< draft-bersani-eap-psk-08.txt   draft-bersani-eap-psk-09.txt >
EAP F. Bersani EAP F. Bersani
Internet-Draft France Telecom R&D Internet-Draft France Telecom R&D
Expires: August 5, 2005 H. Tschofenig Expires: February 10, 2006 H. Tschofenig
Siemens AG Siemens AG
February 2005 August 9, 2005
The EAP-PSK Protocol: a Pre-Shared Key EAP Method The EAP-PSK Protocol: a Pre-Shared Key EAP Method
draft-bersani-eap-psk-08 draft-bersani-eap-psk-09
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 5, 2005. This Internet-Draft will expire on February 10, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document specifies EAP-PSK, an Extensible Authentication This document specifies EAP-PSK, an Extensible Authentication
Protocol (EAP) method for mutual authentication and session key Protocol (EAP) method for mutual authentication and session key
derivation using a Pre-Shared Key (PSK). derivation using a Pre-Shared Key (PSK).
skipping to change at page 3, line 6 skipping to change at page 3, line 6
5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 44 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 44
5.1 Allocation of an EAP-Request/Response Type for EAP-PSK . . 44 5.1 Allocation of an EAP-Request/Response Type for EAP-PSK . . 44
5.2 Allocation of EXT Type numbers . . . . . . . . . . . . . . 44 5.2 Allocation of EXT Type numbers . . . . . . . . . . . . . . 44
6. Security Considerations . . . . . . . . . . . . . . . . . . . 46 6. Security Considerations . . . . . . . . . . . . . . . . . . . 46
6.1 Mutual Authentication . . . . . . . . . . . . . . . . . . 46 6.1 Mutual Authentication . . . . . . . . . . . . . . . . . . 46
6.2 Protected Result Indications . . . . . . . . . . . . . . . 46 6.2 Protected Result Indications . . . . . . . . . . . . . . . 46
6.3 Integrity Protection . . . . . . . . . . . . . . . . . . . 47 6.3 Integrity Protection . . . . . . . . . . . . . . . . . . . 47
6.4 Replay Protection . . . . . . . . . . . . . . . . . . . . 47 6.4 Replay Protection . . . . . . . . . . . . . . . . . . . . 47
6.5 Reflection attacks . . . . . . . . . . . . . . . . . . . . 48 6.5 Reflection attacks . . . . . . . . . . . . . . . . . . . . 48
6.6 Dictionary Attacks . . . . . . . . . . . . . . . . . . . . 48 6.6 Dictionary Attacks . . . . . . . . . . . . . . . . . . . . 48
6.7 Key Derivation . . . . . . . . . . . . . . . . . . . . . . 48 6.7 Key Derivation . . . . . . . . . . . . . . . . . . . . . . 49
6.8 Denial of Service Resistance . . . . . . . . . . . . . . . 50 6.8 Denial of Service Resistance . . . . . . . . . . . . . . . 50
6.9 Session Independence . . . . . . . . . . . . . . . . . . . 51 6.9 Session Independence . . . . . . . . . . . . . . . . . . . 51
6.10 Exposition of the PSK . . . . . . . . . . . . . . . . . . 51 6.10 Exposition of the PSK . . . . . . . . . . . . . . . . . . 51
6.11 Fragmentation . . . . . . . . . . . . . . . . . . . . . . 51 6.11 Fragmentation . . . . . . . . . . . . . . . . . . . . . . 51
6.12 Channel Binding . . . . . . . . . . . . . . . . . . . . . 52 6.12 Channel Binding . . . . . . . . . . . . . . . . . . . . . 52
6.13 Fast Reconnect . . . . . . . . . . . . . . . . . . . . . . 52 6.13 Fast Reconnect . . . . . . . . . . . . . . . . . . . . . . 52
6.14 Identity Protection . . . . . . . . . . . . . . . . . . . 52 6.14 Identity Protection . . . . . . . . . . . . . . . . . . . 52
6.15 Protected Ciphersuite Negotiation . . . . . . . . . . . . 54 6.15 Protected Ciphersuite Negotiation . . . . . . . . . . . . 54
6.16 Confidentiality . . . . . . . . . . . . . . . . . . . . . 54 6.16 Confidentiality . . . . . . . . . . . . . . . . . . . . . 54
6.17 Cryptographic Binding . . . . . . . . . . . . . . . . . . 54 6.17 Cryptographic Binding . . . . . . . . . . . . . . . . . . 54
skipping to change at page 47, line 44 skipping to change at page 47, line 44
practice to rely on external mechanism to ensure synchronization, practice to rely on external mechanism to ensure synchronization,
unless this is an explicit property of the external mechanism). unless this is an explicit property of the external mechanism).
6.3 Integrity Protection 6.3 Integrity Protection
EAP-PSK provides integrity protection thanks to the Tag of its EAP-PSK provides integrity protection thanks to the Tag of its
protected channel (see Section 2.2.3). protected channel (see Section 2.2.3).
6.4 Replay Protection 6.4 Replay Protection
EAP-PSK provides replay protection thanks to the Nonce N of its EAP-PSK provides replay protection of its mutual authentication part
protected channel (see Section 2.2.3). This nonce is initialized to thanks to the use of random numbers RAND_S and RAND_P. Since RAND_S
0 by the server and monotonically incremented by one by the party is 128 bit long, one expects to have to record 2**64 (i.e.
that receives a valide EAP-PSK message. For instance, after approximately 1.84*10**19) EAP-PSK successful authentication before
receiving from the server a valid EAP-PSK message with Nonce set to an authentication can be replayed. Hence, EAP-PSK provides replay
x, the peer will answer with an EAP-PSK message with Nonce set to x+1 protection of its mutual authentication part as long as RAND_S and
and wait for an EAP-PSK message with Nonce set to x+2. A RAND_P are chosen at random, randomness is critical for security.
retransmission of the server's message with Nonce set to x, would
cause the peer EAP layer to resend the message in which Nonce was set EAP-PSK provides replay protection during the conversation of the
to x+1, which would be transparent to the EAP-PSK layer. protected channel thanks to the Nonce N of its protected channel (see
Section 2.2.3). This nonce is initialized to 0 by the server and
monotonically incremented by one by the party that receives a valide
EAP-PSK message. For instance, after receiving from the server a
valid EAP-PSK message with Nonce set to x, the peer will answer with
an EAP-PSK message with Nonce set to x+1 and wait for an EAP-PSK
message with Nonce set to x+2. A retransmission of the server's
message with Nonce set to x, would cause the peer EAP layer to resend
the message in which Nonce was set to x+1, which would be transparent
to the EAP-PSK layer.
The EAP peer must check that the Nonce is indeed initialized to 0 by The EAP peer must check that the Nonce is indeed initialized to 0 by
the server. the server.
6.5 Reflection attacks 6.5 Reflection attacks
EAP-PSK provides protection against reflection attacks in case of an EAP-PSK provides protection against reflection attacks in case of an
extended authentication because: extended authentication because:
o It integrity protects the EAP header (which contains the o It integrity protects the EAP header (which contains the
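Review bot: The new first paragraph of 6.4 derives the 2**64 figure from "RAND_S is 128 bit long" alone, which reads as a birthday estimate on RAND_S repeating, but the text neither says so nor states what the attacker must record and attempt for a replay to succeed. Please spell that assumption out, and explain what RAND_P contributes, since it is named as necessary but never argued. Wording in the same hunk: "128 bit long" should be "128 bits long", "EAP-PSK successful authentication" should be plural, the comma splice before "randomness is critical for security" should be split into its own sentence, and the relocated Nonce paragraph still carries the typo "valide" from -08.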
skipping to change at page 58, line 39 skipping to change at page 58, line 39
for the Advanced Encryption Standard (AES)", Federal Information for the Advanced Encryption Standard (AES)", Federal Information
Processing Standards (FIPS) 197, November 2001. Processing Standards (FIPS) 197, November 2001.
[8] National Institute of Standards and Technology, "Recommendation [8] National Institute of Standards and Technology, "Recommendation
for Block Cipher Modes of Operation: The CMAC Mode for for Block Cipher Modes of Operation: The CMAC Mode for
Authentication", Special Publication (SP) 800-38B, May 2005. Authentication", Special Publication (SP) 800-38B, May 2005.
9.2 Informative References 9.2 Informative References
[9] Aboba, B., "Extensible Authentication Protocol (EAP) Key [9] Aboba, B., "Extensible Authentication Protocol (EAP) Key
Management Framework", draft-ietf-eap-keying-06 (work in Management Framework", draft-ietf-eap-keying-07 (work in
progress), April 2005. progress), July 2005.
[10] Aboba, B., "The Network Access Identifier", [10] Aboba, B., "The Network Access Identifier",
draft-arkko-roamops-rfc2486bis-02 (work in progress), draft-arkko-roamops-rfc2486bis-02 (work in progress),
July 2004. July 2004.
[11] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., [11] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P.,
Shiino, H., Zorn, G., Dommety, G., Perkins, C., Patil, B., Shiino, H., Zorn, G., Dommety, G., Perkins, C., Patil, B.,
Mitton, D., Manning, S., Beadles, M., Walsh, P., Chen, X., Mitton, D., Manning, S., Beadles, M., Walsh, P., Chen, X.,
Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B.,
Hirschman, B., Hsu, R., Xu, Y., Campbell, E., Baba, S., and E. Hirschman, B., Hsu, R., Xu, Y., Campbell, E., Baba, S., and E.
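Review bot: [10] stays at draft-arkko-roamops-rfc2486bis-02 (July 2004) while [9] directly above it is refreshed to -07 (July 2005). Please confirm that -02 is still the current revision, and check the other unchanged work-in-progress citations the same way, so that the reference list is consistent with the new August 9, 2005 date.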
skipping to change at page 59, line 15 skipping to change at page 59, line 15
[12] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", [12] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol",
RFC 2716, October 1999. RFC 2716, October 1999.
[13] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol [13] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol
Method for 3rd Generation Authentication and Key Agreement Method for 3rd Generation Authentication and Key Agreement
(EAP-AKA)", draft-arkko-pppext-eap-aka-15 (work in progress), (EAP-AKA)", draft-arkko-pppext-eap-aka-15 (work in progress),
December 2004. December 2004.
[14] Arkko, J. and P. Eronen, "Authenticated Service Information for [14] Arkko, J. and P. Eronen, "Authenticated Service Information for
the Extensible Authentication Protocol (EAP)", the Extensible Authentication Protocol (EAP)",
draft-arkko-eap-service-identity-auth-02 (work in progress), draft-arkko-eap-service-identity-auth-03 (work in progress),
May 2005. July 2005.
[15] Bellare, M. and P. Rogaway, "Entity Authentication and Key [15] Bellare, M. and P. Rogaway, "Entity Authentication and Key
Distribution", CRYPTO 93, Springer-Verlag LNCS 773, 1994. Distribution", CRYPTO 93, Springer-Verlag LNCS 773, 1994.
[16] Bellare, M., Pointcheval, D., and P. Rogaway, "Authenticated [16] Bellare, M., Pointcheval, D., and P. Rogaway, "Authenticated
Key Exchange Secure Against Dictionary attacks", Key Exchange Secure Against Dictionary attacks",
EUROCRYPT 00, Springer-Verlag LNCS 1807, 2000. EUROCRYPT 00, Springer-Verlag LNCS 1807, 2000.
[17] Bersani, F., "EAP shared key methods: a tentative synthesis of [17] Bersani, F., "EAP shared key methods: a tentative synthesis of
those proposed so far", those proposed so far",
skipping to change at page 62, line 6 skipping to change at page 62, line 6
RFC 1661, July 1994. RFC 1661, July 1994.
[49] Simpson, W., "PPP Challenge Handshake Authentication Protocol [49] Simpson, W., "PPP Challenge Handshake Authentication Protocol
(CHAP)", RFC 1994, August 1996. (CHAP)", RFC 1994, August 1996.
[50] Stanley, D., Walker, J., and B. Aboba, "EAP Method Requirements [50] Stanley, D., Walker, J., and B. Aboba, "EAP Method Requirements
for Wireless LANs", draft-walker-ieee802-req-04 (work in for Wireless LANs", draft-walker-ieee802-req-04 (work in
progress), August 2004. progress), August 2004.
[51] Tschofenig, H., "EAP IKEv2 Method (EAP-IKEv2)", [51] Tschofenig, H., "EAP IKEv2 Method (EAP-IKEv2)",
draft-tschofenig-eap-ikev2-06 (work in progress), May 2005. draft-tschofenig-eap-ikev2-07 (work in progress), July 2005.
[52] Walker, J. and R. Housley, "The EAP Archie Protocol", [52] Walker, J. and R. Housley, "The EAP Archie Protocol",
draft-jwalker-eap-archie-01 (work in progress), June 2003. draft-jwalker-eap-archie-01 (work in progress), June 2003.
[53] Wi-Fi Alliance, "Wi-Fi Protected Access, version 2.0", [53] Wi-Fi Alliance, "Wi-Fi Protected Access, version 2.0",
April 2003. April 2003.
[54] Wright, J., "Weaknesses in LEAP Challenge/Response", Defcon 03, [54] Wright, J., "Weaknesses in LEAP Challenge/Response", Defcon 03,
August 2003. August 2003.
 End of changes. 9 change blocks. 
20 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/