< draft-clancy-emu-eap-shared-secret-00.txt   draft-clancy-emu-eap-shared-secret-01.txt >
EMU Working Group T. Clancy EMU Working Group T. Clancy
Internet-Draft LTS Internet-Draft LTS
Expires: November 27, 2006 H. Tschofenig Expires: December 28, 2006 H. Tschofenig
Siemens Siemens
May 26, 2006 June 26, 2006
EAP Generalized Pre-Shared Key (EAP-GPSK) EAP Generalized Pre-Shared Key (EAP-GPSK)
draft-clancy-emu-eap-shared-secret-00.txt draft-clancy-emu-eap-shared-secret-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 27, 2006. This Internet-Draft will expire on December 28, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This Internet Draft defines an Extensible Authentication Protocol This Internet Draft defines an Extensible Authentication Protocol
method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method
is a lightweight shared-key authentication protocol supporting mutual is a lightweight shared-key authentication protocol supporting mutual
authentication and key derivation. authentication and key derivation.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . 9 4. Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . . 11 5. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . . 11
6. Ciphersuites Processing Rules . . . . . . . . . . . . . . . . 13 6. Ciphersuites Processing Rules . . . . . . . . . . . . . . . . 13
6.1. Ciphersuite #1 . . . . . . . . . . . . . . . . . . . . . . 13 6.1. Ciphersuite #1 . . . . . . . . . . . . . . . . . . . . . . 13
6.1.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 13 6.1.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 13
6.1.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 13 6.1.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 13
6.1.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 14 6.1.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 14
6.2. Ciphersuite #2 . . . . . . . . . . . . . . . . . . . . . . 14 6.2. Ciphersuite #2 . . . . . . . . . . . . . . . . . . . . . . 14
6.2.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 14 6.2.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 14
skipping to change at page 4, line 40 skipping to change at page 4, line 40
EAP-GPSK has been designed in a threat model where the attacker EAP-GPSK has been designed in a threat model where the attacker
has full control over the communication channel. This is the EAP has full control over the communication channel. This is the EAP
threat model that is presented in Section 7.1 of [RFC3748]. Thus, threat model that is presented in Section 7.1 of [RFC3748]. Thus,
it is particularly suited for wireless or battery powered devices. it is particularly suited for wireless or battery powered devices.
Efficiency: Efficiency:
EAP-GPSK does not make use of public key cryptography and fully EAP-GPSK does not make use of public key cryptography and fully
relies of symmetric cryptography. The restriction on symmetric relies of symmetric cryptography. The restriction on symmetric
cryptographic computations allow for low computational overhead. cryptographic computations allows for low computational overhead.
Hence, EAP-GPSK is lightweight and well suited for any type of Hence, EAP-GPSK is lightweight and well suited for any type of
device, especially those with little processing power and memory. device, especially those with little processing power and memory.
Flexibility: Flexibility:
EAP-GPSK offers cryptographic flexibility. At the beginning, the EAP-GPSK offers cryptographic flexibility. At the beginning, the
EAP server selects a set of cryptographic algorithms and key EAP server selects a set of cryptographic algorithms and key
sizes, a so called ciphersuite. The current version of EAP-GPSK sizes, a so called ciphersuite. The current version of EAP-GPSK
comprises two ciphersuites, but additional ones can be easily comprises two ciphersuites, but additional ones can be easily
added. added.
skipping to change at page 5, line 29 skipping to change at page 5, line 29
are to be interpreted as described in [RFC2119]. are to be interpreted as described in [RFC2119].
This section describes the various variables and functions used in This section describes the various variables and functions used in
the EAP-GPSK method. the EAP-GPSK method.
Variables: Variables:
PD_Payload_X: PD_Payload_X:
Data carried within the X-th protected data payload Data carried within the X-th protected data payload
CSuite_List:
An octet array listing available ciphersuites (variable length) An octet array listing available ciphersuites (variable length)
CSuite_Sel: CSuite_Sel:
Ciphersuite selected by the client (1 octet or 7 octets) Ciphersuite selected by the client (1 octet or 7 octets)
ID_Client: ID_Client:
Client NAI [RFC2486bis] Client NAI [RFC2486bis]
ID_Server: ID_Server:
Server identity as an opaque blog. Server identity as an opaque blob.
KS: KS:
Integer representing the key size in octets of the selected Integer representing the key size in octets of the selected
ciphersuite CSuite_Sel ciphersuite CSuite_Sel
RAND_Client: RAND_Client:
Random integer generated by the client (256 bits) Random integer generated by the client (256 bits)
skipping to change at page 6, line 48 skipping to change at page 6, line 48
Function that returns the length of input X in octets, encoded as Function that returns the length of input X in octets, encoded as
a 16-bit integer in network byte order a 16-bit integer in network byte order
MAC_X(Y): MAC_X(Y):
Keyed message authentication code computed over Y with symmetric Keyed message authentication code computed over Y with symmetric
key X key X
SEC_X(Y): SEC_X(Y):
Securing of message Y with key X, by computing Y || MAC_X(Y) SEC is a function that provides integrity protection based on the
chosen ciphersuite. The function SEC uses the algorithm defined
by the selected ciphersuite and applies it to the message content
Y with key X. As an output the message returns Y concatenated with
MAC_X(Y).
X[A..B]: X[A..B]:
Notation representing octets A through B of octet array X Notation representing octets A through B of octet array X
The following abbreviations are used for the keying material: The following abbreviations are used for the keying material:
PK: PK:
Session key generated from the MK and used during protocol Session key generated from the MK and used during protocol
skipping to change at page 8, line 33 skipping to change at page 8, line 35
| | | | | | | |
| | EAP-Response/GPSK-4 | | | | EAP-Response/GPSK-4 | |
| |------------------------------------>| | | |------------------------------------>| |
| | | | | | | |
| | EAP-Success or EAP-Failure | | | | EAP-Success or EAP-Failure | |
| |<------------------------------------| | | |<------------------------------------| |
+--------+ +--------+ +--------+ +--------+
EAP-GPSK performs mutual authentication between EAP peer ("Client") EAP-GPSK performs mutual authentication between EAP peer ("Client")
and EAP server ("Server") based on a pre-shared key (PSK). The and EAP server ("Server") based on a pre-shared key (PSK). The
protocol consists two EAP message exchanges, in which both sides protocol consists of two EAP message exchanges, in which both sides
o exchange nonces and their identities and o exchange nonces and their identities and
o compute and exchange a Message Authentication Code (MAC) over the o compute and exchange a Message Authentication Code (MAC) over the
previously exchanged values, keyed with the pre-shared key. This previously exchanged values, keyed with the pre-shared key. This
MAC is considered as proof of possession of the pre-shared key. MAC is considered as proof of possession of the pre-shared key.
The full EAP-GPSK protocol is as follows: The full EAP-GPSK protocol is as follows:
GPSK-1: GPSK-1:
skipping to change at page 9, line 19 skipping to change at page 9, line 24
GPSK-4: GPSK-4:
[ SEC_SK(ENC_PK(PD_Payload_3)) ] [ SEC_SK(ENC_PK(PD_Payload_3)) ]
The EAP server begins EAP-GPSK creating a random number RAND_Server The EAP server begins EAP-GPSK creating a random number RAND_Server
and by encoding the supported ciphersuites into CSuite_List. A and by encoding the supported ciphersuites into CSuite_List. A
ciphersuite consists of an encryption algorithm, a key derivation ciphersuite consists of an encryption algorithm, a key derivation
function and a message authentication code. function and a message authentication code.
In GPSK-1, the EAP peer sends its identity ID_Server, a random number In GPSK-1, the EAP server sends its identity ID_Server, a random
RAND_Server and the identifier of the chosen ciphersuite. The number RAND_Server and the identifier of the chosen ciphersuite. The
decision which ciphersuite to use is policy-dependent and therefore decision which ciphersuite to use is policy-dependent and therefore
outside the scope of this document. outside the scope of this document.
In GPSK-2, the peer sends its identity ID_Client, a random number In GPSK-2, the peer sends its identity ID_Client, a random number
RAND_Client. Furthermore, it repeats the received parameters of the RAND_Client. Furthermore, it repeats the received parameters of the
GPSK-1 message and computes a Message Authentication Code over all GPSK-1 message and computes a Message Authentication Code over all
these parameters. these parameters.
The EAP server verifies the received Message Authentication Code. In The EAP server verifies the received Message Authentication Code. In
case of successful verification, the EAP server computes a Message case of successful verification, the EAP server computes a Message
skipping to change at page 11, line 40 skipping to change at page 11, line 40
+---------+ +---------+ +----------+ +----------+ +---------+ +---------+ +----------+ +----------+
Figure 2: EAP-GPSK Key Derivation Figure 2: EAP-GPSK Key Derivation
5. Ciphersuites 5. Ciphersuites
The design of EAP-GPSK allows cryptographic algorithms and key sizes, The design of EAP-GPSK allows cryptographic algorithms and key sizes,
called ciphersuite, to be negotiated during the protocol run. The called ciphersuite, to be negotiated during the protocol run. The
ability to specify block-based and hash-based ciphersuites is ability to specify block-based and hash-based ciphersuites is
offered. Extensibility is provided with the introduction of new offered. Extensibility is provided with the introduction of new
ciphersuites; this document specifies an initial set. The Code field ciphersuites; this document specifies an initial set. The CSuite/
in Figure 3 uniquely identifies a ciphersuite. Specifier column in Figure 3 uniquely identifies a ciphersuite.
If Code=254 is used, a vendor-specific ciphersuite is encoded. In For a vendor-specific ciphersuite the first three octets are the
this case, the following six octets identify the ciphersuite. The vendor-specific OID, and the last three octets are vendor assigned
first three octets are the vendor-specific OID, and the last three for the specific ciphersuite.
octets are vendor assigned.
The following ciphersuites are specified in this document: The following ciphersuites are specified in this document:
+-----------+----+-------------+---------------+--------------------+ +-----------+----+-------------+---------------+--------------------+
| CSuite/ | KS | Encryption | Integrity | Key Derivation | | CSuite/ | KS | Encryption | Integrity | Key Derivation |
| Specifier | | | | Function | | Specifier | | | | Function |
+-----------+----+-------------+---------------+--------------------+ +-----------+----+-------------+---------------+--------------------+
| 0x000001 | 16 | AES-EAX-128 | AES-CMAC-128 | GKDF-128 | | 0x000001 | 16 | AES-EAX-128 | AES-CMAC-128 | GKDF-128 |
+-----------+----+-------------+---------------+--------------------+ +-----------+----+-------------+---------------+--------------------+
| 0x000002 | 32 | NULL | HMAC-SHA256 | GKDF-256 | | 0x000002 | 32 | NULL | HMAC-SHA256 | GKDF-256 |
skipping to change at page 12, line 26 skipping to change at page 12, line 26
Ciphersuite 1, which is based on AES as a cryptographic primitive, is Ciphersuite 1, which is based on AES as a cryptographic primitive, is
mandatory to implement. mandatory to implement.
Each ciphersuite needs to specify a key derivation function. The Each ciphersuite needs to specify a key derivation function. The
ciphersuites defined in this document make use of the Generalized Key ciphersuites defined in this document make use of the Generalized Key
Distribution Function (GKDF). Future ciphersuites can use any other Distribution Function (GKDF). Future ciphersuites can use any other
formally specified KDF that takes as arguments a key and a seed or formally specified KDF that takes as arguments a key and a seed or
entropy value, and produces at least 1024+2*KS bits of output. entropy value, and produces at least 1024+2*KS bits of output.
If GKDF is invoked by a MAC-based ciphersuite, then the variable If GKDF is invoked by a MAC-based ciphersuite, then the variable
"size" contains the MAC output size. In case of a block cipher-based "size" contains the MAC output size in octets. In case of a block
ciphersuite, "size" contains the block size in octets. cipher-based ciphersuite, "size" contains the block size in octets.
GKDF has the following structure: GKDF has the following structure:
GKDF-X(Y, Z) GKDF-X(Y, Z)
X length, in octets, of the desired output X length, in octets, of the desired output
Y secret key used to protect the computation Y secret key used to protect the computation
Z data specific for the protocol run Z data specific for the protocol run
GKDF-X (Y, Z) GKDF-X (Y, Z)
{ {
n = int( X / size ) + 1; /* determine number of n = int( X / size - 1 ) + 1; /* determine number of
output blocks */ output blocks */
M_0 = ""; M_0 = "";
result = ""; result = "";
for i=1 to n { for i=1 to n {
M_i = MAC_Y (M_{i-1} || Z || i || X); M_i = MAC_Y (M_{i-1} || Z || i || X);
result = result || M_i; result = result || M_i;
} }
return truncate (result; X) return truncate (result; X)
} }
Note that the variables 'i' and 'X' in M_i are represented as 16-bit
values in network byte order.
6. Ciphersuites Processing Rules 6. Ciphersuites Processing Rules
6.1. Ciphersuite #1 6.1. Ciphersuite #1
6.1.1. Encryption 6.1.1. Encryption
With this ciphersuite all cryptography is built around a single With this ciphersuite all cryptography is built around a single
cryptographic primitive, AES-128. Within the protected data frames, cryptographic primitive, AES-128. Within the protected data frames,
AES-128 is used in EAX mode of operation. Ciphersuite 1 makes use of AES-128 is used in EAX mode of operation. Ciphersuite 1 makes use of
skipping to change at page 15, line 48 skipping to change at page 16, line 4
| Code | Identifier | Length | | Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | OP-Code | | | Type | OP-Code | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| | | |
... Payload ... ... Payload ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5 Figure 5
The Code, Identifier, Length, and Type fields are all part of the EAP The Code, Identifier, Length, and Type fields are all part of the EAP
header, and defined in [RFC3748]. IANA has allocated EAP Method Type header, and defined in [RFC3748]. IANA has allocated EAP Method Type
XX for EAP-GPSK, thus the Type field in the EAP header MUST be XX. XX for EAP-GPSK, thus the Type field in the EAP header MUST be XX.
The OP-Code field is one of four values: The OP-Code field is one of four values:
o 0x01 : GPSK-1 o 0x01 : GPSK-1
o 0x02 : GPSK-2 o 0x02 : GPSK-2
o 0x03 : GPSK-3 o 0x03 : GPSK-3
o 0x04 : GPSK-4 o 0x04 : GPSK-4
7.2. Ciphersuite Formatting 7.2. Ciphersuite Formatting
Ciphersuites are encoded as 6-octet arrays. The first three octets Ciphersuites are encoded as 6-octet arrays. The first three octets
indicate the CSuite/Vendor field. For vendor-specific ciphersuites, indicate the CSuite/Vendor field. For vendor-specific ciphersuites,
this represents the vendor OID. The last three octets indicate the this represents the vendor OID. The last three octets indicate the
CSuite/Specifier field, which identifies the particular ciphersuite. CSuite/Specifier field, which identifies the particular ciphersuite.
The 3-byte CSuite/Vendor value 0x000000 indiciates ciphersuites The 3-byte CSuite/Vendor value 0x000000 indicates ciphersuites
allocated by the IETF. allocated by the IETF.
Graphically, they are represented as Graphically, they are represented as
--- bit offset ---> --- bit offset --->
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CSuite/Vendor = 0x000000 or OID | | CSuite/Vendor = 0x000000 or OID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 17, line 16 skipping to change at page 17, line 16
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length(ID_Server) | | | length(ID_Server) | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| | | |
... ID_Server ... ... ID_Server ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... 256-bit RAND_Server ... ... 32-octet RAND_Server ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length(CSuite_List) | | | length(CSuite_List) | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| | | |
... CSuite_List ... ... CSuite_List ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: GPSK-1 Payload Figure 7: GPSK-1 Payload
skipping to change at page 19, line 21 skipping to change at page 19, line 21
| | | |
... 32-octet RAND_Client ... ... 32-octet RAND_Client ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... 32-octet RAND_Server ... ... 32-octet RAND_Server ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CSuite_Sel | | CSuite_Sel |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | length(PD_Payload_1) | | | length(PD_Payload_2) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... optional PD_Payload_2 ... ... optional PD_Payload_2 ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... KS-octet payload MAC ... ... KS-octet payload MAC ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 21, line 30 skipping to change at page 21, line 30
o 0x000000 : Reserved o 0x000000 : Reserved
o 0x000001 : Channel Binding Data o 0x000001 : Channel Binding Data
o 0x000002 : Protected Results Indication o 0x000002 : Protected Results Indication
o 0x000003 : Extra KDF Data o 0x000003 : Extra KDF Data
o 0x000004 through 0xFFFFFF : Unallocated o 0x000004 through 0xFFFFFF : Unallocated
Definition of channel binding data is outside the scope of this Definition of channel binding data is outside the scope of this
document. These protected payloads can be used to carry such data document. These protected payloads can be used to carry such data
once it has been formally specified. once it has been formally specified.
Definition of the protected results indiciation field is outside the Definition of the protected results indication field is outside the
scope of this document. It could be used to indicate the success or scope of this document. It could be used to indicate the success or
failure of both authentication and authorization in a secure way. failure of both authentication and authorization in a secure way.
The Extra KDF Data field specifies an arbitrary amount of additional The Extra KDF Data field specifies an arbitrary amount of additional
data, represented as KDFData_Client and KDFData_Server, and is used data, represented as KDFData_Client and KDFData_Server, and is used
in the derivation of the MSK and EMSK exported by GPSK to EAP. It in the derivation of the MSK and EMSK exported by GPSK to EAP. It
can be used to extensibly bind data into the key derivation process. can be used to extensibly bind data into the key derivation process.
KDFData_Server can ONLY be specified in PD_Payload_2. KDFData_Client KDFData_Server can ONLY be specified in PD_Payload_2. KDFData_Client
can only be bound to data specified in PD_Payload_3. If multiple can only be bound to data specified in PD_Payload_3. If multiple
skipping to change at page 24, line 33 skipping to change at page 24, line 33
keys used by other protocols, otherwise the security of EAP-GPSK may keys used by other protocols, otherwise the security of EAP-GPSK may
be compromised. be compromised.
8.11. Fragmentation 8.11. Fragmentation
EAP-GPSK does not support fragmentation and reassembly since the EAP-GPSK does not support fragmentation and reassembly since the
message size is kept small. message size is kept small.
8.12. Channel Binding 8.12. Channel Binding
Channel binding is accomplished through the protected data blocks. This document enables the ability to exchange channel binding
information. It does not, however, define the encoding of channel
binding information in the document.
8.13. Fast Reconnect 8.13. Fast Reconnect
EAP-GPSK does not provide the fast reconnect capability since this EAP-GPSK does not provide the fast reconnect capability since this
method is already at the lower limit of the number of roundtrips and method is already at the lower limit of the number of roundtrips and
the cryptographic operations. the cryptographic operations.
8.14. Identity Protection 8.14. Identity Protection
Identity protection is not specified in this document. Extensions Identity protection is not specified in this document. Extensions
skipping to change at page 26, line 21 skipping to change at page 26, line 21
o David McGrew o David McGrew
o Joe Salowey o Joe Salowey
o Sharma Suman o Sharma Suman
o Hannes Tschofenig o Hannes Tschofenig
o Jesse Walker o Jesse Walker
Finally, we would like to thank Thomas Otto for this review, feedback Finally, we would like to thank Thomas Otto for this review, feedback
and text input. and text input.
11. Acknowledgment 11. Acknowledgment
Add your name here. We would like to thank Jouni Malinen and Bernard Aboba for their
comments in June 2006.
12. Open Issues 12. Open Issues
The list of open issues can be found at: The list of open issues can be found at:
http://www.tschofenig.com:8080/eap-gpsk/ http://www.tschofenig.com:8080/eap-gpsk/
A first prototype implementation by Jouni Malinen can be found at:
http://hostap.epitest.fi/releases/snapshots/
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997. Requirement Levels", March 1997.
[RFC2486bis] [RFC2486bis]
Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", Network Access Identifier",
skipping to change at page 26, line 45 skipping to change at page 27, line 4
[RFC2486bis] [RFC2486bis]
Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", Network Access Identifier",
draft-ietf-radext-rfc2486bis-06 (work in progress), draft-ietf-radext-rfc2486bis-06 (work in progress),
July 2005. July 2005.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 [RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, September 2001. (SHA1)", RFC 3174, September 2001.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004. RFC 3748, June 2004.
13.2. Informative References 13.2. Informative References
[I-D.clancy-eap-pax] [I-D.clancy-eap-pax]
Clancy, C. and W. Arbaugh, "EAP Password Authenticated Clancy, C. and W. Arbaugh, "EAP Password Authenticated
Exchange", draft-clancy-eap-pax-06 (work in progress), Exchange", draft-clancy-eap-pax-07 (work in progress),
January 2006. June 2006.
[I-D.bersani-eap-psk] [I-D.bersani-eap-psk]
Tschofenig, H. and F. Bersani, "The EAP-PSK Protocol: a Tschofenig, H. and F. Bersani, "The EAP-PSK Protocol: a
Pre-Shared Key EAP Method", draft-bersani-eap-psk-10 (work Pre-Shared Key EAP Method", draft-bersani-eap-psk-11 (work
in progress), February 2006. in progress), June 2006.
[I-D.otto-emu-eap-tls-psk] [I-D.otto-emu-eap-tls-psk]
Otto, T. and H. Tschofenig, "The EAP-TLS-PSK Otto, T. and H. Tschofenig, "The EAP-TLS-PSK
Authentication Protocol", draft-otto-emu-eap-tls-psk-00 Authentication Protocol", draft-otto-emu-eap-tls-psk-00
(work in progress), April 2006. (work in progress), April 2006.
[I-D.vanderveen-eap-sake] [I-D.vanderveen-eap-sake]
Vanderveen, M. and H. Soliman, "Extensible Authentication Vanderveen, M. and H. Soliman, "Extensible Authentication
Protocol Method for Shared-secret Authentication and Key Protocol Method for Shared-secret Authentication and Key
Establishment (EAP-SAKE)", draft-vanderveen-eap-sake-02 Establishment (EAP-SAKE)", draft-vanderveen-eap-sake-02
 End of changes. 27 change blocks. 
31 lines changed or deleted 44 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/