7 Network Working Group B. Aboba
8 Request for Comments: 5247 D. Simon
9 Updates: 3748 Microsoft Corporation
10 Category: Standards Track P. Eronen
15 Extensible Authentication Protocol (EAP) Key Management Framework
19 This document specifies an Internet standards track protocol for the
20 Internet community, and requests discussion and suggestions for
21 improvements. Please refer to the current edition of the "Internet
22 Official Protocol Standards" (STD 1) for the standardization state
23 and status of this protocol. Distribution of this memo is unlimited.
27 The Extensible Authentication Protocol (EAP), defined in RFC 3748,
28 enables extensible network access authentication. This document
29 specifies the EAP key hierarchy and provides a framework for the
30 transport and usage of keying material and parameters generated by
31 EAP authentication algorithms, known as "methods". It also provides
32 a detailed system-level security analysis, describing the conditions
33 under which the key management guidelines described in RFC 4962 can
58 Aboba, et al. Standards Track [Page 1]
60 RFC 5247 EAP Key Management Framework August 2008
65 1. Introduction ....................................................3
66 1.1. Requirements Language ......................................3
67 1.2. Terminology ................................................3
68 1.3. Overview ...................................................7
69 1.4. EAP Key Hierarchy .........................................10
70 1.5. Security Goals ............................................15
71 1.6. EAP Invariants ............................................16
72 2. Lower-Layer Operation ..........................................20
73 2.1. Transient Session Keys ....................................20
74 2.2. Authenticator and Peer Architecture .......................22
75 2.3. Authenticator Identification ..............................23
76 2.4. Peer Identification .......................................27
77 2.5. Server Identification .....................................29
78 3. Security Association Management ................................31
79 3.1. Secure Association Protocol ...............................32
80 3.2. Key Scope .................................................35
81 3.3. Parent-Child Relationships ................................35
82 3.4. Local Key Lifetimes .......................................37
83 3.5. Exported and Calculated Key Lifetimes .....................37
84 3.6. Key Cache Synchronization .................................40
85 3.7. Key Strength ..............................................40
86 3.8. Key Wrap ..................................................41
87 4. Handoff Vulnerabilities ........................................41
88 4.1. EAP Pre-Authentication ....................................43
89 4.2. Proactive Key Distribution ................................44
90 4.3. AAA Bypass ................................................46
91 5. Security Considerations ........................................50
92 5.1. Peer and Authenticator Compromise .........................51
93 5.2. Cryptographic Negotiation .................................53
94 5.3. Confidentiality and Authentication ........................54
95 5.4. Key Binding ...............................................59
96 5.5. Authorization .............................................60
97 5.6. Replay Protection .........................................63
98 5.7. Key Freshness .............................................64
99 5.8. Key Scope Limitation ......................................66
100 5.9. Key Naming ................................................66
101 5.10. Denial-of-Service Attacks ................................67
102 6. References .....................................................68
103 6.1. Normative References ......................................68
104 6.2. Informative References ....................................68
105 Acknowledgments ...................................................74
106 Appendix A - Exported Parameters in Existing Methods ..............75
114 Aboba, et al. Standards Track [Page 2]
116 RFC 5247 EAP Key Management Framework August 2008
121 The Extensible Authentication Protocol (EAP), defined in [RFC3748],
122 was designed to enable extensible authentication for network access
123 in situations in which the Internet Protocol (IP) protocol is not
124 available. Originally developed for use with Point-to-Point Protocol
125 (PPP) [RFC1661], it has subsequently also been applied to IEEE 802
126 wired networks [IEEE-802.1X], Internet Key Exchange Protocol version
127 2 (IKEv2) [RFC4306], and wireless networks such as [IEEE-802.11] and
130 EAP is a two-party protocol spoken between the EAP peer and server.
131 Within EAP, keying material is generated by EAP authentication
132 algorithms, known as "methods". Part of this keying material can be
133 used by EAP methods themselves, and part of this material can be
134 exported. In addition to the export of keying material, EAP methods
135 can also export associated parameters such as authenticated peer and
136 server identities and a unique EAP conversation identifier, and can
137 import and export lower-layer parameters known as "channel binding
138 parameters", or simply "channel bindings".
140 This document specifies the EAP key hierarchy and provides a
141 framework for the transport and usage of keying material and
142 parameters generated by EAP methods. It also provides a detailed
143 security analysis, describing the conditions under which the
144 requirements described in "Guidance for Authentication,
145 Authorization, and Accounting (AAA) Key Management" [RFC4962] can be
148 1.1. Requirements Language
150 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152 document are to be interpreted as described in [RFC2119].
156 The terms "Cryptographic binding", "Cryptographic separation", "Key
157 strength" and "Mutual authentication" are defined in [RFC3748] and
158 are used with the same meaning in this document, which also
159 frequently uses the following terms:
162 A pairwise Authentication and Key Management Protocol (AKMP)
163 defined in [IEEE-802.11], which confirms mutual possession of a
164 Pairwise Master Key by two parties and distributes a Group Key.
170 Aboba, et al. Standards Track [Page 3]
172 RFC 5247 EAP Key Management Framework August 2008
175 AAA Authentication, Authorization, and Accounting
176 AAA protocols with EAP support include "RADIUS Support for EAP"
177 [RFC3579] and "Diameter EAP Application" [RFC4072]. In this
178 document, the terms "AAA server" and "backend authentication
179 server" are used interchangeably.
182 The term AAA-Key is synonymous with Master Session Key (MSK).
183 Since multiple keys can be transported by AAA, the term is
184 potentially confusing and is not used in this document.
187 The entity initiating EAP authentication.
189 Backend Authentication Server
190 A backend authentication server is an entity that provides an
191 authentication service to an authenticator. When used, this
192 server typically executes EAP methods for the authenticator. This
193 terminology is also used in [IEEE-802.1X].
196 A secure mechanism for ensuring that a subset of the parameters
197 transmitted by the authenticator (such as authenticator
198 identifiers and properties) are agreed upon by the EAP peer and
199 server. It is expected that the parameters are also securely
200 agreed upon by the EAP peer and authenticator via the lower layer
201 if the authenticator advertised the parameters.
203 Derived Keying Material
204 Keys derived from EAP keying material, such as Transient Session
208 Keys derived by an EAP method; this includes exported keying
209 material (MSK, Extended MSK (EMSK), Initialization Vector (IV)) as
210 well as local keying material such as Transient EAP Keys (TEKs).
212 EAP Pre-Authentication
213 The use of EAP to pre-establish EAP keying material on an
214 authenticator prior to arrival of the peer at the access network
215 managed by that authenticator.
217 EAP Re-Authentication
218 EAP authentication between an EAP peer and a server with whom the
219 EAP peer shares valid unexpired EAP keying material.
226 Aboba, et al. Standards Track [Page 4]
228 RFC 5247 EAP Key Management Framework August 2008
232 The entity that terminates the EAP authentication method with the
233 peer. In the case where no backend authentication server is used,
234 the EAP server is part of the authenticator. In the case where
235 the authenticator operates in pass-through mode, the EAP server is
236 located on the backend authentication server.
238 Exported Keying Material
239 The EAP Master Session Key (MSK), Extended Master Session Key
240 (EMSK), and Initialization Vector (IV).
242 Extended Master Session Key (EMSK)
243 Additional keying material derived between the peer and server
244 that is exported by the EAP method. The EMSK is at least 64
245 octets in length and is never shared with a third party. The EMSK
246 MUST be at least as long as the MSK in size.
248 Initialization Vector (IV)
249 A quantity of at least 64 octets, suitable for use in an
250 initialization vector field, that is derived between the peer and
251 EAP server. Since the IV is a known value in methods such as
252 EAP-TLS (Transport Layer Security) [RFC5216], it cannot be used by
253 itself for computation of any quantity that needs to remain
254 secret. As a result, its use has been deprecated and it is
255 OPTIONAL for EAP methods to generate it. However, when it is
256 generated, it MUST be unpredictable.
259 Unless otherwise qualified, the term "keying material" refers to
260 EAP keying material as well as derived keying material.
263 The parties to whom a key is available.
266 The encryption of one symmetric cryptographic key in another. The
267 algorithm used for the encryption is called a key wrap algorithm
268 or a key encryption algorithm. The key used in the encryption
269 process is called a key-encryption key (KEK).
272 EAP methods frequently make use of long-term secrets in order to
273 enable authentication between the peer and server. In the case of
274 a method based on pre-shared key authentication, the long-term
275 credential is the pre-shared key. In the case of a
276 public-key-based method, the long-term credential is the
277 corresponding private key.
282 Aboba, et al. Standards Track [Page 5]
284 RFC 5247 EAP Key Management Framework August 2008
288 The lower layer is responsible for carrying EAP frames between the
289 peer and authenticator.
292 A name used to identify the EAP peer and authenticator within the
295 Master Session Key (MSK)
296 Keying material that is derived between the EAP peer and server
297 and exported by the EAP method. The MSK is at least 64 octets in
300 Network Access Server (NAS)
301 A device that provides an access service for a user to a network.
303 Pairwise Master Key (PMK)
304 Lower layers use the MSK in a lower-layer dependent manner. For
305 instance, in IEEE 802.11 [IEEE-802.11], Octets 0-31 of the MSK are
306 known as the Pairwise Master Key (PMK); the Temporal Key Integrity
307 Protocol (TKIP) and Advanced Encryption Standard Counter Mode with
308 CBC-MAC Protocol (AES CCMP) ciphersuites derive their Transient
309 Session Keys (TSKs) solely from the PMK, whereas the Wired
310 Equivalent Privacy (WEP) ciphersuite, as noted in "IEEE 802.1X
311 RADIUS Usage Guidelines" [RFC3580], derives its TSKs from both
312 halves of the MSK. In [IEEE-802.16e], the MSK is truncated to 20
313 octets for PMK and 20 octets for PMK2.
316 The entity that responds to the authenticator. In [IEEE-802.1X],
317 this entity is known as the Supplicant.
320 A set of policies and cryptographic state used to protect
321 information. Elements of a security association include
322 cryptographic keys, negotiated ciphersuites and other parameters,
323 counters, sequence spaces, authorization attributes, etc.
325 Secure Association Protocol
326 An exchange that occurs between the EAP peer and authenticator in
327 order to manage security associations derived from EAP exchanges.
328 The protocol establishes unicast and (optionally) multicast
329 security associations, which include symmetric keys and a context
330 for the use of the keys. An example of a Secure Association
331 Protocol is the 4-way handshake defined within [IEEE-802.11].
338 Aboba, et al. Standards Track [Page 6]
340 RFC 5247 EAP Key Management Framework August 2008
344 The EAP Session-Id uniquely identifies an EAP authentication
345 exchange between an EAP peer (as identified by the Peer-Id(s)) and
346 server (as identified by the Server-Id(s)). For more information,
349 Transient EAP Keys (TEKs)
350 Session keys that are used to establish a protected channel
351 between the EAP peer and server during the EAP authentication
352 exchange. The TEKs are appropriate for use with the ciphersuite
353 negotiated between EAP peer and server for use in protecting the
354 EAP conversation. The TEKs are stored locally by the EAP method
355 and are not exported. Note that the ciphersuite used to set up
356 the protected channel between the EAP peer and server during EAP
357 authentication is unrelated to the ciphersuite used to
358 subsequently protect data sent between the EAP peer and
361 Transient Session Keys (TSKs)
362 Keys used to protect data exchanged after EAP authentication has
363 successfully completed using the ciphersuite negotiated between
364 the EAP peer and authenticator.
368 Where EAP key derivation is supported, the conversation typically
369 takes place in three phases:
372 Phase 1: Authentication
373 1a: EAP authentication
374 1b: AAA Key Transport (optional)
375 Phase 2: Secure Association Protocol
376 2a: Unicast Secure Association
377 2b: Multicast Secure Association (optional)
379 Of these phases, phase 0, 1b, and 2 are handled external to EAP.
380 phases 0 and 2 are handled by the lower-layer protocol, and phase 1b
381 is typically handled by a AAA protocol.
383 In the discovery phase (phase 0), peers locate authenticators and
384 discover their capabilities. A peer can locate an authenticator
385 providing access to a particular network, or a peer can locate an
386 authenticator behind a bridge with which it desires to establish a
387 Secure Association. Discovery can occur manually or automatically,
388 depending on the lower layer over which EAP runs.
394 Aboba, et al. Standards Track [Page 7]
396 RFC 5247 EAP Key Management Framework August 2008
399 The authentication phase (phase 1) can begin once the peer and
400 authenticator discover each other. This phase, if it occurs, always
401 includes EAP authentication (phase 1a). Where the chosen EAP method
402 supports key derivation, in phase 1a, EAP keying material is derived
403 on both the peer and the EAP server.
405 An additional step (phase 1b) is needed in deployments that include a
406 backend authentication server, in order to transport keying material
407 from the backend authentication server to the authenticator. In
408 order to obey the principle of mode independence (see Section 1.6.1),
409 where a backend authentication server is present, all keying material
410 needed by the lower layer is transported from the EAP server to the
411 authenticator. Since existing TSK derivation and transport
412 techniques depend solely on the MSK, in existing implementations,
413 this is the only keying material replicated in the AAA key transport
416 Successful completion of EAP authentication and key derivation by a
417 peer and EAP server does not necessarily imply that the peer is
418 committed to joining the network associated with an EAP server.
419 Rather, this commitment is implied by the creation of a security
420 association between the EAP peer and authenticator, as part of the
421 Secure Association Protocol (phase 2). The Secure Association
422 Protocol exchange (phase 2) occurs between the peer and authenticator
423 in order to manage the creation and deletion of unicast (phase 2a)
424 and multicast (phase 2b) security associations between the peer and
425 authenticator. The conversation between the parties is shown in
428 EAP peer Authenticator Auth. Server
429 -------- ------------- ------------
430 |<----------------------------->| |
431 | Discovery (phase 0) | |
432 |<----------------------------->|<----------------------------->|
433 | EAP auth (phase 1a) | AAA pass-through (optional) |
435 | |<----------------------------->|
436 | | AAA Key transport |
437 | | (optional; phase 1b) |
438 |<----------------------------->| |
439 | Unicast Secure association | |
442 |<----------------------------->| |
443 | Multicast Secure association | |
444 | (optional; phase 2b) | |
450 Aboba, et al. Standards Track [Page 8]
452 RFC 5247 EAP Key Management Framework August 2008
455 Figure 1: Conversation Overview
459 Existing EAP lower layers implement phase 0, 2a, and 2b in different
463 The Point-to-Point Protocol (PPP), defined in [RFC1661], does not
464 support discovery, nor does it include a Secure Association
468 PPP over Ethernet (PPPoE), defined in [RFC2516], includes support
469 for a Discovery stage (phase 0). In this step, the EAP peer sends
470 a PPPoE Active Discovery Initiation (PADI) packet to the broadcast
471 address, indicating the service it is requesting. The Access
472 Concentrator replies with a PPPoE Active Discovery Offer (PADO)
473 packet containing its name, the service name, and an indication of
474 the services offered by the concentrator. The discovery phase is
475 not secured. PPPoE, like PPP, does not include a Secure
476 Association Protocol.
479 Internet Key Exchange v2 (IKEv2), defined in [RFC4306], includes
480 support for EAP and handles the establishment of unicast security
481 associations (phase 2a). However, the establishment of multicast
482 security associations (phase 2b) typically does not involve EAP
483 and needs to be handled by a group key management protocol such as
484 Group Domain of Interpretation (GDOI) [RFC3547], Group Secure
485 Association Key Management Protocol (GSAKMP) [RFC4535], Multimedia
486 Internet KEYing (MIKEY) [RFC3830], or Group Key Distribution
487 Protocol (GKDP) [GKDP]. Several mechanisms have been proposed for
488 the discovery of IPsec security gateways. [RFC2230] discusses the
489 use of Key eXchange (KX) Resource Records (RRs) for IPsec gateway
490 discovery; while KX RRs are supported by many Domain Name Service
491 (DNS) server implementations, they have not yet been widely
492 deployed. Alternatively, DNS SRV RRs [RFC2782] can be used for
493 this purpose. Where DNS is used for gateway location, DNS
494 security mechanisms such as DNS Security (DNSSEC) ([RFC4033],
495 [RFC4035]), TSIG [RFC2845], and Simple Secure Dynamic Update
496 [RFC3007] are available.
499 IEEE 802.11, defined in [IEEE-802.11], handles discovery via the
500 Beacon and Probe Request/Response mechanisms. IEEE 802.11 Access
501 Points (APs) periodically announce their Service Set Identifiers
502 (SSIDs) as well as capabilities using Beacon frames. Stations can
506 Aboba, et al. Standards Track [Page 9]
508 RFC 5247 EAP Key Management Framework August 2008
511 query for APs by sending a Probe Request. Neither Beacon nor
512 Probe Request/Response frames are secured. The 4-way handshake
513 defined in [IEEE-802.11] enables the derivation of unicast (phase
514 2a) and multicast/broadcast (phase 2b) secure associations. Since
515 the group key exchange transports a group key from the AP to the
516 station, two 4-way handshakes can be needed in order to support
517 peer-to-peer communications. A proof of the security of the IEEE
518 802.11 4-way handshake, when used with EAP-TLS, is provided in
522 IEEE 802.1X-2004, defined in [IEEE-802.1X], does not support
523 discovery (phase 0), nor does it provide for derivation of unicast
524 or multicast secure associations.
526 1.4. EAP Key Hierarchy
528 As illustrated in Figure 2, the EAP method key derivation has, at the
529 root, the long-term credential utilized by the selected EAP method.
530 If authentication is based on a pre-shared key, the parties store the
531 EAP method to be used and the pre-shared key. The EAP server also
532 stores the peer's identity as well as additional information. This
533 information is typically used outside of the EAP method to determine
534 whether to grant access to a service. The peer stores information
535 necessary to choose which secret to use for which service.
537 If authentication is based on proof of possession of the private key
538 corresponding to the public key contained within a certificate, the
539 parties store the EAP method to be used and the trust anchors used to
540 validate the certificates. The EAP server also stores the peer's
541 identity, and the peer stores information necessary to choose which
542 certificate to use for which service. Based on the long-term
543 credential established between the peer and the server, methods
544 derive two types of EAP keying material:
546 (a) Keying material calculated locally by the EAP method but not
547 exported, such as the Transient EAP Keys (TEKs).
549 (b) Keying material exported by the EAP method: Master Session Key
550 (MSK), Extended Master Session Key (EMSK), Initialization
553 As noted in [RFC3748] Section 7.10:
555 In order to provide keying material for use in a subsequently
556 negotiated ciphersuite, an EAP method supporting key derivation
557 MUST export a Master Session Key (MSK) of at least 64 octets, and
558 an Extended Master Session Key (EMSK) of at least 64 octets.
562 Aboba, et al. Standards Track [Page 10]
564 RFC 5247 EAP Key Management Framework August 2008
567 EAP methods also MAY export the IV; however, the use of the IV is
568 deprecated. The EMSK MUST NOT be provided to an entity outside the
569 EAP server or peer, nor is it permitted to pass any quantity to an
570 entity outside the EAP server or peer from which the EMSK could be
571 computed without breaking some cryptographic assumption, such as
572 inverting a one-way function.
574 EAP methods supporting key derivation and mutual authentication
575 SHOULD export a method-specific EAP conversation identifier known as
576 the Session-Id, as well as one or more method-specific peer
577 identifiers (Peer-Id(s)) and MAY export one or more method-specific
578 server identifiers (Server-Id(s)). EAP methods MAY also support the
579 import and export of channel binding parameters. EAP method
580 specifications developed after the publication of this document MUST
581 define the Peer-Id, Server-Id, and Session-Id. The Peer-Id(s) and
582 Server-Id(s), when provided, identify the entities involved in
583 generating EAP keying material. For existing EAP methods, the
584 Peer-Id, Server-Id, and Session-Id are defined in Appendix A.
618 Aboba, et al. Standards Track [Page 11]
620 RFC 5247 EAP Key Management Framework August 2008
623 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+
627 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
629 | | EAP Method Key |<->| Long-Term | | |
630 | | Derivation | | Credential | | |
632 | | | +-+-+-+-+-+-+-+ | Local to |
634 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Method |
639 | | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
640 | | | TEK | |MSK, EMSK | |IV | | |
641 | | |Derivation | |Derivation | |Derivation | | |
642 | | | | | | |(Deprecated) | | |
643 | | +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+ | |
646 +-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+ ---+
649 | Peer-Id(s), | channel | MSK (64+B) | IV (64B) by |
650 | Server-Id(s), | bindings | EMSK (64+B) | (Optional) EAP |
651 | Session-Id | & Result | | Method |
654 Figure 2: EAP Method Parameter Import/Export
658 If an EAP method that generates keys authenticates one or more
659 method-specific peer identities, those identities are exported by
660 the method as the Peer-Id(s). It is possible for more than one
661 Peer-Id to be exported by an EAP method. Not all EAP methods
662 provide a method-specific peer identity; where this is not
663 defined, the Peer-Id is the null string. In EAP methods that do
664 not support key generation, the Peer-Id MUST be the null string.
665 Where an EAP method that derives keys does not provide a Peer-Id,
666 the EAP server will not authenticate the identity of the EAP peer
667 with which it derived keying material.
674 Aboba, et al. Standards Track [Page 12]
676 RFC 5247 EAP Key Management Framework August 2008
681 If an EAP method that generates keys authenticates one or more
682 method-specific server identities, those identities are exported
683 by the method as the Server-Id(s). It is possible for more than
684 one Server-Id to be exported by an EAP method. Not all EAP
685 methods provide a method-specific server identity; where this is
686 not defined, the Server-Id is the null string. If the EAP method
687 does not generate keying material, the Server-Id MUST be the null
688 string. Where an EAP method that derives keys does not provide a
689 Server-Id, the EAP peer will not authenticate the identity of the
690 EAP server with which it derived EAP keying material.
694 The Session-Id uniquely identifies an EAP session between an EAP
695 peer (as identified by the Peer-Id) and server (as identified by
696 the Server-Id). Where non-expanded EAP Type Codes are used (EAP
697 Type Code not equal to 254), the EAP Session-Id is the
698 concatenation of the single octet EAP Type Code and a temporally
699 unique identifier obtained from the method (known as the
703 Session-Id = Type-Code || Method-Id
705 Where expanded EAP Type Codes are used, the EAP Session-Id
706 consists of the Expanded Type Code (including the Type, Vendor-Id
707 (in network byte order) and Vendor-Type fields (in network byte
708 order) defined in [RFC3748] Section 5.7), concatenated with a
709 temporally unique identifier obtained from the method (Method-Id):
711 Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id
713 The Method-Id is typically constructed from nonces or counters
714 used within the EAP method exchange. The inclusion of the Type
715 Code or Expanded Type Code in the EAP Session-Id ensures that each
716 EAP method has a distinct Session-Id space. Since an EAP session
717 is not bound to a particular authenticator or specific ports on
718 the peer and authenticator, the authenticator port or identity are
719 not included in the Session-Id.
730 Aboba, et al. Standards Track [Page 13]
732 RFC 5247 EAP Key Management Framework August 2008
737 Channel binding is the process by which lower-layer parameters are
738 verified for consistency between the EAP peer and server. In
739 order to avoid introducing media dependencies, EAP methods that
740 transport channel binding parameters MUST treat this data as
741 opaque octets. See Section 5.3.3 for further discussion.
745 Each key created within the EAP key management framework has a name
746 (a unique identifier), as well as a scope (the parties to whom the
747 key is available). The scope of exported keying material and TEKs is
748 defined by the authenticated method-specific peer identities
749 (Peer-Id(s)) and the authenticated server identities (Server-Id(s)),
753 The MSK and EMSK are exported by the EAP peer and EAP server,
754 and MUST be named using the EAP Session-Id and a binary or
755 textual indication of the EAP keying material being referred to.
758 This document does not specify a naming scheme for the Pairwise
759 Master Key (PMK). The PMK is only identified by the name of the
760 key from which it is derived.
762 Note: IEEE 802.11 names the PMK for the purposes of being able
763 to refer to it in the Secure Association Protocol; the PMK name
764 (known as the PMKID) is based on a hash of the PMK itself as
765 well as some other parameters (see [IEEE-802.11] Section
769 Transient EAP Keys (TEKs) MAY be named; their naming is
770 specified in the EAP method specification.
773 Transient Session Keys (TSKs) are typically named. Their naming
774 is specified in the lower layer so that the correct set of TSKs
775 can be identified for processing a given packet.
786 Aboba, et al. Standards Track [Page 14]
788 RFC 5247 EAP Key Management Framework August 2008
793 The goal of the EAP conversation is to derive fresh session keys
794 between the EAP peer and authenticator that are known only to those
795 parties, and for both the EAP peer and authenticator to demonstrate
796 that they are authorized to perform their roles either by each other
797 or by a trusted third party (the backend authentication server).
799 Completion of an EAP method exchange (phase 1a) supporting key
800 derivation results in the derivation of EAP keying material (MSK,
801 EMSK, TEKs) known only to the EAP peer (identified by the Peer-Id(s))
802 and EAP server (identified by the Server-Id(s)). Both the EAP peer
803 and EAP server know this keying material to be fresh. The Peer-Id
804 and Server-Id are discussed in Sections 1.4, 2.4, and 2.5 as well as
805 in Appendix A. Key freshness is discussed in Sections 3.4, 3.5, and
808 Completion of the AAA exchange (phase 1b) results in the transport of
809 keying material from the EAP server (identified by the Server-Id(s))
810 to the EAP authenticator (identified by the NAS-Identifier) without
811 disclosure to any other party. Both the EAP server and EAP
812 authenticator know this keying material to be fresh. Disclosure
813 issues are discussed in Sections 3.8 and 5.3; security properties of
814 AAA protocols are discussed in Sections 5.1 - 5.9.
816 The backend authentication server is trusted to transport keying
817 material only to the authenticator that was established with the
818 peer, and it is trusted to transport that keying material to no other
819 parties. In many systems, EAP keying material established by the EAP
820 peer and EAP server are combined with publicly available data to
821 derive other keys. The backend authentication server is trusted to
822 refrain from deriving these same keys or acting as a
823 man-in-the-middle even though it has access to the keying material
824 that is needed to do so.
826 The authenticator is also a trusted party. The authenticator is
827 trusted not to distribute keying material provided by the backend
828 authentication server to any other parties. If the authenticator
829 uses a key derivation function to derive additional keying material,
830 the authenticator is trusted to distribute the derived keying
831 material only to the appropriate party that is known to the peer, and
832 no other party. When this approach is used, care must be taken to
833 ensure that the resulting key management system meets all of the
834 principles in [RFC4962], confirming that keys used to protect data
835 are to be known only by the peer and authenticator.
842 Aboba, et al. Standards Track [Page 15]
844 RFC 5247 EAP Key Management Framework August 2008
847 Completion of the Secure Association Protocol (phase 2) results in
848 the derivation or transport of Transient Session Keys (TSKs) known
849 only to the EAP peer (identified by the Peer-Id(s)) and authenticator
850 (identified by the NAS-Identifier). Both the EAP peer and
851 authenticator know the TSKs to be fresh. Both the EAP peer and
852 authenticator demonstrate that they are authorized to perform their
853 roles. Authorization issues are discussed in Sections 4.3.2 and 5.5;
854 security properties of Secure Association Protocols are discussed in
859 Certain basic characteristics, known as "EAP Invariants", hold true
860 for EAP implementations:
865 Ciphersuite independence
867 1.6.1. Mode Independence
869 EAP is typically deployed to support extensible network access
870 authentication in situations where a peer desires network access via
871 one or more authenticators. Where authenticators are deployed
872 standalone, the EAP conversation occurs between the peer and
873 authenticator, and the authenticator locally implements one or more
874 EAP methods. However, when utilized in "pass-through" mode, EAP
875 enables the deployment of new authentication methods without
876 requiring the development of new code on the authenticator.
878 While the authenticator can implement some EAP methods locally and
879 use those methods to authenticate local users, it can at the same
880 time act as a pass-through for other users and methods, forwarding
881 EAP packets back and forth between the backend authentication server
882 and the peer. This is accomplished by encapsulating EAP packets
883 within the Authentication, Authorization, and Accounting (AAA)
884 protocol spoken between the authenticator and backend authentication
885 server. AAA protocols supporting EAP include RADIUS [RFC3579] and
888 It is a fundamental property of EAP that at the EAP method layer, the
889 conversation between the EAP peer and server is unaffected by whether
890 the EAP authenticator is operating in "pass-through" mode. EAP
891 methods operate identically in all aspects, including key derivation
892 and parameter import/export, regardless of whether or not the
893 authenticator is operating as a pass-through.
898 Aboba, et al. Standards Track [Page 16]
900 RFC 5247 EAP Key Management Framework August 2008
903 The successful completion of an EAP method that supports key
904 derivation results in the export of EAP keying material and
905 parameters on the EAP peer and server. Even though the EAP peer or
906 server can import channel binding parameters that can include the
907 identity of the EAP authenticator, this information is treated as
908 opaque octets. As a result, within EAP, the only relevant identities
909 are the Peer-Id(s) and Server-Id(s). Channel binding parameters are
910 only interpreted by the lower layer.
912 Within EAP, the primary function of the AAA protocol is to maintain
913 the principle of mode independence. As far as the EAP peer is
914 concerned, its conversation with the EAP authenticator, and all
915 consequences of that conversation, are identical, regardless of the
916 authenticator mode of operation.
918 1.6.2. Media Independence
920 One of the goals of EAP is to allow EAP methods to function on any
921 lower layer meeting the criteria outlined in [RFC3748] Section 3.1.
922 For example, as described in [RFC3748], EAP authentication can be run
923 over PPP [RFC1661], IEEE 802 wired networks [IEEE-802.1X], and
924 wireless networks such as 802.11 [IEEE-802.11] and 802.16
927 In order to maintain media independence, it is necessary for EAP to
928 avoid consideration of media-specific elements. For example, EAP
929 methods cannot be assumed to have knowledge of the lower layer over
930 which they are transported, and cannot be restricted to identifiers
931 associated with a particular usage environment (e.g., Medium Access
932 Control (MAC) addresses).
934 Note that media independence can be retained within EAP methods that
935 support channel binding or method-specific identification. An EAP
936 method need not be aware of the content of an identifier in order to
937 use it. This enables an EAP method to use media-specific identifiers
938 such as MAC addresses without compromising media independence.
939 Channel binding parameters are treated as opaque octets by EAP
940 methods so that handling them does not require media-specific
954 Aboba, et al. Standards Track [Page 17]
956 RFC 5247 EAP Key Management Framework August 2008
959 1.6.3. Method Independence
961 By enabling pass-through, authenticators can support any method
962 implemented on the peer and server, not just locally implemented
963 methods. This allows the authenticator to avoid having to implement
964 the EAP methods configured for use by peers. In fact, since a
965 pass-through authenticator need not implement any EAP methods at all,
966 it cannot be assumed to support any EAP method-specific code. As
967 noted in [RFC3748] Section 2.3:
969 Compliant pass-through authenticator implementations MUST by
970 default forward EAP packets of any Type.
972 This is useful where there is no single EAP method that is both
973 mandatory to implement and offers acceptable security for the media
974 in use. For example, the [RFC3748] mandatory-to-implement EAP method
975 (MD5-Challenge) does not provide dictionary attack resistance, mutual
976 authentication, or key derivation, and as a result, is not
977 appropriate for use in Wireless Local Area Network (WLAN)
978 authentication [RFC4017]. However, despite this, it is possible for
979 the peer and authenticator to interoperate as long as a suitable EAP
980 method is supported both on the EAP peer and server.
982 1.6.4. Ciphersuite Independence
984 Ciphersuite Independence is a requirement for media independence.
985 Since lower-layer ciphersuites vary between media, media independence
986 requires that exported EAP keying material be large enough (with
987 sufficient entropy) to handle any ciphersuite.
989 While EAP methods can negotiate the ciphersuite used in protection of
990 the EAP conversation, the ciphersuite used for the protection of the
991 data exchanged after EAP authentication has completed is negotiated
992 between the peer and authenticator within the lower layer, outside of
995 For example, within PPP, the ciphersuite is negotiated within the
996 Encryption Control Protocol (ECP) defined in [RFC1968], after EAP
997 authentication is completed. Within [IEEE-802.11], the AP
998 ciphersuites are advertised in the Beacon and Probe Responses prior
999 to EAP authentication and are securely verified during a 4-way
1010 Aboba, et al. Standards Track [Page 18]
1012 RFC 5247 EAP Key Management Framework August 2008
1015 Since the ciphersuites used to protect data depend on the lower
1016 layer, requiring that EAP methods have knowledge of lower-layer
1017 ciphersuites would compromise the principle of media independence.
1018 As a result, methods export EAP keying material that is ciphersuite
1019 independent. Since ciphersuite negotiation occurs in the lower
1020 layer, there is no need for lower-layer ciphersuite negotiation
1023 In order to allow a ciphersuite to be usable within the EAP keying
1024 framework, the ciphersuite specification needs to describe how TSKs
1025 suitable for use with the ciphersuite are derived from exported EAP
1026 keying material. To maintain method independence, algorithms for
1027 deriving TSKs MUST NOT depend on the EAP method, although algorithms
1028 for TEK derivation MAY be specific to the EAP method.
1030 Advantages of ciphersuite-independence include:
1032 Reduced update requirements
1033 Ciphersuite independence enables EAP methods to be used with new
1034 ciphersuites without requiring the methods to be updated. If
1035 EAP methods were to specify how to derive transient session keys
1036 for each ciphersuite, they would need to be updated each time a
1037 new ciphersuite is developed. In addition, backend
1038 authentication servers might not be usable with all EAP-capable
1039 authenticators, since the backend authentication server would
1040 also need to be updated each time support for a new ciphersuite
1041 is added to the authenticator.
1043 Reduced EAP method complexity
1044 Ciphersuite independence enables EAP methods to avoid having to
1045 include ciphersuite-specific code. Requiring each EAP method to
1046 include ciphersuite-specific code for transient session key
1047 derivation would increase method complexity and result in
1050 Simplified configuration
1051 Ciphersuite independence enables EAP method implementations on
1052 the peer and server to avoid having to configure
1053 ciphersuite-specific parameters. The ciphersuite is negotiated
1054 between the peer and authenticator outside of EAP. Where the
1055 authenticator operates in "pass-through" mode, the EAP server is
1056 not a party to this negotiation, nor is it involved in the data
1057 flow between the EAP peer and authenticator. As a result, the
1058 EAP server does not have knowledge of the ciphersuites and
1059 negotiation policies implemented by the peer and authenticator,
1060 nor is it aware of the ciphersuite negotiated between them. For
1061 example, since Encryption Control Protocol (ECP) negotiation
1062 occurs after authentication, when run over PPP, the EAP peer and
1066 Aboba, et al. Standards Track [Page 19]
1068 RFC 5247 EAP Key Management Framework August 2008
1071 server cannot anticipate the negotiated ciphersuite, and
1072 therefore, this information cannot be provided to the EAP
1075 2. Lower-Layer Operation
1077 On completion of EAP authentication, EAP keying material and
1078 parameters exported by the EAP method are provided to the lower layer
1079 and AAA layer (if present). These include the Master Session Key
1080 (MSK), Extended Master Session Key (EMSK), Peer-Id(s), Server-Id(s),
1081 and Session-Id. The Initialization Vector (IV) is deprecated, but
1084 In order to preserve the security of EAP keying material derived
1085 within methods, lower layers MUST NOT export keys passed down by EAP
1086 methods. This implies that EAP keying material passed down to a
1087 lower layer is for the exclusive use of that lower layer and MUST NOT
1088 be used within another lower layer. This prevents compromise of one
1089 lower layer from compromising other applications using EAP keying
1092 EAP keying material provided to a lower layer MUST NOT be transported
1093 to another entity. For example, EAP keying material passed down to
1094 the EAP peer lower layer MUST NOT leave the peer; EAP keying
1095 material passed down or transported to the EAP authenticator lower
1096 layer MUST NOT leave the authenticator.
1098 On the EAP server, keying material and parameters requested by and
1099 passed down to the AAA layer MAY be replicated to the AAA layer on
1100 the authenticator (with the exception of the EMSK). On the
1101 authenticator, the AAA layer provides the replicated keying material
1102 and parameters to the lower layer over which the EAP authentication
1103 conversation took place. This enables mode independence to be
1106 The EAP layer, as well as the peer and authenticator layers, MUST NOT
1107 modify or cache keying material or parameters (including channel
1108 bindings) passing in either direction between the EAP method layer
1109 and the lower layer or AAA layer.
1111 2.1. Transient Session Keys
1113 Where explicitly supported by the lower layer, lower layers MAY cache
1114 keying material, including exported EAP keying material and/or TSKs;
1115 the structure of this key cache is defined by the lower layer. So as
1116 to enable interoperability, new lower-layer specifications MUST
1117 describe key caching behavior. Unless explicitly specified by the
1118 lower layer, the EAP peer, server, and authenticator MUST assume that
1122 Aboba, et al. Standards Track [Page 20]
1124 RFC 5247 EAP Key Management Framework August 2008
1127 peers and authenticators do not cache keying material. Existing EAP
1128 lower layers and AAA layers handle the generation of transient
1129 session keys and caching of EAP keying material in different ways:
1132 When used with wired networks, IEEE 802.1X-2004 [IEEE-802.1X]
1133 does not support link-layer ciphersuites, and as a result, it
1134 does not provide for the generation of TSKs or caching of EAP
1135 keying material and parameters. Once EAP authentication
1136 completes, it is assumed that EAP keying material and parameters
1137 are discarded; on IEEE 802 wired networks, there is no
1138 subsequent Secure Association Protocol exchange. Perfect
1139 Forward Secrecy (PFS) is only possible if the negotiated EAP
1140 method supports this.
1143 PPP, defined in [RFC1661], does not include support for a Secure
1144 Association Protocol, nor does it support caching of EAP keying
1145 material or parameters. PPP ciphersuites derive their TSKs
1146 directly from the MSK, as described in [RFC2716] Section 3.5.
1147 This is NOT RECOMMENDED, since if PPP were to support caching of
1148 EAP keying material, this could result in TSK reuse. As a
1149 result, once the PPP session is terminated, EAP keying material
1150 and parameters MUST be discarded. Since caching of EAP keying
1151 material is not permitted within PPP, there is no way to handle
1152 TSK re-key without EAP re-authentication. Perfect Forward
1153 Secrecy (PFS) is only possible if the negotiated EAP method
1157 IKEv2, defined in [RFC4306], only uses the MSK for
1158 authentication purposes and not key derivation. The EMSK, IV,
1159 Peer-Id, Server-Id or Session-Id are not used. As a result, the
1160 TSKs derived by IKEv2 are cryptographically independent of the
1161 EAP keying material and re-key of IPsec SAs can be handled
1162 without requiring EAP re-authentication. Within IKEv2, it is
1163 possible to negotiate PFS, regardless of which EAP method is
1164 negotiated. IKEv2 as specified in [RFC4306] does not cache EAP
1165 keying material or parameters; once IKEv2 authentication
1166 completes, it is assumed that EAP keying material and parameters
1167 are discarded. The Session-Timeout Attribute is therefore
1168 interpreted as a limit on the VPN session time, rather than an
1169 indication of the MSK key lifetime.
1172 IEEE 802.11 enables caching of the MSK, but not the EMSK, IV,
1173 Peer-Id, Server-Id, or Session-Id. More details about the
1174 structure of the cache are available in [IEEE-802.11]. In IEEE
1178 Aboba, et al. Standards Track [Page 21]
1180 RFC 5247 EAP Key Management Framework August 2008
1183 802.11, TSKs are derived from the MSK using a Secure Association
1184 Protocol known as the 4-way handshake, which includes a nonce
1185 exchange. This guarantees TSK freshness even if the MSK is
1186 reused. The 4-way handshake also enables TSK re-key without EAP
1187 re-authentication. PFS is only possible within IEEE 802.11 if
1188 caching is not enabled and the negotiated EAP method supports
1192 IEEE 802.16e, defined in [IEEE-802.16e], supports caching of the
1193 MSK, but not the EMSK, IV, Peer-Id, Server-Id, or Session-Id.
1194 IEEE 802.16e supports a Secure Association Protocol in which
1195 TSKs are chosen by the authenticator without any contribution by
1196 the peer. The TSKs are encrypted, authenticated, and integrity
1197 protected using the MSK and are transported from the
1198 authenticator to the peer. TSK re-key is possible without EAP
1199 re-authentication. PFS is not possible even if the negotiated
1200 EAP method supports it.
1203 Existing implementations and specifications for RADIUS/EAP
1204 [RFC3579] or Diameter EAP [RFC4072] do not support caching of
1205 keying material or parameters. In existing AAA clients, proxy
1206 and server implementations, exported EAP keying material (MSK,
1207 EMSK, and IV), as well as parameters and derived keys are not
1208 cached and MUST be presumed lost after the AAA exchange
1211 In order to avoid key reuse, the AAA layer MUST delete
1212 transported keys once they are sent. The AAA layer MUST NOT
1213 retain keys that it has previously sent. For example, a AAA
1214 layer that has transported the MSK MUST delete it, and keys MUST
1215 NOT be derived from the MSK from that point forward.
1217 2.2. Authenticator and Peer Architecture
1219 This specification does not impose constraints on the architecture of
1220 the EAP authenticator or peer. For example, any of the authenticator
1221 architectures described in [RFC4118] can be used. As a result, lower
1222 layers need to identify EAP peers and authenticators unambiguously,
1223 without incorporating implicit assumptions about peer and
1224 authenticator architectures.
1234 Aboba, et al. Standards Track [Page 22]
1236 RFC 5247 EAP Key Management Framework August 2008
1239 For example, it is possible for multiple base stations and a
1240 "controller" (e.g., WLAN switch) to comprise a single EAP
1241 authenticator. In such a situation, the "base station identity" is
1242 irrelevant to the EAP method conversation, except perhaps as an
1243 opaque blob to be used in channel binding. Many base stations can
1244 share the same authenticator identity. An EAP authenticator or peer:
1246 (a) can contain one or more physical or logical ports;
1247 (b) can advertise itself as one or more "virtual" authenticators
1249 (c) can utilize multiple CPUs;
1250 (d) can support clustering services for load balancing or
1253 Both the EAP peer and authenticator can have more than one physical
1254 or logical port. A peer can simultaneously access the network via
1255 multiple authenticators, or via multiple physical or logical ports on
1256 a given authenticator. Similarly, an authenticator can offer network
1257 access to multiple peers, each via a separate physical or logical
1258 port. When a single physical authenticator advertises itself as
1259 multiple virtual authenticators, it is possible for a single physical
1260 port to belong to multiple virtual authenticators.
1262 An authenticator can be configured to communicate with more than one
1263 EAP server, each of which is configured to communicate with a subset
1264 of the authenticators. The situation is illustrated in Figure 3.
1266 2.3. Authenticator Identification
1268 The EAP method conversation is between the EAP peer and server. The
1269 authenticator identity, if considered at all by the EAP method, is
1270 treated as an opaque blob for the purpose of channel binding (see
1271 Section 5.3.3). However, the authenticator identity is important in
1272 two other exchanges - the AAA protocol exchange and the Secure
1273 Association Protocol conversation.
1275 The AAA conversation is between the EAP authenticator and the backend
1276 authentication server. From the point of view of the backend
1277 authentication server, keying material and parameters are transported
1278 to the EAP authenticator identified by the NAS-Identifier Attribute.
1279 Since an EAP authenticator MUST NOT share EAP keying material or
1280 parameters with another party, if the EAP peer or backend
1281 authentication server detects use of EAP keying material and
1282 parameters outside the scope defined by the NAS-Identifier, the
1283 keying material MUST be considered compromised.
1290 Aboba, et al. Standards Track [Page 23]
1292 RFC 5247 EAP Key Management Framework August 2008
1295 The Secure Association Protocol conversation is between the peer and
1296 the authenticator. For lower layers that support key caching, it is
1297 particularly important for the EAP peer, authenticator, and backend
1298 server to have a consistent view of the usage scope of the
1299 transported keying material. In order to enable this, it is
1300 RECOMMENDED that the Secure Association Protocol explicitly
1301 communicate the usage scope of the EAP keying material passed down to
1302 the lower layer, rather than implicitly assuming that this is defined
1303 by the authenticator and peer endpoint addresses.
1318 | | | | | | | | | Ports
1319 +-+-+-+-+ +-+-+-+-+ +-+-+-+-+
1321 | Auth1 | | Auth2 | | Auth3 |
1323 +-+-+-+-+ +-+-+-+-+ +-+-+-+-+
1327 EAP over AAA \ | \ |
1332 +-+-+-+-+-+ +-+-+-+-+-+ Backend
1333 | EAP | | EAP | Authentication
1334 | Server1 | | Server2 | Servers
1335 +-+-+-+-+-+ +-+-+-+-+-+
1337 Figure 3: Relationship between EAP Peer, Authenticator, and Server
1339 Since an authenticator can have multiple ports, the scope of the
1340 authenticator key cache cannot be described by a single endpoint
1341 address. Similarly, where a peer can have multiple ports and sharing
1342 of EAP keying material and parameters between peer ports of the same
1346 Aboba, et al. Standards Track [Page 24]
1348 RFC 5247 EAP Key Management Framework August 2008
1351 link type is allowed, the extent of the peer key cache cannot be
1352 communicated by using a single endpoint address. Instead, it is
1353 RECOMMENDED that the EAP peer and authenticator consistently identify
1354 themselves utilizing explicit identifiers, rather than endpoint
1355 addresses or port identifiers.
1357 AAA protocols such as RADIUS [RFC3579] and Diameter [RFC4072] provide
1358 a mechanism for the identification of AAA clients; since the EAP
1359 authenticator and AAA client MUST be co-resident, this mechanism is
1360 applicable to the identification of EAP authenticators.
1362 RADIUS [RFC2865] requires that an Access-Request packet contain one
1363 or more of the NAS-Identifier, NAS-IP-Address, and NAS-IPv6-Address
1364 attributes. Since a NAS can have more than one IP address, the
1365 NAS-Identifier Attribute is RECOMMENDED for explicit identification
1366 of the authenticator, both within the AAA protocol exchange and the
1367 Secure Association Protocol conversation.
1369 Problems that can arise where the peer and authenticator implicitly
1370 identify themselves using endpoint addresses include the following:
1372 (a) It is possible that the peer will not be able to determine which
1373 authenticator ports are associated with which authenticators.
1374 As a result, the EAP peer will be unable to utilize the
1375 authenticator key cache in an efficient way, and will also be
1376 unable to determine whether EAP keying material has been shared
1377 outside its authorized scope, and therefore needs to be
1378 considered compromised.
1380 (b) It is possible that the authenticator will not be able to
1381 determine which peer ports are associated with which peers,
1382 preventing the peer from communicating with it utilizing
1383 multiple peer ports.
1385 (c) It is possible that the peer will not be able to determine with
1386 which virtual authenticator it is communicating. For example,
1387 multiple virtual authenticators can share a MAC address, but
1388 utilize different NAS-Identifiers.
1390 (d) It is possible that the authenticator will not be able to
1391 determine with which virtual peer it is communicating. Multiple
1392 virtual peers can share a MAC address, but utilize different
1395 (e) It is possible that the EAP peer and server will not be able to
1396 verify the authenticator identity via channel binding.
1402 Aboba, et al. Standards Track [Page 25]
1404 RFC 5247 EAP Key Management Framework August 2008
1407 For example, problems (a), (c), and (e) occur in [IEEE-802.11], which
1408 utilizes peer and authenticator MAC addresses within the 4-way
1409 handshake. Problems (b) and (d) do not occur since [IEEE-802.11]
1410 only allows a virtual peer to utilize a single port.
1412 The following steps enable lower-layer identities to be securely
1413 verified by all parties:
1415 (f) Specify the lower-layer parameters used to identify the
1416 authenticator and peer. As noted earlier, endpoint or port
1417 identifiers are not recommended for identification of the
1418 authenticator or peer when it is possible for them to have
1421 (g) Communicate the lower-layer identities between the peer and
1422 authenticator within phase 0. This allows the peer and
1423 authenticator to determine the key scope if a key cache is
1426 (h) Communicate the lower-layer authenticator identity between the
1427 authenticator and backend authentication server within the NAS-
1428 Identifier Attribute.
1430 (i) Include the lower-layer identities within channel bindings (if
1431 supported) in phase 1a, ensuring that they are communicated
1432 between the EAP peer and server.
1434 (j) Support the integrity-protected exchange of identities within
1437 (k) Utilize the advertised lower-layer identities to enable the peer
1438 and authenticator to verify that keys are maintained within the
1441 2.3.1. Virtual Authenticators
1443 When a single physical authenticator advertises itself as multiple
1444 virtual authenticators, if the virtual authenticators do not maintain
1445 logically separate key caches, then by authenticating to one virtual
1446 authenticator, the peer can gain access to the other virtual
1447 authenticators sharing a key cache.
1458 Aboba, et al. Standards Track [Page 26]
1460 RFC 5247 EAP Key Management Framework August 2008
1463 For example, where a physical authenticator implements "Guest" and
1464 "Corporate Intranet" virtual authenticators, an attacker acting as a
1465 peer could authenticate with the "Guest" virtual authenticator and
1466 derive EAP keying material. If the "Guest" and "Corporate Intranet"
1467 virtual authenticators share a key cache, then the peer can utilize
1468 the EAP keying material derived for the "Guest" network to obtain
1469 access to the "Corporate Intranet" network.
1471 The following steps can be taken to mitigate this vulnerability:
1473 (a) Authenticators are REQUIRED to cache associated authorizations
1474 along with EAP keying material and parameters and to apply
1475 authorizations to the peer on each network access, regardless of
1476 which virtual authenticator is being accessed. This ensures
1477 that an attacker cannot obtain elevated privileges even where
1478 the key cache is shared between virtual authenticators, and a
1479 peer obtains access to one virtual authenticator utilizing a key
1480 cache entry created for use with another virtual authenticator.
1482 (b) It is RECOMMENDED that physical authenticators maintain separate
1483 key caches for each virtual authenticator. This ensures that a
1484 cache entry created for use with one virtual authenticator
1485 cannot be used for access to another virtual authenticator.
1486 Since a key cache entry can no longer be shared between virtual
1487 authentications, this step provides protection beyond that
1488 offered in (a). This is valuable in situations where
1489 authorizations are not used to enforce access limitations. For
1490 example, where access is limited using a filter installed on a
1491 router rather than using authorizations provided to the
1492 authenticator, a peer can gain unauthorized access to resources
1493 by exploiting a shared key cache entry.
1495 (c) It is RECOMMENDED that each virtual authenticator identify
1496 itself consistently to the peer and to the backend
1497 authentication server, so as to enable the peer to verify the
1498 authenticator identity via channel binding (see Section 5.3.3).
1500 (d) It is RECOMMENDED that each virtual authenticator identify
1501 itself distinctly, in order to enable the peer and backend
1502 authentication server to tell them apart. For example, this can
1503 be accomplished by utilizing a distinct value of the NAS-
1504 Identifier Attribute.
1506 2.4. Peer Identification
1508 As described in [RFC3748] Section 7.3, the peer identity provided in
1509 the EAP-Response/Identity can be different from the peer identities
1510 authenticated by the EAP method. For example, the identity provided
1514 Aboba, et al. Standards Track [Page 27]
1516 RFC 5247 EAP Key Management Framework August 2008
1519 in the EAP-Response/Identity can be a privacy identifier as described
1520 in "The Network Access Identifier" [RFC4282] Section 2. As noted in
1521 [RFC4284], it is also possible to utilize a Network Access Identifier
1522 (NAI) for the purposes of source routing; an NAI utilized for source
1523 routing is said to be "decorated" as described in [RFC4282] Section
1526 When the EAP peer provides the Network Access Identity (NAI) within
1527 the EAP-Response/Identity, as described in [RFC3579], the
1528 authenticator copies the NAI included in the EAP-Response/Identity
1529 into the User-Name Attribute included within the Access-Request. As
1530 the Access-Request is forwarded toward the backend authentication
1531 server, AAA proxies remove decoration from the NAI included in the
1532 User-Name Attribute; the NAI included within the
1533 EAP-Response/Identity encapsulated in the Access-Request remains
1534 unchanged. As a result, when the Access-Request arrives at the
1535 backend authentication server, the EAP-Response/Identity can differ
1536 from the User-Name Attribute (which can have some or all of the
1537 decoration removed). In the absence of a Peer-Id, the backend
1538 authentication server SHOULD use the contents of the User-Name
1539 Attribute, rather than the EAP-Response/Identity, as the peer
1542 It is possible for more than one Peer-Id to be exported by an EAP
1543 method. For example, a peer certificate can contain more than one
1544 peer identity; in a tunnel method, peer identities can be
1545 authenticated within both an outer and inner exchange, and these
1546 identities could be different in type and contents. For example, an
1547 outer exchange could provide a Peer-Id in the form of a Relative
1548 Distinguished Name (RDN), whereas an inner exchange could identify
1549 the peer via its NAI or MAC address. Where EAP keying material is
1550 determined solely from the outer exchange, only the outer Peer-Id(s)
1551 are exported; where the EAP keying material is determined from both
1552 the inner and outer exchanges, then both the inner and outer
1553 Peer-Id(s) are exported by the tunnel method.
1570 Aboba, et al. Standards Track [Page 28]
1572 RFC 5247 EAP Key Management Framework August 2008
1575 2.5. Server Identification
1577 It is possible for more than one Server-Id to be exported by an EAP
1578 method. For example, a server certificate can contain more than one
1579 server identity; in a tunnel method, server identities could be
1580 authenticated within both an outer and inner exchange, and these
1581 identities could be different in type and contents. For example, an
1582 outer exchange could provide a Server-Id in the form of an IP
1583 address, whereas an inner exchange could identify the server via its
1584 Fully-Qualified Domain Name (FQDN) or hostname. Where EAP keying
1585 material is determined solely from the outer exchange, only the outer
1586 Server-Id(s) are exported by the EAP method; where the EAP keying
1587 material is determined from both the inner and outer exchanges, then
1588 both the inner and outer Server-Id(s) are exported by the EAP method.
1590 As shown in Figure 3, an authenticator can be configured to
1591 communicate with multiple EAP servers; the EAP server that an
1592 authenticator communicates with can vary according to configuration
1593 and network and server availability. While the EAP peer can assume
1594 that all EAP servers within a realm have access to the credentials
1595 necessary to validate an authentication attempt, it cannot assume
1596 that all EAP servers share persistent state.
1598 Authenticators can be configured with different primary or secondary
1599 EAP servers, in order to balance the load. Also, the authenticator
1600 can dynamically determine the EAP server to which requests will be
1601 sent; in the event of a communication failure, the authenticator can
1602 fail over to another EAP server. For example, in Figure 3,
1603 Authenticator2 can be initially configured with EAP server1 as its
1604 primary backend authentication server, and EAP server2 as the backup,
1605 but if EAP server1 becomes unavailable, EAP server2 can become the
1608 In general, the EAP peer cannot direct an authentication attempt to a
1609 particular EAP server within a realm, this decision is made by AAA
1610 clients, nor can the peer determine with which EAP server it will be
1611 communicating, prior to the start of the EAP method conversation.
1612 The Server-Id is not included in the EAP-Request/Identity, and since
1613 the EAP server may be determined dynamically, it typically is not
1614 possible for the authenticator to advertise the Server-Id during the
1615 discovery phase. Some EAP methods do not export the Server-Id so
1616 that it is possible that the EAP peer will not learn with which
1617 server it was conversing after the EAP conversation completes
1620 As a result, an EAP peer, on connecting to a new authenticator or
1621 reconnecting to the same authenticator, can find itself communicating
1622 with a different EAP server. Fast reconnect, defined in [RFC3748]
1626 Aboba, et al. Standards Track [Page 29]
1628 RFC 5247 EAP Key Management Framework August 2008
1631 Section 7.2, can fail if the EAP server with which the peer
1632 communicates is not the same one with which it initially established
1633 a security association. For example, an EAP peer attempting an
1634 EAP-TLS session resume can find that the new EAP-TLS server will not
1635 have access to the TLS Master Key identified by the TLS Session-Id,
1636 and therefore the session resumption attempt will fail, requiring
1637 completion of a full EAP-TLS exchange.
1639 EAP methods that export the Server-Id MUST authenticate the server.
1640 However, not all EAP methods supporting mutual authentication provide
1641 a non-null Server-Id; some methods only enable the EAP peer to verify
1642 that the EAP server possesses a long-term secret, but do not provide
1643 the identity of the EAP server. In this case, the EAP peer will know
1644 that an authenticator has been authorized by an EAP server, but will
1645 not confirm the identity of the EAP server. Where the EAP method
1646 does not provide a Server-Id, the peer cannot identify the EAP server
1647 with which it generated keying material. This can make it difficult
1648 for the EAP peer to identify the location of a key possessed by that
1651 As noted in [RFC5216] Section 5.2, EAP methods supporting
1652 authentication using server certificates can determine the Server-Id
1653 from the subject or subjectAltName fields in the server certificate.
1654 Validating the EAP server identity can help the EAP peer to decide
1655 whether a specific EAP server is authorized. In some cases, such as
1656 where the certificate extensions defined in [RFC4334] are included in
1657 the server certificate, it can even be possible for the peer to
1658 verify some channel binding parameters from the server certificate.
1660 It is possible for problems to arise in situations where the EAP
1661 server identifies itself differently to the EAP peer and
1662 authenticator. For example, it is possible that the Server-Id
1663 exported by EAP methods will not be identical to the Fully Qualified
1664 Domain Name (FQDN) of the backend authentication server. Where
1665 certificate-based authentication is used within RADIUS or Diameter,
1666 it is possible that the subjectAltName used in the backend
1667 authentication server certificate will not be identical to the
1668 Server-Id or backend authentication server FQDN. This is not
1669 normally an issue in EAP, as the authenticator will be unaware of the
1670 identities used between the EAP peer and server. However, this can
1671 be an issue for key caching, if the authenticator is expected to
1672 locate a backend authentication server corresponding to a Server-Id
1673 provided by an EAP peer.
1675 Where the backend authentication server FQDN differs from the
1676 subjectAltName in the backend authentication server certificate, it
1677 is possible that the AAA client will not be able to determine whether
1678 it is talking to the correct backend authentication server. Where
1682 Aboba, et al. Standards Track [Page 30]
1684 RFC 5247 EAP Key Management Framework August 2008
1687 the Server-Id and backend authentication server FQDN differ, it is
1688 possible that the combination of the key scope (Peer-Id(s), Server-
1689 Id(s)) and EAP conversation identifier (Session-Id) will not be
1690 sufficient to determine where the key resides. For example, the
1691 authenticator can identify backend authentication servers by their IP
1692 address (as occurs in RADIUS), or using a Fully Qualified Domain Name
1693 (as in Diameter). If the Server-Id does not correspond to the IP
1694 address or FQDN of a known backend authentication server, then it may
1695 not be possible to locate which backend authentication server
1698 3. Security Association Management
1700 EAP, as defined in [RFC3748], supports key derivation, but does not
1701 provide for the management of lower-layer security associations.
1702 Missing functionality includes:
1704 (a) Security Association negotiation. EAP does not negotiate
1705 lower-layer unicast or multicast security associations,
1706 including cryptographic algorithms or traffic profiles. EAP
1707 methods only negotiate cryptographic algorithms for their own
1708 use, not for the underlying lower layers. EAP also does not
1709 negotiate the traffic profiles to be protected with the
1710 negotiated ciphersuites; in some cases the traffic to be
1711 protected can have lower-layer source and destination addresses
1712 different from the lower-layer peer or authenticator addresses.
1714 (b) Re-key. EAP does not support the re-keying of exported EAP
1715 keying material without EAP re-authentication, although EAP
1716 methods can support "fast reconnect" as defined in [RFC3748]
1719 (c) Key delete/install semantics. EAP does not synchronize
1720 installation or deletion of keying material on the EAP peer and
1723 (d) Lifetime negotiation. EAP does not support lifetime negotiation
1724 for exported EAP keying material, and existing EAP methods also
1725 do not support key lifetime negotiation.
1727 (e) Guaranteed TSK freshness. Without a post-EAP handshake, TSKs
1728 can be reused if EAP keying material is cached.
1730 These deficiencies are typically addressed via a post-EAP handshake
1731 known as the Secure Association Protocol.
1738 Aboba, et al. Standards Track [Page 31]
1740 RFC 5247 EAP Key Management Framework August 2008
1743 3.1. Secure Association Protocol
1745 Since neither EAP nor EAP methods provide for establishment of
1746 lower-layer security associations, it is RECOMMENDED that these
1747 facilities be provided within the Secure Association Protocol,
1750 (a) Entity Naming. A basic feature of a Secure Association Protocol
1751 is the explicit naming of the parties engaged in the exchange.
1752 Without explicit identification, the parties engaged in the
1753 exchange are not identified and the scope of the EAP keying
1754 parameters negotiated during the EAP exchange is undefined.
1756 (b) Mutual proof of possession of EAP keying material. During the
1757 Secure Association Protocol, the EAP peer and authenticator MUST
1758 demonstrate possession of the keying material transported
1759 between the backend authentication server and authenticator
1760 (e.g., MSK), in order to demonstrate that the peer and
1761 authenticator have been authorized. Since mutual proof of
1762 possession is not the same as mutual authentication, the peer
1763 cannot verify authenticator assertions (including the
1764 authenticator identity) as a result of this exchange.
1765 Authenticator identity verification is discussed in Section 2.3.
1767 (c) Secure capabilities negotiation. In order to protect against
1768 spoofing during the discovery phase, ensure selection of the
1769 "best" ciphersuite, and protect against forging of negotiated
1770 security parameters, the Secure Association Protocol MUST
1771 support secure capabilities negotiation. This includes the
1772 secure negotiation of usage modes, session parameters (such as
1773 security association identifiers (SAIDs) and key lifetimes),
1774 ciphersuites and required filters, including confirmation of
1775 security-relevant capabilities discovered during phase 0. The
1776 Secure Association Protocol MUST support integrity and replay
1777 protection of all capability negotiation messages.
1779 (d) Key naming and selection. Where key caching is supported, it is
1780 possible for the EAP peer and authenticator to share more than
1781 one key of a given type. As a result, the Secure Association
1782 Protocol MUST explicitly name the keys used in the proof of
1783 possession exchange, so as to prevent confusion when more than
1784 one set of keying material could potentially be used as the
1785 basis for the exchange. Use of the key naming mechanism
1786 described in Section 1.4.1 is RECOMMENDED.
1788 In order to support the correct processing of phase 2 security
1789 associations, the Secure Association (phase 2) protocol MUST
1790 support the naming of phase 2 security associations and
1794 Aboba, et al. Standards Track [Page 32]
1796 RFC 5247 EAP Key Management Framework August 2008
1799 associated transient session keys so that the correct set of
1800 transient session keys can be identified for processing a given
1801 packet. The phase 2 Secure Association Protocol also MUST
1802 support transient session key activation and SHOULD support
1803 deletion so that establishment and re-establishment of transient
1804 session keys can be synchronized between the parties.
1806 (e) Generation of fresh transient session keys (TSKs). Where the
1807 lower layer supports caching of keying material, the EAP peer
1808 lower layer can initiate a new session using keying material
1809 that was derived in a previous session. Were the TSKs to be
1810 derived solely from a portion of the exported EAP keying
1811 material, this would result in reuse of the session keys that
1812 could expose the underlying ciphersuite to attack.
1814 In lower layers where caching of keying material is supported,
1815 the Secure Association Protocol phase is REQUIRED, and MUST
1816 support the derivation of fresh unicast and multicast TSKs, even
1817 when the transported keying material provided by the backend
1818 authentication server is not fresh. This is typically supported
1819 via the exchange of nonces or counters, which are then mixed
1820 with the keying material in order to generate fresh unicast
1821 (phase 2a) and possibly multicast (phase 2b) session keys. By
1822 not using exported EAP keying material directly to protect data,
1823 the Secure Association Protocol protects it against compromise.
1825 (f) Key lifetime management. This includes explicit key lifetime
1826 negotiation or seamless re-key. EAP does not support the
1827 re-keying of EAP keying material without re-authentication, and
1828 existing EAP methods do not support key lifetime negotiation.
1829 As a result, the Secure Association Protocol MAY handle the
1830 re-key and determination of the key lifetime. Where key caching
1831 is supported, secure negotiation of key lifetimes is
1832 RECOMMENDED. Lower layers that support re-key, but not key
1833 caching, may not require key lifetime negotiation. For example,
1834 a difference between IKEv1 [RFC2409] and IKEv2 [RFC4306] is that
1835 in IKEv1 SA lifetimes were negotiated; in IKEv2, each end of the
1836 SA is responsible for enforcing its own lifetime policy on the
1837 SA and re-keying the SA when necessary.
1839 (g) Key state resynchronization. It is possible for the peer or
1840 authenticator to reboot or reclaim resources, clearing portions
1841 or all of the key cache. Therefore, key lifetime negotiation
1842 cannot guarantee that the key cache will remain synchronized,
1843 and it may not be possible for the peer to determine before
1844 attempting to use a key whether it exists within the
1845 authenticator cache. It is therefore RECOMMENDED for the EAP
1846 lower layer to provide a mechanism for key state
1850 Aboba, et al. Standards Track [Page 33]
1852 RFC 5247 EAP Key Management Framework August 2008
1855 resynchronization, either via the SAP or using a lower layer
1856 indication (see [RFC3748] Section 3.4). Where the peer and
1857 authenticator do not jointly possess a key with which to protect
1858 the resynchronization exchange, secure resynchronization is not
1859 possible, and alternatives (such as an initiation of EAP
1860 re-authentication after expiration of a timer) are needed to
1861 ensure timely resynchronization.
1863 (h) Key scope synchronization. To support key scope determination,
1864 the Secure Association Protocol SHOULD provide a mechanism by
1865 which the peer can determine the scope of the key cache on each
1866 authenticator and by which the authenticator can determine the
1867 scope of the key cache on a peer. This includes negotiation of
1868 restrictions on key usage.
1870 (i) Traffic profile negotiation. The traffic to be protected by a
1871 lower-layer security association will not necessarily have the
1872 same lower-layer source or destination address as the EAP peer
1873 and authenticator, and it is possible for the peer and
1874 authenticator to negotiate multiple security associations, each
1875 with a different traffic profile. Where this is the case, the
1876 profile of protected traffic SHOULD be explicitly negotiated.
1877 For example, in IKEv2 it is possible for an Initiator and
1878 Responder to utilize EAP for authentication, then negotiate a
1879 Tunnel Mode Security Association (SA), which permits passing of
1880 traffic originating from hosts other than the Initiator and
1881 Responder. Similarly, in IEEE 802.16e, a Subscriber Station
1882 (SS) can forward traffic to the Base Station (BS), which
1883 originates from the Local Area Network (LAN) to which it is
1884 attached. To enable this, Security Associations within IEEE
1885 802.16e are identified by the Connection Identifier (CID), not
1886 by the EAP peer and authenticator MAC addresses. In both IKEv2
1887 and IEEE 802.16e, multiple security associations can exist
1888 between the EAP peer and authenticator, each with their own
1889 traffic profile and quality of service parameters.
1891 (j) Direct operation. Since the phase 2 Secure Association Protocol
1892 is concerned with the establishment of security associations
1893 between the EAP peer and authenticator, including the derivation
1894 of transient session keys, only those parties have "a need to
1895 know" the transient session keys. The Secure Association
1896 Protocol MUST operate directly between the peer and
1897 authenticator and MUST NOT be passed-through to the backend
1898 authentication server or include additional parties.
1900 (k) Bi-directional operation. While some ciphersuites only require
1901 a single set of transient session keys to protect traffic in
1902 both directions, other ciphersuites require a unique set of
1906 Aboba, et al. Standards Track [Page 34]
1908 RFC 5247 EAP Key Management Framework August 2008
1911 transient session keys in each direction. The phase 2 Secure
1912 Association Protocol SHOULD provide for the derivation of
1913 unicast and multicast keys in each direction, so as not to
1914 require two separate phase 2 exchanges in order to create a
1915 bi-directional phase 2 security association. See [RFC3748]
1916 Section 2.4 for more discussion.
1920 Absent explicit specification within the lower layer, after the
1921 completion of phase 1b, transported keying material, and parameters
1922 are bound to the EAP peer and authenticator, but are not bound to a
1923 specific peer or authenticator port.
1925 While EAP keying material passed down to the lower layer is not
1926 intrinsically bound to particular authenticator and peer ports, TSKs
1927 MAY be bound to particular authenticator and peer ports by the Secure
1928 Association Protocol. However, a lower layer MAY also permit TSKs to
1929 be used on multiple peer and/or authenticator ports, provided that
1930 TSK freshness is guaranteed (such as by keeping replay counter state
1931 within the authenticator).
1933 In order to further limit the key scope, the following measures are
1936 (a) The lower layer MAY specify additional restrictions on key
1937 usage, such as limiting the use of EAP keying material and
1938 parameters on the EAP peer to the port over which the EAP
1939 conversation was conducted.
1941 (b) The backend authentication server and authenticator MAY
1942 implement additional attributes in order to further restrict the
1943 scope of keying material. For example, in IEEE 802.11, the
1944 backend authentication server can provide the authenticator with
1945 a list of authorized Called or Calling-Station-Ids and/or SSIDs
1946 for which keying material is valid.
1948 (c) Where the backend authentication server provides attributes
1949 restricting the key scope, it is RECOMMENDED that restrictions
1950 be securely communicated by the authenticator to the peer. This
1951 can be accomplished using the Secure Association Protocol, but
1952 also can be accomplished via the EAP method or the lower layer.
1954 3.3. Parent-Child Relationships
1956 When an EAP re-authentication takes place, new EAP keying material is
1957 exported by the EAP method. In EAP lower layers where EAP
1958 re-authentication eventually results in TSK replacement, the maximum
1962 Aboba, et al. Standards Track [Page 35]
1964 RFC 5247 EAP Key Management Framework August 2008
1967 lifetime of derived keying material (including TSKs) can be less than
1968 or equal to that of EAP keying material (MSK/EMSK), but it cannot be
1971 Where TSKs are derived from or are wrapped by exported EAP keying
1972 material, compromise of that exported EAP keying material implies
1973 compromise of TSKs. Therefore, if EAP keying material is considered
1974 stale, not only SHOULD EAP re-authentication be initiated, but also
1975 replacement of child keys, including TSKs.
1977 Where EAP keying material is used only for entity authentication but
1978 not for TSK derivation (as in IKEv2), compromise of exported EAP
1979 keying material does not imply compromise of the TSKs. Nevertheless,
1980 the compromise of EAP keying material could enable an attacker to
1981 impersonate an authenticator, so that EAP re-authentication and TSK
1982 re-key are RECOMMENDED.
1984 With respect to IKEv2, Section 5.2 of [RFC4718], "IKEv2
1985 Clarifications and Implementation Guidelines", states:
1987 Rekeying the IKE_SA and reauthentication are different concepts in
1988 IKEv2. Rekeying the IKE_SA establishes new keys for the IKE_SA
1989 and resets the Message ID counters, but it does not authenticate
1990 the parties again (no AUTH or EAP payloads are involved)... This
1991 means that reauthentication also establishes new keys for the
1992 IKE_SA and CHILD_SAs. Therefore while rekeying can be performed
1993 more often than reauthentication, the situation where
1994 "authentication lifetime" is shorter than "key lifetime" does not
1997 Child keys that are used frequently (such as TSKs that are used for
1998 traffic protection) can expire sooner than the exported EAP keying
1999 material on which they are dependent, so that it is advantageous to
2000 support re-key of child keys prior to EAP re-authentication. Note
2001 that deletion of the MSK/EMSK does not necessarily imply deletion of
2004 Failure to mutually prove possession of exported EAP keying material
2005 during the Secure Association Protocol exchange need not be grounds
2006 for deletion of keying material by both parties; rate-limiting Secure
2007 Association Protocol exchanges could be used to prevent a brute force
2018 Aboba, et al. Standards Track [Page 36]
2020 RFC 5247 EAP Key Management Framework August 2008
2023 3.4. Local Key Lifetimes
2025 The Transient EAP Keys (TEKs) are session keys used to protect the
2026 EAP conversation. The TEKs are internal to the EAP method and are
2027 not exported. TEKs are typically created during an EAP conversation,
2028 used until the end of the conversation and then discarded. However,
2029 methods can re-key TEKs during an EAP conversation.
2031 When using TEKs within an EAP conversation or across conversations,
2032 it is necessary to ensure that replay protection and key separation
2033 requirements are fulfilled. For instance, if a replay counter is
2034 used, TEK re-key MUST occur prior to wrapping of the counter.
2035 Similarly, TSKs MUST remain cryptographically separate from TEKs
2036 despite TEK re-keying or caching. This prevents TEK compromise from
2037 leading directly to compromise of the TSKs and vice versa.
2039 EAP methods MAY cache local EAP keying material (TEKs) that can
2040 persist for multiple EAP conversations when fast reconnect is used
2041 [RFC3748]. For example, EAP methods based on TLS (such as EAP-TLS
2042 [RFC5216]) derive and cache the TLS Master Secret, typically for
2043 substantial time periods. The lifetime of other local EAP keying
2044 material calculated within the EAP method is defined by the method.
2045 Note that in general, when using fast reconnect, there is no
2046 guarantee that the original long-term credentials are still in the
2047 possession of the peer. For instance, a smart-card holding the
2048 private key for EAP-TLS may have been removed. EAP servers SHOULD
2049 also verify that the long-term credentials are still valid, such as
2050 by checking that certificate used in the original authentication has
2053 3.5. Exported and Calculated Key Lifetimes
2055 The following mechanisms are available for communicating the lifetime
2056 of keying material between the EAP peer, server, and authenticator:
2058 AAA protocols (backend authentication server and authenticator)
2059 Lower-layer mechanisms (authenticator and peer)
2060 EAP method-specific negotiation (peer and server)
2062 Where the EAP method does not support the negotiation of the lifetime
2063 of exported EAP keying material, and a key lifetime negotiation
2064 mechanism is not provided by the lower layer, it is possible that
2065 there will not be a way for the peer to learn the lifetime of keying
2066 material. This can leave the peer uncertain of how long the
2067 authenticator will maintain keying material within the key cache. In
2068 this case the lifetime of keying material can be managed as a system
2069 parameter on the peer and authenticator; a default lifetime of 8
2070 hours is RECOMMENDED.
2074 Aboba, et al. Standards Track [Page 37]
2076 RFC 5247 EAP Key Management Framework August 2008
2079 3.5.1. AAA Protocols
2081 AAA protocols such as RADIUS [RFC2865] and Diameter [RFC4072] can be
2082 used to communicate the maximum key lifetime from the backend
2083 authentication server to the authenticator.
2085 The Session-Timeout Attribute is defined for RADIUS in [RFC2865] and
2086 for Diameter in [RFC4005]. Where EAP is used for authentication,
2087 [RFC3580] Section 3.17, indicates that a Session-Timeout Attribute
2088 sent in an Access-Accept along with a Termination-Action value of
2089 RADIUS-Request specifies the maximum number of seconds of service
2090 provided prior to EAP re-authentication.
2092 However, there is also a need to be able to specify the maximum
2093 lifetime of cached keying material. Where EAP pre-authentication is
2094 supported, cached keying material can be pre-established on the
2095 authenticator prior to session start and will remain there until
2096 expiration. EAP lower layers supporting caching of keying material
2097 MAY also persist that material after the end of a session, enabling
2098 the peer to subsequently resume communication utilizing the cached
2099 keying material. In these situations it can be desirable for the
2100 backend authentication server to specify the maximum lifetime of
2101 cached keying material.
2103 To accomplish this, [IEEE-802.11] overloads the Session-Timeout
2104 Attribute, assuming that it represents the maximum time after which
2105 transported keying material will expire on the authenticator,
2106 regardless of whether transported keying material is cached.
2108 An IEEE 802.11 authenticator receiving transported keying material is
2109 expected to initialize a timer to the Session-Timeout value, and once
2110 the timer expires, the transported keying material expires. Whether
2111 this results in session termination or EAP re-authentication is
2112 controlled by the value of the Termination-Action Attribute. Where
2113 EAP re-authentication occurs, the transported keying material is
2114 replaced, and with it, new calculated keys are put in place. Where
2115 session termination occurs, transported and derived keying material
2118 Overloading the Session-Timeout Attribute is problematic in
2119 situations where it is necessary to control the maximum session time
2120 and key lifetime independently. For example, it might be desirable
2121 to limit the lifetime of cached keying material to 5 minutes while
2122 permitting a user once authenticated to remain connected for up to an
2123 hour without re-authenticating. As a result, in the future,
2124 additional attributes can be specified to control the lifetime of
2125 cached keys; these attributes MAY modify the meaning of the
2126 Session-Timeout Attribute in specific circumstances.
2130 Aboba, et al. Standards Track [Page 38]
2132 RFC 5247 EAP Key Management Framework August 2008
2135 Since the TSK lifetime is often determined by authenticator
2136 resources, and the backend authentication server has no insight into
2137 the TSK derivation process by the principle of ciphersuite
2138 independence, it is not appropriate for the backend authentication
2139 server to manage any aspect of the TSK derivation process, including
2142 3.5.2. Lower-Layer Mechanisms
2144 Lower-layer mechanisms can be used to enable the lifetime of keying
2145 material to be negotiated between the peer and authenticator. This
2146 can be accomplished either using the Secure Association Protocol or
2147 within the lower-layer transport.
2149 Where TSKs are established as the result of a Secure Association
2150 Protocol exchange, it is RECOMMENDED that the Secure Association
2151 Protocol include support for TSK re-key. Where the TSK is taken
2152 directly from the MSK, there is no need to manage the TSK lifetime as
2153 a separate parameter, since the TSK lifetime and MSK lifetime are
2156 3.5.3. EAP Method-Specific Negotiation
2158 As noted in [RFC3748] Section 7.10:
2160 In order to provide keying material for use in a subsequently
2161 negotiated ciphersuite, an EAP method supporting key derivation
2162 MUST export a Master Session Key (MSK) of at least 64 octets, and
2163 an Extended Master Session Key (EMSK) of at least 64 octets. EAP
2164 Methods deriving keys MUST provide for mutual authentication
2165 between the EAP peer and the EAP Server.
2167 However, EAP does not itself support the negotiation of lifetimes for
2168 exported EAP keying material such as the MSK, EMSK, and IV.
2170 While EAP itself does not support lifetime negotiation, it would be
2171 possible to specify methods that do. However, systems that rely on
2172 key lifetime negotiation within EAP methods would only function with
2173 these methods. Also, there is no guarantee that the key lifetime
2174 negotiated within the EAP method would be compatible with backend
2175 authentication server policy. In the interest of method independence
2176 and compatibility with backend authentication server implementations,
2177 management of the lifetime of keying material SHOULD NOT be provided
2186 Aboba, et al. Standards Track [Page 39]
2188 RFC 5247 EAP Key Management Framework August 2008
2191 3.6. Key Cache Synchronization
2193 Key lifetime negotiation alone cannot guarantee key cache
2194 synchronization. Even where a lower-layer exchange is run
2195 immediately after EAP in order to determine the lifetime of keying
2196 material, it is still possible for the authenticator to purge all or
2197 part of the key cache prematurely (e.g., due to reboot or need to
2200 The lower layer can utilize the Discovery phase 0 to improve key
2201 cache synchronization. For example, if the authenticator manages the
2202 key cache by deleting the oldest key first, the relative creation
2203 time of the last key to be deleted could be advertised within the
2204 Discovery phase, enabling the peer to determine whether keying
2205 material had been prematurely expired from the authenticator key
2210 As noted in Section 2.1, EAP lower layers determine TSKs in different
2211 ways. Where exported EAP keying material is utilized in the
2212 derivation, encryption or authentication of TSKs, it is possible for
2213 EAP key generation to represent the weakest link.
2215 In order to ensure that methods produce EAP keying material of an
2216 appropriate symmetric key strength, it is RECOMMENDED that EAP
2217 methods utilizing public key cryptography choose a public key that
2218 has a cryptographic strength providing the required level of attack
2219 resistance. This is typically provided by configuring EAP methods,
2220 since there is no coordination between the lower layer and EAP method
2221 with respect to minimum required symmetric key strength.
2223 Section 5 of BCP 86 [RFC3766] offers advice on the required RSA or DH
2224 module and DSA subgroup size in bits, for a given level of attack
2225 resistance in bits. The National Institute for Standards and
2226 Technology (NIST) also offers advice on appropriate key sizes in
2242 Aboba, et al. Standards Track [Page 40]
2244 RFC 5247 EAP Key Management Framework August 2008
2249 The key wrap specified in [RFC2548], which is based on an MD5-based
2250 stream cipher, has known problems, as described in [RFC3579] Section
2251 4.3. RADIUS uses the shared secret for multiple purposes, including
2252 per-packet authentication and attribute hiding, considerable
2253 information is exposed about the shared secret with each packet.
2254 This exposes the shared secret to dictionary attacks. MD5 is used
2255 both to compute the RADIUS Response Authenticator and the
2256 Message-Authenticator Attribute, and concerns exist relating to the
2257 security of this hash [MD5Collision].
2259 As discussed in [RFC3579] Section 4.3, the security vulnerabilities
2260 of RADIUS are extensive, and therefore development of an alternative
2261 key wrap technique based on the RADIUS shared secret would not
2262 substantially improve security. As a result, [RFC3579] Section 4.2
2263 recommends running RADIUS over IPsec. The same approach is taken in
2264 Diameter EAP [RFC4072], which in Section 4.1.3 defines the
2265 EAP-Master-Session-Key Attribute-Value Pair (AVP) in clear-text, to
2266 be protected by IPsec or TLS.
2268 4. Handoff Vulnerabilities
2270 A handoff occurs when an EAP peer moves to a new authenticator.
2271 Several mechanisms have been proposed for reducing handoff latency
2272 within networks utilizing EAP. These include:
2274 EAP pre-authentication
2275 In EAP pre-authentication, an EAP peer pre-establishes EAP keying
2276 material with an authenticator prior to arrival. EAP
2277 pre-authentication only affects the timing of EAP authentication,
2278 but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
2279 exchanges; Discovery (phase 0) and Secure Association Protocol
2280 (phase 2) exchanges occur as described in Section 1.3. As a
2281 result, the primary benefit is to enable EAP authentication to be
2282 removed from the handoff critical path, thereby reducing latency.
2283 Use of EAP pre-authentication within IEEE 802.11 is described in
2284 [IEEE-802.11] and [8021XPreAuth].
2298 Aboba, et al. Standards Track [Page 41]
2300 RFC 5247 EAP Key Management Framework August 2008
2303 Proactive key distribution
2304 In proactive key distribution, keying material and authorizations
2305 are transported from the backend authentication server to a
2306 candidate authenticator in advance of a handoff. As a result, EAP
2307 (phase 1a) is not needed, but the Discovery (phase 0), and Secure
2308 Association Protocol exchanges (phase 2) are still necessary.
2309 Within the AAA exchange (phase 1b), authorization and key
2310 distribution functions are typically supported, but not
2311 authentication. Proactive key distribution is described in
2312 [MishraPro], [IEEE-03-084], and [HANDOFF].
2315 Caching of EAP keying material enables an EAP peer to re-attach to
2316 an authenticator without requiring EAP (phase 1a) or AAA (phase
2317 1b) exchanges. However, Discovery (phase 0) and Secure
2318 Association Protocol (phase 2) exchanges are still needed. Use of
2319 key caching within IEEE 802.11 is described in [IEEE-802.11].
2322 In context transfer schemes, keying material and authorizations
2323 are transferred between a previous authenticator and a new
2324 authenticator. This can occur in response to a handoff request by
2325 the EAP peer, or in advance, as in proactive key distribution. As
2326 a result, EAP (phase 1a) is eliminated, but not the Discovery
2327 (phase 0) or Secure Association Protocol exchanges (phase 2). If
2328 a secure channel can be established between the new and previous
2329 authenticator without assistance from the backend authentication
2330 server, then the AAA exchange (phase 1b) can be eliminated;
2331 otherwise, it is still needed, although it can be shortened.
2332 Context transfer protocols are described in [IEEE-802.11F] (now
2333 deprecated) and "Context Transfer Protocol (CXTP)" [RFC4067].
2334 "Fast Authentication Methods for Handovers between IEEE 802.11
2335 Wireless LANs" [Bargh] analyzes fast handoff techniques, including
2336 context transfer mechanisms.
2354 Aboba, et al. Standards Track [Page 42]
2356 RFC 5247 EAP Key Management Framework August 2008
2360 In token distribution schemes, the EAP peer is provided with a
2361 credential, subsequently enabling it to authenticate with one or
2362 more additional authenticators. During the subsequent
2363 authentications, EAP (phase 1a) is eliminated or shortened; the
2364 Discovery (phase 0) and Secure Association Protocol exchanges
2365 (phase 2) still occur, although the latter can be shortened. If
2366 the token includes authorizations and can be validated by an
2367 authenticator without assistance from the backend authentication
2368 server, then the AAA exchange (phase 1b) can be eliminated;
2369 otherwise, it is still needed, although it can be shortened.
2370 Token-based schemes, initially proposed in early versions of IEEE
2371 802.11i [IEEE-802.11i], are described in [Token], [Tokenk], and
2374 The sections that follow discuss the security vulnerabilities
2375 introduced by the above schemes.
2377 4.1. EAP Pre-Authentication
2379 EAP pre-authentication differs from a normal EAP conversation
2380 primarily with respect to the lower-layer encapsulation. For
2381 example, in [IEEE-802.11], EAP pre-authentication frames utilize a
2382 distinct Ethertype, but otherwise conforms to the encapsulation
2383 described in [IEEE-802.1X]. As a result, an EAP pre-authentication
2384 conversation differs little from the model described in Section 1.3,
2385 other than the introduction of a delay between phase 1 and phase 2.
2387 EAP pre-authentication relies on lower-layer mechanisms for discovery
2388 of candidate authenticators. Where discovery can provide information
2389 on candidate authenticators outside the immediate listening range,
2390 and the peer can determine whether it already possesses valid EAP
2391 keying material with candidate authenticators, the peer can avoid
2392 unnecessary EAP pre-authentications and can establish EAP keying
2393 material well in advance, regardless of the coverage overlap between
2394 authenticators. However, if the peer can only discover candidate
2395 authenticators within listening range and cannot determine whether it
2396 can reuse existing EAP keying material, then it is possible that the
2397 peer will not be able to complete EAP pre-authentication prior to
2398 connectivity loss or that it can pre-authenticate multiple times with
2399 the same authenticator, increasing backend authentication server
2402 Since a peer can complete EAP pre-authentication with an
2403 authenticator without eventually attaching to it, it is possible that
2404 phase 2 will not occur. In this case, an Accounting-Request
2405 signifying the start of service will not be sent, or will only be
2406 sent with a substantial delay after the completion of authentication.
2410 Aboba, et al. Standards Track [Page 43]
2412 RFC 5247 EAP Key Management Framework August 2008
2415 As noted in "IEEE 802.1X RADIUS Usage Guidelines" [RFC3580], the AAA
2416 exchange resulting from EAP pre-authentication differs little from an
2417 ordinary exchange described in "RADIUS Support for EAP" [RFC3579].
2418 For example, since in IEEE 802.11 [IEEE-802.11] an Association
2419 exchange does not occur prior to EAP pre-authentication, the SSID is
2420 not known by the authenticator at authentication time, so that an
2421 Access-Request cannot include the SSID within the Called-Station-Id
2422 attribute as described in [RFC3580] Section 3.20.
2424 Since only the absence of an SSID in the Called-Station-Id attribute
2425 distinguishes an EAP pre-authentication attempt, if the authenticator
2426 does not always include the SSID for a normal EAP authentication
2427 attempt, it is possible that the backend authentication server will
2428 not be able to determine whether a session constitutes an EAP
2429 pre-authentication attempt, potentially resulting in authorization or
2430 accounting problems. Where the number of simultaneous sessions is
2431 limited, the backend authentication server can refuse to authorize a
2432 valid EAP pre-authentication attempt or can enable the peer to engage
2433 in more simultaneous sessions than they are authorized for. Where
2434 EAP pre-authentication occurs with an authenticator which the peer
2435 never attaches to, it is possible that the backend accounting server
2436 will not be able to determine whether the absence of an
2437 Accounting-Request was due to packet loss or a session that never
2440 In order to enable pre-authentication requests to be handled more
2441 reliably, it is RECOMMENDED that AAA protocols explicitly identify
2442 EAP pre-authentication. In order to suppress unnecessary EAP
2443 pre-authentication exchanges, it is RECOMMENDED that authenticators
2444 unambiguously identify themselves as described in Section 2.3.
2446 4.2. Proactive Key Distribution
2448 In proactive key distribution schemes, the backend authentication
2449 server transports keying material and authorizations to an
2450 authenticator in advance of the arrival of the peer. The
2451 authenticators selected to receive the transported key material are
2452 selected based on past patterns of peer movement between
2453 authenticators known as the "neighbor graph". In order to reduce
2454 handoff latency, proactive key distribution schemes typically only
2455 demonstrate proof of possession of transported keying material
2456 between the EAP peer and authenticator. During a handoff, the
2457 backend authentication server is not provided with proof that the
2458 peer successfully authenticated to an authenticator; instead, the
2459 authenticator generates a stream of accounting messages without a
2460 corresponding set of authentication exchanges. As described in
2461 [MishraPro], knowledge of the neighbor graph can be established via
2462 static configuration or analysis of authentication exchanges. In
2466 Aboba, et al. Standards Track [Page 44]
2468 RFC 5247 EAP Key Management Framework August 2008
2471 order to prevent corruption of the neighbor graph, new neighbor graph
2472 entries can only be created as the result of a successful EAP
2473 exchange, and accounting packets with no corresponding authentication
2474 exchange need to be verified to correspond to neighbor graph entries
2475 (e.g., corresponding to handoffs between neighbors).
2477 In order to prevent compromise of one authenticator from resulting in
2478 compromise of other authenticators, cryptographic separation needs to
2479 be maintained between the keying material transported to each
2480 authenticator. However, even where cryptographic separation is
2481 maintained, an attacker compromising an authenticator can still
2482 disrupt the operation of other authenticators. As noted in [RFC3579]
2483 Section 4.3.7, in the absence of spoofing detection within the AAA
2484 infrastructure, it is possible for EAP authenticators to impersonate
2485 each other. By forging NAS identification attributes within
2486 authentication messages, an attacker compromising one authenticator
2487 could corrupt the neighbor graph, tricking the backend authentication
2488 server into transporting keying material to arbitrary authenticators.
2489 While this would not enable recovery of EAP keying material without
2490 breaking fundamental cryptographic assumptions, it could enable
2491 subsequent fraudulent accounting messages, or allow an attacker to
2492 disrupt service by increasing load on the backend authentication
2493 server or thrashing the authenticator key cache.
2495 Since proactive key distribution requires the distribution of derived
2496 keying material to candidate authenticators, the effectiveness of
2497 this scheme depends on the ability of backend authentication server
2498 to anticipate the movement of the EAP peer. Since proactive key
2499 distribution relies on backend authentication server knowledge of the
2500 neighbor graph, it is most applicable to intra-domain handoff
2501 scenarios. However, in inter-domain handoff, where there can be many
2502 authenticators, peers can frequently connect to authenticators that
2503 have not been previously encountered, making it difficult for the
2504 backend authentication server to derive a complete neighbor graph.
2506 Since proactive key distribution schemes typically require
2507 introduction of server-initiated messages as described in [RFC5176]
2508 and [HANDOFF], security issues described in [RFC5176] Section 6 are
2509 applicable, including authorization (Section 6.1) and replay
2510 detection (Section 6.3) problems.
2522 Aboba, et al. Standards Track [Page 45]
2524 RFC 5247 EAP Key Management Framework August 2008
2529 Fast handoff techniques that enable elimination of the AAA exchange
2530 (phase 1b) differ fundamentally from typical network access scenarios
2531 (dial-up, wired LAN, etc.) that include user authentication as well
2532 as authorization for the offered service. Where the AAA exchange
2533 (phase 1b) is omitted, authorizations and keying material are not
2534 provided by the backend authentication server, and as a result, they
2535 need to be supplied by other means. This section describes some of
2538 4.3.1. Key Transport
2540 Where transported keying material is not supplied by the backend
2541 authentication server, it needs to be provided by another party
2542 authorized to access that keying material. As noted in Section 1.5,
2543 only the EAP peer, authenticator, and server are authorized to
2544 possess transported keying material. Since EAP peers do not trust
2545 each other, if the backend authentication server does not supply
2546 transported keying material to a new authenticator, it can only be
2547 provided by a previous authenticator.
2549 As noted in Section 1.5, the goal of the EAP conversation is to
2550 derive session keys known only to the peer and the authenticator. If
2551 keying material is replicated between a previous authenticator and a
2552 new authenticator, then the previous authenticator can possess
2553 session keys used between the peer and new authenticator. Also, the
2554 new authenticator can possess session keys used between the peer and
2555 the previous authenticator.
2557 If a one-way function is used to derive the keying material to be
2558 transported to the new authenticator, then the new authenticator
2559 cannot possess previous session keys without breaking a fundamental
2560 cryptographic assumption.
2562 4.3.2. Authorization
2564 As a part of the authentication process, the backend authentication
2565 server determines the user's authorization profile and transmits the
2566 authorizations to the authenticator along with the transported keying
2567 material. Typically, the profile is determined based on the user
2568 identity, but a certificate presented by the user can also provide
2569 authorization information.
2571 The backend authentication server is responsible for making a user
2572 authorization decision, which requires answering the following
2578 Aboba, et al. Standards Track [Page 46]
2580 RFC 5247 EAP Key Management Framework August 2008
2583 (a) Is this a legitimate user of this network?
2585 (b) Is the user allowed to access this network?
2587 (c) Is the user permitted to access this network on this day and at
2590 (d) Is the user within the concurrent session limit?
2592 (e) Are there any fraud, credit limit, or other concerns that could
2593 lead to access denial?
2595 (f) If access is to be granted, what are the service parameters
2596 (mandatory tunneling, bandwidth, filters, and so on) to be
2597 provisioned for the user?
2599 While the authorization decision is, in principle, simple, the
2600 distributed decision making process can add complexity. Where
2601 brokers or proxies are involved, all of the AAA entities in the chain
2602 from the authenticator to the home backend authentication server are
2603 involved in the decision. For example, a broker can deny access even
2604 if the home backend authentication server would allow it, or a proxy
2605 can add authorizations (e.g., bandwidth limits).
2607 Decisions can be based on static policy definitions and profiles as
2608 well as dynamic state (e.g., time of day or concurrent session
2609 limits). In addition to the Accept/Reject decisions made by AAA
2610 entities, service parameters or constraints can be communicated to
2613 The criteria for Accept/Reject decisions or the reasons for choosing
2614 particular authorizations are typically not communicated to the
2615 authenticator, only the final result is. As a result, the
2616 authenticator has no way to know on what the decision was based. Was
2617 a set of authorization parameters sent because this service is always
2618 provided to the user, or was the decision based on the time of day
2619 and the capabilities of the authenticator?
2623 When the AAA exchange (phase 1b) is bypassed, several challenges
2624 arise in ensuring correct authorization:
2627 Bypassing the AAA exchange (phase 1b) SHOULD NOT enable a user to
2628 extend their network access or gain access to services they are
2634 Aboba, et al. Standards Track [Page 47]
2636 RFC 5247 EAP Key Management Framework August 2008
2639 Consideration of network-wide state
2640 Handoff techniques SHOULD NOT render the backend authentication
2641 server incapable of keeping track of network-wide state. For
2642 example, a backend authentication server can need to keep track of
2643 simultaneous user sessions.
2645 Elevation of privilege
2646 Backend authentication servers often perform conditional
2647 evaluation, in which the authorizations returned in an
2648 Access-Accept message are contingent on the authenticator or on
2649 dynamic state such as the time of day. In this situation,
2650 bypassing the AAA exchange could enable unauthorized access unless
2651 the restrictions are explicitly encoded within the authorizations
2652 provided by the backend authentication server.
2654 A handoff mechanism that provides proper authorization is said to be
2655 "correct". One condition for correctness is as follows:
2657 For a handoff to be "correct" it MUST establish on the new
2658 authenticator the same authorizations as would have been created
2659 had the new authenticator completed a AAA conversation with the
2660 backend authentication server.
2662 A properly designed handoff scheme will only succeed if it is
2663 "correct" in this way. If a successful handoff would establish
2664 "incorrect" authorizations, it is preferable for it to fail. Where
2665 the supported services differ between authenticators, a handoff that
2666 bypasses the backend authentication server is likely to fail.
2667 Section 1.1 of [RFC2865] states:
2669 A authenticator that does not implement a given service MUST NOT
2670 implement the RADIUS attributes for that service. For example, a
2671 authenticator that is unable to offer ARAP service MUST NOT
2672 implement the RADIUS attributes for ARAP. A authenticator MUST
2673 treat a RADIUS access-accept authorizing an unavailable service as
2674 an access-reject instead.
2676 This behavior applies to attributes that are known, but not
2677 implemented. For attributes that are unknown, Section 5 of [RFC2865]
2680 A RADIUS server MAY ignore Attributes with an unknown Type. A
2681 RADIUS client MAY ignore Attributes with an unknown Type.
2683 In order to perform a correct handoff, if a new authenticator is
2684 provided with RADIUS authorizations for a known but unavailable
2685 service, then it MUST process these authorizations the same way it
2686 would handle a RADIUS Access-Accept requesting an unavailable
2690 Aboba, et al. Standards Track [Page 48]
2692 RFC 5247 EAP Key Management Framework August 2008
2695 service; this MUST cause the handoff to fail. However, if a new
2696 authenticator is provided with authorizations including unknown
2697 attributes, then these attributes MAY be ignored. The definition of
2698 a "known but unsupported service" MUST encompass requests for
2699 unavailable security services. This includes vendor-specific
2700 attributes related to security, such as those described in [RFC2548].
2701 Although it can seem somewhat counter-intuitive, failure is indeed
2702 the "correct" result where a known but unsupported service is
2705 Presumably, a correctly configured backend authentication server
2706 would not request that an authenticator provide a service that it
2707 does not implement. This implies that if the new authenticator were
2708 to complete a AAA conversation, it would be likely to receive
2709 different service instructions. Failure of the handoff is the
2710 desired result since it will cause the new authenticator to go back
2711 to the backend server in order to receive the appropriate service
2714 Handoff mechanisms that bypass the backend authentication server are
2715 most likely to be successful when employed in a homogeneous
2716 deployment within a single administrative domain. In a heterogeneous
2717 deployment, the backend authentication server can return different
2718 authorizations depending on the authenticator making the request in
2719 order to make sure that the requested service is consistent with the
2720 authenticator capabilities. Where a backend authentication server
2721 would send different authorizations to the new authenticator than
2722 were sent to a previous authenticator, transferring authorizations
2723 between the previous authenticator and the new authenticator will
2724 result in incorrect authorization.
2726 Virtual LAN (VLAN) support is defined in [IEEE-802.1Q]; RADIUS
2727 support for dynamic VLANs is described in [RFC3580] and [RFC4675].
2728 If some authenticators support dynamic VLANs while others do not,
2729 then attributes present in the Access-Request (such as the
2730 NAS-Port-Type, NAS-IP-Address, NAS-IPv6-Address, and NAS-Identifier)
2731 could be examined by the backend authentication server to determine
2732 when VLAN attributes will be returned, and if so, which ones.
2733 However, if the backend authenticator is bypassed, then a handoff
2734 occurring between authenticators supporting different VLAN
2735 capabilities could result in a user obtaining access to an
2736 unauthorized VLAN (e.g., a user with access to a guest VLAN being
2737 given unrestricted access to the network).
2746 Aboba, et al. Standards Track [Page 49]
2748 RFC 5247 EAP Key Management Framework August 2008
2751 Similarly, it is preferable for a handoff between an authenticator
2752 providing confidentiality and another that does not to fail, since if
2753 the handoff were successful, the user would be moved from a secure to
2754 an insecure channel without permission from the backend
2755 authentication server.
2757 5. Security Considerations
2759 The EAP threat model is described in [RFC3748] Section 7.1. The
2760 security properties of EAP methods (known as "security claims") are
2761 described in [RFC3748] Section 7.2.1. EAP method requirements for
2762 applications such as Wireless LAN authentication are described in
2763 [RFC4017]. The RADIUS threat model is described in [RFC3579] Section
2764 4.1, and responses to these threats are described in [RFC3579],
2765 Sections 4.2 and 4.3.
2767 However, in addition to threats against EAP and AAA, there are other
2768 system level threats. In developing the threat model, it is assumed
2771 All traffic is visible to the attacker.
2772 The attacker can alter, forge, or replay messages.
2773 The attacker can reroute messages to another principal.
2774 The attacker can be a principal or an outsider.
2775 The attacker can compromise any key that is sufficiently old.
2777 Threats arising from these assumptions include:
2779 (a) An attacker can compromise or steal an EAP peer or
2780 authenticator, in an attempt to gain access to other EAP peers
2781 or authenticators or to obtain long-term secrets.
2783 (b) An attacker can attempt a downgrade attack in order to exploit
2784 known weaknesses in an authentication method or cryptographic
2787 (c) An attacker can try to modify or spoof packets, including
2788 Discovery or Secure Association Protocol frames, EAP or AAA
2791 (d) An attacker can attempt to induce an EAP peer, authenticator, or
2792 server to disclose keying material to an unauthorized party, or
2793 utilize keying material outside the context that it was intended
2796 (e) An attacker can alter, forge, or replay packets.
2802 Aboba, et al. Standards Track [Page 50]
2804 RFC 5247 EAP Key Management Framework August 2008
2807 (f) An attacker can cause an EAP peer, authenticator, or server to
2808 reuse a stale key. Use of stale keys can also occur
2809 unintentionally. For example, a poorly implemented backend
2810 authentication server can provide stale keying material to an
2811 authenticator, or a poorly implemented authenticator can reuse
2814 (g) An authenticated attacker can attempt to obtain elevated
2815 privilege in order to access information that it does not have
2818 (h) An attacker can attempt a man-in-the-middle attack in order to
2819 gain access to the network.
2821 (i) An attacker can compromise an EAP authenticator in an effort to
2822 commit fraud. For example, a compromised authenticator can
2823 provide incorrect information to the EAP peer and/or server via
2824 out-of-band mechanisms (such as via a AAA or lower-layer
2825 protocol). This includes impersonating another authenticator,
2826 or providing inconsistent information to the peer and EAP
2829 (j) An attacker can launch a denial-of-service attack against the
2830 EAP peer, authenticator, or backend authentication server.
2832 In order to address these threats, [RFC4962] Section 3 describes
2833 required and recommended security properties. The sections that
2834 follow analyze the compliance of EAP methods, AAA protocols, and
2835 Secure Association Protocols with those guidelines.
2837 5.1. Peer and Authenticator Compromise
2839 Requirement: In the event that an authenticator is compromised or
2840 stolen, an attacker can gain access to the network through that
2841 authenticator, or can obtain the credentials needed for the
2842 authenticator/AAA client to communicate with one or more backend
2843 authentication servers. Similarly, if a peer is compromised or
2844 stolen, an attacker can obtain credentials needed to communicate with
2845 one or more authenticators. A mandatory requirement from [RFC4962]
2848 Prevent the Domino effect
2850 Compromise of a single peer MUST NOT compromise keying material
2851 held by any other peer within the system, including session keys
2852 and long-term keys. Likewise, compromise of a single
2853 authenticator MUST NOT compromise keying material held by any
2854 other authenticator within the system. In the context of a key
2858 Aboba, et al. Standards Track [Page 51]
2860 RFC 5247 EAP Key Management Framework August 2008
2863 hierarchy, this means that the compromise of one node in the key
2864 hierarchy must not disclose the information necessary to
2865 compromise other branches in the key hierarchy. Obviously, the
2866 compromise of the root of the key hierarchy will compromise all of
2867 the keys; however, a compromise in one branch MUST NOT result in
2868 the compromise of other branches. There are many implications of
2869 this requirement; however, two implications deserve highlighting.
2870 First, the scope of the keying material must be defined and
2871 understood by all parties that communicate with a party that holds
2872 that keying material. Second, a party that holds keying material
2873 in a key hierarchy must not share that keying material with
2874 parties that are associated with other branches in the key
2877 Group keys are an obvious exception. Since all members of the
2878 group have a copy of the same key, compromise of any one of the
2879 group members will result in the disclosure of the group key.
2881 Some of the implications of the requirement are as follows:
2884 In order to be able to determine whether keying material has
2885 been shared, it is necessary for the identity of the EAP
2886 authenticator (NAS-Identifier) to be defined and understood by
2887 all parties that communicate with it. EAP lower-layer
2888 specifications such as [IEEE-802.11], [IEEE-802.16e],
2889 [IEEE-802.1X], IKEv2 [RFC4306], and PPP [RFC1661] do not involve
2892 AAA Credential Sharing
2893 AAA credentials (such as RADIUS shared secrets, IPsec pre-shared
2894 keys or certificates) MUST NOT be shared between AAA clients,
2895 since if one AAA client were compromised, this would enable an
2896 attacker to impersonate other AAA clients to the backend
2897 authentication server, or even to impersonate a backend
2898 authentication server to other AAA clients.
2900 Compromise of Long-Term Credentials
2901 An attacker obtaining keying material (such as TSKs, TEKs, or
2902 the MSK) MUST NOT be able to obtain long-term user credentials
2903 such as pre-shared keys, passwords, or private-keys without
2904 breaking a fundamental cryptographic assumption. The mandatory
2905 requirements of [RFC4017] Section 2.2 include generation of EAP
2906 keying material, capability to generate EAP keying material with
2907 128 bits of effective strength, resistance to dictionary
2908 attacks, shared state equivalence, and protection against
2909 man-in-the-middle attacks.
2914 Aboba, et al. Standards Track [Page 52]
2916 RFC 5247 EAP Key Management Framework August 2008
2919 5.2. Cryptographic Negotiation
2921 Mandatory requirements from [RFC4962] Section 3:
2923 Cryptographic algorithm independent
2925 The AAA key management protocol MUST be cryptographic algorithm
2926 independent. However, an EAP method MAY depend on a specific
2927 cryptographic algorithm. The ability to negotiate the use of a
2928 particular cryptographic algorithm provides resilience against
2929 compromise of a particular cryptographic algorithm. Algorithm
2930 independence is also REQUIRED with a Secure Association Protocol
2931 if one is defined. This is usually accomplished by including an
2932 algorithm identifier and parameters in the protocol, and by
2933 specifying the algorithm requirements in the protocol
2934 specification. While highly desirable, the ability to negotiate
2935 key derivation functions (KDFs) is not required. For
2936 interoperability, at least one suite of mandatory-to-implement
2937 algorithms MUST be selected. Note that without protection by
2938 IPsec as described in [RFC3579] Section 4.2, RADIUS [RFC2865] does
2939 not meet this requirement, since the integrity protection
2940 algorithm cannot be negotiated.
2942 This requirement does not mean that a protocol must support both
2943 public-key and symmetric-key cryptographic algorithms. It means
2944 that the protocol needs to be structured in such a way that
2945 multiple public-key algorithms can be used whenever a public-key
2946 algorithm is employed. Likewise, it means that the protocol needs
2947 to be structured in such a way that multiple symmetric-key
2948 algorithms can be used whenever a symmetric-key algorithm is
2951 Confirm ciphersuite selection
2953 The selection of the "best" ciphersuite SHOULD be securely
2954 confirmed. The mechanism SHOULD detect attempted roll-back
2957 EAP methods satisfying [RFC4017] Section 2.2 mandatory requirements
2958 and AAA protocols utilizing transmission-layer security are capable
2959 of addressing downgrade attacks. [RFC3748] Section 7.2.1 describes
2960 the "protected ciphersuite negotiation" security claim that refers to
2961 the ability of an EAP method to negotiate the ciphersuite used to
2962 protect the EAP method conversation, as well as to integrity protect
2963 the ciphersuite negotiation. [RFC4017] Section 2.2 requires EAP
2964 methods satisfying this security claim. Since TLS v1.2 [RFC5246] and
2965 IKEv2 [RFC4306] support negotiation of Key Derivation Functions
2966 (KDFs), EAP methods based on TLS or IKEv2 will, if properly designed,
2970 Aboba, et al. Standards Track [Page 53]
2972 RFC 5247 EAP Key Management Framework August 2008
2975 inherit this capability. However, negotiation of KDFs is not
2976 required by RFC 4962 [RFC4962], and EAP methods based on neither TLS
2977 nor IKEv2 typically do not support KDF negotiation.
2979 When AAA protocols utilize TLS [RFC5246] or IPsec [RFC4301] for
2980 transmission layer security, they can leverage the cryptographic
2981 algorithm negotiation support provided by IKEv2 [RFC4306] or TLS
2982 [RFC5246]. RADIUS [RFC3579] by itself does not support cryptographic
2983 algorithm negotiation and relies on MD5 for integrity protection,
2984 authentication, and confidentiality. Given the known weaknesses in
2985 MD5 [MD5Collision], this is undesirable, and can be addressed via use
2986 of RADIUS over IPsec, as described in [RFC3579] Section 4.2.
2988 To ensure against downgrade attacks within lower-layer protocols,
2989 algorithm independence is REQUIRED with lower layers using EAP for
2990 key derivation. For interoperability, at least one suite of
2991 mandatory-to-implement algorithms MUST be selected. Lower-layer
2992 protocols supporting EAP for key derivation SHOULD also support
2993 secure ciphersuite negotiation as well as KDF negotiation.
2995 As described in [RFC1968], PPP ECP does not support secure
2996 ciphersuite negotiation. While [IEEE-802.16e] and [IEEE-802.11]
2997 support ciphersuite negotiation for protection of data, they do not
2998 support negotiation of the cryptographic primitives used within the
2999 Secure Association Protocol, such as message integrity checks (MICs)
3002 5.3. Confidentiality and Authentication
3004 Mandatory requirements from [RFC4962] Section 3:
3006 Authenticate all parties
3008 Each party in the AAA key management protocol MUST be
3009 authenticated to the other parties with whom they communicate.
3010 Authentication mechanisms MUST maintain the confidentiality of any
3011 secret values used in the authentication process. When a secure
3012 association protocol is used to establish session keys, the
3013 parties involved in the secure association protocol MUST identify
3014 themselves using identities that are meaningful in the lower-layer
3015 protocol environment that will employ the session keys. In this
3016 situation, the authenticator and peer may be known by different
3017 identifiers in the AAA protocol environment and the lower-layer
3018 protocol environment, making authorization decisions difficult
3019 without a clear key scope. If the lower-layer identifier of the
3026 Aboba, et al. Standards Track [Page 54]
3028 RFC 5247 EAP Key Management Framework August 2008
3031 peer will be used to make authorization decisions, then the pair
3032 of identifiers associated with the peer MUST be authorized by the
3033 authenticator and/or the AAA server.
3035 AAA protocols, such as RADIUS [RFC2865] and Diameter [RFC3588],
3036 provide a mechanism for the identification of AAA clients; since
3037 the EAP authenticator and AAA client are always co-resident, this
3038 mechanism is applicable to the identification of EAP
3041 When multiple base stations and a "controller" (such as a WLAN
3042 switch) comprise a single EAP authenticator, the "base station
3043 identity" is not relevant; the EAP method conversation takes place
3044 between the EAP peer and the EAP server. Also, many base stations
3045 can share the same authenticator identity. The authenticator
3046 identity is important in the AAA protocol exchange and the secure
3047 association protocol conversation.
3049 Authentication mechanisms MUST NOT employ plaintext passwords.
3050 Passwords may be used provided that they are not sent to another
3051 party without confidentiality protection.
3053 Keying material confidentiality and integrity
3055 While preserving algorithm independence, confidentiality and
3056 integrity of all keying material MUST be maintained.
3058 Conformance to these requirements is analyzed in the sections that
3063 Per-packet authentication and integrity protection provides
3064 protection against spoofing attacks.
3066 Diameter [RFC3588] provides support for per-packet authentication and
3067 integrity protection via use of IPsec or TLS. RADIUS/EAP [RFC3579]
3068 provides for per-packet authentication and integrity protection via
3069 use of the Message-Authenticator Attribute.
3071 [RFC3748] Section 7.2.1 describes the "integrity protection" security
3072 claim and [RFC4017] Section 2.2 requires EAP methods supporting this
3075 In order to prevent forgery of Secure Association Protocol frames,
3076 per-frame authentication and integrity protection is RECOMMENDED on
3077 all messages. IKEv2 [RFC4306] supports per-frame integrity
3082 Aboba, et al. Standards Track [Page 55]
3084 RFC 5247 EAP Key Management Framework August 2008
3087 protection and authentication, as does the Secure Association
3088 Protocol defined in [IEEE-802.16e]. [IEEE-802.11] supports per-frame
3089 integrity protection and authentication on all messages within the
3090 4-way handshake except the first message. An attack leveraging this
3091 omission is described in [Analysis].
3093 5.3.2. Impersonation
3095 Both RADIUS [RFC2865] and Diameter [RFC3588] implementations are
3096 potentially vulnerable to a rogue authenticator impersonating another
3097 authenticator. While both protocols support mutual authentication
3098 between the AAA client/authenticator and the backend authentication
3099 server, the security mechanisms vary.
3101 In RADIUS, the shared secret used for authentication is determined by
3102 the source address of the RADIUS packet. However, when RADIUS
3103 Access-Requests are forwarded by a proxy, the NAS-IP-Address,
3104 NAS-Identifier, or NAS-IPv6-Address attributes received by the RADIUS
3105 server will not correspond to the source address. As noted in
3106 [RFC3579] Section 4.3.7, if the first-hop proxy does not check the
3107 NAS identification attributes against the source address in the
3108 Access-Request packet, it is possible for a rogue authenticator to
3109 forge NAS-IP-Address [RFC2865], NAS-IPv6-Address [RFC3162], or
3110 NAS-Identifier [RFC2865] attributes in order to impersonate another
3111 authenticator; attributes such as the Called-Station-Id [RFC2865] and
3112 Calling-Station-Id [RFC2865] can be forged as well. Among other
3113 things, this can result in messages (and transported keying material)
3114 being sent to the wrong authenticator.
3116 While [RFC3588] requires use of the Route-Record AVP, this utilizes
3117 Fully Qualified Domain Names (FQDNs), so that impersonation detection
3118 requires DNS A, AAAA, and PTR Resource Records (RRs) to be properly
3119 configured. As a result, Diameter is as vulnerable to this attack as
3120 RADIUS, if not more so. [RFC3579] Section 4.3.7 recommends
3121 mechanisms for impersonation detection; to prevent access to keying
3122 material by proxies without a "need to know", it is necessary to
3123 allow the backend authentication server to communicate with the
3124 authenticator directly, such as via the redirect functionality
3125 supported in [RFC3588].
3127 5.3.3. Channel Binding
3129 It is possible for a compromised or poorly implemented EAP
3130 authenticator to communicate incorrect information to the EAP peer
3131 and/or server. This can enable an authenticator to impersonate
3132 another authenticator or communicate incorrect information via
3133 out-of-band mechanisms (such as via AAA or the lower layer).
3138 Aboba, et al. Standards Track [Page 56]
3140 RFC 5247 EAP Key Management Framework August 2008
3143 Where EAP is used in pass-through mode, the EAP peer does not verify
3144 the identity of the pass-through authenticator within the EAP
3145 conversation. Within the Secure Association Protocol, the EAP peer
3146 and authenticator only demonstrate mutual possession of the
3147 transported keying material; they do not mutually authenticate. This
3148 creates a potential security vulnerability, described in [RFC3748]
3151 As described in [RFC3579] Section 4.3.7, it is possible for a
3152 first-hop AAA proxy to detect a AAA client attempting to impersonate
3153 another authenticator. However, it is possible for a pass-through
3154 authenticator acting as a AAA client to provide correct information
3155 to the backend authentication server while communicating misleading
3156 information to the EAP peer via the lower layer.
3158 For example, a compromised authenticator can utilize another
3159 authenticator's Called-Station-Id or NAS-Identifier in communicating
3160 with the EAP peer via the lower layer. Also, a pass-through
3161 authenticator acting as a AAA client can provide an incorrect peer
3162 Calling-Station-Id [RFC2865] [RFC3580] to the backend authentication
3163 server via the AAA protocol.
3165 As noted in [RFC3748] Section 7.15, this vulnerability can be
3166 addressed by EAP methods that support a protected exchange of channel
3167 properties such as endpoint identifiers, including (but not limited
3168 to): Called-Station-Id [RFC2865] [RFC3580], Calling-Station-Id
3169 [RFC2865] [RFC3580], NAS-Identifier [RFC2865], NAS-IP-Address
3170 [RFC2865], and NAS-IPv6-Address [RFC3162].
3172 Using such a protected exchange, it is possible to match the channel
3173 properties provided by the authenticator via out-of-band mechanisms
3174 against those exchanged within the EAP method. Typically, the EAP
3175 method imports channel binding parameters from the lower layer on the
3176 peer, and transmits them securely to the EAP server, which exports
3177 them to the lower layer or AAA layer. However, transport can occur
3178 from EAP server to peer, or can be bi-directional. On the side of
3179 the exchange (peer or server) where channel binding is verified, the
3180 lower layer or AAA layer passes the result of the verification (TRUE
3181 or FALSE) up to the EAP method. While the verification can be done
3182 either by the peer or the server, typically only the server has the
3183 knowledge to determine the correctness of the values, as opposed to
3184 merely verifying their equality. For further discussion, see
3187 It is also possible to perform channel binding without transporting
3188 data over EAP, as described in [EAP-CHANNEL]. In this approach the
3189 EAP method includes channel binding parameters in the calculation of
3190 exported EAP keying material, making it impossible for the peer and
3194 Aboba, et al. Standards Track [Page 57]
3196 RFC 5247 EAP Key Management Framework August 2008
3199 authenticator to complete the Secure Association Protocol if there is
3200 a mismatch in the channel binding parameters. However, this approach
3201 can only be applied where methods generating EAP keying material are
3202 used along with lower layers that utilize EAP keying material. For
3203 example, this mechanism would not enable verification of channel
3204 binding on wired IEEE 802 networks using [IEEE-802.1X].
3206 5.3.4. Mutual Authentication
3208 [RFC3748] Section 7.2.1 describes the "mutual authentication" and
3209 "dictionary attack resistance" claims, and [RFC4017] requires EAP
3210 methods satisfying these claims. EAP methods complying with
3211 [RFC4017] therefore provide for mutual authentication between the EAP
3214 [RFC3748] Section 7.2.1 also describes the "Cryptographic binding"
3215 security claim, and [RFC4017] Section 2.2 requires support for this
3216 claim. As described in [EAP-BINDING], EAP method sequences and
3217 compound authentication mechanisms can be subject to
3218 man-in-the-middle attacks. When such attacks are successfully
3219 carried out, the attacker acts as an intermediary between a victim
3220 and a legitimate authenticator. This allows the attacker to
3221 authenticate successfully to the authenticator, as well as to obtain
3222 access to the network.
3224 In order to prevent these attacks, [EAP-BINDING] recommends
3225 derivation of a compound key by which the EAP peer and server can
3226 prove that they have participated in the entire EAP exchange. Since
3227 the compound key MUST NOT be known to an attacker posing as an
3228 authenticator, and yet must be derived from EAP keying material, it
3229 MAY be desirable to derive the compound key from a portion of the
3230 EMSK. Where this is done, in order to provide proper key hygiene, it
3231 is RECOMMENDED that the compound key used for man-in-the-middle
3232 protection be cryptographically separate from other keys derived from
3235 Diameter [RFC3588] provides for per-packet authentication and
3236 integrity protection via IPsec or TLS, and RADIUS/EAP [RFC3579] also
3237 provides for per-packet authentication and integrity protection.
3238 Where the authenticator/AAA client and backend authentication server
3239 communicate directly and credible key wrap is used (see Section 3.8),
3240 this ensures that the AAA Key Transport (phase 1b) achieves its
3241 security objectives: mutually authenticating the AAA
3242 client/authenticator and backend authentication server and providing
3243 transported keying material to the EAP authenticator and to no other
3250 Aboba, et al. Standards Track [Page 58]
3252 RFC 5247 EAP Key Management Framework August 2008
3255 [RFC2607] Section 7 describes the security issues occurring when the
3256 authenticator/AAA client and backend authentication server do not
3257 communicate directly. Where a AAA intermediary is present (such as a
3258 RADIUS proxy or a Diameter agent), and data object security is not
3259 used, transported keying material can be recovered by an attacker in
3260 control of the intermediary. As discussed in Section 2.1, unless the
3261 TSKs are derived independently from EAP keying material (as in
3262 IKEv2), possession of transported keying material enables decryption
3263 of data traffic sent between the peer and the authenticator to whom
3264 the keying material was transported. It also allows the AAA
3265 intermediary to impersonate the authenticator or the peer. Since the
3266 peer does not authenticate to a AAA intermediary, it has no ability
3267 to determine whether it is authentic or authorized to obtain keying
3270 However, as long as transported keying material or keys derived from
3271 it are only utilized by a single authenticator, compromise of the
3272 transported keying material does not enable an attacker to
3273 impersonate the peer to another authenticator. Vulnerability to
3274 compromise of a AAA intermediary can be mitigated by implementation
3275 of redirect functionality, as described in [RFC3588] and [RFC4072].
3277 The Secure Association Protocol does not provide for mutual
3278 authentication between the EAP peer and authenticator, only mutual
3279 proof of possession of transported keying material. In order for the
3280 peer to verify the identity of the authenticator, mutual proof of
3281 possession needs to be combined with impersonation prevention and
3282 channel binding. Impersonation prevention (described in Section
3283 5.3.2) enables the backend authentication server to determine that
3284 the transported keying material has been provided to the correct
3285 authenticator. When utilized along with impersonation prevention,
3286 channel binding (described in Section 5.3.3) enables the EAP peer to
3287 verify that the EAP server has authorized the authenticator to
3288 possess the transported keying material. Completion of the Secure
3289 Association Protocol exchange demonstrates that the EAP peer and the
3290 authenticator possess the transported keying material.
3294 Mandatory requirement from [RFC4962] Section 3:
3296 Bind key to its context
3298 Keying material MUST be bound to the appropriate context. The
3299 context includes the following:
3301 o The manner in which the keying material is expected to be used.
3306 Aboba, et al. Standards Track [Page 59]
3308 RFC 5247 EAP Key Management Framework August 2008
3311 o The other parties that are expected to have access to the
3314 o The expected lifetime of the keying material. Lifetime of a
3315 child key SHOULD NOT be greater than the lifetime of its parent
3316 in the key hierarchy.
3318 Any party with legitimate access to keying material can determine
3319 its context. In addition, the protocol MUST ensure that all
3320 parties with legitimate access to keying material have the same
3321 context for the keying material. This requires that the parties
3322 are properly identified and authenticated, so that all of the
3323 parties that have access to the keying material can be determined.
3325 The context will include the peer and NAS identities in more than
3326 one form. One (or more) name form is needed to identify these
3327 parties in the authentication exchange and the AAA protocol.
3328 Another name form may be needed to identify these parties within
3329 the lower layer that will employ the session key.
3331 Within EAP, exported keying material (MSK, EMSK,IV) is bound to the
3332 Peer-Id(s) and Server-Id(s), which are exported along with the keying
3333 material. However, not all EAP methods support authenticated server
3334 identities (see Appendix A).
3336 Within the AAA protocol, transported keying material is destined for
3337 the EAP authenticator identified by the NAS-Identifier Attribute
3338 within the request, and is for use by the EAP peer identified by the
3339 Peer-Id(s), User-Name [RFC2865], or Chargeable User Identity (CUI)
3340 [RFC4372] attributes. The maximum lifetime of the transported keying
3341 material can be provided, as discussed in Section 3.5.1. Key usage
3342 restrictions can also be included as described in Section 3.2. Key
3343 lifetime issues are discussed in Sections 3.3, 3.4, and 3.5.
3347 Requirement: The Secure Association Protocol (phase 2) conversation
3348 may utilize different identifiers from the EAP conversation (phase
3349 1a), so that binding between the EAP and Secure Association Protocol
3350 identities is REQUIRED.
3352 Mandatory requirement from [RFC4962] Section 3:
3354 Peer and authenticator authorization
3356 Peer and authenticator authorization MUST be performed. These
3357 entities MUST demonstrate possession of the appropriate keying
3358 material, without disclosing it. Authorization is REQUIRED
3362 Aboba, et al. Standards Track [Page 60]
3364 RFC 5247 EAP Key Management Framework August 2008
3367 whenever a peer associates with a new authenticator. The
3368 authorization checking prevents an elevation of privilege attack,
3369 and it ensures that an unauthorized authenticator is detected.
3371 Authorizations SHOULD be synchronized between the peer, NAS, and
3372 backend authentication server. Once the AAA key management
3373 protocol exchanges are complete, all of these parties should hold
3374 a common view of the authorizations associated with the other
3377 In addition to authenticating all parties, key management
3378 protocols need to demonstrate that the parties are authorized to
3379 possess keying material. Note that proof of possession of keying
3380 material does not necessarily prove authorization to hold that
3381 keying material. For example, within an IEEE 802.11, the 4-way
3382 handshake demonstrates that both the peer and authenticator
3383 possess the same EAP keying material. However, by itself, this
3384 possession proof does not demonstrate that the authenticator was
3385 authorized by the backend authentication server to possess that
3386 keying material. As noted in [RFC3579] in Section 4.3.7, where
3387 AAA proxies are present, it is possible for one authenticator to
3388 impersonate another, unless each link in the AAA chain implements
3389 checks against impersonation. Even with these checks in place, an
3390 authenticator may still claim different identities to the peer and
3391 the backend authentication server. As described in [RFC3748]
3392 Section 7.15, channel binding is required to enable the peer to
3393 verify that the authenticator claim of identity is both consistent
3396 Recommendation from [RFC4962] Section 3:
3398 Authorization restriction
3400 If peer authorization is restricted, then the peer SHOULD be made
3401 aware of the restriction. Otherwise, the peer may inadvertently
3402 attempt to circumvent the restriction. For example, authorization
3403 restrictions in an IEEE 802.11 environment include:
3405 o Key lifetimes, where the keying material can only be used for a
3406 certain period of time;
3408 o SSID restrictions, where the keying material can only be used
3409 with a specific IEEE 802.11 SSID;
3411 o Called-Station-ID restrictions, where the keying material can
3412 only be used with a single IEEE 802.11 BSSID; and
3418 Aboba, et al. Standards Track [Page 61]
3420 RFC 5247 EAP Key Management Framework August 2008
3423 o Calling-Station-ID restrictions, where the keying material can
3424 only be used with a single peer IEEE 802 MAC address.
3426 As described in Section 2.3, consistent identification of the EAP
3427 authenticator enables the EAP peer to determine the scope of keying
3428 material provided to an authenticator, as well as to confirm with the
3429 backend authentication server that an EAP authenticator proving
3430 possession of EAP keying material during the Secure Association
3431 Protocol was authorized to obtain it.
3433 Within the AAA protocol, the authorization attributes are bound to
3434 the transported keying material. While the AAA exchange provides the
3435 AAA client/authenticator with authorizations relating to the EAP
3436 peer, neither the EAP nor AAA exchanges provide authorizations to the
3437 EAP peer. In order to ensure that all parties hold the same view of
3438 the authorizations, it is RECOMMENDED that the Secure Association
3439 Protocol enable communication of authorizations between the EAP
3440 authenticator and peer.
3442 In lower layers where the authenticator consistently identifies
3443 itself to the peer and backend authentication server and the EAP peer
3444 completes the Secure Association Protocol exchange with the same
3445 authenticator through which it completed the EAP conversation,
3446 authorization of the authenticator is demonstrated to the peer by
3447 mutual authentication between the peer and authenticator as discussed
3448 in the previous section. Identification issues are discussed in
3449 Sections 2.3, 2.4, and 2.5 and key scope issues are discussed in
3452 Where the EAP peer utilizes different identifiers within the EAP
3453 method and Secure Association Protocol conversations, peer
3454 authorization can be difficult to demonstrate to the authenticator
3455 without additional restrictions. This problem does not exist in
3456 IKEv2 where the Identity Payload is used for peer identification both
3457 within IKEv2 and EAP, and where the EAP conversation is
3458 cryptographically protected within IKEv2 binding the EAP and IKEv2
3459 exchanges. However, within [IEEE-802.11], the EAP peer identity is
3460 not used within the 4-way handshake, so that it is necessary for the
3461 authenticator to require that the EAP peer utilize the same MAC
3462 address for EAP authentication as for the 4-way handshake.
3474 Aboba, et al. Standards Track [Page 62]
3476 RFC 5247 EAP Key Management Framework August 2008
3479 5.6. Replay Protection
3481 Mandatory requirement from [RFC4962] Section 3:
3483 Replay detection mechanism
3485 The AAA key management protocol exchanges MUST be replay
3486 protected, including AAA, EAP and Secure Association Protocol
3487 exchanges. Replay protection allows a protocol message recipient
3488 to discard any message that was recorded during a previous
3489 legitimate dialogue and presented as though it belonged to the
3492 [RFC3748] Section 7.2.1 describes the "replay protection" security
3493 claim, and [RFC4017] Section 2.2 requires use of EAP methods
3494 supporting this claim.
3496 Diameter [RFC3588] provides support for replay protection via use of
3497 IPsec or TLS. "RADIUS Support for EAP" [RFC3579] protects against
3498 replay of keying material via the Request Authenticator. According
3499 to [RFC2865] Section 3:
3501 In Access-Request Packets, the Authenticator value is a 16 octet
3502 random number, called the Request Authenticator.
3504 However, some RADIUS packets are not replay protected. In
3505 Accounting, Disconnect, and Care-of Address (CoA)-Request packets,
3506 the Request Authenticator contains a keyed Message Integrity Code
3507 (MIC) rather than a nonce. The Response Authenticator in Accounting,
3508 Disconnect, and CoA-Response packets also contains a keyed MIC whose
3509 calculation does not depend on a nonce in either the Request or
3510 Response packets. Therefore, unless an Event-Timestamp attribute is
3511 included or IPsec is used, it is possible that the recipient will not
3512 be able to determine whether these packets have been replayed. This
3513 issue is discussed further in [RFC5176] Section 6.3.
3515 In order to prevent replay of Secure Association Protocol frames,
3516 replay protection is REQUIRED on all messages. [IEEE-802.11]
3517 supports replay protection on all messages within the 4-way
3518 handshake; IKEv2 [RFC4306] also supports this.
3530 Aboba, et al. Standards Track [Page 63]
3532 RFC 5247 EAP Key Management Framework August 2008
3537 Requirement: A session key SHOULD be considered compromised if it
3538 remains in use beyond its authorized lifetime. Mandatory requirement
3539 from [RFC4962] Section 3:
3541 Strong, fresh session keys
3543 While preserving algorithm independence, session keys MUST be
3544 strong and fresh. Each session deserves an independent session
3545 key. Fresh keys are required even when a long replay counter
3546 (that is, one that "will never wrap") is used to ensure that loss
3547 of state does not cause the same counter value to be used more
3548 than once with the same session key.
3550 Some EAP methods are capable of deriving keys of varying strength,
3551 and these EAP methods MUST permit the generation of keys meeting a
3552 minimum equivalent key strength. BCP 86 [RFC3766] offers advice
3553 on appropriate key sizes. The National Institute for Standards
3554 and Technology (NIST) also offers advice on appropriate key sizes
3557 A fresh cryptographic key is one that is generated specifically
3558 for the intended use. In this situation, a secure association
3559 protocol is used to establish session keys. The AAA protocol and
3560 EAP method MUST ensure that the keying material supplied as an
3561 input to session key derivation is fresh, and the secure
3562 association protocol MUST generate a separate session key for each
3563 session, even if the keying material provided by EAP is cached. A
3564 cached key persists after the authentication exchange has
3565 completed. For the AAA/EAP server, key caching can happen when
3566 state is kept on the server. For the NAS or client, key caching
3567 can happen when the NAS or client does not destroy keying material
3568 immediately following the derivation of session keys.
3570 Session keys MUST NOT be dependent on one another. Multiple
3571 session keys may be derived from a higher-level shared secret as
3572 long as a one-time value, usually called a nonce, is used to
3573 ensure that each session key is fresh. The mechanism used to
3574 generate session keys MUST ensure that the disclosure of one
3575 session key does not aid the attacker in discovering any other
3578 EAP, AAA, and the lower layer each bear responsibility for ensuring
3579 the use of fresh, strong session keys. EAP methods need to ensure
3580 the freshness and strength of EAP keying material provided as an
3581 input to session key derivation. [RFC3748] Section 7.10 states:
3586 Aboba, et al. Standards Track [Page 64]
3588 RFC 5247 EAP Key Management Framework August 2008
3591 EAP methods SHOULD ensure the freshness of the MSK and EMSK, even
3592 in cases where one party may not have a high quality random number
3593 generator. A RECOMMENDED method is for each party to provide a
3594 nonce of at least 128 bits, used in the derivation of the MSK and
3597 The contribution of nonces enables the EAP peer and server to ensure
3598 that exported EAP keying material is fresh.
3600 [RFC3748] Section 7.2.1 describes the "key strength" and "session
3601 independence" security claims, and [RFC4017] requires EAP methods
3602 supporting these claims as well as methods capable of providing
3603 equivalent key strength of 128 bits or greater. See Section 3.7 for
3604 more information on key strength.
3606 The AAA protocol needs to ensure that transported keying material is
3607 fresh and is not utilized outside its recommended lifetime. Replay
3608 protection is necessary for key freshness, but an attacker can
3609 deliver a stale (and therefore potentially compromised) key in a
3610 replay-protected message, so replay protection is not sufficient. As
3611 discussed in Section 3.5, the Session-Timeout Attribute enables the
3612 backend authentication server to limit the exposure of transported
3615 The EAP Session-Id, described in Section 1.4, enables the EAP peer,
3616 authenticator, and server to distinguish EAP conversations. However,
3617 unless the authenticator keeps track of EAP Session-Ids, the
3618 authenticator cannot use the Session-Id to guarantee the freshness of
3621 The Secure Association Protocol, described in Section 3.1, MUST
3622 generate a fresh session key for each session, even if the EAP keying
3623 material and parameters provided by methods are cached, or either the
3624 peer or authenticator lack a high entropy random number generator. A
3625 RECOMMENDED method is for the peer and authenticator to each provide
3626 a nonce or counter used in session key derivation. If a nonce is
3627 used, it is RECOMMENDED that it be at least 128 bits. While
3628 [IEEE-802.11] and IKEv2 [RFC4306] satisfy this requirement,
3629 [IEEE-802.16e] does not, since randomness is only contributed from
3642 Aboba, et al. Standards Track [Page 65]
3644 RFC 5247 EAP Key Management Framework August 2008
3647 5.8. Key Scope Limitation
3649 Mandatory requirement from [RFC4962] Section 3:
3653 Following the principle of least privilege, parties MUST NOT have
3654 access to keying material that is not needed to perform their
3655 role. A party has access to a particular key if it has access to
3656 all of the secret information needed to derive it.
3658 Any protocol that is used to establish session keys MUST specify
3659 the scope for session keys, clearly identifying the parties to
3660 whom the session key is available.
3662 Transported keying material is permitted to be accessed by the EAP
3663 peer, authenticator and server. The EAP peer and server derive EAP
3664 keying material during the process of mutually authenticating each
3665 other using the selected EAP method. During the Secure Association
3666 Protocol exchange, the EAP peer utilizes keying material to
3667 demonstrate to the authenticator that it is the same party that
3668 authenticated to the EAP server and was authorized by it. The EAP
3669 authenticator utilizes the transported keying material to prove to
3670 the peer not only that the EAP conversation was transported through
3671 it (this could be demonstrated by a man-in-the-middle), but that it
3672 was uniquely authorized by the EAP server to provide the peer with
3673 access to the network. Unique authorization can only be demonstrated
3674 if the EAP authenticator does not share the transported keying
3675 material with a party other than the EAP peer and server. TSKs are
3676 permitted to be accessed only by the EAP peer and authenticator (see
3677 Section 1.5); TSK derivation is discussed in Section 2.1. Since
3678 demonstration of authorization within the Secure Association Protocol
3679 exchange depends on possession of transported keying material, the
3680 backend authentication server can obtain TSKs unless it deletes the
3681 transported keying material after sending it.
3685 Mandatory requirement from [RFC4962] Section 3:
3689 AAA key management proposals require a robust key naming scheme,
3690 particularly where key caching is supported. The key name
3691 provides a way to refer to a key in a protocol so that it is clear
3692 to all parties which key is being referenced. Objects that cannot
3693 be named cannot be managed. All keys MUST be uniquely named, and
3694 the key name MUST NOT directly or indirectly disclose the keying
3698 Aboba, et al. Standards Track [Page 66]
3700 RFC 5247 EAP Key Management Framework August 2008
3703 material. If the key name is not based on the keying material,
3704 then one can be sure that it cannot be used to assist in a search
3707 EAP key names (defined in Section 1.4.1), along with the Peer-Id(s)
3708 and Server-Id(s), uniquely identify EAP keying material, and do not
3709 directly or indirectly expose EAP keying material.
3711 Existing AAA server implementations do not distribute key names along
3712 with the transported keying material. However, Diameter EAP
3713 [RFC4072] Section 4.1.4 defines the EAP-Key-Name AVP for the purpose
3714 of transporting the EAP Session-Id. Since the EAP-Key-Name AVP is
3715 defined within the RADIUS attribute space, it can be used either with
3718 Since the authenticator is not provided with the name of the
3719 transported keying material by existing backend authentication server
3720 implementations, existing Secure Association Protocols do not utilize
3721 EAP key names. For example, [IEEE-802.11] supports PMK caching; to
3722 enable the peer and authenticator to determine the cached PMK to
3723 utilize within the 4-way handshake, the PMK needs to be named. For
3724 this purpose, [IEEE-802.11] utilizes a PMK naming scheme that is
3725 based on the key. Since IKEv2 [RFC4306] does not cache transported
3726 keying material, it does not need to refer to transported keying
3729 5.10. Denial-of-Service Attacks
3731 Key caching can result in vulnerability to denial-of-service attacks.
3732 For example, EAP methods that create persistent state can be
3733 vulnerable to denial-of-service attacks on the EAP server by a rogue
3736 To address this vulnerability, EAP methods creating persistent state
3737 can limit the persistent state created by an EAP peer. For example,
3738 for each peer an EAP server can choose to limit persistent state to a
3739 few EAP conversations, distinguished by the EAP Session-Id. This
3740 prevents a rogue peer from denying access to other peers.
3742 Similarly, to conserve resources an authenticator can choose to limit
3743 the persistent state corresponding to each peer. This can be
3744 accomplished by limiting each peer to persistent state corresponding
3745 to a few EAP conversations, distinguished by the EAP Session-Id.
3747 Whether creation of new TSKs implies deletion of previously derived
3748 TSKs depends on the EAP lower layer. Where there is no implied
3749 deletion, the authenticator can choose to limit the number of TSKs
3750 and associated state that can be stored for each peer.
3754 Aboba, et al. Standards Track [Page 67]
3756 RFC 5247 EAP Key Management Framework August 2008
3761 6.1. Normative References
3763 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
3764 Requirement Levels", BCP 14, RFC 2119, March 1997.
3766 [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
3767 H. Levkowetz, Ed., "Extensible Authentication Protocol
3768 (EAP)", RFC 3748, June 2004.
3770 [RFC4962] Housley, R. and B. Aboba, "Guidance for
3771 Authentication, Authorization, and Accounting (AAA)
3772 Key Management", BCP 132, RFC 4962, July 2007.
3774 6.2. Informative References
3776 [8021XPreAuth] Pack, S. and Y. Choi, "Pre-Authenticated Fast Handoff
3777 in a Public Wireless LAN Based on IEEE 802.1x Model",
3778 Proceedings of the IFIP TC6/WG6.8 Working Conference
3779 on Personal Wireless Communications, p.175-182,
3780 October 23-25, 2002.
3782 [Analysis] He, C. and J. Mitchell, "Analysis of the 802.11i 4-Way
3783 Handshake", Proceedings of the 2004 ACM Workshop on
3784 Wireless Security, pp. 43-50, ISBN: 1-58113-925-X.
3786 [Bargh] Bargh, M., Hulsebosch, R., Eertink, E., Prasad, A.,
3787 Wang, H. and P. Schoo, "Fast Authentication Methods
3788 for Handovers between IEEE 802.11 Wireless LANs",
3789 Proceedings of the 2nd ACM international workshop on
3790 Wireless mobile applications and services on WLAN
3791 hotspots, October, 2004.
3793 [GKDP] Dondeti, L., Xiang, J., and S. Rowles, "GKDP: Group
3794 Key Distribution Protocol", Work in Progress, March
3797 [He] He, C., Sundararajan, M., Datta, A. Derek, A. and J.
3798 C. Mitchell, "A Modular Correctness Proof of TLS and
3799 IEEE 802.11i", ACM Conference on Computer and
3800 Communications Security (CCS '05), November, 2005.
3810 Aboba, et al. Standards Track [Page 68]
3812 RFC 5247 EAP Key Management Framework August 2008
3815 [IEEE-802.11] Institute of Electrical and Electronics Engineers,
3816 "Information technology - Telecommunications and
3817 information exchange between systems - Local and
3818 metropolitan area networks - Specific Requirements
3819 Part 11: Wireless LAN Medium Access Control (MAC) and
3820 Physical Layer (PHY) Specifications", IEEE Standard
3823 [IEEE-802.1X] Institute of Electrical and Electronics Engineers,
3824 "Local and Metropolitan Area Networks: Port-Based
3825 Network Access Control", IEEE Standard 802.1X-2004,
3828 [IEEE-802.1Q] IEEE Standards for Local and Metropolitan Area
3829 Networks: Draft Standard for Virtual Bridged Local
3830 Area Networks, P802.1Q-2003, January 2003.
3832 [IEEE-802.11i] Institute of Electrical and Electronics Engineers,
3833 "Supplement to Standard for Telecommunications and
3834 Information Exchange Between Systems - LAN/MAN
3835 Specific Requirements - Part 11: Wireless LAN Medium
3836 Access Control (MAC) and Physical Layer (PHY)
3837 Specifications: Specification for Enhanced Security",
3838 IEEE 802.11i/D1, 2001.
3840 [IEEE-802.11F] Institute of Electrical and Electronics Engineers,
3841 "Recommended Practice for Multi-Vendor Access Point
3842 Interoperability via an Inter-Access Point Protocol
3843 Across Distribution Systems Supporting IEEE 802.11
3844 Operation", IEEE 802.11F, July 2003 (now deprecated).
3846 [IEEE-802.16e] Institute of Electrical and Electronics Engineers,
3847 "IEEE Standard for Local and Metropolitan Area
3848 Networks: Part 16: Air Interface for Fixed and Mobile
3849 Broadband Wireless Access Systems: Amendment for
3850 Physical and Medium Access Control Layers for Combined
3851 Fixed and Mobile Operations in Licensed Bands" IEEE
3852 802.16e, August 2005.
3854 [IEEE-03-084] Mishra, A., Shin, M., Arbaugh, W., Lee, I. and K.
3855 Jang, "Proactive Key Distribution to support fast and
3856 secure roaming", IEEE 802.11 Working Group, IEEE-03-
3857 084r1-I, http://www.ieee802.org/11/Documents/
3858 DocumentHolder/3-084.zip, January 2003.
3866 Aboba, et al. Standards Track [Page 69]
3868 RFC 5247 EAP Key Management Framework August 2008
3871 [EAP-SERVICE] Arkko, J. and P. Eronen, "Authenticated Service
3872 Information for the Extensible Authentication Protocol
3873 (EAP)", Work in Progress, October 2005.
3875 [SHORT-TERM] Friedman, A., Sheffer, Y., and A. Shaqed, "Short-Term
3876 Certificates", Work in Progress, June 2007.
3878 [HANDOFF] Arbaugh, W. and B. Aboba, "Handoff Extension to
3879 RADIUS", Work in Progress, October 2003.
3881 [EAP-CHANNEL] Ohba, Y., Parthasrathy, M., and M. Yanagiya, "Channel
3882 Binding Mechanism Based on Parameter Binding in Key
3883 Derivation", Work in Progress, June 2007.
3885 [EAP-BINDING] Puthenkulam, J., Lortz, V., Palekar, A., and D. Simon,
3886 "The Compound Authentication Binding Problem", Work in
3887 Progress, October 2003.
3889 [MD5Collision] Klima, V., "Tunnels in Hash Functions: MD5 Collisions
3890 Within a Minute", Cryptology ePrint Archive, March
3891 2006, http://eprint.iacr.org/2006/105.pdf
3893 [MishraPro] Mishra, A., Shin, M. and W. Arbaugh, "Pro-active Key
3894 Distribution using Neighbor Graphs", IEEE Wireless
3895 Communications, vol. 11, February 2004.
3897 [RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)",
3898 STD 51, RFC 1661, July 1994.
3900 [RFC1968] Meyer, G., "The PPP Encryption Control Protocol
3901 (ECP)", RFC 1968, June 1996.
3903 [RFC2230] Atkinson, R., "Key Exchange Delegation Record for the
3904 DNS", RFC 2230, November 1997.
3906 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
3907 (IKE)", RFC 2409, November 1998.
3909 [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone,
3910 D., and R. Wheeler, "A Method for Transmitting PPP
3911 Over Ethernet (PPPoE)", RFC 2516, February 1999.
3913 [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS
3914 Attributes", RFC 2548, March 1999.
3916 [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and
3917 Policy Implementation in Roaming", RFC 2607, June
3922 Aboba, et al. Standards Track [Page 70]
3924 RFC 5247 EAP Key Management Framework August 2008
3927 [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication
3928 Protocol", RFC 2716, October 1999.
3930 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR
3931 for specifying the location of services (DNS SRV)",
3932 RFC 2782, February 2000.
3934 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
3935 Wellington, "Secret Key Transaction Authentication for
3936 DNS (TSIG)", RFC 2845, May 2000.
3938 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
3939 "Remote Authentication Dial In User Service (RADIUS)",
3940 RFC 2865, June 2000.
3942 [RFC3007] Wellington, B., "Secure Domain Name System (DNS)
3943 Dynamic Update", RFC 3007, November 2000.
3945 [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
3946 RFC 3162, August 2001.
3948 [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney,
3949 "The Group Domain of Interpretation", RFC 3547, July
3952 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote
3953 Authentication Dial In User Service) Support For
3954 Extensible Authentication Protocol (EAP)", RFC 3579,
3957 [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.
3958 Roese, "IEEE 802.1X Remote Authentication Dial In User
3959 Service (RADIUS) Usage Guidelines", RFC 3580,
3962 [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and
3963 J. Arkko, "Diameter Base Protocol", RFC 3588,
3966 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
3967 Public Keys Used For Exchanging Symmetric Keys", BCP
3968 86, RFC 3766, April 2004.
3970 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and
3971 K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC
3978 Aboba, et al. Standards Track [Page 71]
3980 RFC 5247 EAP Key Management Framework August 2008
3983 [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
3984 "Diameter Network Access Server Application", RFC
3987 [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
3988 Authentication Protocol (EAP) Method Requirements for
3989 Wireless LANs", RFC 4017, March 2005.
3991 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and
3992 S. Rose, "DNS Security Introduction and Requirements",
3993 RFC 4033, March 2005.
3995 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and
3996 S. Rose, "Protocol Modifications for the DNS Security
3997 Extensions", RFC 4035, March 2005.
3999 [RFC4067] Loughney, J., Ed., Nakhjiri, M., Perkins, C., and R.
4000 Koodli, "Context Transfer Protocol (CXTP)", RFC 4067,
4003 [RFC4072] Eronen, P., Ed., Hiller, T., and G. Zorn, "Diameter
4004 Extensible Authentication Protocol (EAP) Application",
4005 RFC 4072, August 2005.
4007 [RFC4118] Yang, L., Zerfos, P., and E. Sadot, "Architecture
4008 Taxonomy for Control and Provisioning of Wireless
4009 Access Points (CAPWAP)", RFC 4118, June 2005.
4011 [RFC4186] Haverinen, H., Ed., and J. Salowey, Ed., "Extensible
4012 Authentication Protocol Method for Global System for
4013 Mobile Communications (GSM) Subscriber Identity
4014 Modules (EAP-SIM)", RFC 4186, January 2006.
4016 [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
4017 Protocol Method for 3rd Generation Authentication and
4018 Key Agreement (EAP-AKA)", RFC 4187, January 2006.
4020 [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
4021 Network Access Identifier", RFC 4282, December 2005.
4023 [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen,
4024 "Identity Selection Hints for the Extensible
4025 Authentication Protocol (EAP)", RFC 4284, January
4028 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
4029 Internet Protocol", RFC 4301, December 2005.
4034 Aboba, et al. Standards Track [Page 72]
4036 RFC 5247 EAP Key Management Framework August 2008
4039 [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
4040 Protocol", RFC 4306, December 2005.
4042 [RFC4372] Adrangi, F., Lior, A., Korhonen, J., and J. Loughney,
4043 "Chargeable User Identity", RFC 4372, January 2006.
4045 [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
4046 Attributes Supporting Authentication in Point-to-Point
4047 Protocol (PPP) and Wireless Local Area Networks
4048 (WLAN)", RFC 4334, February 2006.
4050 [RFC4535] Harney, H., Meth, U., Colegrove, A., and G. Gross,
4051 "GSAKMP: Group Secure Association Key Management
4052 Protocol", RFC 4535, June 2006.
4054 [RFC4763] Vanderveen, M. and H. Soliman, "Extensible
4055 Authentication Protocol Method for Shared-secret
4056 Authentication and Key Establishment (EAP-SAKE)", RFC
4057 4763, November 2006.
4059 [RFC4675] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS
4060 Attributes for Virtual LAN and Priority Support", RFC
4061 4675, September 2006.
4063 [RFC4718] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and
4064 Implementation Guidelines", RFC 4718, October 2006.
4066 [RFC4764] Bersani, F. and H. Tschofenig, "The EAP-PSK Protocol:
4067 A Pre-Shared Key Extensible Authentication Protocol
4068 (EAP) Method", RFC 4764, January 2007.
4070 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
4071 Aboba, "Dynamic Authorization Extensions to Remote
4072 Authentication Dial In User Service (RADIUS)", RFC
4075 [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
4076 Authentication Protocol", RFC 5216, March 2008.
4078 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
4079 Security (TLS) Protocol Version 1.2", RFC 5246, August
4082 [SP800-57] National Institute of Standards and Technology,
4083 "Recommendation for Key Management", Special
4084 Publication 800-57, May 2006.
4090 Aboba, et al. Standards Track [Page 73]
4092 RFC 5247 EAP Key Management Framework August 2008
4095 [Token] Fantacci, R., Maccari, L., Pecorella, T., and F.
4096 Frosali, "A secure and performant token-based
4097 authentication for infrastructure and mesh 802.1X
4098 networks", IEEE Conference on Computer Communications,
4101 [Tokenk] Ohba, Y., Das, S., and A. Duttak, "Kerberized Handover
4102 Keying: A Media-Independent Handover Key Management
4103 Architecture", Mobiarch 2007.
4107 Thanks to Ashwin Palekar, Charlie Kaufman, and Tim Moore of
4108 Microsoft, Jari Arkko of Ericsson, Dorothy Stanley of Aruba Networks,
4109 Bob Moskowitz of TruSecure, Jesse Walker of Intel, Joe Salowey of
4110 Cisco, and Russ Housley of Vigil Security for useful feedback.
4146 Aboba, et al. Standards Track [Page 74]
4148 RFC 5247 EAP Key Management Framework August 2008
4151 Appendix A - Exported Parameters in Existing Methods
4153 This Appendix specifies Session-Id, Peer-Id, Server-Id and
4154 Key-Lifetime for EAP methods that have been published prior to this
4155 specification. Future EAP method specifications MUST include a
4156 definition of the Session-Id, Peer-Id and Server-Id (could be the
4157 null string). In the descriptions that follow, all fields comprising
4158 the Session-Id are assumed to be in network byte order.
4162 The EAP-Identity method is defined in [RFC3748]. It does not
4163 derive keys, and therefore does not define the Session-Id. The
4164 Peer-Id and Server-Id are the null string (zero length).
4168 The EAP-Notification method is defined in [RFC3748]. It does not
4169 derive keys and therefore does not define the Session-Id. The
4170 Peer-Id and Server-Id are the null string (zero length).
4174 The EAP-MD5-Challenge method is defined in [RFC3748]. It does not
4175 derive keys and therefore does not define the Session-Id. The
4176 Peer-Id and Server-Id are the null string (zero length).
4180 The EAP-GTC method is defined in [RFC3748]. It does not derive
4181 keys and therefore does not define the Session-Id. The Peer-Id
4182 and Server-Id are the null string (zero length).
4186 The EAP-OTP method is defined in [RFC3748]. It does not derive
4187 keys and therefore does not define the Session-Id. The Peer-Id
4188 and Server-Id are the null string (zero length).
4202 Aboba, et al. Standards Track [Page 75]
4204 RFC 5247 EAP Key Management Framework August 2008
4209 EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the
4210 concatenation of the EAP Type Code (0x17) with the contents of the
4211 RAND field from the AT_RAND attribute, followed by the contents of
4212 the AUTN field in the AT_AUTN attribute:
4214 Session-Id = 0x17 || RAND || AUTN
4216 The Peer-Id is the contents of the Identity field from the
4217 AT_IDENTITY attribute, using only the Actual Identity Length
4218 octets from the beginning, however. Note that the contents are
4219 used as they are transmitted, regardless of whether the
4220 transmitted identity was a permanent, pseudonym, or fast EAP
4221 re-authentication identity. The Server-Id is the null string
4226 EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the
4227 concatenation of the EAP Type Code (0x12) with the contents of the
4228 RAND field from the AT_RAND attribute, followed by the contents of
4229 the NONCE_MT field in the AT_NONCE_MT attribute:
4231 Session-Id = 0x12 || RAND || NONCE_MT
4233 The Peer-Id is the contents of the Identity field from the
4234 AT_IDENTITY attribute, using only the Actual Identity Length
4235 octets from the beginning, however. Note that the contents are
4236 used as they are transmitted, regardless of whether the
4237 transmitted identity was a permanent, pseudonym, or fast EAP
4238 re-authentication identity. The Server-Id is the null string
4243 EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the
4244 concatenation of the EAP Type Code (0x2F) with the peer (RAND_P)
4245 and server (RAND_S) nonces:
4247 Session-Id = 0x2F || RAND_P || RAND_S
4249 The Peer-Id is the contents of the ID_P field and the Server-Id is
4250 the contents of the ID_S field.
4258 Aboba, et al. Standards Track [Page 76]
4260 RFC 5247 EAP Key Management Framework August 2008
4265 EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the
4266 concatenation of the EAP Type Code (0x30) with the contents of the
4267 RAND_S field from the AT_RAND_S attribute, followed by the
4268 contents of the RAND_P field in the AT_RAND_P attribute:
4270 Session-Id = 0x30 || RAND_S || RAND_P
4272 Note that the EAP-SAKE Session-Id is not the same as the "Session
4273 ID" parameter chosen by the Server, which is sent in the first
4274 message, and replicated in subsequent messages. The Peer-Id is
4275 contained within the value field of the AT_PEERID attribute and
4276 the Server-Id, if available, is contained in the value field of
4277 the AT_SERVERID attribute.
4281 For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in
4314 Aboba, et al. Standards Track [Page 77]
4316 RFC 5247 EAP Key Management Framework August 2008
4322 Microsoft Corporation
4326 EMail: bernarda@microsoft.com
4327 Phone: +1 425 706 6605
4328 Fax: +1 425 936 7329
4332 Microsoft Corporation
4336 EMail: dansimon@microsoft.com
4337 Phone: +1 425 706 6711
4338 Fax: +1 425 936 7329
4341 Nokia Research Center
4343 FIN-00045 Nokia Group
4346 EMail: pasi.eronen@nokia.com
4370 Aboba, et al. Standards Track [Page 78]
4372 RFC 5247 EAP Key Management Framework August 2008
4375 Full Copyright Statement
4377 Copyright (C) The IETF Trust (2008).
4379 This document is subject to the rights, licenses and restrictions
4380 contained in BCP 78, and except as set forth therein, the authors
4381 retain all their rights.
4383 This document and the information contained herein are provided on an
4384 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
4385 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
4386 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
4387 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
4388 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
4389 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
4391 Intellectual Property
4393 The IETF takes no position regarding the validity or scope of any
4394 Intellectual Property Rights or other rights that might be claimed to
4395 pertain to the implementation or use of the technology described in
4396 this document or the extent to which any license under such rights
4397 might or might not be available; nor does it represent that it has
4398 made any independent effort to identify any such rights. Information
4399 on the procedures with respect to rights in RFC documents can be
4400 found in BCP 78 and BCP 79.
4402 Copies of IPR disclosures made to the IETF Secretariat and any
4403 assurances of licenses to be made available, or the result of an
4404 attempt made to obtain a general license or permission for the use of
4405 such proprietary rights by implementers or users of this
4406 specification can be obtained from the IETF on-line IPR repository at
4407 http://www.ietf.org/ipr.
4409 The IETF invites any interested party to bring to its attention any
4410 copyrights, patents or patent applications, or other proprietary
4411 rights that may cover technology that may be required to implement
4412 this standard. Please address the information to the IETF at
4426 Aboba, et al. Standards Track [Page 79]