1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
|
Network Working Group M. Vanderveen
Request for Comments: 4763 H. Soliman
Category: Informational Qualcomm Flarion Technologies
November 2006
Extensible Authentication Protocol Method for
Shared-secret Authentication and Key Establishment (EAP-SAKE)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2006).
IESG Note
This RFC is not a candidate for any level of Internet Standard. The
IETF disclaims any knowledge of the fitness of this RFC for any
purpose and in particular notes that the decision to publish is not
based on IETF review for such things as security, congestion control,
or inappropriate interaction with deployed protocols. The RFC Editor
has chosen to publish this document at its discretion. Readers of
this document should exercise caution in evaluating its value for
implementation and deployment. See RFC 3932 for more information.
Abstract
This document specifies an Extensible Authentication Protocol (EAP)
mechanism for Shared-secret Authentication and Key Establishment
(SAKE). This RFC is published as documentation for the IANA
assignment of an EAP Type for a vendor's EAP method per RFC 3748.
The specification has passed Designated Expert review for this IANA
assignment.
Vanderveen & Soliman Informational [Page 1]
^L
RFC 4763 EAP-SAKE November 2006
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................3
3. Protocol Description ............................................4
3.1. Overview and Motivation of EAP-SAKE ........................4
3.2. Protocol Operation .........................................5
3.2.1. Successful Exchange .................................5
3.2.2. Authentication Failure ..............................7
3.2.3. Identity Management ................................11
3.2.4. Obtaining Peer Identity ............................11
3.2.5. Key Hierarchy ......................................13
3.2.6. Key Derivation .....................................15
3.2.7. Ciphersuite Negotiation ............................17
3.2.8. Message Integrity and Encryption ...................17
3.2.9. Fragmentation ......................................21
3.2.10. Error Cases .......................................21
3.3. Message Formats ...........................................22
3.3.1. Message Format Summary .............................22
3.3.2. Attribute Format ...................................23
3.3.3. Use of AT_ENCR_DATA Attribute ......................25
3.3.4. EAP.Request/SAKE/Challenge Format ..................26
3.3.5. EAP.Response/SAKE/Challenge Format .................28
3.3.6. EAP.Request/SAKE/Confirm Format ....................30
3.3.7. EAP.Response/SAKE/Confirm Format ...................32
3.3.8. EAP.Response/SAKE/Auth-Reject Format ...............33
3.3.9. EAP.Request/SAKE/Identity Format ...................34
3.3.10. EAP.Response/SAKE/Identity Format .................36
3.3.11. Other EAP Messages Formats ........................37
4. IANA Considerations ............................................37
5. Security Considerations ........................................38
5.1. Denial-of-Service Attacks .................................38
5.2. Root Secret Considerations ................................38
5.3. Mutual Authentication .....................................39
5.4. Integrity Protection ......................................39
5.5. Replay Protection .........................................39
5.6. Confidentiality ...........................................40
5.7. Key Derivation, Strength ..................................40
5.8. Dictionary Attacks ........................................41
5.9. Man-in-the-Middle Attacks .................................41
5.10. Result Indication Protection .............................41
5.11. Cryptographic Separation of Keys .........................41
5.12. Session Independence .....................................41
5.13. Identity Protection ......................................42
5.14. Channel Binding ..........................................42
5.15. Ciphersuite Negotiation ..................................42
5.16. Random Number Generation .................................43
6. Security Claims ................................................43
Vanderveen & Soliman Informational [Page 2]
^L
RFC 4763 EAP-SAKE November 2006
7. Acknowledgements ...............................................44
8. References .....................................................44
8.1. Normative References ......................................44
8.2. Informative References ....................................45
1. Introduction
The Extensible Authentication Protocol (EAP), described in [EAP],
provides a standard mechanism for support of multiple authentication
methods. EAP is also used within IEEE 802 networks through the IEEE
802.11i [IEEE802.11i] framework.
EAP supports several authentication schemes, including smart cards,
Kerberos, Public Key, One Time Passwords, TLS, and others. This
document defines an authentication scheme, called the EAP-SAKE.
EAP-SAKE supports mutual authentication and session key derivation,
based on a static pre-shared secret data. This RFC is published as
documentation for the IANA assignment of an EAP Type for a vendor's
EAP method per RFC 3748. The specification has passed Designated
Expert review for this IANA assignment.
2. Terminology
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "MUST", "MUST NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14 [KEYWORDS].
In addition to the terms used in [EAP], this document frequently uses
the following terms and abbreviations:
MIC Message Integrity Check
SMS SAKE Master Secret
NAI Network Access Identifier
Vanderveen & Soliman Informational [Page 3]
^L
RFC 4763 EAP-SAKE November 2006
3. Protocol Description
3.1. Overview and Motivation of EAP-SAKE
The EAP-SAKE authentication protocol is a native EAP authentication
method. That is, a stand-alone version of EAP-SAKE outside of EAP is
not defined. EAP-SAKE is designed to enable mutual authentication,
based on pre-shared keys and well-known public cryptographic
algorithms. This method is ideal for subscription-based public
access networks, e.g., cellular networks.
EAP-SAKE assumes a long-term or pre-shared secret known only to the
Peer and the Server. This pre-shared secret is called the Root
Secret. The Root Secret consists of a 16-byte part Root-Secret-A,
and 16-byte part Root-Secret-B. The Root-Secret-A secret is reserved
for use local to the EAP-SAKE method, i.e., to mutually authenticate
the EAP Peer and EAP Server. The Root-Secret-B secret is used to
derive other quantities such as the Master Session Key (MSK) and
Extended Master Session Key (EMSK). Root-Secret-B and Root-Secret-A
MUST be cryptographically separate.
When a Backend Authentication Server is used, the Server typically
communicates with the Authenticator using an AAA protocol. The AAA
communications are outside the scope of this document.
Some of the advantages of EAP-SAKE are as follows:
o It is based on well-established Bellare-Rogaway mutual
authentication protocol.
o It supports key derivation for local EAP method use and for export
to other third parties to use them independently of EAP.
o It employs only two request/response exchanges.
o It relies on the (corrected) IEEE 802.11i function for key
derivation and message integrity. This way a device implementing a
lower-layer secure association protocol compliant with IEEE 802.11i
standard will not need additional cryptographic code.
o Its encryption algorithm is securely negotiated (with no extra
messages), yet encryption use is optional.
o Keys used for authentication and those used for encryption are
cryptographically separate.
o User identity anonymity can be optionally supported.
Vanderveen & Soliman Informational [Page 4]
^L
RFC 4763 EAP-SAKE November 2006
o No synchronization (e.g., of counters) needed between server and
peer.
o There is no one-time key pre-processing step.
3.2. Protocol Operation
EAP-SAKE uses four messages consisting of two EAP request/response
exchanges. The EAP.Success and EAP.Failure messages shown in the
figures are not part of the EAP-SAKE method. As a convention, method
attributes are named AT_XX, where XX is the name of the parameter the
attribute value is set to.
3.2.1. Successful Exchange
A successful EAP-SAKE authentication exchange is depicted in Figure
1. The following steps take place:
Peer Server
| |
| EAP.Request/SAKE/Challenge |
| (AT_RAND_S, AT_SERVERID) |
1 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Challenge |
| (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) |
2 |--------------------------------------------------------->|
| |
| EAP.Request/SAKE/Confirm |
| (AT_SPI_S, AT_ENCR_DATA, AT_MIC_S)|
3 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Confirm |
| (AT_MIC_P) |
4 |--------------------------------------------------------->|
| |
| |
| EAP-Success |
5 |<---------------------------------------------------------|
| |
Figure 1. EAP-SAKE Authentication Procedure (with ciphersuite
negotiation)
1. The EAP server sends the first message of the EAP-SAKE exchange.
This message is an EAP.Request message of type SAKE and subtype
Challenge. The EAP.Request/SAKE/Challenge message contains the
attributes: AT_RAND_S, whose value is a nonce freshly generated
Vanderveen & Soliman Informational [Page 5]
^L
RFC 4763 EAP-SAKE November 2006
by the Server; and AT_SERVERID, which carries an identifier of
the Server (a fully qualified domain name, such as the realm of
the user NAI [NAI]). The AT_SERVERID attribute is OPTIONAL but
SHOULD be included in this message. The purpose of the
AT_SERVERID is to aid the Peer in selecting the correct security
association (i.e., Root-Secret, PEERID, and SERVERID) to use
during this EAP phase.
2. The Peer responds by sending an EAP.Response message of type SAKE
and subtype Challenge. The EAP.Response/SAKE/Challenge message
contains the attributes: AT_RAND_P, which carries a nonce freshly
generated by the Peer; AT_PEERID, which carries a Peer
identifier; AT_SPI_P, which carries a list of one or more
ciphersuites supported by the Peer; and AT_MIC_P, containing a
message integrity check. The AT_SPI_P and AT_PEERID attributes
are OPTIONAL. The AT_PEERID attribute SHOULD be included, in
order to cover the case of multi-homed hosts. A supported
ciphersuite is represented by a value local to the EAP-SAKE
method, or "Security Parameter Index", see section 3.2.8.3. The
Peer uses both nonces, along with the Root-Secret-A key, to
derive a SAKE Master Secret (SMS) and Temporary EAP Keys (TEKs),
which also include the TEK-Auth and TEK-Cipher keys. The MIC_P
value is computed based on both nonces RAND_S and RAND_P, and the
entire EAP packet, using the key TEK-Auth, see Section 3.2.6.
3. Upon receipt of the EAP.Response/SAKE/Challenge message, the
Server uses both nonces RAND_S and RAND_P, along with the Root-
Secret-A key, to compute the SMS and TEK in exactly the same way
the Peer did. Following that, the Server computes the Peer's
MIC_P in exactly the same way the Peer did. The Server then
compares the computed MIC_P with the MIC_P it received from the
Peer. If they match, the Server considers the Peer
authenticated. If encryption is needed, the Server selects the
strongest ciphersuite from the Peer's ciphersuite list SPI_P, or
a suitable ciphersuite if the Peer did not include the AT_SPI_P
attribute. The Server sends an EAP.Request message of type SAKE
and subtype Confirm, containing the attributes: AT_SPI_S,
carrying the ciphersuite chosen by the Server; AT_ENCR_DATA,
containing encrypted data; and AT_MIC_S, carrying a message
integrity check. The AT_SPI_S and AT_ENCR_DATA are OPTIONAL
attributes, included if confidentiality and/or user identity
anonymity is desired. Other OPTIONAL attributes that MAY be
included are AT_NEXT_TMPID, and AT_MSK_LIFE. As before, the
MIC_S value is computed using both nonces RAND_S and RAND_P, and
the entire EAP packet, using the key TEK-Auth.
Vanderveen & Soliman Informational [Page 6]
^L
RFC 4763 EAP-SAKE November 2006
4. If the Peer receives the EAP.Request/SAKE/Confirm message
indicating successful authentication by the Server, the Peer
computes the MIC_S in the same manner as the Server did. The
Peer then compares the received MIC_S with the MIC_S it computed.
If they match, the Peer considers the Server authenticated, and
it sends an EAP.Response message of type SAKE and subtype
Confirm, with the attribute AT_MIC_P containing a message
integrity check, computed in the same manner as before.
5. After a successful EAP-SAKE exchange, the Server concludes the
EAP conversation by sending an EAP.Success message to the Peer.
All EAP-SAKE messages contain a Session ID, which is chosen by the
Server, sent in the first message, and replicated in subsequent
messages until an EAP.Success or EAP.Failure is sent. Upon receipt
of an EAP-SAKE message, both Peer and Server MUST check the format of
the message to ensure that it is well-formed and contains a valid
Session ID.
Note that the Session ID is introduced mainly for replay protection
purposes, as it helps uniquely identify a session between a Peer and
a Server. In most cases, there is a one-to-one relationship between
the Session ID and the Peer/Server pair.
The parameters used by the EAP-SAKE method are summarized in the
table below:
Name Length (bytes) Description
---------+---------------+-------------
RAND_P 16 Peer nonce
RAND_S 16 Server nonce
MIC_P 16 Peer MIC
MIC_S 16 Server MIC
SPI_P variable Peer ciphersuite preference(s)
SPI_S variable Server chosen ciphersuite
PEERID variable Peer identifier
SERVERID variable Server identifier (FQDN)
3.2.2. Authentication Failure
If the Authenticator receives an EAP.Failure message from the Server,
the Authenticator MUST terminate the connection with the Peer
immediately.
The Server considers the Peer to have failed authentication if either
of the two received MIC_P values does not match the computed MIC_P.
Vanderveen & Soliman Informational [Page 7]
^L
RFC 4763 EAP-SAKE November 2006
The Server SHOULD deny authorization for a Peer that does not
advertise any of the ciphersuites that are considered acceptable
(e.g., by local system policy) and send an EAP.Failure message.
In case of authentication failure, the Server MUST send an
EAP.Failure message to the Peer as in Figure 2. The following steps
take place:
Peer Server
| |
| EAP.Request/SAKE/Challenge |
| (AT_RAND_S, AT_SERVERID) |
1 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Challenge |
| (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) |
2 |--------------------------------------------------------->|
| |
| +-------------------------------------------+
| | Server finds MIC_P invalid. |
| +-------------------------------------------+
| |
| EAP-Failure |
3 |<---------------------------------------------------------|
Figure 2. EAP-SAKE Authentication Procedure, Peer Fails
Authentication
1. As in step 1 of Figure 1.
2. As in step 2 of Figure 1.
3. Upon receipt of the EAP.Response/SAKE/Challenge message, the
Server uses both nonces RAND_S and RAND_P, along with the Root-
Secret-A key, to compute the SMS and TEK in exactly the same way
the Peer did. Following that, the Server computes the Peer's MIC
in exactly the same way the Peer did. The Server then compares
the computed MIC_P with the MIC_P it received from the Peer.
Since they do not match, the Server considers the Peer to have
failed authentication and sends an EAP.Failure message back to
the Peer.
Vanderveen & Soliman Informational [Page 8]
^L
RFC 4763 EAP-SAKE November 2006
If the AT_SPI_S attribute does not contain one of the SPI values that
the Peer listed in the previous message, or if the Peer did not
include an AT_SPI_P attribute yet does not accept the ciphersuite the
Server has chosen, then the Peer SHOULD silently discard this
message. Alternatively, the Peer MAY send a SAKE/Auth-Reject message
back to the Server; in response to this message, the Server MUST send
an EAP.Failure message to the Peer.
The AT_SPI_S attribute MUST be included if encryption is to be used.
The Server knows whether or not encryption is to be used, as it is
usually the Server that needs to protect some data intended for the
Peer (e.g., temporary ID, group keys, etc). If the Peer receives an
AT_SPI_S attribute yet there is no AT_ENCR_DATA attribute, the Peer
SHOULD process the message and skip the AT_SPI_S attribute.
The Peer considers the Server to have failed authentication if the
received and the computed MIC_S values do not match. In this case,
the Peer MUST send to the Server an EAP.Response message of type SAKE
and subtype Auth-Reject, indicating an authentication failure. In
this case, the Server MUST send an EAP.Failure message to the Peer as
in Figure 3. The following steps take place:
Vanderveen & Soliman Informational [Page 9]
^L
RFC 4763 EAP-SAKE November 2006
Peer Server
| |
| EAP.Request/SAKE/Challenge |
| (AT_RAND_S, AT_SERVERID) |
1 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Challenge |
| (AT_RAND_P, AT_PEERID, AT_SPI_P, AT_MIC_P) |
2 |--------------------------------------------------------->|
| |
| EAP.Request/SAKE/Confirm |
| (AT_SPI_S, AT_ENCR_DATA, AT_MIC_S)|
3 |<---------------------------------------------------------|
| |
+-----------------------------------------------+ |
| Peer finds MIC_S invalid. | |
+-----------------------------------------------+ |
| |
| EAP.Response/SAKE/Auth-Reject |
4 |--------------------------------------------------------->|
| |
| EAP-Failure |
5 |<---------------------------------------------------------|
| |
Figure 3. EAP-SAKE Authentication Procedure, Server Fails
Authentication
1. As in step 1 of Figure 1.
2. As in step 2 of Figure 1.
3. As in step 3 of Figure 1.
4. The Peer receives a EAP.Request/SAKE/Confirm message indicating
successful authentication by the Server. The Peer computes the
MIC_S in the same manner as the Server did. The Peer then
compares the received MIC_S with the MIC_S it computed. Since
they do not match, the Peer considers the Server to have failed
authentication. In this case, the Peer responds with an
EAP.Response message of type SAKE and subtype Auth-Reject,
indicating authentication failure.
5. Upon receipt of a EAP.Response/SAKE/Auth-Reject message, the
Server sends an EAP.Failure message back to the Peer.
Vanderveen & Soliman Informational [Page 10]
^L
RFC 4763 EAP-SAKE November 2006
3.2.3. Identity Management
It may be advisable to assign a temporary identifier (TempID) to a
Peer when user anonymity is desired. The TempID is delivered to the
Peer in the EAP.Request/SAKE/Confirm message. The TempID follows the
format of any NAI [NAI] and is generated by the EAP Server that
engages in the EAP-SAKE authentication task with the Peer. EAP
servers SHOULD be configurable with TempID spaces that can be
distinguished from the permanent identity space. For instance, a
specific realm could be assigned for TempIDs (e.g., tmp.example.biz).
A TempID is not assigned an explicit lifetime. The TempID is valid
until the Server requests the permanent identifier, or the Peer
triggers the start of a new EAP session by sending in its permanent
identifier. A Peer MUST be able to trigger an EAP session at any
time using its permanent identifier. A new TempID assigned during a
successful EAP session MUST replace the existing TempID for future
transactions between the Peer and the Server.
Note that the delivery of a TempID does not imply that the Server
considers the Peer authenticated; the Server still has to check the
MIC in the EAP.Response/SAKE/Confirm message. In case the EAP phase
ends with an EAP.Failure message, then the Server and the Peer MUST
consider the TempID that was just delivered as invalid. Hence, the
Peer MUST NOT use this TempID the next time it tries to authenticate
with the Server.
3.2.4. Obtaining Peer Identity
The types of identities that a Peer may possess are permanent and
temporary identities, referred to as PermID and TempID, respectively.
A PermID can be an NAI associated with the Root Secret, and is long-
lived. A TempID is an identifier generated through the EAP method
and that the Peer can use to identify itself during subsequent EAP
sessions with the Server. The purpose of the TempID is to allow for
user anonymity support. The use of TempIDs is optional in the EAP-
SAKE method.
The Server MAY request the Peer ID via the EAP.Request/SAKE/Identity
message, as shown in Figure 4. This case may happen if, for example,
the Server wishes to initiate an EAP-SAKE session for a Peer it does
not have a subscriber identifier for. The following steps take
place:
Vanderveen & Soliman Informational [Page 11]
^L
RFC 4763 EAP-SAKE November 2006
Peer Server
| |
| +---------------------------------+
| | Server wishes to initiate |
| | an EAP-SAKE session |
| | |
| +---------------------------------+
| |
| EAP.Request/SAKE/Identity |
| (AT_ANY_ID_REQ, AT_SERVERID) |
1 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Identity |
| (AT_PEERID) |
2 |--------------------------------------------------------->|
| |
+--------------------------------------------------------------+
| If identity found, normal EAP-SAKE authentication follows. |
+--------------------------------------------------------------+
Figure 4. Server Requests Peer Identity
1. The Server sends an EAP.Request message of type SAKE and subtype
Identity, with the attribute AT_ANY_ID_REQ, indicating a request
for any Peer identifier.
2. The Peer constructs an EAP.Response message of type SAKE and
subtype Identity, with the attribute AT_PEER_ID containing any
Peer identifier (PermID or TempID).
If the Server cannot find the Peer identity reported in the
EAP.Response/SAKE/Identity message, or if it does not recognize the
format of the Peer identifier, the Server MAY send an EAP.Failure
message to the Peer.
If the Server is unable to look up a Peer by its TempID, or if policy
dictates that the Peer should now use its permanent id, then the
Server may specifically ask for the permanent identifier, as in
Figure 5. The following steps occur:
Vanderveen & Soliman Informational [Page 12]
^L
RFC 4763 EAP-SAKE November 2006
Peer Server
| |
| +---------------------------------+
1 | | Server obtains TempID but |
| | requires PermID |
| +---------------------------------+
| |
| EAP.Request/SAKE/Identity |
| (AT_PERM_ID_REQ, AT_SERVERID) |
2 |<---------------------------------------------------------|
| |
| EAP.Response/SAKE/Identity |
| (AT_PEERID) |
3 |--------------------------------------------------------->|
| |
| +---------------------------------+
| | Server finds and uses |
| | Peer PermID to start a |
| | EAP-SAKE authentication phase |
| +---------------------------------+
|
+---------------------------------------------------------------+
| Normal EAP-SAKE authentication follows. |
+---------------------------------------------------------------+
Figure 5. Server Is Given a TempID as Peer Identity; Server
Requires a PermID
1. The Peer (or the Authenticator on behalf of the Peer) sends an
EAP.Request message of type Identity and includes the TempID.
2. The Server requires a PermID instead, so it sends an EAP.Request
message of type SAKE and subtype Identity with attributes
AT_PERM_ID_REQ and AT_SERVERID.
3. The Peer sends an EAP.Response message of type SAKE and subtype
Identity containing the attribute AT_PEERID carrying the Peer
PermID.
3.2.5. Key Hierarchy
EAP-SAKE uses a three-level key hierarchy.
Level 1 contains the pre-shared secret called Root Secret. This is a
32-byte high-entropy string partitioned into the Root-Secret-A part
(16 bytes) and the Root-Secret-B part (16 bytes).
Vanderveen & Soliman Informational [Page 13]
^L
RFC 4763 EAP-SAKE November 2006
Level 2 contains the key derivation key called the SAKE Master Secret
(SMS). SMS-A is derived from the Root-Secret-A key and the Peer and
Server nonces using the EAP-SAKE Key-Derivation Function (KDF), and
similarly for SMS-B. The SMS is known only to the Peer and Server
and is not made known to other parties.
Level 3 contains session keys, such as Transient EAP Keys (TEK),
Master Session Key (MSK), and Extended MSK (EMSK). TEKs are keys for
use local to the EAP method only. They are derived from the SMS-A
and the nonces using the EAP-SAKE KDF. They are partitioned into a
16-byte TEK-Auth, used to compute the MICs, and a 16-byte TEK-Cipher,
used to encrypt selected attributes. Since the SMS is fresh, so are
the derived TEKs.
+--------------------+ +--------------------+
| Root-Secret-A | | Root-Secret-B |
| (pre-shared secret)| | (pre-shared secret)|
+--------------------+ +--------------------+
| |
V V
+-------------------+ +--------------------+
| SAKE Master Secret|<---RAND_S------------->| SAKE Master Secret |
| (SMS-A) | | | (SMS-B) |
| |<-------]---RAND_P----->| |
+-------------------+ | | +--------------------+
| | | |
V | | V
+--------------------+ | | +--------------------+
| Transient EAP Keys |<------+-----+-------->| Session Keys: |
| TEK-Auth,TEK-Cipher|<------------+-------->| MSK, EMSK |
+--------------------+ +--------------------+
Figure 6. Key Hierarchy for the EAP-SAKE Method
On another branch of level 3 of the key hierarchy are the MSK and
EMSK, each mandated to be 64 bytes long. They are derived from the
SMS-B and the nonces using the EAP-SAKE KDF. Again, since the SMS is
fresh, so are the derived MSK/EMSK. The MSK is meant to be exported
and relayed to other parties. The EMSK is reserved for future use,
such as derivation of application-specific keys, and is not shared
with other parties.
Vanderveen & Soliman Informational [Page 14]
^L
RFC 4763 EAP-SAKE November 2006
The EAP-SAKE key material is summarized in the table below.
===================================================================
Key Size Scope Lifetime Use
(bytes)
===================================================================
Root-Secret-A 16 Peer, Server Device Derive TEK
--------------------------------------------------------------------
Root-Secret-B 16 Peer, Server Device Derive MSK, EMSK
--------------------------------------------------------------------
TEK-Auth 16 Peer, Server MSK Life Compute MICs
--------------------------------------------------------------------
TEK-Cipher 16 Peer, Server MSK Life Encrypt attribute
--------------------------------------------------------------------
MSK 64 Peer, Server, MSK Life Derive keys for
Authenticator lower-layer use
--------------------------------------------------------------------
EMSK 64 Peer, Server MSK Life Reserved
--------------------------------------------------------------------
A key name format is not provided in this version.
Since this version of EAP-SAKE does not support fast re-
authentication, the lifetime of the TEKs is to extend only until the
next EAP mutual authentication. The MSK lifetime dictates when the
next mutual authentication is to take place. The Server MAY convey
the MSK lifetime to the Peer in the AT_MSK_LIFE attribute. Note that
EAP-SAKE does not support key lifetime negotiation.
The EAP-SAKE Method-Id is the contents of the RAND_S field from the
AT_RAND_S attribute, followed by the contents of the RAND_P field in
the AT_RAND_P attribute.
3.2.6. Key Derivation
3.2.6.1. Key-Derivation Function
For the rest of this document, KDF-X denotes the EAP-SAKE Key-
Derivation Function whose output is X bytes. This function is the
pseudo-random function of [IEEE802.11i].
The function takes three strings of bytes of arbitrary lengths: a
Key, a Label, and a Msg, and outputs a string Out of length X bytes
as follows:
Out = KDF-X (Key, Label, Msg)
Vanderveen & Soliman Informational [Page 15]
^L
RFC 4763 EAP-SAKE November 2006
The KDF is a keyed hash function with key "Key" and operating on
input "Label | Msg". The convention followed herein is that
concatenation is denoted by |, FLOOR denotes the floor function, and
[x...y] denotes bytes x through y.
The label is an ASCII character string. It is included in the exact
form it is given without a length byte or trailing null character.
Below, "Length" denotes a single unsigned octet with values between 0
and 255 (bytes). The following functions are defined (see [HMAC],
[SHA1]):
H-SHA1(Key, Label, Msg, Length) := HMAC-SHA1(Key, Label|Y|Msg|Length)
where Y := 0x00
KDF-16(Key, Label, Msg) := KDF(Key, Label, Msg, 16)
KDF-32(Key, Label, Msg) := KDF(Key, Label, Msg, 32)
KDF-128(Key, Label, Msg) := KDF(Key, Label, Msg, 128)
KDF(Key, Label, Msg, Length)
R := [] ;; null string
for i := 0 to FLOOR(Length/20)-1 do
R := R | H-SHA1(Key, Label, Msg, i)
return R[0...(Length-1)]
3.2.6.2. Transient EAP Keys Derivation
The Peer and Server derive the SMS and then the TEK as follows:
SMS-A = KDF-16 (Root-Secret-A, "SAKE Master Secret A", RAND_P|RAND_S)
TEK = KDF-32 (SMS-A, "Transient EAP Key", RAND_S | RAND_P)
TEK-Auth = TEK[0...15]
TEK-Cipher = TEK[16...31]
3.2.6.3. Extended/Master Session Key Derivation
The Peer and the Server derive the MSK/EMSK, as follows:
SMS-B = KDF-16 (Root-Secret-B, "SAKE Master Secret B", RAND_P|RAND_S)
Session-Key-Block=KDF-128(SMS-B, "Master Session Key", RAND_S|RAND_P)
MSK = Session-Key-Block[0...63]
EMSK = Session-Key-Block[64...127]
The derivation above affords the required cryptographic separation
between the MSK and EMSK. That is, knowledge of the EMSK does not
immediately lead to knowledge of the MSK, nor does knowledge of the
MSK immediately lead to knowledge of the EMSK.
Vanderveen & Soliman Informational [Page 16]
^L
RFC 4763 EAP-SAKE November 2006
3.2.7. Ciphersuite Negotiation
A ciphersuite is identified by a numeric value called the Security
Parameter Index (SPI). The SPI is used here in the EAP-SAKE method
in order to negotiate a ciphersuite between the Peer and the Server
for EAP data protection only. Obviously, this ciphersuite can only
be used late in the EAP conversation, after it has been agreed upon
by both the Peer and the Server.
The EAP method may or may not need to use this ciphersuite, since
attribute encryption is optional. For example, if the temporary
identifier needs to be delivered to the Peer and needs to be
encrypted, then the negotiated ciphersuite will be used for this
task. If there are no attributes that need encryption as they are
passed to the Peer, then this ciphersuite is never used.
As with most other methods employing ciphersuite negotiation, the
following exchange is employed: the Peer sends an ordered list of one
or more supported ciphersuites, starting with the most preferred one,
in a field SPI_P. The Server then sends back the one ciphersuite
chosen in a field SPI_S. The Server SHOULD choose the strongest
ciphersuite supported by both of them.
Ciphersuite negotiation for data protection is achieved via SAKE
Signaling as follows. In the EAP.Response/SAKE/Challenge, the Peer
sends a list of supported ciphersuites, SPI_P, and protects that with
a MIC. In the EAP.Request/SAKE/Confirm, the Server sends one
selected ciphersuite, SPI_S, and signs that with a MIC. Finally, the
Peer confirms the selected ciphersuite and readiness to use it in a
signed EAP.Response/SAKE/Confirm message. The negotiation is secure
because of the Message Integrity Checks that cover the entire EAP
message.
3.2.8. Message Integrity and Encryption
This section specifies the EAP/SAKE attributes used for message
integrity and attribute encryption: AT_MIC_S, AT_MIC_P, AT_IV,
AT_ENCR_DATA, and AT_PADDING. Only the AT_MIC_S and AT_MIC_P are
mandatory to use during the EAP-SAKE exchange.
Because the TEKs necessary for protection of the attributes and for
message authentication are derived using the nonces RAND_S and
RAND_P, the AT_MIC_S and AT_MIC_P attributes can only be used in the
EAP.Response/SAKE/Challenge message and any messages sent thereafter.
Vanderveen & Soliman Informational [Page 17]
^L
RFC 4763 EAP-SAKE November 2006
3.2.8.1. The AT_MIC_S and AT_MIC_P Attributes
The AT_MIC_S and AT_MIC_P attributes are used for EAP-SAKE message
integrity. The AT_MIC_S attribute MUST be included in all EAP-SAKE
packets that the Server sends whenever key material (TEK) has been
derived. That is, the AT_MIC_S attribute MUST be included in the
EAP.Request/SAKE/Confirm message. The AT_MIC_S MUST NOT be included
in EAP.Request/SAKE/Challenge messages, or EAP.Request/SAKE/Identity
messages.
The AT_MIC_P attribute MUST be included in all EAP-SAKE packets the
Peer sends whenever key material (TEK) has been derived. That is,
the AT_MIC_P attribute MUST be included in the
EAP.Response/SAKE/Challenge and EAP.Response/SAKE/Confirm messages.
The AT_MIC_P attribute MUST NOT be included in the
EAP.Response/SAKE/Auth-Reject message since the Peer has not
confirmed that it has the same TEK as the Server.
Messages that do not meet the conditions specified above MUST be
silently discarded upon reception.
The value field of the AT_MIC_S and AT_MIC_P attributes contain a
message integrity check (MIC). The MIC is calculated over the entire
EAP packet, prepended with the Server nonce and identifier and the
Peer nonce and identifier. The value field of the MIC attribute is
set to zero when calculating the MIC. Including the Server and Peer
nonces and identifiers aids in detecting replay and man-in-the-middle
attacks.
The Peer computes its MIC as follows:
MIC_P = KDF-16 (TEK-Auth, "Peer MIC", RAND_S | RAND_P |
PEERID | 0x00 | SERVERID | 0x00 | <EAP-packet>),
while the Server computes its MIC as
MIC_S = KDF-16 (TEK-Auth, "Server MIC", RAND_P |RAND_S |
SERVERID | 0x00 | PEERID | 0x00 | <EAP-packet>).
Here, <EAP-packet> denotes the entire EAP packet, used as a string of
bytes, the MIC value field set to zero. 0x00 denotes a single octet
value used to delimit SERVERID and PEERID. The PEERID and SERVERID,
respectively, are the ones carried in the corresponding attributes in
the SAKE/Challenge messages.
Vanderveen & Soliman Informational [Page 18]
^L
RFC 4763 EAP-SAKE November 2006
In case the SAKE/Challenge exchange was preceded by an
EAP.Request/SAKE/Identity message containing the AT_SERVERID
Attribute, then the SERVERID value in the MIC_P and MIC_S computation
MUST be set to the value of this attribute.
If the AT_SERVERID was not included in either the SAKE/Challenge
message or the SAKE/Identity message, then the value of the SERVERID
used in the computation of MIC_P and MIC_S MUST be empty. If the
AT_PEERID was not included in the SAKE/Challenge message, and there
was no EAP.Response/SAKE/Identity message preceding the
SAKE/Challenge messages, then the value of the PEERID used in the
computation of MIC_P and MIC_S MUST be empty.
The Server and Peer identity are included in the computation of the
signed responses so that the Peer and Server can verify each other's
identities, and the possession of a common secret, the TEK-Auth.
However, since the AT_SERVERID is not explicitly signed with a MIC by
the Server, EAP-SAKE does not claim channel binding.
3.2.8.2. The AT_IV, AT_ENCR_DATA, and AT_PADDING Attributes
The AT_IV and AT_ENCR_DATA attributes can be used to transmit
encrypted information between the Server and the Peer. The value
field of AT_IV contains an initialization vector (IV) if one is
required by the encryption algorithm used. It is not mandatory that
the AT_IV attribute be included whenever the AT_ENCR_DATA attribute
is.
However, the AT_IV attribute MUST NOT be included unless the
AT_ENCR_DATA is included. Messages that do not meet this condition
MUST be silently discarded.
Attributes can be encrypted only after a ciphersuite has been agreed
on, i.e., in any message starting with the Server's
EAP.Request/SAKE/Confirm message. The attributes MUST be encrypted
using algorithms corresponding to the SPI value specified by the
AT_SPI_S attribute. The attributes MUST be encrypted using the TEK-
Cipher key, whose derivation is specified in Section 3.2.6.2.
If an IV is required by the encryption algorithm, then the sender of
the AT_IV attribute MUST NOT reuse the IV value from previous EAP-
SAKE packets. The sender MUST choose a new value for each AT_IV
attribute. The sender SHOULD use a good random number generator to
generate the initialization vector (see [RFC4086] for guidelines).
Vanderveen & Soliman Informational [Page 19]
^L
RFC 4763 EAP-SAKE November 2006
The value field of the AT_ENCR_DATA attribute consists of bytes
encrypted using the ciphersuite specified in the AT_SPI_S attribute.
The encryption key is the TEK-Cipher, and the plaintext consists of
one or more concatenated EAP-SAKE attributes.
The default encryption algorithm, as described in Section 3.2.8.3,
requires the length of the plaintext to be a multiple of 16 bytes.
The sender MAY need to include the AT_PADDING attribute as the last
attribute within the value field of the AT_ENCR_DATA attribute. The
length of the padding is chosen so that the length of the value field
of the AT_ENCR_DATA attribute becomes a multiple of 16 bytes. The
AT_PADDING attribute SHOULD NOT be included if the total length of
other attributes present within the AT_ENCR_DATA attribute is a
multiple of 16 bytes. The length of the AT_PADDING attribute
includes the Attribute Type and Attribute Length fields. The actual
pad bytes in the value field are set to zero (0x00) on sending. The
recipient of the message MUST verify that the pad bytes are zero
after decryption and MUST silently discard the message otherwise.
The MIC computed on the entire EAP message can be used to obviate the
need for special integrity protection or message authentication of
the encrypted attributes.
An example of the AT_ENCR_DATA attribute is shown in Section 3.3.3.
3.2.8.3. Security Parameter Index (SPI) Considerations
An SPI value is a variable-length string identifying at least an
encryption algorithm and possibly a "security association". EAP-SAKE
does not mandate the format of the SPI; it only mandates that the
default encryption algorithm be supported if encryption is supported.
That is, if an implementation compliant with this document supports
encryption, then it MUST support the AES-CBC cipher.
The default encryption algorithm AES-CBC involves the AES block
cipher [AES] in the Cipher-Block-Chaining (CBC) mode of operation
[CBC].
The Peer in the EAP-SAKE method can send up to four SPI values in its
SPI_P field. Because the length of the AT_SPI_P and AT_SPI_S
attributes must each be a multiple of 2 bytes, the sender pads the
value field with zero bytes when necessary (the AT_PADDING attribute
is not used here). For example, the value field of the AT_SPI_S
contains one byte with the chosen SPI, followed by one byte of zeros.
Vanderveen & Soliman Informational [Page 20]
^L
RFC 4763 EAP-SAKE November 2006
3.2.9. Fragmentation
The EAP-SAKE method does not require fragmentation, as the messages
do not get excessively long. That is, EAP packets are well within
the limit of the maximum transmission unit of other layers (link,
network). The only variable fields are those carrying NAIs, which
are limited by their length field to 256 bytes.
3.2.10. Error Cases
Malformed messages: As a general rule, if a Peer or Server receives
an EAP-SAKE packet that contains an error, the implementation SHOULD
silently discard this packet, not change state, and not send any EAP
messages to the other party. Examples of such errors include a
missing mandatory attribute, an attribute that is not allowed in this
type of message, and unrecognized subtypes or attributes.
Non-matching Session Id: If a Peer or Server receives an EAP-SAKE
packet with a Session Id field not matching the Session Id from the
previous packet in this session, that entity SHOULD silently discard
this packet (not applicable for the first message of an EAP-SAKE
session).
Peer Authorization Failure: It may be possible that a Peer is not
authorized for services, such as when the terminal device is reported
stolen. In that case, the Server SHOULD send an EAP.Failure message.
Unexpected EAP.Success: A Server MUST NOT send an EAP-Success message
before the SAKE/Challenge and SAKE/Confirm rounds. The Peer MUST
silently discard any EAP.Success packets before the Peer has
successfully authenticated the Server via the
EAP.Response/SAKE/Confirm packet.
The Peer and Server SHOULD log all error cases.
Vanderveen & Soliman Informational [Page 21]
^L
RFC 4763 EAP-SAKE November 2006
3.3. Message Formats
3.3.1. Message Format Summary
A summary of the EAP packet format [EAP] is shown below for
convenience. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
1 - Request
2 - Response
Identifier
The identifier field is one octet and aids in matching responses
with requests.
Length
The Length field is two octets and indicates the number of octets
in an EAP message including the Code, Identifier, Length, Type,
and Data fields.
Type
To be assigned.
Version
The EAP-SAKE method as described herein is version 2.
Session ID
The Session ID is a 1-byte random number that MUST be freshly
generated by the Server that must match all EAP messages in a
particular EAP conversation.
Vanderveen & Soliman Informational [Page 22]
^L
RFC 4763 EAP-SAKE November 2006
Subtype
EAP-SAKE subtype: SAKE/Challenge, SAKE/Confirm, SAKE/Auth-Reject,
and SAKE/Identity. All messages of type "EAP-SAKE" that are not
of these subtypes MUST silently discarded.
Message Name Subtype Value (decimal)
=============================================
SAKE/Challenge 1
SAKE/Confirm 2
SAKE/Auth-Reject 3
SAKE/Identity 4
3.3.2. Attribute Format
The EAP-SAKE attributes that are part of the EAP-SAKE packet follow
the Type-Length-Value format with 1-byte Type, 1-byte Length, and
variable-length Value (up to 255 bytes). The Length field is in
octets and includes the length of the Type and Length fields. The
EAP-SAKE attribute format is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
1-byte unsigned integer; see Table below.
Length
The total number of octets in the attribute, including Type and
Length.
Value
Attribute-specific.
Vanderveen & Soliman Informational [Page 23]
^L
RFC 4763 EAP-SAKE November 2006
The following attribute types are allocated.
-----------------------------------------------------------------
Attr. Name Length
(bytes) Skippable Description
-----------------------------------------------------------------
AT_RAND_S 18 No Server Nonce RAND_S
AT_RAND_P 18 No Peer Nonce RAND_P
AT_MIC_S 10 No Server MIC
AT_MIC_P 10 No Peer MIC
AT_SERVERID variable No Server FQDN
AT_PEERID variable No Peer NAI (tmp, perm)
AT_SPI_S variable No Server chosen SPI SPI_S
AT_SPI_P variable No Peer SPI list SPI_P
AT_ANY_ID_REQ 4 No Requires any Peer Id (tmp, perm)
AT_PERM_ID_REQ 4 No Requires Peer's permanent Id/NAI
AT_ENCR_DATA Variable Yes Contains encrypted attributes
AT_IV Variable Yes IV for encrypted attributes
AT_PADDING 2 to 18 Yes Padding for encrypted attributes
AT_NEXT_TMPID variable Yes TempID for next EAP-SAKE phase
AT_MSK_LIFE 6 Yes MSK Lifetime in seconds
-----------------------------------------------------------------
Vanderveen & Soliman Informational [Page 24]
^L
RFC 4763 EAP-SAKE November 2006
3.3.3. Use of AT_ENCR_DATA Attribute
An example of the AT_ENCR_DATA attribute, as used in the
EAP.Request/SAKE/Confirm message, is shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IV | Length = 18 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| Initialization Vector |
| |
| |-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |AT_ENCR_DATA | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+}e
| AT_NEXT_TMPID | Length | |}n
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |}c
| |}r
. Peer TempID |}y
. |}p
. |}t
| |}e
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+}d
| AT_MIC_S | Length = 10 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| MIC_S |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| |AT_PADDING | Length=2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vanderveen & Soliman Informational [Page 25]
^L
RFC 4763 EAP-SAKE November 2006
3.3.4. EAP.Request/SAKE/Challenge Format
The format of the EAP.Request/SAKE/Challenge packet is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RAND_S | Length = 18 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| RAND_S |
| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | AT_SERVERID | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
: :
| Server ID |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
1 for Request
Identifier
A random number. See [EAP].
Length
The length of the entire EAP packet in octets.
Type
EAP-SAKE
Version
2
Vanderveen & Soliman Informational [Page 26]
^L
RFC 4763 EAP-SAKE November 2006
Session ID
A random number chosen by the server to identify this EAP-Session.
Subtype
1 for SAKE/Challenge
AT_RAND_S
The value field of this attribute contains the Server nonce RAND_S
parameter. The RAND_S attribute MUST be present in
EAP.Request/SAKE/Challenge.
AT_SERVERID
The value field of this attribute contains the Server identifier
(e.g., a non-null terminated string). The AT_SERVERID attribute
SHOULD be present in EAP.Request/SAKE Challenge.
Vanderveen & Soliman Informational [Page 27]
^L
RFC 4763 EAP-SAKE November 2006
3.3.5. EAP.Response/SAKE/Challenge Format
The format of the EAP.Response/SAKE/Challenge packet is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RAND_P | Length = 18 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| RAND_P |
| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | AT_PEERID | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
: Peer NAI :
| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | AT_SPI_P | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIP | AT_MIC_P | Length = 18 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MIC_P |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
2 for Response
Identifier
A number that MUST match the Identifier field from the
corresponding Request.
Length
The length of the entire EAP packet in octets.
Vanderveen & Soliman Informational [Page 28]
^L
RFC 4763 EAP-SAKE November 2006
Type
EAP-SAKE
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Subtype
1 for SAKE/Challenge
AT_RAND_P
The value field of this attribute contains the Peer nonce RAND_P
parameter. The AT_RAND_P attribute MUST be present in the
EAP.Response/SAKE/Challenge.
AT_PEERID
The value field of this attribute contains the NAI of the Peer.
The Peer identity follows the same Network Access Identifier
format that is used in EAP.Response/Identity, i.e., including the
NAI realm portion. The identity is the permanent identity, or a
temporary identity. The identity does not include any terminating
null characters. The AT_PEERID attribute is optional in the
EAP.Response/SAKE/Challenge.
AT_SPI_P
The value field of this attribute contains the Peer's ciphersuite
list SPI_P parameter. The AT_SPI_P attribute is optional in the
EAP.Response/SAKE/Challenge.
AT_MIC_P
The value field of this attribute contains the Peer MIC_P
parameter. The AT_MIC_P attribute MUST be present in the
EAP.Response/SAKE/Challenge.
Vanderveen & Soliman Informational [Page 29]
^L
RFC 4763 EAP-SAKE November 2006
3.3.6. EAP.Request/SAKE/Confirm Format
The format of the EAP.Request/SAKE/Confirm packet is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_SPI_S | Length | SPI_S |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IV | Length | Initialization Vector ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ :
| |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | AT_ENCR_DATA | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encrypted Data... |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_MSK_LIFE | Length=6 | MSK Lifetime... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | AT_MIC_S | Length=18 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MIC_S |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
1 for Request
Identifier
A random number. See [EAP].
Length
The length of the entire EAP packet in octets.
Vanderveen & Soliman Informational [Page 30]
^L
RFC 4763 EAP-SAKE November 2006
Type
EAP-SAKE
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Subtype
2 for SAKE Confirm
AT_SPI_S
The value field of this attribute contains the Server chosen
ciphersuite SPI_S parameter. The AT_SPI_S attribute is optional
in the EAP.Request/SAKE/Confirm.
AT_IV
This attribute is optional to use in this message. The value
field of this attribute contains the Initialization Vector that is
used with the encrypted data following.
AT_ENCR_DATA
This attribute is optional to use in this message. The encrypted
data, if present, may contain an attribute AT_NEXT_TMPID,
containing the NAI the Peer should use in the next EAP
authentication.
AT_MSK_LIFE
This attribute is optional to use in this message. The value
field of this attribute contains the MSK Lifetime in seconds.
AT_MIC_S
The value field of this attribute contains the Server MIC_S
parameter. The AT_MIC_S attribute MUST be present in the
EAP.Request/SAKE/Confirm.
Vanderveen & Soliman Informational [Page 31]
^L
RFC 4763 EAP-SAKE November 2006
3.3.7. EAP.Response/SAKE/Confirm Format
The format of the EAP.Response/SAKE/Confirm packet is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_MIC_P | Length = 18 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| MIC_P |
| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | AT_PADDING | Length = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
2 for Response
Identifier
A number that MUST match the Identifier field from the
corresponding Request.
Length
The length of the entire EAP packet in octets.
Type
EAP-SAKE
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Vanderveen & Soliman Informational [Page 32]
^L
RFC 4763 EAP-SAKE November 2006
Subtype
2 for SAKE Confirm
AT_MIC_P
The value field of this attribute contains the Peer's MIC_P
parameter. The AT_MIC_P attribute MUST be present in the
EAP.Response/SAKE/Confirm.
AT_PADDING
The value field is set to zero. Added to achieve 32-bit alignment
of the EAP-SAKE packet.
3.3.8. EAP.Response/SAKE/Auth-Reject Format
The format of the EAP.Response/SAKE/Auth-Reject packet is shown
below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
2 for Response
Identifier
A number that MUST match the Identifier field from the
corresponding Request.
Length
The length of the entire EAP packet in octets.
Type
EAP-SAKE
Vanderveen & Soliman Informational [Page 33]
^L
RFC 4763 EAP-SAKE November 2006
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Subtype
3 for SAKE/Auth-Reject
3.3.9. EAP.Request/SAKE/Identity Format
The format of the EAP.Request/SAKE/Identity is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_PERM_ID_REQ | Length = 4 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_ANY_ID_REQ | Length = 4 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_SERVERID | Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ :
| Server ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
1 for Request
Identifier
A random number. See [EAP].
Length
The length of the entire EAP packet in octets.
Vanderveen & Soliman Informational [Page 34]
^L
RFC 4763 EAP-SAKE November 2006
Type
EAP-SAKE
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Subtype
4 for SAKE/Identity
AT_PERM_ID_REQ
The AT_PERM_ID_REQ attribute is optional, to be included in cases
where the Server requires the Peer to give its permanent
identifier (i.e., PermID). The AT_PERM_ID_REQ MUST NOT be
included if the AT_ANY_ID_REQ attribute is included. The value
field only contains two reserved bytes, which are set to zero on
sending and ignored on reception.
AT_ANY_ID_REQ
The AT_ANY_ID_REQ attribute is optional, to be included in cases
where the Server requires the Peer to send any identifier (e.g.,
PermID, TempID). The AT_ANY_ID_REQ MUST NOT be included if
AT_PERM_ID_REQ is included. The value field only contains two
reserved bytes, which are set to zero on sending and ignored on
reception. One of the AT_PERM_ID_REQ and AT_ANY_ID_REQ MUST be
included.
AT_SERVERID
The value field of this attribute contains the identifier/realm of
the Server. The AT_SERVERID attribute is optional but RECOMMENDED
to include in the EAP.Request/SAKE/Identity.
Vanderveen & Soliman Informational [Page 35]
^L
RFC 4763 EAP-SAKE November 2006
3.3.10. EAP.Response/SAKE/Identity Format
The format of the EAP.Response/SAKE/Identity is shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=EAP-SAKE | Version=2 | Session ID | Subtype=4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_PEERID | Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ :
| Peer NAI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The semantics of the fields is described below:
Code
2 for Response
Identifier
A number that MUST match the Identifier field from the
corresponding Request.
Length
The length of the entire EAP packet.
Type
EAP-SAKE
Version
2
Session ID
A number matching all other EAP messages in this EAP session.
Subtype
4 for SAKE/Identity
Vanderveen & Soliman Informational [Page 36]
^L
RFC 4763 EAP-SAKE November 2006
AT_PEERID
The value field of this attribute contains the NAI of the Peer.
The AT_PEERID attribute MUST be present in
EAP.Response/SAKE/Identity.
3.3.11. Other EAP Messages Formats
The format of the EAP.Request/Identity and EAP.Response/Identity
packets is described in [EAP]. The user ID (e.g., NAI) SHOULD be
present in this packet.
The format of the EAP-Success and EAP-Failure packet is also shown in
[EAP].
4. IANA Considerations
IANA allocated a new EAP Type for EAP-SAKE.
EAP-SAKE messages include an 8-bit Subtype field. The Subtype is a
new numbering space for which IANA administration is required. The
following subtypes are specified in this memo:
SAKE/Challenge.................1
SAKE/Confirm...................2
SAKE/Auth-Reject...............3
SAKE/Identity..................4
The Subtype-specific data is composed of attributes, which have an
8-bit type number. Attributes numbered within the range 0 through
127 are called non-skippable attributes, and attributes within the
range of 128 through 255 are called skippable attributes. The EAP-
SAKE attribute type number is a new numbering space for which IANA
administration is required. The following attribute types are
specified:
AT_RAND_S.......................................1
AT_RAND_P.......................................2
AT_MIC_S........................................3
AT_MIC_P........................................4
AT_SERVERID.....................................5
AT_PEERID.......................................6
AT_SPI_S........................................7
AT_SPI_P........................................8
AT_ANY_ID_REQ...................................9
AT_PERM_ID_REQ.................................10
Vanderveen & Soliman Informational [Page 37]
^L
RFC 4763 EAP-SAKE November 2006
AT_ENCR_DATA..................................128
AT_IV.........................................129
AT_PADDING....................................130
AT_NEXT_TMPID.................................131
AT_MSK_LIFE...................................132
All requests for value assignment from the two number spaces
described in this memo require proper documentation, according to the
"Specification Required" policy described in [IANA].
All assignments of values from the two number spaces described in
this memo require IETF consensus.
5. Security Considerations
The EAP specification [EAP] describes the security vulnerabilities of
EAP, which does not include its method-specific security mechanisms.
This section discusses the claimed security properties of the EAP-
SAKE method, along with vulnerabilities and security recommendations.
5.1. Denial-of-Service Attacks
Since EAP-SAKE is not a tunneling method, the
EAP.Response/SAKE/Auth-Reject, EAP.Success, and EAP.Failure packets
are not integrity or replay protected. This makes it possible for an
attacker to spoof such messages. Note that EAP.Response/SAKE/Auth-
Reject cannot be protected with a MIC since an authentication failure
indicates that the Server and Peer do not agree on a common key.
Most importantly, an attacker cannot cause a Peer to accept an
EAP.Success packet as indication that the Server considers the mutual
authentication to have been achieved. This is because a Peer does
not accept EAP.Success packets before it has authenticated the Server
or after it has considered the Server to have failed authentication.
5.2. Root Secret Considerations
If the Root Secret is known to any party other than the Server and
Peer, then the mutual authentication and key establishment using
EAP-SAKE is compromised.
EAP-SAKE does not address how the Root Secret is generated or
distributed to the Server and Peer. It is RECOMMENDED that the
entropy of the Root Secret be maximized. The Root Secret SHOULD be
machine-generated.
Vanderveen & Soliman Informational [Page 38]
^L
RFC 4763 EAP-SAKE November 2006
If the Root Secret is derived from a low-entropy, guessable quantity
such as a human-selected password, then the EAP-SAKE key derivation
is subject to on-line and off-line dictionary attacks. To help
identify whether such a password has been compromised,
implementations SHOULD keep a log of the number of EAP-SAKE messages
received with invalid MIC fields. In these cases, a procedure for
updating the Root Secret securely SHOULD be in place.
5.3. Mutual Authentication
Mutual authentication is accomplished via the SAKE/Challenge and
SAKE/Confirm messages. The EAP.Request/SAKE/Challenge contains the
Server nonce RAND_S; the EAP.Response/SAKE/Challenge contains the
Peer nonce RAND_P, along with the Peer MIC (MIC_P); and the
EAP.Request/SAKE/Confirm contains the Server MIC (MIC_S). Both MICs
(MIC_S and MIC_P) are computed using both nonces RAND_S and RAND_P
and are keyed by the TEK, a shared secret derived from the Root
Secret. The Server considers the Peer authenticated if the MIC_P it
computes matches the one that the Peer sends. Similarly, the Peer
considers the Server authenticated if the MIC_S it computes matches
the one that the Server sends. The way the MICs are computed
involves a keyed one-way hash function, which makes it
computationally hard for an attacker to produce the correct MIC
without knowledge of the shared secret.
5.4. Integrity Protection
Integrity protection of EAP-SAKE messages is accomplished through the
use of the Message Integrity Checks (MIC), which are present in every
message as soon as a common shared secret (TEK) is available, i.e.,
any message after the EAP.Request/SAKE/Challenge. An adversary
cannot modify any of the MIC-protected messages without causing the
recipient to encounter a MIC failure. The extent of the integrity
protection is commensurate with the security of the KDF used to
derive the MIC, the length and entropy of the shared secret used by
the KDF, and the length of the MIC.
5.5. Replay Protection
The first message of most session establishment protocols, such as
EAP-SAKE, is subject to replay. A replayed
EAP.Request/SAKE/Challenge message results in the Peer sending an
EAP.Response/SAKE/Challenge message back, which contains a MIC that
was computed using the attacker's chosen nonce. This poses a minimal
risk to the compromise of the TEK-Auth key, and this EAP Session
cannot proceed successfully as the Peer will find the Server's MIC
invalid.
Vanderveen & Soliman Informational [Page 39]
^L
RFC 4763 EAP-SAKE November 2006
Replay protection is achieved via the RAND_S and RAND_P values,
together with the Session ID field, which are included in the
calculation of the MIC present in each packet subsequent to the EAP-
SAKE/Challenge request packet. The Session ID MUST be generated anew
by the Server for each EAP session. Session Ids also aid in
identification of possible multiple EAP sessions between a Peer and a
Server. Within the same session, messages can be replayed by an
attacker, but the state machine SHOULD be able to handle these cases.
Note that a replay within a session is indistinguishable to a
recipient from a network malfunction (e.g., message was first lost
and then re-transmitted, so the recipient thinks it is a duplicate
message).
Replay protection between EAP sessions and within an EAP session is
also accomplished via the MIC, which covers not only the entire EAP
packet (including the Session ID) but also the nonces RAND_S and
RAND_P. Thus, the recipient of an EAP message can be assured that
the message it just received is the one just sent by the other Peer
and not a replay, since it contains a valid MIC of the recipient's
nonce and the other Peer nonce. As before, the extent of replay
protection is commensurate with the security of the KDF used to
derive the MIC, the length and entropy of the shared secret used by
the KDF, and the length of the MIC.
5.6. Confidentiality
Confidentiality of EAP-SAKE attributes is supported through the use
of the AT_ENCR_DATA and AT_IV attributes. A ciphersuite is
negotiated securely (see Section 3.2.7) and can be used to encrypt
any attributes as needed. The default ciphersuite contains a strong
cipher based on AES.
5.7. Key Derivation, Strength
EAP-SAKE derives a Master Key (for EAP use) and Master Session Key,
as well as other lower-level keys, such as TEKs. Some of the lower-
level keys may or may not be used. The strength (entropy) of all
these keys is at most the strength of the Root Secret.
The entropy of the MSK and of the EMSK, assuming that the Server and
Peer 128-bit nonces are generated using good random number
generators, is at most 256-bits.
Vanderveen & Soliman Informational [Page 40]
^L
RFC 4763 EAP-SAKE November 2006
5.8. Dictionary Attacks
Dictionary attacks are not feasible to mount on the EAP-SAKE method
because passwords are not used. Instead, the Root Secret is
machine-generated. This does not necessarily pose provisioning
problems.
5.9. Man-in-the-Middle Attacks
Resistance to man-in-the-middle attacks is provided through the
integrity protection that each EAP message carries (i.e., Message
Integrity Check field) as soon as a common key for this EAP session
has been derived through mutual authentication. As before, the
extent of this resistance is commensurate with the strength of the
MIC itself. Man-in-the-middle attacks associated with the use of any
EAP method within a tunneling or sequencing protocol are beyond the
scope of this document.
5.10. Result Indication Protection
EAP-SAKE provides result indication protection in that it provides
result indications, integrity protection, and replay protection. The
Server indicates that it has successfully authenticated the Peer by
sending the EAP.Request/SAKE/Confirm message, which is integrity and
replay protected. The Peer indicates that it has successfully
authenticated the Server by sending the EAP.Response/SAKE/Confirm
message, which is also integrity and replay protected.
5.11. Cryptographic Separation of Keys
The TEKs used to protect EAP-SAKE packets (TEK-Auth, TEK-Cipher), the
Master Session Key, and the Extended Master Session Key are
cryptographically separate. Information about any of these keys does
not lead to information about any other keys. We also note that it
is infeasible to calculate the Root Secret from any or all of the
TEKs, the MSK, or the EMSK.
5.12. Session Independence
Within each EAP-SAKE session, fresh keying material is generated.
The keying material exported by this method from two independent
EAP-SAKE sessions is cryptographically separate, as explained below.
Both the Server and the Peer SHOULD generate fresh random numbers
(i.e., nonces) for the EAP-SAKE exchange. If either entity re-uses a
random number from a previous session, then the fact that the other
does use a freshly generated random number implies that the TEKs,
MSK, and EMSK derived within this session are cryptographically
Vanderveen & Soliman Informational [Page 41]
^L
RFC 4763 EAP-SAKE November 2006
separate from the corresponding keys derived in the previous
exchange.
Therefore, compromise of MSK or EMSK on one exchange does not
compromise the MSK and EMSK of previous or subsequent exchanges
between a Peer and a Server.
5.13. Identity Protection
As seen from Section 3.2.3., the Server may assign a temporary NAI to
a Peer in order to achieve user anonymity. This identifier may be
used by the Peer the next time it engages in an EAP-SAKE
authentication phase with the Server. The TempID is protected by
sending it encrypted, within an AT_ENCR_DATA attribute, and signed by
the Server with a MIC. Thus, an eavesdropper cannot link the
original PermID that the Peer first sends (e.g., on power-up) to any
subsequent TempID values sent in the clear to the Server.
The Server and Peer MAY be configured such that only TempID
identities are exchanged after one initial EAP-SAKE phase that uses
the Peer permanent identity. In this case, in order to achieve
maximum identity protection, the TempID SHOULD be stored in non-
volatile memory in the Peer and Server. Thus, compliance with this
document does not preclude or mandate Peer identity protection across
the lifetime of the Peer.
5.14. Channel Binding
The Server identifier and Peer identifier MAY be sent in the
SAKE/Challenge messages. However, since there is no established
authentication key at the time of the first message, the Server
identifier is not integrity-protected here.
All subsequent EAP-SAKE messages exchanged during a successful EAP-
SAKE phase are integrity-protected, as they contain a Message
Integrity Check (MIC). The MIC is computed over the EAP message and
also over the Server and Peer identities. In that, both EAP
endpoints can verify the identity of the other party.
5.15. Ciphersuite Negotiation
EAP-SAKE does not support negotiation of the ciphersuite used to
integrity-protect the EAP conversation. However, negotiation of a
ciphersuite for data protection is supported. This ciphersuite
negotiation is protected in order to minimize the risk of down-
negotiation or man-in-the-middle attacks.
Vanderveen & Soliman Informational [Page 42]
^L
RFC 4763 EAP-SAKE November 2006
This negotiation is secure because of the Message Integrity Checks
(MICs) that cover the entire EAP messages used for ciphersuite
negotiation (see Section 3.2.7.). The extent of the security of the
negotiation is commensurate with the security of the KDF used to
derive the MICs, the length and entropy of the shared secret used by
the KDF, and the length of the MICs.
5.16. Random Number Generation
EAP-SAKE supports key derivation from a 32-byte Root Secret. The
entropy of all other keys derived from it is reduced somewhat through
the use of keyed hash functions (e.g. KDF). Thus, assuming
optimistically that the effective key strength of the Root Secret is
32 bytes, the effective key strengths of the derived keys is at most
the effective key strength of the Root Secret quantities they are
derived from: EMSK, at most 16 bytes; MSK, at most 16 bytes.
6. Security Claims
This section provides the security claims as required by [EAP].
[a] Mechanism: EAP-SAKE is a challenge/response authentication and
key establishment mechanism based on a symmetric pre-shared
secret.
[b] Security claims. EAP-SAKE provides:
Mutual authentication (Section 5.3)
Integrity protection (Section 5.4)
Replay protection (Section 5.5)
Confidentiality (optional, Section 5.6 and Section 5.13)
Key derivation (Section 5.7)
Dictionary attack protection (Section 5.8)
Protected result indication of successful authentication from
Server and from Peer (Section 5.10)
Session independence (Section 5.12)
[c] Key strength. EAP-SAKE supports key derivation with 256-bit
effective key strength (Section 5.7)
[d] Description of key hierarchy: see Section 3.2.5.
Vanderveen & Soliman Informational [Page 43]
^L
RFC 4763 EAP-SAKE November 2006
[e] Indication of vulnerabilities: EAP-Make does not provide:
Fast reconnect
Fragmentation
Channel binding
Cryptographic binding
7. Acknowledgements
Thanks to R. Dynarski for his helpful comments.
8. References
8.1. Normative References
[AES] National Institute of Standards and Technology,
"Federal Information Processing Standards (FIPS)
Publication 197, Advanced Encryption Standard (AES)",
November 2001. http://csrc.nist.gov/publications/
fips/fips197/fips-197.pdf
[CBC] National Institute of Standards and Technology, NIST
Special Publication 800-38A, "Recommendation for Block
Cipher Modes of Operation - Methods and Techniques",
December 2001. http://csrc.nist.gov/publications/
drafts/Draft-NIST_SP800-38D_Public_Comment.pdf
[EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
H. Levkowetz, "Extensible Authentication Protocol
(EAP)", RFC 3748, June 2004.
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", RFC 2104,
February 1997.
[IANA] Narten, T. and H. Alvestrand, "Guidelines for Writing
an IANA Considerations Section in RFCs", BCP 26, RFC
2434, October 1998.
[IEEE802.11i] "IEEE Standard for Information Technology-
Telecommunications and Information Exchange between
Systems - LAN/MAN Specific Requirements - Part 11:
Wireless Medium Access Control (MAC) and physical
layer (PHY) specifications: Amendment 6: Medium Access
Control (MAC) Security Enhancements", June 2004.
Vanderveen & Soliman Informational [Page 44]
^L
RFC 4763 EAP-SAKE November 2006
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[SHA1] National Institute of Standards and Technology, U.S.
Department of Commerce, Federal Information Processing
Standard (FIPS) Publication 180-1, "Secure Hash
Standard", April 1995.
8.2. Informative References
[NAI] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", RFC 4282, December 2005.
[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC
4086, June 2005.
Authors' Addresses
Michaela Vanderveen
Qualcomm Flarion Technologies
135 Rte. 202/206 South
Bedminster, NJ 07921
USA
EMail: mvandervn@yahoo.com
Hesham Soliman
Qualcomm Flarion Technologies
135 Rte. 202/206 South
Bedminster, NJ 07921
USA
EMail: solimanhs@gmail.com
Vanderveen & Soliman Informational [Page 45]
^L
RFC 4763 EAP-SAKE November 2006
Full Copyright Statement
Copyright (C) The IETF Trust (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78 and at www.rfc-editor.org/copyright.html, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Vanderveen & Soliman Informational [Page 46]
^L
|
