication + + TEAPv1 meets this requirement by having a Result TLV to exchange the + final result of the EAP authentication so both the peer and server + have a synchronized state as defined in Section 4.2.4. + +A.17. Requirement 4.3.6: Internationalization of Display Strings + + TEAPv1 meets this requirement by supporting UTF-8 format in the + Basic-Password-Auth-Req TLV as defined in Section 4.2.14 and the + Basic-Password-Auth-Resp TLV as defined in Section 4.2.15. + +A.18. Requirement 4.4: EAP Channel-Binding Requirements + + TEAPv1 meets this requirement by having a Channel-Binding TLV to + exchange the EAP channel-binding data as defined in Section 4.2.7. + +A.19. Requirement 4.5.1.1: Confidentiality and Integrity + + TEAPv1 meets this requirement by running the password authentication + inside a protected TLS tunnel. + +A.20. Requirement 4.5.1.2: Authentication of Server + + TEAPv1 meets this requirement by mandating authentication of the + server before establishment of the protected TLS and then running + inner password authentication as defined in Section 3.2. + +A.21. Requirement 4.5.1.3: Server Certificate Revocation Checking + + TEAPv1 meets this requirement by supporting TLS Certificate Status + Request extension [RFC6066] during tunnel establishment. + +A.22. Requirement 4.5.2: Internationalization + + TEAPv1 meets this requirement by supporting UTF-8 format in Basic- + Password-Auth-Req TLV as defined in Section 4.2.14 and Basic- + Password-Auth-Resp TLV as defined in Section 4.2.15. + + + + + + + +Zhou, et al. Standards Track [Page 81] + +RFC 7170 TEAP May 2014 + + +A.23. Requirement 4.5.3: Metadata + + TEAPv1 meets this requirement by supporting Identity-Type TLV as + defined in Section 4.2.3 to indicate whether the authentication is + for a user or a machine. + +A.24. Requirement 4.5.4: Password Change + + TEAPv1 meets this requirement by supporting multiple Basic-Password- + Auth-Req TLV and Basic-Password-Auth-Resp TLV exchanges within a + single EAP authentication, which allows "housekeeping"" functions + such as password change. + +A.25. Requirement 4.6.1: Method Negotiation + + TEAPv1 meets this requirement by supporting inner EAP method + negotiation within the protected TLS tunnel. + +A.26. Requirement 4.6.2: Chained Methods + + TEAPv1 meets this requirement by supporting inner EAP method chaining + within protected TLS tunnels as defined in Section 3.3.1. + +A.27. Requirement 4.6.3: Cryptographic Binding with the TLS Tunnel + + TEAPv1 meets this requirement by supporting cryptographic binding of + the inner EAP method keys with the keys derived from the TLS tunnel + as defined in Section 4.2.13. + +A.28. Requirement 4.6.4: Peer-Initiated EAP Authentication + + TEAPv1 meets this requirement by supporting the Request-Action TLV as + defined in Section 4.2.9 to allow a peer to initiate another inner + EAP method. + +A.29. Requirement 4.6.5: Method Metadata + + TEAPv1 meets this requirement by supporting the Identity-Type TLV as + defined in Section 4.2.3 to indicate whether the authentication is + for a user or a machine. + + + + + + + + + + + +Zhou, et al. Standards Track [Page 82] + +RFC 7170 TEAP May 2014 + + +Appendix B. Major Differences from EAP-FAST + + This document is a new standard tunnel EAP method based on revision + of EAP-FAST version 1 [RFC4851] that contains improved flexibility, + particularly for negotiation of cryptographic algorithms. The major + changes are: + + 1. The EAP method name has been changed from EAP-FAST to TEAP; this + change thus requires that a new EAP Type be assigned. + + 2. This version of TEAP MUST support TLS 1.2 [RFC5246]. + + 3. The key derivation now makes use of TLS keying material exporters + [RFC5705] and the PRF and hash function negotiated in TLS. This + is to simplify implementation and better support cryptographic + algorithm agility. + + 4. TEAP is in full conformance with TLS ticket extension [RFC5077] + as described in Section 3.2.2. + + 5. Support is provided for passing optional Outer TLVs in the first + two message exchanges, in addition to the Authority-ID TLV data + in EAP-FAST. + + 6. Basic password authentication on the TLV level has been added in + addition to the existing inner EAP method. + + 7. Additional TLV types have been defined to support EAP channel + binding and metadata. They are the Identity-Type TLV and + Channel-Binding TLVs, defined in Section 4.2. + +Appendix C. Examples + +C.1. Successful Authentication + + The following exchanges show a successful TEAP authentication with + basic password authentication and optional PAC refreshment. The + conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID1) -> + + + + + + +Zhou, et al. Standards Track [Page 83] + +RFC 7170 TEAP May 2014 + + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello with + PAC-Opaque in SessionTicket extension)-> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + (TLS change_cipher_spec, + TLS finished) + + EAP-Response/ + EAP-Type=TEAP, V=1 -> + (TLS change_cipher_spec, + TLS finished) + + TLS channel established + (messages sent within the TLS channel) + + <- Basic-Password-Auth-Req TLV, Challenge + + Basic-Password-Auth-Resp TLV, Response with both + username and password) -> + + optional additional exchanges (new pin mode, + password change, etc.) ... + + <- Crypto-Binding TLV (Request), + Result TLV (Success), + (Optional PAC TLV) + + Crypto-Binding TLV(Response), + Result TLV (Success), + (PAC-Acknowledgement TLV) -> + + TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + + + + + + + + +Zhou, et al. Standards Track [Page 84] + +RFC 7170 TEAP May 2014 + + +C.2. Failed Authentication + + The following exchanges show a failed TEAP authentication due to + wrong user credentials. The conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/Identity + + EAP-Response/ + Identity (MyID1) -> + + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello with + PAC-Opaque in SessionTicket extension)-> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + (TLS change_cipher_spec, + TLS finished) + + EAP-Response/ + EAP-Type=TEAP, V=1 -> + (TLS change_cipher_spec, + TLS finished) + + TLS channel established + (messages sent within the TLS channel) + + <- Basic-Password-Auth-Req TLV, Challenge + + Basic-Password-Auth-Resp TLV, Response with both + username and password) -> + + <- Result TLV (Failure) + + + + + + + + + +Zhou, et al. Standards Track [Page 85] + +RFC 7170 TEAP May 2014 + + + Result TLV (Failure) -> + + TLS channel torn down + (messages sent in cleartext) + + <- EAP-Failure + +C.3. Full TLS Handshake Using Certificate-Based Ciphersuite + + In the case within TEAP Phase 1 where an abbreviated TLS handshake is + tried, fails, and falls back to the certificate-based full TLS + handshake, the conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/Identity + EAP-Response/ + Identity (MyID1) -> + + // Identity sent in the clear. May be a hint to help route + the authentication request to EAP server, instead of the + full user identity. + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello with + PAC-Opaque in SessionTicket extension)-> + + // Peer sends PAC-Opaque of Tunnel PAC along with a list of + ciphersuites supported. If the server rejects the PAC- + Opaque, it falls through to the full TLS handshake. + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + + + + + + + + + +Zhou, et al. Standards Track [Page 86] + +RFC 7170 TEAP May 2014 + + + EAP-Response/ + EAP-Type=TEAP, V=1 + ([TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + EAP-Payload-TLV[EAP-Request/ + Identity]) + + // TLS channel established + (messages sent within the TLS channel) + + // First EAP Payload TLV is piggybacked to the TLS Finished as + Application Data and protected by the TLS tunnel. + + EAP-Payload-TLV + [EAP-Response/Identity (MyID2)]-> + + // identity protected by TLS. + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X] -> + + // Method X exchanges followed by Protected Termination + + <- Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Request), + Result TLV (Success) + + Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Response), + Result-TLV (Success) -> + + // TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + + + + + + +Zhou, et al. Standards Track [Page 87] + +RFC 7170 TEAP May 2014 + + +C.4. Client Authentication during Phase 1 with Identity Privacy + + In the case where a certificate-based TLS handshake occurs within + TEAP Phase 1 and client certificate authentication and identity + privacy is desired (and therefore TLS renegotiation is being used to + transmit the peer credentials in the protected TLS tunnel), the + conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/Identity + EAP-Response/ + Identity (MyID1) -> + + // Identity sent in the clear. May be a hint to help route + the authentication request to EAP server, instead of the + full user identity. + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello)-> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_key_exchange, + TLS change_cipher_spec, + TLS finished) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + EAP-Payload-TLV[EAP-Request/ + Identity]) + + // TLS channel established + (EAP Payload messages sent within the TLS channel) + + // peer sends TLS client_hello to request TLS renegotiation + + + + +Zhou, et al. Standards Track [Page 88] + +RFC 7170 TEAP May 2014 + + + TLS client_hello -> + + <- TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done + [TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished -> + + <- TLS change_cipher_spec, + TLS finished, + Crypto-Binding TLV (Request), + Result TLV (Success) + + Crypto-Binding TLV (Response), + Result-TLV (Success)) -> + + //TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + +C.5. Fragmentation and Reassembly + + In the case where TEAP fragmentation is required, the conversation + will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello)-> + + + + + + + +Zhou, et al. Standards Track [Page 89] + +RFC 7170 TEAP May 2014 + + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + (Fragment 1: L, M bits set) + + EAP-Response/ + EAP-Type=TEAP, V=1 -> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (Fragment 2: M bit set) + EAP-Response/ + EAP-Type=TEAP, V=1 -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (Fragment 3) + EAP-Response/ + EAP-Type=TEAP, V=1 + ([TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished) + (Fragment 1: L, M bits set)-> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + EAP-Response/ + EAP-Type=TEAP, V=1 + (Fragment 2)-> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + [EAP-Payload-TLV[ + EAP-Request/Identity]]) + + // TLS channel established + (messages sent within the TLS channel) + + // First EAP Payload TLV is piggybacked to the TLS Finished as + Application Data and protected by the TLS tunnel. + + + + + +Zhou, et al. Standards Track [Page 90] + +RFC 7170 TEAP May 2014 + + + EAP-Payload-TLV + [EAP-Response/Identity (MyID2)]-> + + // identity protected by TLS. + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X] -> + + // Method X exchanges followed by Protected Termination + + <- Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Request), + Result TLV (Success) + + Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Response), + Result-TLV (Success) -> + + // TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + +C.6. Sequence of EAP Methods + + When TEAP is negotiated with a sequence of EAP method X followed by + method Y, the conversation will occur as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID1) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello)-> + + + + + + + +Zhou, et al. Standards Track [Page 91] + +RFC 7170 TEAP May 2014 + + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + EAP-Response/ + EAP-Type=TEAP, V=1 + ([TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + Identity-Type TLV, + EAP-Payload-TLV[ + EAP-Request/Identity]) + + // TLS channel established + (messages sent within the TLS channel) + + // First EAP Payload TLV is piggybacked to the TLS Finished as + Application Data and protected by the TLS tunnel + + Identity_Type TLV + EAP-Payload-TLV + [EAP-Response/Identity] -> + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X] -> + + // Optional additional X Method exchanges... + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X]-> + + + + + + +Zhou, et al. Standards Track [Page 92] + +RFC 7170 TEAP May 2014 + + + <- Intermediate Result TLV (Success), + Crypto-Binding TLV (Request), + Identity-Type TLV, + EAP Payload TLV [EAP-Type=Y], + + // Next EAP conversation started after successful completion + of previous method X. The Intermediate-Result and Crypto- + Binding TLVs are sent in next packet to minimize round + trips. In this example, an identity request is not sent + before negotiating EAP-Type=Y. + + // Compound MAC calculated using keys generated from + EAP method X and the TLS tunnel. + + Intermediate Result TLV (Success), + Crypto-Binding TLV (Response), + EAP-Payload-TLV [EAP-Type=Y] -> + + // Optional additional Y Method exchanges... + + <- EAP Payload TLV [ + EAP-Type=Y] + + EAP Payload TLV + [EAP-Type=Y] -> + + <- Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Request), + Result TLV (Success) + + Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Response), + Result-TLV (Success) -> + + // Compound MAC calculated using keys generated from EAP + methods X and Y and the TLS tunnel. Compound keys are + generated using keys generated from EAP methods X and Y + and the TLS tunnel. + + // TLS channel torn down (messages sent in cleartext) + + <- EAP-Success + + + + + + + + + +Zhou, et al. Standards Track [Page 93] + +RFC 7170 TEAP May 2014 + + +C.7. Failed Crypto-Binding + + The following exchanges show a failed crypto-binding validation. The + conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID1) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello without + PAC-Opaque in SessionTicket extension)-> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS Server Key Exchange + TLS Server Hello Done) + EAP-Response/ + EAP-Type=TEAP, V=1 -> + (TLS Client Key Exchange + TLS change_cipher_spec, + TLS finished) + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec + TLS finished) + EAP-Payload-TLV[ + EAP-Request/Identity]) + + // TLS channel established + (messages sent within the TLS channel) + + // First EAP Payload TLV is piggybacked to the TLS Finished as + Application Data and protected by the TLS tunnel. + + EAP-Payload TLV/ + EAP Identity Response -> + + <- EAP Payload TLV, EAP-Request, + (EAP-MSCHAPV2, Challenge) + + + + +Zhou, et al. Standards Track [Page 94] + +RFC 7170 TEAP May 2014 + + + EAP Payload TLV, EAP-Response, + (EAP-MSCHAPV2, Response) -> + + <- EAP Payload TLV, EAP-Request, + (EAP-MSCHAPV2, Success Request) + + EAP Payload TLV, EAP-Response, + (EAP-MSCHAPV2, Success Response) -> + + <- Intermediate-Result-TLV (Success), + Crypto-Binding TLV (Request), + Result TLV (Success) + + Intermediate-Result-TLV (Success), + Result TLV (Failure) + Error TLV with + (Error Code = 2001) -> + + // TLS channel torn down + (messages sent in cleartext) + + <- EAP-Failure + +C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange + + When TEAP is negotiated with a sequence of EAP methods followed by a + Vendor-Specific TLV exchange, the conversation will occur as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID1) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello)-> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + + + +Zhou, et al. Standards Track [Page 95] + +RFC 7170 TEAP May 2014 + + + EAP-Response/ + EAP-Type=TEAP, V=1 + ([TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished) -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + EAP-Payload-TLV[ + EAP-Request/Identity]) + + // TLS channel established + (messages sent within the TLS channel) + + // First EAP Payload TLV is piggybacked to the TLS Finished as + Application Data and protected by the TLS tunnel. + + EAP-Payload-TLV + [EAP-Response/Identity] -> + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X] -> + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X]-> + + <- Intermediate Result TLV (Success), + Crypto-Binding TLV (Request), + Vendor-Specific TLV, + + // Vendor-Specific TLV exchange started after successful + completion of previous method X. The Intermediate-Result + and Crypto-Binding TLVs are sent with Vendor-Specific TLV + in next packet to minimize round trips. + + // Compound MAC calculated using keys generated from + EAP method X and the TLS tunnel. + + + + + +Zhou, et al. Standards Track [Page 96] + +RFC 7170 TEAP May 2014 + + + Intermediate Result TLV (Success), + Crypto-Binding TLV (Response), + Vendor-Specific TLV -> + + // Optional additional Vendor-Specific TLV exchanges... + + <- Vendor-Specific TLV + + Vendor-Specific TLV -> + <- Result TLV (Success) + + Result-TLV (Success) -> + + // TLS channel torn down (messages sent in cleartext) + + <- EAP-Success + +C.9. Peer Requests Inner Method after Server Sends Result TLV + + In the case where the peer is authenticated during Phase 1 and the + server sends back a Result TLV but the peer wants to request another + inner method, the conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/Identity + EAP-Response/ + Identity (MyID1) -> + + // Identity sent in the clear. May be a hint to help route + the authentication request to EAP server, instead of the + full user identity. + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello)-> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + + + + + +Zhou, et al. Standards Track [Page 97] + +RFC 7170 TEAP May 2014 + + + EAP-Response/ + EAP-Type=TEAP, V=1 + [TLS certificate,] + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished -> + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS change_cipher_spec, + TLS finished, + Crypto-Binding TLV (Request), + Result TLV (Success)) + + // TLS channel established + (TLV Payload messages sent within the TLS channel) + + Crypto-Binding TLV(Response), + Request-Action TLV + (Status=Failure, Action=Negotiate-EAP)-> + + <- EAP-Payload-TLV + [EAP-Request/Identity] + + EAP-Payload-TLV + [EAP-Response/Identity] -> + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X] -> + + <- EAP-Payload-TLV + [EAP-Request/EAP-Type=X] + + EAP-Payload-TLV + [EAP-Response/EAP-Type=X]-> + + <- Intermediate Result TLV (Success), + Crypto-Binding TLV (Request), + Result TLV (Success) + + Intermediate Result TLV (Success), + Crypto-Binding TLV (Response), + Result-TLV (Success)) -> + + + + + +Zhou, et al. Standards Track [Page 98] + +RFC 7170 TEAP May 2014 + + + // TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + +C.10. Channel Binding + + The following exchanges show a successful TEAP authentication with + basic password authentication and channel binding using a Request- + Action TLV. The conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- EAP-Request/ + Identity + EAP-Response/ + Identity (MyID1) -> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TEAP Start, S bit set, Authority-ID) + + EAP-Response/ + EAP-Type=TEAP, V=1 + (TLS client_hello with + PAC-Opaque in SessionTicket extension)-> + + <- EAP-Request/ + EAP-Type=TEAP, V=1 + (TLS server_hello, + (TLS change_cipher_spec, + TLS finished) + + EAP-Response/ + EAP-Type=TEAP, V=1 -> + (TLS change_cipher_spec, + TLS finished) + + TLS channel established + (messages sent within the TLS channel) + + <- Basic-Password-Auth-Req TLV, Challenge + + Basic-Password-Auth-Resp TLV, Response with both + username and password) -> + + optional additional exchanges (new pin mode, + password change, etc.) ... + + + +Zhou, et al. Standards Track [Page 99] + +RFC 7170 TEAP May 2014 + + + <- Crypto-Binding TLV (Request), + Result TLV (Success), + + Crypto-Binding TLV(Response), + Request-Action TLV + (Status=Failure, Action=Process-TLV, + TLV=Channel-Binding TLV)-> + + <- Channel-Binding TLV (Response), + Result TLV (Success), + + Result-TLV (Success) -> + + TLS channel torn down + (messages sent in cleartext) + + <- EAP-Success + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 100] + +RFC 7170 TEAP May 2014 + + +Authors' Addresses + + Hao Zhou + Cisco Systems + 4125 Highlander Parkway + Richfield, OH 44286 + US + + EMail: hzhou@cisco.com + + + Nancy Cam-Winget + Cisco Systems + 3625 Cisco Way + San Jose, CA 95134 + US + + EMail: ncamwing@cisco.com + + + Joseph Salowey + Cisco Systems + 2901 3rd Ave + Seattle, WA 98121 + US + + EMail: jsalowey@cisco.com + + + Stephen Hanna + Infineon Technologies + 79 Parsons Street + Brighton, MA 02135 + US + + EMail: steve.hanna@infineon.com + + + + + + + + + + + + + + + +Zhou, et al. Standards Track [Page 101] + |