IANA Considerations. Type Value. Attribute Type Values. Key Derivation Function Namespace. Normative References. Informative References. Changes from RFC Importance of Explicit Negotiation. Test Vectors. This function binds the keys derived within the method to the name of the access network. This limits the effects of compromised access network nodes and keys.
Any Arkko, et al. That is, it must not be possible to accidentally connect old equipment to new equipment and get the key derivation wrong or attempt to use wrong keys without getting a proper error message. The change must also be secure against bidding down attacks that attempt to force the participants to use the least secure mechanism. But it is otherwise equivalent to RFC Note: Appendix B explains why it is important to be explicit about the change of semantics for the keys, and why other approaches would lead to severe interoperability problems.
The rest of this specification is structured as follows. Finally, Appendix C provides test vectors. Figure 1 shows an example of the authentication process. The two names are compared for discrepancies, and if necessary, the authentication is aborted. The peer then generates RES. Success requires both to be found correct.
For instance, the pseudonym and fast re-authentication usernames need to be constructed so that the server can recognize them. According to Section 4. Network Name. The Actual Network Name Length field provides the length of the network name in bytes. Network Name This field contains the network name of the access network for which the authentication is being performed. The name does not include any terminating null characters. Because the length of the entire attribute must be a multiple of 4 bytes, the sender pads the name with 1, 2, or 3 bytes of all zero bits when necessary.
Per [ 3GPP. If it is empty, the peer behaves as if AUTN had been incorrect and authentication fails. See Section 3 and Figure 3 of [ RFC ] for an overview of how authentication failures are handled. In addition, the peer MAY check the received value against its own understanding of the network name. Upon detecting a discrepancy, the peer either warns the user and continues, or fails the authentication process. If the policy indicates that the authentication should fail, the peer behaves as if AUTN had been incorrect and authentication fails.
The string is structured as fields separated by colons :. The algorithms and mechanisms to construct the identity string depend on the used access technology. On the network side, the network name construction is a configuration issue in an access network and an authorization check in the authentication server. On the peer, the network name is constructed based on the local observations. For instance, the peer knows which access technology it is using on the link, it can see information in a link-layer beacon, and so on.
The construction rules specify how Arkko, et al. Typically, the network name consists of the name of the access technology, or the name of the access technology followed by some operator identifier that was advertised in a link-layer beacon.
In all cases, [ 3GPP. First, each name is broken down to the fields separated by colons. If one of the names has more colons and fields than the other one, the additional fields are ignored. The remaining sequences of fields are compared, and they match only if they are equal character by character.
This capability is important in order to allow possible updates to the specifications that dictate how the network names are constructed. For instance, if a peer knows that it is running on access technology "FOO", it can use the string "FOO" even if the server uses an additional, more accurate description, e. The allocation procedures in [ 3GPP. The specification also has detailed rules about how a client can determine these based on information available to the client, such as the type of protocol used to attach to the network, beacons sent out by the network, and so on.
Even if the peer uses a fast re-authentication identity, the server may want to fall back on full authentication, for example, because the server does not recognize the fast re-authentication identity or does not want to use fast re-authentication. Fast Re-Authentication Procedure Figure 10 illustrates the fast re-authentication procedure. In this example, the optional protected success indication is not used.
Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication. If these checks are successful, the fast re-authentication has succeeded and the server sends the EAP-Success packet to the peer.
If protected success indications Section 6. Peer MAY store the new re- authentication identity for next re-auth. This is illustrated in Figure The notification code is a bit number. The most significant bit is called the Success bit S bit. The S bit specifies whether the notification implies failure. The code values with the S bit set to zero code values The receipt of a notification code with the S bit set to one values Notification code "Success" has been reserved as a general notification code to indicate successful authentication.
The second most significant bit of the notification code is called the Phase bit P bit. These notifications can only be used to indicate various failure cases. Section 9. Some of the notification codes are authorization related and hence not usually considered as part of the responsibility of an EAP method. However, they are included as part of EAP-AKA because there are currently no other ways to convey this information to the user in a localizable way, and the information is potentially useful for the user.
Result Indications As discussed in Section 6. If the server detects an error after successful authentication, the server uses an EAP-AKA notification to indicate failure to the peer. In this case, the result indication is integrity and replay protected. In other words, these packets are implicit success indications from the peer to the server.
This attribute indicates that the EAP server would like to use result indications in both successful and unsuccessful cases. Error Cases This section specifies the operation of the peer and the server in error cases. By default, the peer uses the client error code 0, "unable to process packet". This error code is used in the following cases: o EAP exchange is not acceptable according to the peer's local policy.
By default, the server uses one of the general failure codes "General failure after authentication" 0 or "General failure" Key Generation This section specifies how keying material is generated. Identity denotes the peer identity string without any terminating null characters.
The identity string is included as-is, without any changes. As discussed in Section 4. The pseudo-random number generator is specified in the change notice 1 October 5 of [ PRF ] Algorithm 1. As specified in the change notice page 74 , when Algorithm 1 is used as a general-purpose pseudo-random number generator, the "mod q" term in step 3. The function G used in the algorithm is constructed via Secure Hash Standard as specified in Appendix 3. It should be noted that the function G is very similar to SHA-1, but the message padding is different.
Please refer to [ PRF ] for full details. For convenience, the random number algorithm with the correct modification is cited in Annex A. The counter is used in network byte order. The MK is the Master Key derived on the preceding full authentication. In this case, only 64 bytes of keying material the MSK are used.
Message Format and Protocol Extensibility 8. The figure below shows the generic format of an attribute. The attribute type values are listed in Section Length Indicates the length of this attribute in multiples of 4 bytes. The maximum length of an attribute is bytes. The length includes the Attribute Type and Length bytes.
Value The particular data associated with this attribute. This field is always included and it is two or more bytes in length. The type and length fields determine the format and length of the value field. Attributes numbered within the range 0 through are called non-skippable attributes. When an attribute numbered in the range through is encountered but not recognized, that particular attribute is ignored, but the rest of the attributes and message data MUST still be processed.
The Length field of the attribute is used to skip the attribute value when searching for the next attribute. These attributes are called skippable attributes. Attributes can be encapsulated within other attributes. In other words, the value field of an attribute type can be specified to contain other attributes. If skippable attributes are used, it is possible to extend the protocol without breaking old implementations.
As specified in Section Hence, the sizes of the new extensions MUST be limited so that the maximum transfer unit MTU of the underlying lower layer is not exceeded.
However, should there be a reason to revise this protocol in the future, new non-skippable or skippable attributes could be specified in order to implement revised EAP-AKA versions in a backward-compatible manner. It specifies when a message may be transmitted or accepted, which attributes are allowed in a message, which attributes are required in a message, and other message-specific details. Message format is specified in Section 8. The usage of this attribute is discussed in Section 6.
Later versions of this protocol MAY specify additional attributes to be included within the encrypted data. The operation in case an error occurs is specified in Section 6. Sending this packet indicates that the peer has successfully authenticated the server and that the EAP exchange will be accepted by the peer's local policy.
This version of the protocol does not specify any attributes for this message. Future versions of the protocol MAY specify attributes for this message. Future versions of the protocol MAY specify other additional attributes for this message. No message-specific data is included in the MAC calculation, see Section The EAP packet is represented as specified in Section 8. The P bit is discussed in Section 6. No message-specific data is included in the MAC calculation. See Section Attributes This section specifies the format of message attributes.
The attribute type numbers are specified in Section Table of Attributes The following table provides a guide to which attributes may be found in which kinds of messages, and in what quantity. The value field only contains two reserved bytes, which are set to zero on sending and ignored on reception. The value field of this attribute begins with 2-byte actual identity length, which specifies the length of the identity in bytes.
This field is followed by the subscriber identity of the indicated actual length. The identity is the permanent identity, a pseudonym identity or a fast re-authentication identity. The identity format is specified in Section 4. The identity does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the identity with zero bytes when necessary.
The reserved bytes are set to zero when sending and ignored on reception. According to [ TS Next Pseudonym. This field is followed by a pseudonym username that the peer can use in the next authentication.
The username does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the pseudonym with zero bytes when necessary. Next Fast Re-Authentication Username. This field is followed by a fast re-authentication identity that the peer can use in the next fast re-authentication, as described in Section 5. In environments where a realm portion is required, the fast re-authentication identity includes both a username portion and a realm name portion.
The fast re-authentication identity does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the fast re-authentication identity with zero bytes when necessary. Section 6. Please see [ RFC ] for more information about generating random numbers for security applications. Encrypted Data. The encryption algorithm requires the length of the plaintext to be a multiple of 16 bytes.
The length of the Padding attribute is 4, 8, or 12 bytes. The actual pad bytes in the value field are set to zero 00 hexadecimal on sending.
The recipient of the message MUST verify that the pad bytes are set to zero. This may occur in both full authentication and fast re-authentication. EAP packets are included in the hash calculation "as-is" as they were transmitted or received.
All reserved bytes, padding bytes, etc. No delimiter bytes, padding, or any other framing are included between the EAP packets when calculating the checkcode. Packets that are silently discarded are not included, and retransmitted packets that have the same Identifier value are only included once.
If the checkcode is invalid, the receiver must operate as specified in Section 6. The operation when a mandatory attribute is missing is specified in Section 6. Hence, the length of the MAC is 16 bytes. If the message authentication code is invalid, then the recipient MUST ignore all other attributes in the message and operate as specified in Section 6. The random number is used as challenge for the peer and also as a seed value for the new keying material.
The reserved bytes are set to zero upon sending and ignored upon reception. The first and second bit S and P of the notification code are interpreted as described in Section 6. The descriptions below illustrate the semantics of the notifications. The peer implementation MAY use different wordings when presenting the notifications to the user.
Implies failure, used after successful authentication. Implies failure, used before authentication. User has been successfully authenticated. Does not imply failure, used after successful authentication. The usage of this code is discussed in Section 6. This terminology is also used in [ IEEE In the case where no backend authentication server is used, the EAP server is part of the authenticator.
In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server. Protocol Overview 2. From this point forward, while nominally the EAP conversation occurs between the EAP authenticator and the peer, the authenticator MAY act as a pass-through device, with the EAP packets received from the peer being encapsulated for transmission to a backend authentication server.
In the discussion that follows, we will use the term "EAP server" to denote the ultimate endpoint conversing with the peer. The data field of this packet will encapsulate one or more TLS records. If the peer's sessionId is null or unrecognized by the server, the server MUST choose the sessionId to establish a new session.
Otherwise, the sessionId will match that offered by the peer, indicating a resumption of the previously established session with that sessionId. The server will also choose a ciphersuite from those offered by the peer. If the session matches the peer's, then the ciphersuite MUST match the one negotiated during the handshake protocol execution that established the session. The certificate message contains a public key certificate chain for either a key exchange public key such as an RSA or Diffie-Hellman key exchange public key or a signature public key such as an RSA or Digital Signature Standard DSS signature public key.
The former contains a certificate for the peer's signature public key, while the latter contains the peer's signed authentication response to the EAP server. After receiving Simon, et al. The finished message contains the peer's authentication response to the EAP server. Session Resumption The purpose of the sessionId within the TLS protocol is to allow for improved efficiency in the case where a peer repeatedly attempts to authenticate to an EAP server within a short period of time.
While this model was developed for use with HTTP authentication, it also can be used to provide "fast reconnect" functionality as defined in Section 7. It is left up to the peer whether to attempt to continue a previous session, thus shortening the TLS conversation. Typically, the peer's decision will be made based on the time elapsed since the previous authentication attempt to that EAP server. Based on the sessionId chosen by the peer, and the time elapsed since the previous authentication, the EAP server will decide whether to allow the continuation or to choose a new session.
In the case where the EAP server and authenticator reside on the same device, the peer will only be able to continue sessions when connecting to the same authenticator. Should the authenticators be set up in a rotary or round-robin, then it may not be possible for the peer to know in advance the authenticator to which it will be connecting, and therefore which sessionId to attempt to reuse.
As a result, it is likely that the continuation attempt will fail. In the case where the EAP authentication is remoted, then continuation is much more likely to be successful, since multiple authenticators will utilize the same backend authentication server. The finished message contains the EAP server's authentication response to the peer. It is up to the EAP server whether to allow restarts, and if so, how many times the conversation can be restarted.
The latter contains the EAP server's authentication response to the peer. The peer will then verify the finished message in order to authenticate the EAP server. The peer MAY send a TLS alert message rather than immediately terminating the conversation so as to allow the EAP server to log the cause of the error for examination by the system administrator.
However, an EAP-TLS peer configured for privacy typically will not be able to successfully authenticate with an EAP-TLS server that does not support privacy, since such a server will typically treat the refusal to provide a client certificate as a terminal error.
This is most easily achieved with EAP lower layers that support network advertisement, so that the network and appropriate privacy configuration can be determined. In order to determine the privacy configuration on link layers such as IEEE wired networks that do not support network advertisement, it may be desirable to utilize information provided in the server certificate such as the subject and subjectAltName fields or within identity selection hints [ RFC ] to determine the appropriate configuration.
In order to protect against reassembly lockup and denial-of-service attacks, it may be desirable for an implementation to set a maximum size for one such group of TLS messages.
Since a single certificate is rarely longer than a few thousand octets, and no other field is likely to be anywhere near as long, a reasonable choice of maximum acceptable message length might be 64 KB. In EAP, fragments that are lost or damaged in transit will be retransmitted, and since sequencing information is provided by the Identifier field in EAP, there is no need for a fragment offset field as is provided in IPv4.
The M flag is set on all but the last fragment.
0コメント