HOKEY Working Group T. Clancy Internet-Draft LTS Intended status: Informational April 29, 2007 Expires: October 31, 2007 HOKEY Re-authentication Protocol Plan draft-clancy-hokey-plan-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 31, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document describes a plan forward for incorporating the work of a variety of individual submissions to satisfy the HOKEY working group re-authentication problem statement into a single set of working-group documents. Clancy Expires October 31, 2007 [Page 1] Internet-Draft HOKEY Plan April 2007 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. EAP Key Delivery Protocol Document . . . . . . . . . . . . . . 3 4. HOKEY Re-Auth Protocol Document . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 Intellectual Property and Copyright Statements . . . . . . . . . . 9 Clancy Expires October 31, 2007 [Page 2] Internet-Draft HOKEY Plan April 2007 1. Introduction Over the past several months, there have been three documents, each with different qualities and different levels of completeness, submitted as solutions documents for HOKEY re-authentication. EAP-ER [I-D.vidya-eap-er] describes a protocol for doing re- authentication in EAP by extending EAP with additional Packet Codes. These codes would allow a peer-initiated re-authentication request to be communicated to the HOKEY server, and a response returned. It also defines the necessary keying hierarchy to support re- authentication. The 3-party keying protocol document [I-D.ohba-hokey-3party-keydist-ps] describes both additional protocol requirements to movitave the use of a 3-party key distribution protocol, and a rough strawman for what such a protocol could look like. EAP-HR [I-D.nakhjiri-hokey-hierarchy] describes a protocol motivated by the 3-party keying document that uses method-based transport with a modified EAP-Success packet. Additionally, a keying hierarchy for re-authentication is presented. Each document has its strengths, and this document describes a plan for merging them into two working-group documents. The first document will describe EMSK service key delivery, and the second will describe the HOKEY re-authentication protocol. The plan expressed in this document represents a variety of compromises making up the consensus of the working group, as perceived by the chairs. 2. Terminology In this document, several words are used to signify the requirements of the specification. These words are often capitalized. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. EAP Key Delivery Protocol Document Any service that needs to obtain a USRK, DSRK, or DSUSRK [I-D.ietf-hokey-emsk-hierarchy] needs to execute some sort of protocol exchange with the EAP server to obtain that key. This exchange may be executed in conjunction with some other protocol action, or performed independently, depending on how the service Clancy Expires October 31, 2007 [Page 3] Internet-Draft HOKEY Plan April 2007 operates. The goal of this document is to describe a generic protocol that other protocols can use to obtain these root keys. This document will not, however, specify an actual transport, as each service may needs its own specialized transport. A generic AAA keyreq-based approach COULD be defined in this document. The fundamentals of the keying hierarchy necessary to support channel bindings, along with the protocol exchanges, will be based on EAP-HR 3-party key delivery protocol [I-D.nakhjiri-hokey-hierarchy], and the EAP-ER-Bootstrap protocol [I-D.vidya-eap-er]. EMSK **************|************* * +----------+----------+ * * | | | * * USRK DSRK IK * EMSK Hierarchy & * | <-- Key Delivery * +----------+----------+ * Documents * | ***|*** | * * DSUSRK * HRK * DSIK * ********** | ********* * +----------+----------+ * * | | | * * rMSK rMSK rIK * * <-- HOKEY Re-Auth **************************** Protocol Document Figure 1: EAP EMSK Keying Hierarchy Division The purpose of this document is to define the necessary USRKs and DSUSRKs for channel binding at each layer of the keying hierarchy (i.e. the IK and DSIK). Additionally, it shall define payloads, in the form of opaque blobs, that a transport protocol SHOULD carry if it requires strong security on key distribution. For example, if KH-X represents the identity of the key holder for key X, a 3-party protocol for a service that simply uses a USRK, inspired by [I-D.ohba-hokey-3party-keydist-ps], might look something like the following. First let's define a few functions: o SEC(K, M) = M || MIC_K(M) Clancy Expires October 31, 2007 [Page 4] Internet-Draft HOKEY Plan April 2007 o IDbind(id1, id2, id3, N, K) = SEC(K, id1 || id2 || id3 || N) o KeyTransport(K) = K or ENC(K), depending on service The IDbind(.) blob is a basic channel binding blob that binds three identities together with a nonce using a secret key. Using this building block, the protocol would look like: 1. peer -> KH-USRK: IDbind(peer, EAP Server, KH-USRK, NonceA, IK) 2. KH-USRK -> EAP Server: IDbind(peer, EAP Server, KH-USRK, NonceA, IK) 3. EAP Server -> KH-USRK: IDbind(peer, EAP Server, KH-USRK, NonceA+1, IK), KeyTransport(USRK) 4. KH-USRK -> peer: IDbind(peer, EAP Server, KH-USRK, NonceA+1, IK) This protocol binds the three identities with a fresh nonce, and returns the USRK to the service. For a service that utilizes a DSRK, the above exchange would be similar, but include additional payloads. 1. peer -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK) 2. KH-DSUSRK -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK) 3. KH-DSRK -> EAP Server: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK) 4. EAP Server -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA+1, IK), KeyTransport(DSRK) 5. KH-DSRK -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA+1, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK), KeyTransport(DSUSRK) 6. KH-DSUSRK -> peer: IDbind(peer, EAP Server, KH-DSRK, NonceA+1, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK) This is still a single round trip, just relayed through a variety of intermediate nodes. Note that if KH-DSRK already held the DSRK, the protocol would simplify to: 1. peer -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK) 2. KH-DSUSRK -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK) 3. KH-DSRK -> KH-DSUSRK: IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK), KeyTransport(DSUSRK) 4. KH-DSUSRK -> peer: IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK) Note that the peer doesn't need to know if the KH-DSRK already holds the DSRK. The initial message is the same. Clancy Expires October 31, 2007 [Page 5] Internet-Draft HOKEY Plan April 2007 If a particular service does not need the strong security properties of a 3-party key distribution protocol, the key holder identities in the request can be NULL, provided they are correct in the response packets. This provides basic channel binding properties, but not peer consent. Also a service may also elect to not use this protocol at all. It's provided as a set of building blocks whereby different services can use a common protocol to securely interact with EMSKs and DSRKs. The point of the above protocol example was not to provide a complete description, but illustrate what needs to be defined. In particular, formally defining something like the IDbind(.) and KeyTransport(.) primitives is necessary. These blobs can then be carried by any underlying protocol, including HOKEY. Currently only EAP-ER formally specifies a protocol for delivering the HRK to the HOKEY server. Consequently section 6.2 of the EAP-ER document [I-D.vidya-eap-er] will serve as a starting point for development of this protocol. It shall be generalized to work for an arbitrary USRK or DSUSRK, and also define the IK and DSIK in terms of the KDF specified by [I-D.ietf-hokey-emsk-hierarchy]. 4. HOKEY Re-Auth Protocol Document EAP-ER shall be adopted as a working group document to satisfy the HOKEY Re-Auth Protocol requirement, subject to a variety of caveats: o Its name shall be changed to the HOKEY protocol. o It shall include support for channel bindings by including the NAS ID of the authenticator and ID of the EAP server in the integrity protected portions of the EAP-ER response from the EAP server to the authenticator and peer. Reusing the IDbind(.) primitive in the previous protocol would be desirable. o A new, optional message shall be added to support authenticator- initiated re-authentication. This message shall be generalized such that it is a "new" version of the EAP-Request/Identity. o The EAP-Initiate/Reauth packet shall be converted into a "new" version of the EAP-Response/Identity. o The EAP-Finish/Reauth packet shall be converted into a "new" version of the EAP-Success. These "new" packet codes shall be designed in a generic fashion, such that they could be used by future EAP extensions. For example, the Identity codes could natively include network selection information, rather than embedding them into the prompt and client NAI fields. The "new" EAP-Success could include native support for protected results indication. Clancy Expires October 31, 2007 [Page 6] Internet-Draft HOKEY Plan April 2007 5. Security Considerations TBD. 6. IANA Considerations This document does not introduce any new IANA considerations. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 7.2. Informative References [I-D.ietf-hokey-emsk-hierarchy] Salowey, J., "Specification for the Derivation of Usage Specific Root Keys (USRK) from an Extended Master Session Key (EMSK)", draft-ietf-hokey-emsk-hierarchy-00 (work in progress), January 2007. [I-D.nakhjiri-hokey-hierarchy] Nakhjiri, M., "Keying and signaling for wireless access and handover using EAP (EAP-HR)", draft-nakhjiri-hokey-hierarchy-04 (work in progress), April 2007. [I-D.ohba-hokey-3party-keydist-ps] Ohba, Y., "Problem Statement and Requirements on a 3-Party Key Distribution Protocol for Handover Keying", draft-ohba-hokey-3party-keydist-ps-01 (work in progress), March 2007. [I-D.vidya-eap-er] Narayanan, V. and L. Dondeti, "EAP Extensions for Efficient Re-authentication", draft-vidya-eap-er-02 (work in progress), January 2007. Clancy Expires October 31, 2007 [Page 7] Internet-Draft HOKEY Plan April 2007 Author's Address T. Charles Clancy DoD Laboratory for Telecommunication Sciences 8080 Greenmead Drive College Park, MD USA Email: clancy@LTSnet.net Clancy Expires October 31, 2007 [Page 8] Internet-Draft HOKEY Plan April 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Clancy Expires October 31, 2007 [Page 9]