idnits 2.17.1 draft-cam-winget-eap-fast-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2749. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2726. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2733. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2739. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 16, 2006) is 6399 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'NOTE1' is mentioned on line 1383, but not defined == Missing Reference: 'Note1' is mentioned on line 1386, but not defined -- Looks like a reference, but probably isn't: '20' on line 1425 -- Looks like a reference, but probably isn't: '16' on line 1427 -- Looks like a reference, but probably isn't: '0' on line 1468 -- Looks like a reference, but probably isn't: '40' on line 1430 == Missing Reference: 'SIMCK 1' is mentioned on line 2675, but not defined == Missing Reference: 'Crypto-Binding TLV' is mentioned on line 2704, but not defined == Missing Reference: 'Compound MAC' is mentioned on line 2713, but not defined ** Obsolete normative reference: RFC 2246 (Obsoleted by RFC 4346) ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 3268 (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 4507 (Obsoleted by RFC 5077) == Outdated reference: A later version (-10) exists of draft-cam-winget-eap-fast-provisioning-02 -- Obsolete informational reference (is this intentional?): RFC 2716 (Obsoleted by RFC 5216) -- Obsolete informational reference (is this intentional?): RFC 4282 (Obsoleted by RFC 7542) Summary: 8 errors (**), 0 flaws (~~), 8 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group N. Cam-Winget 3 Internet-Draft D. McGrew 4 Expires: April 19, 2007 J. Salowey 5 H. Zhou 6 Cisco Systems 7 October 16, 2006 9 The Flexible Authentication via Secure Tunneling Extensible 10 Authentication Protocol Method (EAP-FAST) 11 draft-cam-winget-eap-fast-05.txt 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on April 19, 2007. 38 Copyright Notice 40 Copyright (C) The Internet Society (2006). 42 Abstract 44 This document defines the Extensible Authentication Protocol (EAP) 45 based Flexible Authentication via Secure Tunneling (EAP-FAST) 46 protocol. EAP-FAST is an EAP method that enables secure 47 communication between a peer and a server by using the Transport 48 Layer Security (TLS) to establish a mutually authenticated tunnel. 50 Within the tunnel, Type-Length-Value (TLV) objects are used to convey 51 authentication related data between the peer and the EAP server. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 1.1 Specification Requirements . . . . . . . . . . . . . . . . 5 57 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 58 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5 59 2.1 Architectural Model . . . . . . . . . . . . . . . . . . . 6 60 2.2 Protocol Layering Model . . . . . . . . . . . . . . . . . 7 61 3. EAP-FAST Protocol . . . . . . . . . . . . . . . . . . . . . . 7 62 3.1 Version Negotiation . . . . . . . . . . . . . . . . . . . 8 63 3.2 EAP-FAST Authentication Phase 1: Tunnel Establishment . . 9 64 3.2.1 TLS Session Resume using Server State . . . . . . . . 10 65 3.2.2 TLS Session Resume Using a PAC . . . . . . . . . . . . 10 66 3.2.3 Transition between Abbreviated and Full TLS 67 Handshake . . . . . . . . . . . . . . . . . . . . . . 11 68 3.3 EAP-FAST Authentication Phase 2: Tunneled 69 Authentication . . . . . . . . . . . . . . . . . . . . . . 12 70 3.3.1 EAP Sequences . . . . . . . . . . . . . . . . . . . . 12 71 3.3.2 Protected Termination and Acknowledged Result 72 Indication . . . . . . . . . . . . . . . . . . . . . . 13 73 3.4 Error Handling . . . . . . . . . . . . . . . . . . . . . . 14 74 3.4.1 TLS Layer Errors . . . . . . . . . . . . . . . . . . . 14 75 3.4.2 Phase 2 Errors . . . . . . . . . . . . . . . . . . . . 15 76 3.5 Fragmentation . . . . . . . . . . . . . . . . . . . . . . 15 77 4. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 16 78 4.1 EAP-FAST Message Format . . . . . . . . . . . . . . . . . 16 79 4.1.1 Authority ID Data . . . . . . . . . . . . . . . . . . 18 80 4.2 EAP-FAST TLV Format and Support . . . . . . . . . . . . . 19 81 4.2.1 General TLV Format . . . . . . . . . . . . . . . . . . 20 82 4.2.2 Result TLV . . . . . . . . . . . . . . . . . . . . . . 21 83 4.2.3 NAK TLV . . . . . . . . . . . . . . . . . . . . . . . 22 84 4.2.4 Error TLV . . . . . . . . . . . . . . . . . . . . . . 23 85 4.2.5 Vendor-Specific TLV . . . . . . . . . . . . . . . . . 24 86 4.2.6 EAP-Payload TLV . . . . . . . . . . . . . . . . . . . 25 87 4.2.7 Intermediate-Result TLV . . . . . . . . . . . . . . . 26 88 4.2.8 Crypto-Binding TLV . . . . . . . . . . . . . . . . . . 27 89 4.2.9 Request-Action TLV . . . . . . . . . . . . . . . . . . 29 90 4.3 Table of TLVs . . . . . . . . . . . . . . . . . . . . . . 30 91 5. Cryptographic Calculations . . . . . . . . . . . . . . . . . . 31 92 5.1 EAP-FAST Authentication Phase 1: Key Derivations . . . . . 31 93 5.2 Intermediate Compound Key Derivations . . . . . . . . . . 32 94 5.3 Computing the Compound MAC . . . . . . . . . . . . . . . . 33 95 5.4 EAP Master Session Key Generation . . . . . . . . . . . . 33 96 5.5 T-PRF . . . . . . . . . . . . . . . . . . . . . . . . . . 34 97 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 98 7. Security Considerations . . . . . . . . . . . . . . . . . . . 35 99 7.1 Mutual Authentication and Integrity Protection . . . . . . 36 100 7.2 Method Negotiation . . . . . . . . . . . . . . . . . . . . 36 101 7.3 Separation of Phase 1 and Phase 2 Servers . . . . . . . . 37 102 7.4 Mitigation of Known Vulnerabilities and Protocol 103 Deficiencies . . . . . . . . . . . . . . . . . . . . . . . 37 104 7.4.1 User Identity Protection and Verification . . . . . . 38 105 7.4.2 Dictionary Attack Resistance . . . . . . . . . . . . . 39 106 7.4.3 Protection against man-in-the-middle Attacks . . . . . 39 107 7.4.4 PAC binding to User Identity . . . . . . . . . . . . . 39 108 7.5 Protecting against Forged Clear Text EAP Packets . . . . . 39 109 7.6 Server Certificate Validation . . . . . . . . . . . . . . 40 110 7.7 Security Claims . . . . . . . . . . . . . . . . . . . . . 40 111 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 41 112 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 113 9.1 Normative References . . . . . . . . . . . . . . . . . . . 41 114 9.2 Informative References . . . . . . . . . . . . . . . . . . 42 115 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 43 116 A. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 117 A.1 Successful Authentication . . . . . . . . . . . . . . . . 43 118 A.2 Failed Authentication . . . . . . . . . . . . . . . . . . 45 119 A.3 Full TLS Handshake using Certificate-based Cipher Suite . 46 120 A.4 Client authentication during Phase 1 with identity 121 privacy . . . . . . . . . . . . . . . . . . . . . . . . . 48 122 A.5 Fragmentation and Reassembly . . . . . . . . . . . . . . . 49 123 A.6 Sequence of EAP Methods . . . . . . . . . . . . . . . . . 51 124 A.7 Failed Crypto-binding . . . . . . . . . . . . . . . . . . 54 125 A.8 Sequence of EAP Method with Vendor-Specific TLV 126 Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 55 127 B. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 57 128 B.1 Key Derivation . . . . . . . . . . . . . . . . . . . . . . 57 129 B.2 Crypto-Binding MIC . . . . . . . . . . . . . . . . . . . . 59 130 Intellectual Property and Copyright Statements . . . . . . . . 60 132 1. Introduction 134 Network access solutions requiring user friendly and easily 135 deployable secure authentication mechanisms highlight the need for 136 strong mutual authentication protocols that enable the of use weaker 137 user credentials. This document defines an Extensible Authentication 138 Protocol (EAP) which consists of establishing a Transport Layer 139 Security (TLS) tunnel as defined in [RFC2246] or [RFC4346] and then 140 exchanging data in the form of type, length, value objects (TLV) to 141 perform further authentication. EAP-FAST supports the TLS extension 142 defined in [RFC4507] to support fast re-establishment of the secure 143 tunnel without having to maintain per-session state on the server. 144 [I-D.cam-winget-eap-fast-provisioning] defines EAP-FAST based 145 mechanisms to provision the credential for this extension which is 146 called a Protected Access Credential (PAC). 148 EAP-FAST's design motivations included: 150 o Mutual Authentication: an EAP Server must be able to verify the 151 identity and authenticity of the peer, and the peer must be able 152 to verify the authenticity of the EAP server. 154 o Immunity to passive dictionary attacks: many authentication 155 protocols require a password to be explicitly provided (either as 156 cleartext or hashed) by the peer to the EAP server; at minimum, 157 the communication of the weak credential (e.g. password) must be 158 immune from eavesdropping. 160 o Immunity to man-in-the-middle (MitM) attacks: in establishing a 161 mutually authenticated protected tunnel, the protocol must prevent 162 adversaries from successfully interjecting information into the 163 conversation between the peer and the EAP server. 165 o Flexibility to enable support for most password authentication 166 interfaces: as many different password interfaces (e.g. MSCHAP, 167 LDAP, OTP, etc) exist to authenticate a peer, the protocol must 168 provide this support seamlessly. 170 o Efficiency: specifically when using wireless media, peers will be 171 limited in computational and power resources. The protocol must 172 enable the network access communication to be computationally 173 lightweight. 175 With these motivational goals defined, further secondary design 176 criteria are imposed: 178 o Flexibility to extend the communications inside the tunnel: with 179 the growing complexity in network infrastructures the need to gain 180 authentication, authorization and accounting is also evolving. 181 For instance, there may be instances in which multiple existing 182 authentication protocols are required to achieve mutual 183 authentication. Similarly, different protected conversations may 184 be required to achieve the proper authorization once a peer has 185 successfully authenticated. 187 o Minimize the authentication server's per user authentication state 188 requirements: with large deployments, it is typical to have many 189 servers acting as the authentication servers for many peers. It 190 is also highly desirable for a peer to use the same shared secret 191 to secure a tunnel much the same way it uses the username and 192 password to gain access to the network. The protocol must 193 facilitate the use of a single strong shared secret by the peer 194 while enabling the servers to minimize the per user and device 195 state it must cache and manage. 197 1.1 Specification Requirements 199 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 200 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 201 document are to be interpreted as described in [RFC2119] . 203 1.2 Terminology 205 Much of the terminology in this document comes from [RFC3748]. 206 Additional terms are defined below: 208 Protected Access Credential (PAC) 210 Credentials distributed to a peer for future optimized network 211 authentication. The PAC consists of at most three components: a 212 shared secret, an opaque element and optionally other information. 213 The shared secret component contains the pre-shared key between 214 the peer and the authentication server. The opaque part is 215 provided to the peer and is presented to the authentication server 216 when the peer wishes to obtain access to network resources. 217 Finally, a PAC may optionally include other information that may 218 be useful to the peer. The opaque part of the PAC is the same 219 type of data as the ticket in [RFC4507] and the shared secret is 220 used to derive the TLS master secret. 222 2. Protocol Overview 224 EAP-FAST is an authentication protocol similar to EAP-TLS [RFC2716] 225 that enables mutual authentication and cryptographic context 226 establishment by using the TLS handshake protocol. EAP-FAST allows 227 for the established TLS tunnel to be used for further authentication 228 exchanges. EAP-FAST makes use of TLVs to carry out the inner 229 authentication exchanges. The tunnel is then used to protect weaker 230 inner authentication methods, which may be based on passwords, and to 231 communicate the results of the authentication. 233 EAP-FAST makes use of the TLS enhancements in [RFC4507] to enable an 234 optimized TLS tunnel session resume while minimizing server state. 235 The secret key used in EAP-FAST is referred to as the Protected 236 Access Credential key (or PAC-Key); the PAC-Key is used to mutually 237 authenticate the peer and the server when securing a tunnel. The 238 ticket is referred to as the Protected Access Credential opaque data 239 (or PAC-Opaque). The secret key and ticket used to establish the 240 tunnel may be provisioned through mechanisms that do not involve the 241 TLS handshake. It is RECOMMENDED that implementations support the 242 capability to distribute the ticket and secret key within the EAP- 243 FAST tunnel as specified in [I-D.cam-winget-eap-fast-provisioning]. 245 The EAP-FAST conversation is used to establish or resume an existing 246 session to typically establish network connectivity between a peer 247 and the network. Upon successful execution of EAP-FAST both EAP Peer 248 and EAP Server derive strong session key material which can then be 249 communicated to the network access server (NAS) for use in 250 establishing a link layer security association. 252 2.1 Architectural Model 254 The network architectural model for EAP-FAST usage is shown below: 256 +----------+ +----------+ +----------+ +----------+ 257 | | | | | | | Inner | 258 | Peer |<---->| Authen- |<---->| EAP-FAST |<---->| Method | 259 | | | ticator | | server | | server | 260 | | | | | | | | 261 +----------+ +----------+ +----------+ +----------+ 263 The entities depicted above are logical entities and may or may not 264 correspond to separate network components. For example, the EAP-FAST 265 server and inner method server might be a single entity; the 266 authenticator and EAP-FAST server might be a single entity; or, the 267 functions of the authenticator, EAP-FAST server and inner method 268 server might be combined into a single physical device. For example, 269 typical 802.11 deployments place the Authenticator in an access point 270 (AP) while a Radius Server may provide the EAP-FAST and inner method 271 server components. The above diagram illustrates the division of 272 labor among entities in a general manner and shows how a distributed 273 system might be constructed; however, actual systems might be 274 realized more simply. The security considerations Section 7.3 275 provides an additional discussion of the implications of separating 276 EAP-FAST server from the inner method server. 278 2.2 Protocol Layering Model 280 EAP-FAST packets are encapsulated within EAP, and EAP in turn, 281 requires a carrier protocol for transport. EAP-FAST packets 282 encapsulate TLS, which is then used to encapsulate user 283 authentication information. Thus, EAP-FAST messaging can be 284 described using a layered model, where each layer encapsulates the 285 layer beneath it. The following diagram clarifies the relationship 286 between protocols: 288 +---------------------------------------------------------------+ 289 | Inner EAP Method | Other TLV information | 290 |---------------------------------------------------------------| 291 | TLV Encapsulation (TLVs) | 292 |---------------------------------------------------------------| 293 | TLS | 294 |---------------------------------------------------------------| 295 | EAP-FAST | 296 |---------------------------------------------------------------| 297 | EAP | 298 |---------------------------------------------------------------| 299 | Carrier Protocol (EAPOL, RADIUS, Diameter, etc.) | 300 +---------------------------------------------------------------+ 302 The TLV layer is a payload with Type-Length-Value (TLV) Objects 303 defined in Section 4.2. The TLV objects are used to carry arbitrary 304 parameters between an EAP peer and an EAP server. All conversations 305 in the EAP-FAST protected tunnel must be encapsulated in a TLV layer. 307 Methods for encapsulating EAP within carrier protocols are already 308 defined. For example, IEEE 802.1X [IEEE.802-1X.2004] may be used to 309 transport EAP between the peer and the authenticator; RADIUS 310 [RFC3579] or Diameter [RFC4072] may be used to transport EAP between 311 the authenticator and the EAP-FAST server. 313 3. EAP-FAST Protocol 315 EAP-FAST authentication occurs in two phases. In the first phase, 316 EAP-FAST employs the TLS handshake to provide an authenticated key 317 exchange and to establish a protected tunnel. Once the tunnel is 318 established the second phase begins with the peer and server engaging 319 in further conversations to establish the required authentication and 320 authorization policies. The operation of the protocol including 321 phase 1 and phase 2 are the topic of this section. The format of 322 EAP-FAST messages is given in Section 4 and the cryptographic 323 calculations are given in Section 5. 325 3.1 Version Negotiation 327 EAP-FAST packets contain a three bit version field, following the TLS 328 Flags field, which enables EAP-FAST implementations to be backward 329 compatible with previous versions of the protocol. This 330 specification documents the EAP-FAST version 1 protocol; 331 implementations of this specification MUST use a version field set to 332 1. 334 Version negotiation proceeds as follows: 336 In the first EAP-Request sent with EAP type=EAP-FAST, the EAP 337 server must set the version field to the highest supported version 338 number. 340 If the EAP peer supports this version of the protocol, it MUST 341 respond with an EAP-Response of EAP type=EAP-FAST, and the version 342 number proposed by the EAP-FAST server. 344 If the EAP-FAST peer does not support this version, it responds 345 with an EAP-Response of EAP type=EAP-FAST and the highest 346 supported version number. 348 If the EAP-FAST server does not support the version number 349 proposed by the EAP-FAST peer, it terminates the conversation. 350 Otherwise the EAP-FAST conversation continues. 352 The version negotiation procedure guarantees that the EAP-FAST peer 353 and server will agree to the latest version supported by both 354 parties. If version negotiation fails, then use of EAP-FAST will not 355 be possible, and another mutually acceptable EAP method will need to 356 be negotiated if authentication is to proceed. 358 The EAP-FAST version is not protected by TLS; and hence can be 359 modified in transit. In order to detect modification of EAP-FAST 360 version, the peers MUST exchange the EAP-FAST version number received 361 during version negotiation using the Crypto-Binding TLV described in 362 Section 4.2.8. The receiver of the Crypto-Binding TLV MUST verify 363 that the version received in the Crypto-Binding TLV matches the 364 version sent by the receiver in the EAP-FAST version negotiation. 366 3.2 EAP-FAST Authentication Phase 1: Tunnel Establishment 368 EAP-FAST is based on TLS handshake [RFC2246] to establish an 369 authenticated and protected tunnel. The TLS version offered by the 370 peer and server MUST be TLS v1.0 or later. This version of the EAP- 371 FAST implementation MUST support the following TLS ciphersuites: 373 TLS_RSA_WITH_RC4_128_SHA 374 TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268] 375 TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC3268] 377 Other ciphersuites MAY be supported. It is RECOMMENDED that 378 anonymous ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA only 379 be used in the context of the provisioning described in [I-D.cam- 380 winget-eap-fast-provisioning]. During the EAP-FAST Phase 1 381 conversation the EAP-FAST endpoints MAY negotiate TLS compression. 383 The EAP server initiates the EAP-FAST conversation with an EAP 384 request containing an EAP-FAST/Start packet. This packet includes a 385 set Start (S) bit, the EAP-FAST version as specified in Section 3.1, 386 and an authority identity. The TLS payload in the initial packet is 387 empty. The authority identity (A-ID) is used to provide the peer a 388 hint of the server's identity which may be useful in helping the peer 389 select the appropriate credential to use. Assuming that the peer 390 supports EAP-FAST the conversation continues with the peer sending an 391 EAP-Response packet with EAP type of EAP-FAST with the start (s) bit 392 clear and the version as specified in Section 3.1. This message 393 encapsulates one or more TLS records containing the TLS handshake 394 messages. If the EAP-FAST version negotiation is successful then the 395 EAP-FAST conversation continues until the EAP server and EAP peer are 396 ready to enter phase 2. When the full TLS handshake is performed, 397 then the first payload of EAP-FAST Phase 2 MAY be sent along with 398 server finished handshake message to reduce the number of round 399 trips. 401 After the TLS session is established, another EAP exchange MAY occur 402 within the tunnel to authenticate the EAP peer. EAP-FAST 403 implementations MUST support client authentication during tunnel 404 establishment using the specified TLS ciphersuites specified in 405 Section 3.2. EAP-FAST implementations SHOULD also support the 406 immediate re-negotiation of a TLS session to initiate a new handshake 407 message exchange under the protection of the current ciphersuite. 408 This allows support for protection of the peer's identity. Note that 409 the EAP peer does not need to authenticate as part of the TLS 410 exchange, but can alternatively be authenticated through additional 411 EAP exchanges carried out in phase 2. 413 The EAP-FAST tunnel protects peer identity information from 414 disclosure outside the tunnel. Implementations that wish to provide 415 identity privacy for the peer identity must carefully consider what 416 information is disclosed outside the tunnel. 418 The following sections describe resuming a TLS session based on 419 server side or client side state. 421 3.2.1 TLS Session Resume using Server State 423 EAP-FAST session resumption is achieved in the same manner TLS 424 achieves session resume. To support session resumption, the server 425 and peer must minimally cache the Session ID, master secret and 426 ciphersuite. The peer attempts to resume a session by including a 427 valid Session ID from a previous handshake in its ClientHello 428 message. If the server finds a match for the Session ID and is 429 willing to establish a new connection using the specified session 430 state, the server will respond with the same session ID and proceed 431 with the EAP-FAST Authentication Phase 1 tunnel establishment based 432 on a TLS abbreviated handshake. After a successful conclusion of the 433 EAP-FAST Authentication Phase 1 conversation, the conversation then 434 continues on to phase 2. 436 3.2.2 TLS Session Resume Using a PAC 438 EAP-FAST supports the resumption of sessions based on client side 439 state using techniques described in [RFC4507]. This version of EAP- 440 FAST does not support the provisioning of a ticket through the use of 441 the SessionTicket handshake message. Instead it supports the 442 provisioning of a ticket called a Protected Access Credential (PAC) 443 as described in [I-D.cam-winget-eap-fast-provisioning]. 444 Implementations may provide additional ways to provision the PAC, 445 such as manual configuration. Since the PAC mentioned here is used 446 for establishing the TLS Tunnel, it is more specifically referred to 447 as the Tunnel PAC. The Tunnel PAC is a security credential provided 448 by the EAP server to a peer and comprised of: 450 1. PAC-Key: this is a 32-octet key used by the peer to establish the 451 EAP-FAST Phase 1 tunnel. This key is used to derive the TLS 452 premaster secret as described in Section 5.1. The PAC-Key is 453 randomly generated by the EAP Server to produce a strong entropy 454 32-octet key. The PAC-Key is a secret and MUST be treated 455 accordingly. For example a PAC-Key must be delivered protected 456 by a secure channel and stored securely. 458 2. PAC-Opaque: this is a variable length field that is sent to the 459 EAP Server during the EAP-FAST Phase 1 tunnel establishment. The 460 PAC-Opaque can only be interpreted by the EAP Server to recover 461 the required information for the server to validate the peer's 462 identity and authentication. For example, the PAC-Opaque 463 includes the PAC-Key and may contain the PAC's peer identity. 464 The PAC-Opaque format and contents are specific to the PAC 465 issuing server. The PAC-Opaque may be presented in the clear, so 466 an attacker MUST NOT be able to gain useful information from the 467 PAC-Opaque itself. The server issuing the PAC-Opaque must ensure 468 it is protected with strong cryptographic keys and algorithms. 470 3. PAC-Info: this is a variable length field used to provide at 471 minimum, the authority identity of PAC issuer. Other useful but 472 not mandatory information, such as the PAC-Key lifetime, may also 473 be conveyed by the PAC issuing server to the peer during PAC 474 provisioning or refreshment. 476 The use of the PAC is based on the SessionTicket extension defined in 477 [RFC4507]. The EAP Server initiates the EAP-FAST conversation as 478 normal. Upon receiving the A-ID from the server the peer checks to 479 see if it has an existing valid PAC-Key and PAC-Opaque for the 480 server. If it does then it obtains the PAC-Opaque and puts it in the 481 SessionTicket extension in the ClientHello. It is RECOMMENDED in 482 EAP-FAST that the peer include an empty session ID in a ClientHello 483 containing a PAC-Opaque. EAP-FAST does not currently support the 484 SessionTicket Handshake message so an empty SessionTicket extension 485 MUST NOT be included in the ClientHello. If the PAC-Opaque included 486 in SessionTicket extension is valid and EAP server permits the 487 abbreviated TLS handshake, it will select the ciphersuite allowed to 488 be used from information within the PAC and finish with the 489 abbreviated TLS handshake. If the server receives a Session ID and a 490 PAC-Opaque in the SessionTicket extension in a ClientHello it should 491 place the same Session ID in the ServerHello if it is resuming a 492 session based on the PAC-Opaque. The conversation then proceeds as 493 described in [RFC4507] until the handshake completes or a fatal error 494 occurs. After the abbreviated handshake completes the peer and 495 server are ready to commence phase 2. Note that when a PAC is used 496 the TLS master secret is calculated from the PAC-Key, client random 497 and server random as described in Section 5.1. 499 3.2.3 Transition between Abbreviated and Full TLS Handshake 501 If session resumption based on server side or client side state fails 502 the server can gracefully fall back to a full TLS handshake. If the 503 ServerHello received by the peer contains a empty Session ID or a 504 Session ID that is different than in the ClientHello the server may 505 be falling back to a full handshake. The peer can distinguish 506 Server's intent of negotiating full or abbreviated TLS handshake by 507 checking the next TLS handshake messages in the server response to 508 ClientHello. If ChangeCipherSpec follows the ServerHello in response 509 to the ClientHello, then the Server has accepted the session 510 resumption and intends to negotiate the abbreviated handshake. 511 Otherwise, the Server intends to negotiate the full TLS handshake. A 512 peer can request for a new PAC to be provisioned after the full TLS 513 handshake and mutual authentication of the peer and the server. In 514 order to facilitate the fall back to a full handshake the peer SHOULD 515 include ciphersuites that allow for a full handshake and possibly PAC 516 provisioning so the server can select one of this in case session 517 resumption fails. An example of the transition is shown in 518 Appendix A. 520 3.3 EAP-FAST Authentication Phase 2: Tunneled Authentication 522 The second portion of the EAP-FAST Authentication occurs immediately 523 after successful completion of phase 1. Phase 2 occurs even if both 524 peer and authenticator are authenticated in the phase 1 TLS 525 negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake 526 fails. Phase 2 consists of a series of requests and responses 527 encapsulated in TLV objects defined in Section 4.2. Phase 2 MUST 528 always end with a protected termination exchange described in 529 Section 3.3.2. The TLV exchange may include the execution of zero or 530 more EAP methods within the protected tunnel as described in 531 Section 3.3.1. A server MAY proceed directly to the protected 532 termination exchange if it does not wish to request further 533 authentication from the peer. However, the peer and server must not 534 assume that either will skip inner EAP methods or other TLV 535 exchanges. The peer may have roamed to a network which requires 536 conformance with a different authentication policy or the peer may 537 request the server take additional action through the use of the 538 Request-Action TLV. 540 3.3.1 EAP Sequences 542 EAP [RFC3748] prohibits use of multiple authentication methods within 543 a single EAP conversation in order to limit vulnerabilities to man- 544 in-the-middle attacks. EAP-FAST addresses man-in-the-middle attacks 545 through support for cryptographic protection of the inner EAP 546 exchange and cryptographic binding of the inner authentication 547 method(s) to the protected tunnel. EAP methods are executed serially 548 in a sequence. This version of EAP-FAST does not support initiating 549 multiple EAP methods simultaneously in parallel. The methods need 550 not be distinct. For example, EAP-TLS could be run twice as an inner 551 method, first using machine credentials followed by a second instance 552 using user credentials. 554 EAP method messages are carried within EAP-Payload TLVs defined in 555 Section 4.2.6. If more than one method is going to be executed in 556 the tunnel then upon method completion of a method a server MUST send 557 an Intermediate-Result TLV indicating the result. The peer MUST 558 respond to the Intermediate-Result TLV indicating its result. If the 559 result indicates success the Intermediate-Result TLV MUST be 560 accompanied by a Crypto-Binding TLV. The Crypto-Binding TLV is 561 further discussed in Section 4.2.8 and Section 5.3. The 562 Intermediate-Result TLVs can be included with other TLVs such as EAP- 563 Payload TLVs starting a new EAP conversation or with the Result TLV 564 used in the protected termination exchange. In the case of only one 565 EAP method is executed in the tunnel, the Intermediate-Result TLV 566 MUST NOT be sent with the Result TLV. In this case, the status of 567 the inner EAP method is represented by the final Result TLV, which 568 also represents the result of the whole EAP-FAST conversation. This 569 is to maintain backward compatibility with existing implementations. 571 If both peer and server indicate success then the method is 572 considered complete. If either indicates failure then the method is 573 considered failed. The result of failure of a EAP method does not 574 always imply a failure of the overall authentication. If one 575 authentication method fails the server may attempt to authenticate 576 the peer with a different method. 578 3.3.2 Protected Termination and Acknowledged Result Indication 580 A successful EAP-FAST phase 2 conversation MUST always end in a 581 successful Result TLV exchange. An EAP-FAST server may initiate the 582 Result TLV exchange without initiating any EAP conversation in EAP- 583 FAST Phase 2. After the final Result TLV exchange the TLS tunnel is 584 terminated and a clear text EAP-Success or EAP-Failure is sent by the 585 server. The format of the Result TLV is described in Section 4.2.2. 587 A server initiates a successful protected termination exchange by 588 sending a Result TLV indicating success. The server may send the 589 Result TLV along with an Intermediate-Result TLV and a Crypto-Binding 590 TLV. If the peer requires nothing more from the server it will 591 respond with a Result TLV indicating success accompanied by an 592 Intermediate-Result TLV and Crypto-Binding TLV if necessary. The 593 server then tears down the tunnel and sends a clear text EAP-Success. 595 If the peer receives a Result TLV indicating success from the server, 596 but its authentication policies are not satisfied (for example it 597 requires a particular authentication mechanism be run or it wants to 598 request a PAC) it may request further action from the server using 599 the Request-Action TLV. The Request-Action TLV is sent along with 600 the Result TLV indicating what EAP Success/Failure result peer would 601 expect if the requested action is not granted. The value of the 602 Request-Action TLV indicates what the peer would like to do next. 603 The format and values for the Request-Action TLV are defined in 604 Section 4.2.9. 606 Upon receiving the Request-Action TLV the server may process the 607 request or ignore it, based on its policy. If the server ignores the 608 request, it proceeds with termination of the tunnel and send the 609 clear text EAP Success or Failure message based on the value of the 610 peer's result TLV. If server honors and processes the request, it 611 continues with the requested action. The conversation completes with 612 a Result TLV exchange. The Result TLV may be included with the TLV 613 that completes the requested action. 615 Error handling for phase 2 is discussed in Section 3.4.2. 617 3.4 Error Handling 619 EAP-FAST uses the following error handling rules summarized below: 621 1. Errors in TLS layer are communicated via TLS alert messages in 622 all phases of EAP-FAST. 623 2. The Intermediate-Result TLVs indicate success or failure 624 indications of the individual EAP methods in EAP-FAST Phase 2. 625 Errors within the EAP conversation in Phase 2 are expected to be 626 handled by individual EAP methods. 627 3. Violations of the TLV rules are handled using Result TLVs 628 together with Error TLVs. 629 4. Tunnel compromised errors (errors caused by Crypto-Binding failed 630 or missing) are handled using Result TLVs and Error TLVs. 632 3.4.1 TLS Layer Errors 634 If the EAP-FAST server detects an error at any point in the TLS 635 Handshake or the TLS layer, the server SHOULD send an EAP-FAST 636 request encapsulating a TLS record containing the appropriate TLS 637 alert message rather than immediately terminating the conversation so 638 as to allow the peer to inform the user of the cause of the failure 639 and possibly allow for a restart of the conversation. The peer MUST 640 send an EAP-FAST response to an alert message. The EAP-Response 641 packet sent by the peer may encapsulate a TLS ClientHello handshake 642 message, in which case the EAP-FAST server MAY allow the EAP-FAST 643 conversation to be restarted, or it MAY contain an EAP-FAST response 644 with a zero length message, in which case the server MUST terminate 645 the conversation with an EAP-Failure packet. It is up to the EAP- 646 FAST server whether to allow restarts, and if so, how many times the 647 conversation can be restarted. An EAP-FAST Server implementing 648 restart capability SHOULD impose a limit on the number of restarts, 649 so as to protect against denial of service attacks. 651 If the EAP-FAST peer detects an error at any point in the TLS layer, 652 the EAP-FAST peer should send an EAP-FAST response encapsulating a 653 TLS record containing the appropriate TLS alert message. The server 654 may restart the conversation by sending an EAP-FAST request packet 655 encapsulating the TLS HelloRequest handshake message. The peer may 656 allow the EAP-FAST conversation to be restarted or it may terminate 657 the conversation by sending an EAP-FAST response with an zero length 658 message. 660 3.4.2 Phase 2 Errors 662 Any time the peer or the server finds a fatal error outside of the 663 TLS layer during phase 2 TLV processing it MUST send a Result TLV of 664 failure and an Error TLV with the appropriate error code. For errors 665 involving the processing the sequence of exchanges, such as a 666 violation of TLV rules (e.g., multiple EAP-Payload TLVs) the error 667 code is Unexpected_TLVs_Exchanged. For errors involving a tunnel 668 compromise the error-code is Tunnel_Compromise_Error. Upon sending a 669 Result TLV with a fatal Error TLV the sender terminates the TLS 670 tunnel. Note that a server will still wait for a message from the 671 peer after it sends a failure, however the server does not need to 672 process the contents of the response message. 674 If a server receives a Result TLV of failure with a fatal Error TLV 675 it SHOULD send a clear text EAP-Failure. If a peer receives a Result 676 TLV of failure it MUST respond with a Result TLV indicating failure. 677 If the server has sent a Result TLV of failure it ignores the peer 678 response and it SHOULD send a clear text EAP-Failure. 680 3.5 Fragmentation 682 A single TLS record may be up to 16384 octets in length, but a TLS 683 message may span multiple TLS records, and a TLS certificate message 684 may in principle be as long as 16MB. This is larger than the maximum 685 size for a message on most media types, therefore it is desirable to 686 support fragmentation. Note that in order to protect against 687 reassembly lockup and denial of service attacks, it may be desirable 688 for an implementation to set a maximum size for one such group of TLS 689 messages. Since a typical certificate chain is rarely longer than a 690 few thousand octets, and no other field is likely to be anywhere near 691 as long, a reasonable choice of maximum acceptable message length 692 might be 64 KB. This is still a fairly large message packet size so 693 an EAP-FAST implementation MUST provide its own support for 694 fragmentation and reassembly. 696 Since EAP is an lock-step protocol, fragmentation support can be 697 added in a simple manner. In EAP, fragments that are lost or damaged 698 in transit will be retransmitted, and since sequencing information is 699 provided by the Identifier field in EAP, there is no need for a 700 fragment offset field. 702 EAP-FAST fragmentation support is provided through addition of flag 703 bits within the EAP-Response and EAP-Request packets, as well as a 704 TLS Message Length field of four octets. Flags include the Length 705 included (L), More fragments (M), and EAP-FAST Start (S) bits. The L 706 flag is set to indicate the presence of the four octet TLS Message 707 Length field, and MUST be set for the first fragment of a fragmented 708 TLS message or set of messages. The M flag is set on all but the 709 last fragment. The S flag is set only within the EAP-FAST start 710 message sent from the EAP server to the peer. The TLS Message Length 711 field is four octets, and provides the total length of the TLS 712 message or set of messages that is being fragmented; this simplifies 713 buffer allocation. 715 When an EAP-FAST peer receives an EAP-Request packet with the M bit 716 set, it MUST respond with an EAP-Response with EAP-Type of EAP-FAST 717 and no data. This serves as a fragment ACK. The EAP server must 718 wait until it receives the EAP-Response before sending another 719 fragment. In order to prevent errors in processing of fragments, the 720 EAP server MUST increment the Identifier field for each fragment 721 contained within an EAP-Request, and the peer must include this 722 Identifier value in the fragment ACK contained within the EAP- 723 Response. Retransmitted fragments will contain the same Identifier 724 value. 726 Similarly, when the EAP-FAST server receives an EAP-Response with the 727 M bit set, it must respond with an EAP-Request with EAP-Type of EAP- 728 FAST and no data. This serves as a fragment ACK. The EAP peer MUST 729 wait until it receives the EAP-Request before sending another 730 fragment. In order to prevent errors in the processing of fragments, 731 the EAP server MUST increment the Identifier value for each fragment 732 ACK contained within an EAP-Request, and the peer MUST include this 733 Identifier value in the subsequent fragment contained within an EAP- 734 Response. 736 4. Message Formats 738 The following sections describe the message formats used in EAP-FAST. 739 The fields are transmitted from left to right in network byte order. 741 4.1 EAP-FAST Message Format 743 A summary of the EAP-FAST Request/Response packet format is shown 744 below. 746 0 1 2 3 747 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 748 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 749 | Code | Identifier | Length | 750 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 751 | Type | Flags | Ver | Message Length + 752 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 753 | Message Length | Data... + 754 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 756 Code 758 The code field is one octet in length defined as follows: 760 1 Request 761 2 Response 763 Identifier 765 The Identifier field is one octet and aids in matching 766 responses with requests. The Identifier field MUST be changed 767 on each Request packet. The Identifier field in the Response 768 packet MUST match the Identifier field from the corresponding 769 request. 771 Length 773 The Length field is two octets and indicates the length of the 774 EAP packet including the Code, Identifier, Length, Type, Flags, 775 Ver, Message Length and Data fields. Octets outside the range 776 of the Length field should be treated as Data Link Layer 777 padding and should be ignored on reception. 779 Type 781 43 for EAP-FAST 783 Flags 785 0 1 2 3 4 786 +-+-+-+-+-+ 787 |L M S R R| 788 +-+-+-+-+-+ 789 L Length included 790 M More fragments 791 S EAP-FAST start 792 R Reserved (must be zero) 794 L bit (length included) is set to indicate the presence of 795 the four octet Message Length field, and MUST be set for the 796 first fragment of a fragmented TLS message or set of 797 messages. The M bit (more fragments) is set on all but the 798 last fragment. The S bit (EAP-FAST Start) is set in an EAP- 799 FAST Start message. 801 Ver 803 This field contains the version of the protocol. This document 804 describes version 1 (001 in binary) of EAP-FAST. 806 Message Length 808 The Message Length field is four octets, and is present only if 809 the L bit is set. This field provides the total length of the 810 message that may be fragmented over the data fields of multiple 811 packets. 813 Data 815 In the case of a EAP-FAST Start request (i.e. when the S bit is 816 set) the Data field consists of the A-ID described in 817 Section 4.1.1. In other cases when the Data field is present 818 it consists of an encapsulated TLS packet in TLS record format. 819 An EAP-FAST packet with Flags and Version fields but with zero 820 length data field to used to indicate EAP-FAST acknowledgement 821 for either a fragmented message, a TLS Alert message or a TLS 822 Finished message. 824 4.1.1 Authority ID Data 826 0 1 2 3 827 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 828 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 829 | Type (0x04) | Length | 830 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 831 | ID 832 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 833 Type 835 The type field is two octets. It is set to 0x0004 for 836 Authority ID 838 Length 840 The Length filed is two octets, which contains the length of 841 the ID field in octets. 843 ID 845 Hint of the identity of the server. It should be unique across 846 the deployment. 848 4.2 EAP-FAST TLV Format and Support 850 The TLVs defined here are standard Type-Length-Value (TLV) objects. 851 The TLV objects could be used to carry arbitrary parameters between 852 EAP peer and EAP server within the protected TLS tunnel. 854 The EAP peer may not necessarily implement all the TLVs supported by 855 the EAP server. To allow for interoperability, TLVs are designed to 856 allow an EAP server to discover if a TLV is supported by the EAP 857 peer, using the NAK TLV. The mandatory bit in a TLV indicates 858 whether support of the TLV is required. If the peer or server does 859 not support a TLV marked mandatory, then it MUST send a NAK TLV in 860 the response, and all the other TLVs in the message MUST be ignored. 861 If an EAP peer or server finds an unsupported TLV which is marked as 862 optional, it can ignore the unsupported TLV. It MUST NOT send an NAK 863 TLV for a TLV that is not marked mandatory. 865 Note that a peer or server may support a TLV with the mandatory bit 866 set, but may not understand the contents. The appropriate response 867 to a supported TLV with content that is not understood is defined by 868 the individual TLV specification. 870 EAP implementations compliant with this specification MUST support 871 TLV exchanges, as well as processing of mandatory/optional settings 872 on the TLV. Implementations conforming to this specification MUST 873 support the following TLVs: 875 Result TLV 876 NAK TLV 877 Error TLV 878 EAP-Payload TLV 879 Intermediate-Result TLV 880 Crypto-Binding TLV 881 Request-Action TLV 883 4.2.1 General TLV Format 885 TLVs are defined as described below. The fields are transmitted from 886 left to right. 888 0 1 2 3 889 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 890 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 891 |M|R| TLV Type | Length | 892 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 893 | Value... 894 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 896 M 898 0 Optional TLV 899 1 Mandatory TLV 901 R 903 Reserved, set to zero (0) 905 TLV Type 907 A 14-bit field, denoting the TLV type. Allocated Types 908 include: 910 0 Reserved 911 1 Reserved 912 2 Reserved 913 3 Result TLV 914 4 NAK TLV 915 5 Error TLV 916 7 Vendor-Specific TLV 917 9 EAP-Payload TLV 918 10 Intermediate-Result TLV 919 11 PAC TLV [I-D.cam-winget-eap-fast-provisioning] 920 12 Crypto-Binding TLV 921 18 Server-Trusted-Root TLV [I-D.cam-winget-eap-fast- 922 provisioning] 923 19 Request-Action TLV 924 20 PKCS#7 TLV [I-D.cam-winget-eap-fast-provisioning] 926 Length 928 The length of the Value field in octets. 930 Value 932 The value of the TLV. 934 4.2.2 Result TLV 936 The Result TLV provides support for acknowledged success and failure 937 messages for protected termination within EAP-FAST. If the Status 938 field does not contain one of the known values, then the peer or EAP 939 server MUST treat this as a fatal error of Unexpected_TLVs_Exchanged. 940 The behavior of the Result TLV is further discussed in Section 3.3.2 941 and Section 3.4.2. An Result TLV indicating failure MUST NOT be 942 accompanied by the following TLVs: NAK, EAP-Payload TLV, or Crypto- 943 Binding TLV. Result TLV is defined as follows: 945 0 1 2 3 946 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 947 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 948 |M|R| TLV Type | Length | 949 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 950 | Status | 951 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 953 M 955 Mandatory, set to one (1) 957 R 959 Reserved, set to zero (0) 961 TLV Type 963 3 for Result TLV 965 Length 967 2 969 Status 971 The Status field is two octets. Values include: 973 1 Success 974 2 Failure 976 4.2.3 NAK TLV 978 The NAK TLV allows a peer to detect TLVs that are not supported by 979 the other peer. An EAP-FAST packet can contain 0 or more NAK TLVs. 980 A NAK TLV should not be accompanied by other TLVs. A NAK TLV MUST 981 NOT be sent in response to a message containing a Result TLV, instead 982 a Result TLV of failure should be sent indicating failure and an 983 Error TLV of Unexpected_TLVs_Exchanged. The NAK TLV is defined as 984 follows: 986 0 1 2 3 987 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 988 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 989 |M|R| TLV Type | Length | 990 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 991 | Vendor-Id | 992 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 993 | NAK-Type | TLVs.... 994 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 996 M 998 Mandatory, set to one (1) 1000 R 1002 Reserved, set to zero (0) 1004 TLV Type 1006 4 for NAK TLV 1008 Length 1010 >=6 1012 Vendor-Id 1014 The Vendor-Id field is four octets, and contains the Vendor-Id 1015 of the TLV that was not supported. The high-order octet is 0 1016 and the low-order 3 octets are the SMI Network Management 1017 Private Enterprise Code of the Vendor in network byte order. 1018 The Vendor-Id field MUST be zero for TLVs that are not Vendor- 1019 Specific TLVs. 1021 NAK-Type 1023 The NAK-Type field is two octets. The field contains the Type 1024 of the TLV that was not supported. A TLV of this Type MUST 1025 have been included in the previous packet. 1027 TLVs 1029 This field contains a list of TLVs, each of which MUST NOT have 1030 the mandatory bit set. These optional TLVs are for future 1031 extensibility to communicate why the offending TLV was 1032 determined to be unsupported. 1034 4.2.4 Error TLV 1036 The Error TLV allows an EAP peer or server to indicate errors to the 1037 other party. An EAP-FAST packet can contain 0 or more Error TLVs. 1038 The Error-Code field describes the type of error. Error Codes 1-999 1039 represent successful outcomes (informative messages), 1000-1999 1040 represent warnings, and codes 2000-2999 represent fatal errors. A 1041 fatal Error TLV MUST be accompanied by a Result TLV indicating 1042 failure and the conversation must be terminated as described in 1043 Section 3.4.2. The Error TLV is defined as follows: 1045 0 1 2 3 1046 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1047 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1048 |M|R| TLV Type | Length | 1049 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1050 | Error-Code | 1051 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1052 M 1054 Mandatory, set to one (1) 1056 R 1058 Reserved, set to zero (0) 1060 TLV Type 1062 5 for Error TLV 1064 Length 1066 4 1068 Error-Code 1070 The Error-Code field is four octets. Currently defined values 1071 for Error-Code include: 1073 2001 Tunnel_Compromise_Error 1074 2002 Unexpected_TLVs_Exchanged 1076 4.2.5 Vendor-Specific TLV 1078 The Vendor-Specific TLV is available to allow vendors to support 1079 their own extended attributes not suitable for general usage. A 1080 Vendor-Specific TLV attribute can contain one or more TLVs, referred 1081 to as Vendor TLVs. The TLV-type of a Vendor-TLV is defined by the 1082 vendor. All the Vendor TLVs inside a single Vendor-Specific TLV 1083 belong to the same vendor. The can be multiple Vendor-Specific TLVs 1084 from different vendors in the same message. 1086 Vendor TLVs may be optional or mandatory. Vendor TLVs sent with 1087 Result TLVs MUST be marked as optional. 1089 The Vendor-Specific TLV is defined as follows: 1091 0 1 2 3 1092 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1093 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1094 |M|R| TLV Type | Length | 1095 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1096 | Vendor-Id | 1097 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1098 | Vendor TLVs.... 1100 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1102 M 1104 0 or 1 1106 R 1108 Reserved, set to zero (0) 1110 TLV Type 1112 7 for Vendor Specific TLV 1114 Length 1116 >=4 1118 Vendor-Id 1120 The Vendor-Id field is four octets, and contains the Vendor-Id 1121 of the TLV. The high-order octet is 0 and the low-order 3 1122 octets are the SMI Network Management Private Enterprise Code 1123 of the Vendor in network byte order. 1125 Vendor TLVs 1127 This field is of indefinite length. It contains vendor- 1128 specific TLVs, in a format defined by the vendor. 1130 4.2.6 EAP-Payload TLV 1132 To allow piggybacking EAP request and response with other TLVs, the 1133 EAP-Payload TLV is defined, which includes an encapsulated EAP packet 1134 and a list of optional TLVs. The optional TLVs are provided for 1135 future extensibility to provide hints about the current EAP 1136 authentication. Only one EAP-Payload TLV is allowed in a message. 1137 The EAP-Payload TLV is defined as follows: 1139 0 1 2 3 1140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1142 |M|R| TLV Type | Length | 1143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1144 | EAP packet... 1145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1146 | TLVs... 1148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1150 M 1152 Mandatory, set to (1) 1154 R 1156 Reserved, set to zero (0) 1158 TLV Type 1160 9 for EAP-Payload TLV 1162 Length 1164 >=0 1166 EAP packet 1168 This field contains a complete EAP packet, including the EAP 1169 header (Code, Identifier, Length, Type) fields. The length of 1170 this field is determined by the Length field of the 1171 encapsulated EAP packet. 1173 TLVs 1175 This (optional) field contains a list of TLVs associated with 1176 the EAP packet field. The TLVs MUST NOT have the mandatory bit 1177 set. The total length of this field is equal to the Length 1178 field of the EAP-Payload TLV, minus the Length field in the EAP 1179 header of the EAP packet field. 1181 4.2.7 Intermediate-Result TLV 1183 The Intermediate-Result TLV provides support for acknowledged 1184 intermediate Success and Failure messages between multiple inner EAP 1185 methods within EAP. An Intermediate-Result TLV indicating success 1186 MUST be accompanied by a Crypto-Binding TLV. The optional TLVs 1187 associated with this TLV are provided for future extensibility to 1188 provide hints about the current result. The Intermediate-Result TLV 1189 is defined as follows: 1191 0 1 2 3 1192 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1194 |M|R| TLV Type | Length | 1195 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1196 | Status | TLVs... 1197 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1199 M 1201 Mandatory, set to (1) 1203 R 1205 Reserved, set to zero (0) 1207 TLV Type 1209 10 for Intermediate-Result TLV 1211 Length 1213 >=2 1215 Status 1217 The Status field is two octets. Values include: 1219 1 Success 1220 2 Failure 1222 TLVs 1224 This (optional) field is of indeterminate length, and contains 1225 the TLVs associated with the Intermediate Result TLV. The TLVs 1226 in this field MUST NOT have the mandatory bit set. 1228 4.2.8 Crypto-Binding TLV 1230 The Crypto-Binding TLV is used to prove that both the peer and server 1231 participated in the tunnel establishment and sequence of 1232 authentications. It also provides verification of the EAP-FAST 1233 version negotiated before TLS tunnel establishment, see Section 3.1. 1235 The Crypto-Binding TLV MUST be included with Intermediate-Result TLV 1236 to perform Cryptographic Binding after each successful EAP method in 1237 a sequence of EAP methods. The Crypto-Binding TLV can be issued at 1238 other times as well. 1240 The Crypto-Binding TLV is valid only if the following checks pass: 1242 o The Crypto-Binding TLV version is supported 1243 o The MAC verifies correctly 1244 o The received version in the Crypto-Binding TLV matches the version 1245 sent by the receiver during the EAP version negotiation 1246 o The subtype is set to the correct value 1248 If any of the above checks fail then the TLV is invalid. An invalid 1249 Crypto-Binding TLV is a fatal error and is handled as described in 1250 Section 3.4.2 1252 The Crypto-Binding TLV is defined as follows: 1254 0 1 2 3 1255 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1257 |M|R| TLV Type | Length | 1258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1259 | Reserved | Version | Received Ver. | Sub-Type | 1260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1261 | | 1262 ~ Nonce ~ 1263 | | 1264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1265 | | 1266 ~ Compound MAC ~ 1267 | | 1268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1270 M 1272 Mandatory, set to (1) 1274 R 1276 Reserved, set to zero (0) 1278 TLV Type 1280 12 for Crypto-Binding TLV 1282 Length 1284 56 1286 Reserved 1288 Reserved, set to zero (0) 1290 Version 1292 The Version field is a single octet, which is set to the 1293 version of Crypto-Binding TLV the EAP method is using. For 1294 implementation compliant with this version of EAP-FAST, the 1295 version number MUST set to 1. 1297 Received Version 1299 The Received Version field is a single octet and MUST be set to 1300 the EAP version number received during version negotiation. 1301 Note that this field only provides protection against downgrade 1302 attacks where a version of EAP requiring support for this TLV 1303 is required on both sides. 1305 Sub-Type 1307 The Sub-Type field is one octet. Defined values are 1309 0 Binding Request 1310 1 Binding Response 1312 Nonce 1314 The Nonce field is 32 octets. It contains a 256 bit nonce that 1315 is temporally unique, used for compound MAC key derivation at 1316 each end. The nonce in a request MUST have its least 1317 significant bit set to 0 and the nonce in a response MUST have 1318 the same value as the request nonce except the least 1319 significant bit MUST be set to 1. 1321 Compound MAC 1323 The Compound MAC field is 20 octets. This can be the Server 1324 MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of 1325 the MAC is described in Section 5.3 1327 4.2.9 Request-Action TLV 1329 The Request-Action TLV MAY be sent by the peer along with a Result 1330 TLV in response to a server's successful Result TLV. It allows the 1331 peer to request the EAP server to negotiate additional EAP methods or 1332 process TLVs specified in the response packet. The server MAY ignore 1333 this TLV. 1335 The Request-Action TLV is defined as follows: 1337 0 1 2 3 1338 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1340 |M|R| TLV Type | Length | 1341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1342 | Action | 1343 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1345 M 1347 Mandatory set to one (1) 1349 R 1351 Reserved, set to zero (0) 1353 TLV Type 1355 19 for Request-Action TLV 1357 Length 1359 2 1361 Action 1363 The Action field is two octets. Values include: 1365 1 Process-TLV 1366 2 Negotiate-EAP 1368 4.3 Table of TLVs 1370 The following table provides a guide to which TLVs may be found in 1371 which kinds of messages, and in what quantity. The messages are as 1372 follows: Request is an EAP-FAST Request, Response is an EAP-FAST 1373 Response, Success is a message containing a successful Result TLV, 1374 and Failure is a message containing a failed Result TLV. 1376 Request Response Success Failure TLVs 1377 0-1 0-1 0-1 0-1 Intermediate-Result 1378 0-1 0-1 0 0 EAP-Payload 1379 0-1 0-1 1 1 Result 1380 0-1 0-1 0-1 0-1 Crypto-Binding 1381 0+ 0+ 0+ 0+ Error 1382 0+ 0+ 0 0 NAK 1383 0+ 0+ 0+ 0+ Vendor-Specific [NOTE1] 1384 0 0-1 0-1 0-1 Request-Action 1386 [Note1] Vendor TLVs (included in Vendor-Specific TLVs) sent with a 1387 Result TLV MUST be marked as optional. 1389 The following table defines the meaning of the table entries in the 1390 sections below: 1392 0 This TLV MUST NOT be present in the message. 1394 0+ Zero or more instances of this TLV MAY be present in the message. 1396 0-1 Zero or one instance of this TLV MAY be present in the message. 1398 1 Exactly one instance of this TLV MUST be present in the message. 1400 5. Cryptographic Calculations 1402 5.1 EAP-FAST Authentication Phase 1: Key Derivations 1404 The EAP-FAST Authentication tunnel key is calculated similarly to the 1405 TLS key calculation with an additional 40 octets (referred to, as the 1406 session_key_seed) generated. The additional session_key_seed is used 1407 in the Session Key calculation in the EAP-FAST Tunneled 1408 Authentication conversation. 1410 To generate the key material required for EAP-FAST Authentication 1411 tunnel, the following construction from [RFC4346] is used: 1413 key_block = PRF(master_secret, "key expansion", 1414 server_random + client_random) 1416 where '+' denotes concatenation. 1418 The PRF function used to generate keying material is defined by 1419 [RFC4346]. 1421 For example, if the EAP-FAST Authentication employs 128bit RC4 and 1422 SHA1, the key_block is 112 octets long and is partitioned as follows: 1424 client_write_MAC_secret[20] 1425 server_write_MAC_secret[20] 1426 client_write_key[16] 1427 server_write_key[16] 1428 client_write_IV[0] 1429 server_write_IV[0] 1430 session_key_seed[40] 1432 The session_key_seed is used by the EAP-FAST Authentication Phase 2 1433 conversation to both cryptographically bind the inner method(s) to 1434 the tunnel as well as generate the resulting EAP-FAST session keys. 1435 The other quantities are used as they are defined in [RFC4346]. 1437 The master_secret is generated as specified in TLS unless a PAC is 1438 used to establish the TLS tunnel. When a PAC is used to establish 1439 the TLS tunnel, the master_secret is calculated from the specified 1440 client_random, server_random and PAC-Key as follows: 1442 master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", 1443 server_random + client_random, 48) 1445 where T-PRF is described in Section 5.5. 1447 5.2 Intermediate Compound Key Derivations 1449 The session_key_seed derived as part of EAP-FAST phase 2 is used in 1450 EAP-FAST phase 2 to generate an Intermediate Compound Key (IMCK) used 1451 to verify the integrity of the TLS tunnel after each successful inner 1452 authentication and in the generation of Master Session Key (MSK) and 1453 Extended Master Session Key (EMSK) defined in [RFC3748]. Note that 1454 the IMCK must be recalculated after each successful inner EAP method. 1456 The first step in these calculations is the generation of the base 1457 compound key, IMCK[n] from the session_key_seed and any session keys 1458 derived from the successful execution of n inner EAP methods. The 1459 inner EAP method(s) may provide Master Session Keys, MSK1..MSKn, 1460 corresponding to inner methods 1 through n. The MSK is truncated at 1461 32 octets if it is longer than 32 octets or padded to a length of 32 1462 octets with zeros if it is less than 32 octets. If the ith inner 1463 method does not generate an MSK, then MSKi is set to zero (e.g. MSKi 1464 = 32 octets of 0x00s). If an inner method fails then it is not 1465 included in this calculation. The derivations of S-IMSK is as 1466 follow: 1468 S-IMCK[0] = session_key_seed 1469 For j = 1 to n-1 do 1470 IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 1471 MSK[j], 60) 1472 S-IMCK[j] = first 40 octets of IMCK[j] 1473 CMK[j] = last 20 octets of IMCK[j] 1475 where T-PRF is described in Section 5.5. 1477 5.3 Computing the Compound MAC 1479 For authentication methods that generate keying material, further 1480 protection against man-in-the-middle attacks is provided through 1481 cryptographically binding keying material established by both EAP- 1482 FAST Phase 1 and EAP-FAST Phase 2 conversations. After each 1483 successful inner EAP authentication, EAP MSKs are cryptographically 1484 combined with key material from EAP-FAST phase 1 to generate a 1485 compound session key, CMK. The CMK is used to calculate the Compound 1486 MAC as part of the Crypto-Binding TLV described in Section 4.2.8, 1487 which helps provide assurance that the same entities are involved all 1488 communications in EAP-FAST. During the calculation of the Compound- 1489 MAC the MAC field is filled with zeros. 1491 The Compound MAC computation is as follows: 1493 CMK = CMK[j] 1494 Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 1496 where j is the number of the last successfully executed inner EAP 1497 method. 1499 5.4 EAP Master Session Key Generation 1501 EAP-FAST Authentication assures the master session key (MSK) and 1502 Extended Master Session Key (EMSK) output from the EAP method are the 1503 result of all authentication conversations by generating an 1504 intermediate compound session key (IMCK). The IMCK is mutually 1505 derived by the peer and the server as described in Section 5.2 by 1506 combining the MSKs from inner EAP methods with key material from EAP- 1507 FAST phase 1. The resulting MSK and EMSK are generated as part of 1508 the IMCKn key hierarchy as follows: 1510 MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64) 1511 EMSK = T-PRF(S-IMCK[j], 1512 "Extended Session Key Generating Function", 64) 1514 where j is the number of the last successfully executed inner EAP 1515 method. 1517 The EMSK is typically only known to the EAP-FAST peer and server and 1518 is not provided to a third party. The derivation of additional keys 1519 and transportation of these keys to third party is outside the scope 1520 of this document. 1522 If no EAP methods have been negotiated inside the tunnel or no EAP 1523 methods have been successfully completed inside the tunnel, the MSK 1524 and EMSK will be generated directly from the session_key_seed meaning 1525 S-IMCK = session_key_seed. 1527 5.5 T-PRF 1529 EAP-FAST employs the following PRF prototype and definition: 1531 T-PRF = F(key, label, seed, outputlength) 1533 Where label is intended to be a unique label for each different use 1534 of the T-PRF. The outputlength parameter is a two octet value that 1535 is represented in big endian order. Also note that the seed value 1536 may be optional and may be omitted as in the case of the MSK 1537 derivation described in Section 5.4. 1539 To generate the desired outputlength octet length of key material, 1540 the T-PRF is calculated as follows: 1542 S = label + 0x00 + seed 1543 T-PRF output = T1 + T2 + T3 + ... + Tn 1544 T1 = HMAC-SHA1 (key, S + outputlength + 0x01) 1545 T2 = HMAC-SHA1 (key, T1 + S + outputlength + 0x02) 1546 T3 = HMAC-SHA1 (key, T2 + S + outputlength + 0x03) 1547 Tn = HMAC-SHA1 (key, Tn-1 + S + outputlength + 0xnn) 1549 Where '+' indicates concatenation. Each Ti generates 20-octets of 1550 keying material, the last Tn may be truncated to accommodate the 1551 desired length specified by outputlength. 1553 6. IANA Considerations 1555 This section provides guidance to the Internet Assigned Numbers 1556 Authority (IANA) regarding registration of values related to the EAP- 1557 FAST protocol, in accordance with BCP 26, [RFC2434]. 1559 EAP-FAST has already been assigned the EAP Method Type number 43. 1561 The document defines a registry for EAP-FAST TLV types, which may be 1562 assigned by Specification Required as defined in [RFC2434]. 1564 Section 4.2 defines the TLV types that initially populate the 1565 registry. A summary of the EAP-FAST TLV types is given below: 1567 0 Reserved 1568 1 Reserved 1569 2 Reserved 1570 3 Result TLV 1571 4 NAK TLV 1572 5 Error TLV 1573 7 Vendor-Specific TLV 1574 9 EAP-Payload TLV 1575 10 Intermediate-Result TLV 1576 11 PAC TLV [I-D.cam-winget-eap-fast-provisioning] 1577 12 Crypto-Binding TLV 1578 18 Server-Trusted-Root TLV [I-D.cam-winget-eap-fast-provisioning] 1579 19 Request-Action TLV 1580 20 PKCS#7 TLV [I-D.cam-winget-eap-fast-provisioning] 1582 The Error-TLV defined in section Section 4.2.4 requires an error- 1583 code. EAP-FAST Error-TLV error-codes are assigned based on 1584 specification required as defined in [RFC2434]. The initial list of 1585 error codes is as follows: 1587 2001 Tunnel_Compromise_Error 1588 2002 Unexpected_TLVs_Exchanged 1590 The Request-Action TLV defined in section Section 4.2.9 contains an 1591 action code which is assigned on a specification required basis as 1592 defined in [RFC2434]. The initial actions defined are: 1594 1 Process-TLV 1595 2 Negotiate-EAP 1597 The various values under Vendor-Specific TLV are assigned by Private 1598 Use and do not need to be assigned by IANA. 1600 7. Security Considerations 1602 EAP-FAST is designed with a focus on wireless media, where the medium 1603 itself is inherent to eavesdropping. Whereas in wired media, an 1604 attacker would have to gain physical access to the wired medium; 1605 wireless media enables anyone to capture information as it is 1606 transmitted over the air, enabling passive attacks. Thus, physical 1607 security can not be assumed and security vulnerabilities are far 1608 greater. The threat model used for the security evaluation of EAP- 1609 FAST is that defined in the EAP [RFC3748]. 1611 7.1 Mutual Authentication and Integrity Protection 1613 EAP-FAST as a whole, provides message and integrity protection by 1614 establishing a secure tunnel for protecting the authentication 1615 method(s). The confidentiality and integrity protection is that 1616 defined by TLS and provides the same security strengths afforded by 1617 TLS employing a strong entropy shared master secret. The integrity 1618 of the key generating authentication methods executed within the EAP- 1619 FAST tunnel is verified through the calculation of the Crypto-Binding 1620 TLV. This ensures that the tunnel endpoints are the same as the 1621 inner method endpoints. 1623 The Result TLV is protected and conveys the true Success or Failure 1624 of EAP-FAST and should be used as the indicator of its success or 1625 failure respectively. However, as EAP must terminate with a clear 1626 text EAP Success or Failure, a peer will also receive a clear text 1627 EAP success or failure. The received clear text EAP success or 1628 failure must match that received in the Result TLV; the peer SHOULD 1629 silently discard those clear text EAP success or failure messages 1630 that do not coincide with the status sent in the protected Result 1631 TLV. 1633 7.2 Method Negotiation 1635 As is true for any negotiated EAP protocol, NAK packets used to 1636 suggest an alternate authentication method are sent unprotected and 1637 as such, are subject to spoofing. During unprotected EAP method 1638 negotiation, NAK packets may be interjected as active attacks to 1639 negotiate down to a weaker form of authentication, such as EAP-MD5 1640 (which only provides one way authentication and does not derive a 1641 key). Both the peer and server should have a method selection policy 1642 that prevents them from negotiating down to weaker methods. Inner 1643 method negotiation resists attacks because it is protected by the 1644 mutually authenticated TLS tunnel established. Selection of EAP-FAST 1645 as an authentication method does not limit the potential inner 1646 authentication methods, so EAP-FAST should be selected when 1647 available. 1649 An attacker cannot readily determine the inner EAP method used, 1650 except perhaps by traffic analysis. It is also important that peer 1651 implementations limit the use of credentials with an unauthenticated 1652 or unauthorized server. 1654 7.3 Separation of Phase 1 and Phase 2 Servers 1656 Separation of the EAP-FAST Phase 1 from the Phase 2 conversation is 1657 not recommended. Allowing the Phase 1 conversation to be terminated 1658 at a different server than the Phase 2 conversation can introduce 1659 vulnerabilities if there is not a proper trust relationship and 1660 protection for the protocol between the two servers. Some 1661 vulnerabilities include: 1663 o Loss of identity protection 1664 o Offline dictionary attacks 1665 o Lack of policy enforcement 1667 There may be cases where a trust relationship exists between the 1668 phase 1 and phase 2 servers, such as on a campus or between two 1669 offices within the same company, where there is no danger in 1670 revealing the inner identity and credentials of the peer to entities 1671 between the two servers. In these cases, using a proxy solution 1672 without end to end protection of EAP-FAST MAY be used. The EAP-FAST 1673 encrypting/decrypting gateway SHOULD, at a minimum, provide support 1674 for IPsec or similar protection in order to provide confidentiality 1675 for the portion of the conversation between the gateway and the EAP 1676 server. 1678 7.4 Mitigation of Known Vulnerabilities and Protocol Deficiencies 1680 EAP-FAST addresses the known deficiencies and weaknesses in the EAP 1681 method. By employing a shared secret between the peer and server to 1682 establish a secured tunnel, EAP-FAST enables: 1684 o Per packet confidentiality and integrity protection 1685 o User identity protection 1686 o Better support for notification messages 1687 o Protected EAP inner method negotiation 1688 o Sequencing of EAP methods 1689 o Strong mutually derived master session keys 1690 o Acknowledged success/failure indication 1691 o Faster re-authentications through session resumption 1692 o Mitigation of dictionary attacks 1693 o Mitigation of man-in-the-middle attacks 1694 o Mitigation of some denial of service attacks 1696 It should be noted that EAP-FAST as in many other authentication 1697 protocols, a denial of service attack can be mounted by adversaries 1698 sending erroneous traffic to disrupt the protocol. This is a problem 1699 in many authentication or key agreement protocols and is so noted for 1700 EAP-FAST as well. 1702 EAP-FAST was designed with a focus on protected authentication 1703 methods that typically rely on weak credentials, such as password 1704 based secrets. To that extent, the EAP-FAST Authentication mitigates 1705 several vulnerabilities such as dictionary attacks by protecting the 1706 weak credential based authentication method. The protection is based 1707 on strong cryptographic algorithms in TLS to provide message 1708 confidentiality and integrity respectively. The keys derived for the 1709 protection relies on strong random challenges provided by both peer 1710 and server as well as an established key with strong entropy. 1711 Implementations should follow the recommendation in [RFC4086] when 1712 generating random numbers. 1714 7.4.1 User Identity Protection and Verification 1716 The initial identity request response exchange is sent in cleartext 1717 outside the protection of EAP-FAST. Typically the NAI [RFC4282] in 1718 the identity response is useful only for the realm information which 1719 is used to route the authentication requests to the right EAP server. 1720 This means that the identity response may contain an anonymous 1721 identity and just contain realm information. In other cases the 1722 identity exchange may be eliminated all together if there other means 1723 for establishing the destination realm of the request. In no case 1724 should an intermediary place any trust in the identity information in 1725 the identity response since it is unauthenticated an may not have any 1726 relevance to the authenticated identity. EAP-FAST implementations 1727 should not attempt to compare any identity disclosed in the initial 1728 cleartext EAP Identity response packet with those Identities 1729 authenticated in Phase 2 1731 Identity request-response exchanges send after the EAP-FAST tunnel is 1732 established are protected from modification and eavesdropping by 1733 attackers. 1735 Note that since TLS client certificates are sent in the clear, if 1736 identity protection is required, then it is possible for the TLS 1737 authentication to be re-negotiated after the first server 1738 authentication. To accomplish this, the server will typically not 1739 request a certificate in the server_hello, then after the 1740 server_finished message is sent, and before EAP-FAST Phase 2, the 1741 server MAY send a TLS hello_request. This allows the client to 1742 perform client authentication by sending a client_hello if it wants 1743 to, or send a no_renegotiation alert to the server indicating that it 1744 wants to continue with EAP-FAST Phase 2 instead. Assuming that the 1745 client permits renegotiation by sending a client_hello, then the 1746 server will respond with server_hello, a certificate and 1747 certificate_request messages. The client replies with certificate, 1748 client_key_exchange and certificate_verify messages. Since this re- 1749 negotiation occurs within the encrypted TLS channel, it does not 1750 reveal client certificate details. It is possible to perform 1751 certificate authentication using an EAP method (for example: EAP-TLS) 1752 within the TLS session in EAP-FAST Phase 2 instead of using TLS 1753 handshake renegotiation. 1755 7.4.2 Dictionary Attack Resistance 1757 EAP-FAST was designed with a focus on protected authentication 1758 methods that typically rely on weak credentials, such as password 1759 based secrets. EAP-FAST mitigates dictionary attacks by allowing the 1760 establishment of a mutually authenticated encrypted TLS tunnel 1761 providing confidentiality and integrity to protect the weak 1762 credential based authentication method. 1764 7.4.3 Protection against man-in-the-middle Attacks 1766 Allowing methods to be executed both with and without the protection 1767 of a secure tunnel opens up a possibility of a man-in-the-middle 1768 attack. To avoid man-in-the-middle attacks it is recommended to 1769 always deploy authentication methods with protection of EAP-FAST. 1770 EAP-FAST provides protection from man-in-the-middle attacks even if a 1771 deployment chooses to execute inner EAP methods both with and without 1772 EAP-FAST protection, EAP-FAST prevents this attack in two ways: 1774 1. By using the PAC-Key to mutually authenticate the peer and server 1775 during EAP-FAST authentication Phase 1 establishment of a secure 1776 tunnel 1777 2. By using the keys generated by the inner authentication method 1778 (if the inner methods are key generating) in the crypto-binding 1779 exchange and in the generation of the key material exported by 1780 the EAP method described in Section 5. 1782 7.4.4 PAC binding to User Identity 1784 A PAC may be bound to a user identity. A compliant implementation of 1785 EAP-FAST MUST validate that an identity obtained in the PAC-Opaque 1786 field matches at minimum one of the identities provided in the EAP- 1787 FAST Phase 2 authentication method. This validation provides another 1788 binding to ensure that the intended peer (based on identity) has 1789 successfully completed the EAP-FAST Phase 1 and proved identity in 1790 the Phase 2 conversations. 1792 7.5 Protecting against Forged Clear Text EAP Packets 1794 EAP Success and EAP Failure packets are in general sent in clear text 1795 and may be forged by an attacker without detection. Forged EAP 1796 Failure packets can be used to attempt to convince an EAP peer to 1797 disconnect. Forged EAP Success packets may be used to attempt to 1798 convince a peer that authentication has succeeded, even though the 1799 authenticator has not authenticated itself to the peer. 1801 By providing message confidentiality and integrity, EAP-FAST provides 1802 protection against these attacks. Once the peer and AS initiate the 1803 EAP-FAST Authentication Phase 2, compliant EAP-FAST implementations 1804 must silently discard all clear text EAP messages unless both the 1805 EAP-FAST peer and server have indicated success or failure using a 1806 protected mechanism. Protected mechanisms include TLS alert 1807 mechanism and the protected termination mechanism described in 1808 Section 3.3.2. 1810 The success/failure decisions within the EAP-FAST tunnel indicate the 1811 final decision of the EAP-FAST authentication conversation. After a 1812 success/failure result has been indicated by a protected mechanism, 1813 the EAP-FAST peer can process unprotected EAP success and EAP failure 1814 message; however the peer MUST ignore any unprotected EAP success or 1815 failure messages where the result does not match the result of the 1816 protected mechanism. 1818 To abide by [RFC3748], the server must send a clear text EAP Success 1819 or EAP Failure packet to terminate the EAP conversation. However, 1820 since EAP Success and EAP Failure packets are not retransmitted, the 1821 final packet may be lost. While an EAP-FAST protected EAP Success or 1822 EAP Failure packet should not be a final packet in an EAP-FAST 1823 conversation, it may occur based on the conditions stated above so an 1824 EAP peer should not rely upon the unprotected EAP success and failure 1825 messages. 1827 7.6 Server Certificate Validation 1829 As part of the TLS negotiation, the server presents a certificate to 1830 the peer. The peer MUST verify the validity of the EAP server 1831 certificate, and SHOULD also examine the EAP server name presented in 1832 the certificate, in order to determine whether the EAP server can be 1833 trusted. Please note that in the case where the EAP authentication 1834 is remoted, the EAP server will not reside on the same machine as the 1835 authenticator, and therefore the name in the EAP server's certificate 1836 cannot be expected to match that of the intended destination. In 1837 this case, a more appropriate test might be whether the EAP server's 1838 certificate is signed by a CA controlling the intended domain and 1839 whether the authenticator can be authorized by a server in that 1840 domain. 1842 7.7 Security Claims 1844 This section provides needed security claim requirement for EAP 1845 [RFC3748]. 1847 Auth. mechanism: Certificate based, shared secret based and 1848 various tunneled authentication mechanisms. 1849 Ciphersuite negotiation: Yes 1850 Mutual authentication: Yes 1851 Integrity protection: Yes, Any method executed within the EAP-FAST 1852 tunnel is integrity protected. The 1853 cleartext EAP headers outside the tunnel are 1854 not integrity protected. 1855 Replay protection: Yes 1856 Confidentiality: Yes 1857 Key derivation: Yes 1858 Key strength: TLS key strength, may be enhanced by binding 1859 keys with inner methods 1860 Dictionary attack prot.: Yes 1861 Fast reconnect: Yes 1862 Cryptographic binding: Yes 1863 Session independence: Yes 1864 Fragmentation: Yes 1865 Key Hierarchy: Yes 1866 Channel binding: No, but TLVs could be defined for this. 1868 8. Acknowledgements 1870 The EAP-FAST design and protocol specification is based on the ideas 1871 and hard efforts of Pad Jakkahalli, Mark Krischer, Doug Smith, and 1872 Glen Zorn of Cisco Systems, Inc. 1874 The TLV processing was inspired from work on PEAPv2 with Ashwin 1875 Palekar, Dan Smith and Simon Josefsson. Helpful review comments were 1876 provided by Russ Housley, Jari Arkko, Ilan Frenkel and Jeremy 1877 Steiglitz. 1879 9. References 1881 9.1 Normative References 1883 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1884 Requirement Levels", BCP 14, RFC 2119, March 1997. 1886 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 1887 RFC 2246, January 1999. 1889 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1890 IANA Considerations Section in RFCs", BCP 26, RFC 2434, 1891 October 1998. 1893 [RFC3268] Chown, P., "Advanced Encryption Standard (AES) 1894 Ciphersuites for Transport Layer Security (TLS)", 1895 RFC 3268, June 2002. 1897 [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. 1898 Levkowetz, "Extensible Authentication Protocol (EAP)", 1899 RFC 3748, June 2004. 1901 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 1902 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 1904 [RFC4507] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, 1905 "Transport Layer Security (TLS) Session Resumption without 1906 Server-Side State", RFC 4507, May 2006. 1908 9.2 Informative References 1910 [I-D.cam-winget-eap-fast-provisioning] 1911 Cam-Winget, N., "Dynamic Provisioning using EAP-FAST", 1912 draft-cam-winget-eap-fast-provisioning-02 (work in 1913 progress), March 2006. 1915 [IEEE.802-1X.2004] 1916 "Local and Metropolitan Area Networks: Port-Based Network 1917 Access Control", IEEE Standard 802.1X, December 2004. 1919 [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication 1920 Protocol", RFC 2716, October 1999. 1922 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication 1923 Dial In User Service) Support For Extensible 1924 Authentication Protocol (EAP)", RFC 3579, September 2003. 1926 [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible 1927 Authentication Protocol (EAP) Application", RFC 4072, 1928 August 2005. 1930 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 1931 Requirements for Security", BCP 106, RFC 4086, June 2005. 1933 [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The 1934 Network Access Identifier", RFC 4282, December 2005. 1936 Authors' Addresses 1938 Nancy Cam-Winget 1939 Cisco Systems 1940 3625 Cisco Way 1941 San Jose, CA 95134 1942 US 1944 Email: ncamwing@cisco.com 1946 David McGrew 1947 Cisco Systems 1948 San Jose, CA 95134 1949 US 1951 Email: mcgrew@cisco.com 1953 Joseph Salowey 1954 Cisco Systems 1955 2901 3rd Ave 1956 Seattle, WA 98121 1957 US 1959 Email: jsalowey@cisco.com 1961 Hao Zhou 1962 Cisco Systems 1963 4125 Highlander Parkway 1964 Richfield, OH 44286 1965 US 1967 Email: hzhou@cisco.com 1969 Appendix A. Examples 1971 A.1 Successful Authentication 1973 The following exchanges show a successful EAP-FAST authentication 1974 with optional PAC refreshment, the conversation will appear as 1975 follows: 1977 Authenticating Peer Authenticator 1978 ------------------- ------------- 1979 <- EAP-Request/ 1980 Identity 1982 EAP-Response/ 1983 Identity (MyID1) -> 1985 <- EAP-Request/ 1986 EAP-Type=EAP-FAST, V=1 1987 (EAP-FAST Start, S bit set, A-ID) 1989 EAP-Response/ 1990 EAP-Type=EAP-FAST, V=1 1991 (TLS client_hello with 1992 PAC-Opaque in SessionTicket extension)-> 1994 <- EAP-Request/ 1995 EAP-Type=EAP-FAST, V=1 1996 (TLS server_hello, 1997 (TLS change_cipher_spec, 1998 TLS finished) 2000 EAP-Response/ 2001 EAP-Type=EAP-FAST, V=1 -> 2002 (TLS change_cipher_spec, 2003 TLS finished) 2005 TLS channel established 2006 (messages sent within the TLS channel) 2008 <- EAP Payload TLV, EAP-Request, 2009 EAP-GTC, Challenge 2011 EAP Payload TLV, EAP-Response, 2012 EAP-GTC, Response with both 2013 user name and password) -> 2015 optional additional exchanges (new pin mode, 2016 password change etc.) ... 2018 <- Intermediate-Result TLV (Success) 2019 Crypto-Binding TLV (Request) 2021 Intermediate-Result TLV (Success) 2022 Crypto-Binding TLV(Response) -> 2024 <- Result TLV (Success) 2025 (Optional PAC TLV) 2027 Result TLV (Success) 2028 (PAC TLV Acknowledgment) -> 2030 TLS channel torn down 2031 (messages sent in clear text) 2033 <- EAP-Success 2035 A.2 Failed Authentication 2037 The following exchanges show a failed EAP-FAST authentication due to 2038 wrong user credentials, the conversation will appear as follows: 2040 Authenticating Peer Authenticator 2041 ------------------- ------------- 2042 <- EAP-Request/ 2043 Identity 2045 EAP-Response/ 2046 Identity (MyID1) -> 2048 <- EAP-Request/ 2049 EAP-Type=EAP-FAST, V=1 2050 (EAP-FAST Start, S bit set, A-ID) 2052 EAP-Response/ 2053 EAP-Type=EAP-FAST, V=1 2054 (TLS client_hello with 2055 PAC-Opaque in SessionTicket extension)-> 2057 <- EAP-Request/ 2058 EAP-Type=EAP-FAST, V=1 2059 (TLS server_hello, 2060 (TLS change_cipher_spec, 2061 TLS finished) 2063 EAP-Response/ 2064 EAP-Type=EAP-FAST, V=1 -> 2065 (TLS change_cipher_spec, 2066 TLS finished) 2068 TLS channel established 2069 (messages sent within the TLS channel) 2070 <- EAP Payload TLV, EAP-Request, 2071 EAP-GTC, Challenge 2073 EAP Payload TLV, EAP-Response, 2074 EAP-GTC, Response with both 2075 user name and password) -> 2077 <- EAP Payload TLV, EAP-Request, 2078 EAP-GTC, error message 2080 EAP Payload TLV, EAP-Response, 2081 EAP-GTC, empty data packet to 2082 acknowledge unrecoverable error) -> 2084 <- Result TLV (Failure) 2086 Result TLV (Failure) -> 2088 TLS channel torn down 2089 (messages sent in clear text) 2091 <- EAP-Failure 2093 A.3 Full TLS Handshake using Certificate-based Cipher Suite 2095 In the case where an abbreviated TLS handshake is tried and failed 2096 and falls back to certificate based full TLS handshake occurs within 2097 EAP-FAST Phase 1, the conversation will appear as follows: 2099 Authenticating Peer Authenticator 2100 ------------------- ------------- 2101 <- EAP-Request/Identity 2102 EAP-Response/ 2103 Identity (MyID1) -> 2105 // Identity sent in the clear. May be a hint to help route 2106 the authentication request to EAP server, instead of the 2107 full user identity. 2109 <- EAP-Request/ 2110 EAP-Type=EAP-FAST, V=1 2111 (EAP-FAST Start, S bit set, A-ID) 2112 EAP-Response/ 2113 EAP-Type=EAP-FAST, V=1 2114 (TLS client_hello 2115 [PAC-Opaque extension])-> 2117 // Peer sends PAC-Opaque of Tunnel PAC along with a list of 2118 ciphersuites supported. If Server rejects the PAC- 2119 Opaque, if falls through to the full TLS handshake 2121 <- EAP-Request/ 2122 EAP-Type=EAP-FAST, V=1 2123 (TLS server_hello, 2124 TLS certificate, 2125 [TLS server_key_exchange,] 2126 [TLS certificate_request,] 2127 TLS server_hello_done) 2128 EAP-Response/ 2129 EAP-Type=EAP-FAST, V=1 2130 ([TLS certificate,] 2131 TLS client_key_exchange, 2132 [TLS certificate_verify,] 2133 TLS change_cipher_spec, 2134 TLS finished) -> 2135 <- EAP-Request/ 2136 EAP-Type=EAP-FAST, V=1 2137 (TLS change_cipher_spec, 2138 TLS finished, 2139 EAP-Payload-TLV[EAP-Request/ 2140 Identity]) 2142 // TLS channel established 2143 (messages sent within the TLS channel) 2145 // First EAP Payload TLV is piggybacked to the TLS Finished as 2146 Application Data and protected by the TLS tunnel 2148 EAP-Payload-TLV 2149 [EAP-Response/Identity (MyID2)]-> 2151 // identity protected by TLS. 2153 <- EAP-Payload-TLV 2154 [EAP-Request/EAP-Type=X] 2156 EAP-Payload-TLV 2157 [EAP-Response/EAP-Type=X] -> 2159 // Method X exchanges followed by Protected Termination 2161 <- Crypto-Binding TLV (Version=1, 2162 EAP-FAST Version=1, Nonce, 2163 CompoundMAC), 2164 Result TLV (Success) 2166 Crypto-Binding TLV (Version=1, 2167 EAP-FAST Version=1, Nonce, 2168 CompoundMAC), 2169 Result-TLV (Success) -> 2171 // TLS channel torn down 2172 (messages sent in clear text) 2174 <- EAP-Success 2176 A.4 Client authentication during Phase 1 with identity privacy 2178 In the case where a certificate based TLS handshake occurs within 2179 EAP-FAST Phase 1, and client certificate authentication and identity 2180 privacy is desired, the conversation will appear as follows: 2182 Authenticating Peer Authenticator 2183 ------------------- ------------- 2184 <- EAP-Request/Identity 2185 EAP-Response/ 2186 Identity (MyID1) -> 2188 // Identity sent in the clear. May be a hint to help route 2189 the authentication request to EAP server, instead of the 2190 full user identity. 2192 <- EAP-Request/ 2193 EAP-Type=EAP-FAST, V=1 2194 (EAP-FAST Start, S bit set, A-ID) 2195 EAP-Response/ 2196 EAP-Type=EAP-FAST, V=1 2197 (TLS client_hello)-> 2198 <- EAP-Request/ 2199 EAP-Type=EAP-FAST, V=1 2200 (TLS server_hello, 2201 TLS certificate, 2202 [TLS server_key_exchange,] 2203 [TLS certificate_request,] 2204 TLS server_hello_done) 2205 EAP-Response/ 2206 EAP-Type=EAP-FAST, V=1 2207 (TLS client_key_exchange, 2208 TLS change_cipher_spec, 2209 TLS finished) -> 2210 <- EAP-Request/ 2211 EAP-Type=EAP-FAST, V=1 2212 (TLS change_cipher_spec, 2213 TLS finished,TLS Hello-Request) 2215 // TLS channel established 2216 (messages sent within the TLS channel) 2218 // TLS Hello-Request is piggybacked to the TLS Finished as 2219 Handshake Data and protected by the TLS tunnel 2221 TLS client_hello -> 2223 <- TLS server_hello, 2224 TLS certificate, 2225 [TLS server_key_exchange,] 2226 [TLS certificate_request,] 2227 TLS server_hello_done 2228 [TLS certificate,] 2229 TLS client_key_exchange, 2230 [TLS certificate_verify,] 2231 TLS change_cipher_spec, 2232 TLS finished -> 2234 <- TLS change_cipher_spec, 2235 TLS finished, 2236 Result TLV (Success) 2238 Result-TLV (Success)) -> 2240 //TLS channel torn down 2241 (messages sent in clear text) 2243 <- EAP-Success 2245 A.5 Fragmentation and Reassembly 2247 In the case where EAP-FAST fragmentation is required, the 2248 conversation will appear as follows: 2250 Authenticating Peer Authenticator 2251 ------------------- ------------- 2252 <- EAP-Request/ 2253 Identity 2254 EAP-Response/ 2255 Identity (MyID) -> 2256 <- EAP-Request/ 2257 EAP-Type=EAP-FAST, V=1 2258 (EAP-FAST Start, S bit set, A-ID) 2260 EAP-Response/ 2261 EAP-Type=EAP-FAST, V=1 2262 (TLS client_hello)-> 2263 <- EAP-Request/ 2264 EAP-Type=EAP-FAST, V=1 2265 (TLS server_hello, 2266 TLS certificate, 2267 [TLS server_key_exchange,] 2268 [TLS certificate_request,] 2269 TLS server_hello_done) 2270 (Fragment 1: L, M bits set) 2272 EAP-Response/ 2273 EAP-Type=EAP-FAST, V=1 -> 2275 <- EAP-Request/ 2276 EAP-Type=EAP-FAST, V=1 2277 (Fragment 2: M bit set) 2278 EAP-Response/ 2279 EAP-Type=EAP-FAST, V=1 -> 2280 <- EAP-Request/ 2281 EAP-Type=EAP-FAST, V=1 2282 (Fragment 3) 2283 EAP-Response/ 2284 EAP-Type=EAP-FAST, V=1 2285 ([TLS certificate,] 2286 TLS client_key_exchange, 2287 [TLS certificate_verify,] 2288 TLS change_cipher_spec, 2289 TLS finished) 2290 (Fragment 1: L, M bits set)-> 2292 <- EAP-Request/ 2293 EAP-Type=EAP-FAST, V=1 2294 EAP-Response/ 2295 EAP-Type=EAP-FAST, V=1 2296 (Fragment 2)-> 2297 <- EAP-Request/ 2298 EAP-Type=EAP-FAST, V=1 2299 (TLS change_cipher_spec, 2300 TLS finished, 2301 [EAP-Payload-TLV[ 2302 EAP-Request/Identity]]) 2304 // TLS channel established 2305 (messages sent within the TLS channel) 2307 // First EAP Payload TLV is piggybacked to the TLS Finished as 2308 Application Data and protected by the TLS tunnel 2310 EAP-Payload-TLV 2311 [EAP-Response/Identity (MyID2)]-> 2313 // identity protected by TLS. 2315 <- EAP-Payload-TLV 2316 [EAP-Request/EAP-Type=X] 2318 EAP-Payload-TLV 2319 [EAP-Response/EAP-Type=X] -> 2321 // Method X exchanges followed by Protected Termination 2323 <- Crypto-Binding TLV (Version=1, 2324 EAP-FAST Version=1, Nonce, 2325 CompoundMAC), 2326 Result TLV (Success) 2328 Crypto-Binding TLV (Version=1, 2329 EAP-FAST Version=1, Nonce, 2330 CompoundMAC), 2331 Result-TLV (Success) -> 2333 // TLS channel torn down 2334 (messages sent in clear text) 2336 <- EAP-Success 2338 A.6 Sequence of EAP Methods 2340 Where EAP-FAST is negotiated, with a sequence of EAP method X 2341 followed by method Y, the conversation will occur as follows: 2343 Authenticating Peer Authenticator 2344 ------------------- ------------- 2345 <- EAP-Request/ 2346 Identity 2347 EAP-Response/ 2348 Identity (MyID1) -> 2349 <- EAP-Request/ 2350 EAP-Type=EAP-FAST, V=1 2351 (EAP-FAST Start, S bit set, A-ID) 2353 EAP-Response/ 2354 EAP-Type=EAP-FAST, V=1 2355 (TLS client_hello)-> 2356 <- EAP-Request/ 2357 EAP-Type=EAP-FAST, V=1 2358 (TLS server_hello, 2359 TLS certificate, 2360 [TLS server_key_exchange,] 2361 [TLS certificate_request,] 2362 TLS server_hello_done) 2363 EAP-Response/ 2364 EAP-Type=EAP-FAST, V=1 2365 ([TLS certificate,] 2366 TLS client_key_exchange, 2367 [TLS certificate_verify,] 2368 TLS change_cipher_spec, 2369 TLS finished) -> 2370 <- EAP-Request/ 2371 EAP-Type=EAP-FAST, V=1 2372 (TLS change_cipher_spec, 2373 TLS finished, 2374 EAP-Payload-TLV[ 2375 EAP-Request/Identity]) 2377 // TLS channel established 2378 (messages sent within the TLS channel) 2380 // First EAP Payload TLV is piggybacked to the TLS Finished as 2381 Application Data and protected by the TLS tunnel 2383 EAP-Payload-TLV 2384 [EAP-Response/Identity] -> 2386 <- EAP-Payload-TLV 2387 [EAP-Request/EAP-Type=X] 2389 EAP-Payload-TLV 2390 [EAP-Response/EAP-Type=X] -> 2392 // Optional additional X Method exchanges... 2394 <- EAP-Payload-TLV 2395 [EAP-Request/EAP-Type=X] 2397 EAP-Payload-TLV 2398 [EAP-Response/EAP-Type=X]-> 2400 <- Intermediate Result TLV (Success), 2401 Crypto-Binding TLV (Version=1 2402 EAP-FAST Version=1, Nonce, 2403 CompoundMAC), 2404 EAP Payload TLV [EAP-Type=Y], 2406 // Next EAP conversation started after successful completion 2407 of previous method X. The Intermediate-Result and Crypto- 2408 Binding TLVs are sent in next packet to minimize round- 2409 trips. In this example, identity request is not sent 2410 before negotiating EAP-Type=Y. 2412 // Compound MAC calculated using Keys generated from 2413 EAP methods X and the TLS tunnel. 2415 Intermediate Result TLV (Success), 2416 Crypto-Binding TLV (Version=1, 2417 EAP-FAST Version=1, Nonce, 2418 CompoundMAC), 2419 EAP-Payload-TLV [EAP-Type=Y] -> 2421 // Optional additional Y Method exchanges... 2423 <- EAP Payload TLV [ 2424 EAP-Type=Y] 2426 EAP Payload TLV 2427 [EAP-Type=Y] -> 2429 <- Intermediate-Result-TLV (Success), 2430 Crypto-Binding TLV (Version=1 2431 EAP-FAST Version=1, Nonce, 2432 CompoundMAC), 2433 Result TLV (Success) 2435 Intermediate-Result-TLV (Success), 2436 Crypto-Binding TLV (Version=1, 2437 EAP-FAST Version=1, Nonce, 2438 CompoundMAC), 2439 Result-TLV (Success) -> 2441 // Compound MAC calculated using Keys generated from EAP 2442 methods X and Y and the TLS tunnel. Compound Keys 2443 generated using Keys generated from EAP methods X and Y; 2444 and the TLS tunnel. 2446 // TLS channel torn down (messages sent in clear text) 2448 <- EAP-Success 2450 A.7 Failed Crypto-binding 2452 The following exchanges show a failed crypto-binding validation. The 2453 conversation will appear as follows: 2455 Authenticating Peer Authenticator 2456 ------------------- ------------- 2457 <- EAP-Request/ 2458 Identity 2459 EAP-Response/ 2460 Identity (MyID1) -> 2461 <- EAP-Request/ 2462 EAP-Type=EAP-FAST, V=1 2463 (EAP-FAST Start, S bit set, A-ID) 2465 EAP-Response/ 2466 EAP-Type=EAP-FAST, V=1 2467 (TLS client_hello without 2468 PAC-Opaque extension)-> 2469 <- EAP-Request/ 2470 EAP-Type=EAP-FAST, V=1 2471 (TLS Server Key Exchange 2472 TLS Server Hello Done) 2473 EAP-Response/ 2474 EAP-Type=EAP-FAST, V=1 -> 2475 (TLS Client Key Exchange 2476 TLS change_cipher_spec, 2477 TLS finished) 2479 <- EAP-Request/ 2480 EAP-Type=EAP-FAST, V=1 2481 (TLS change_cipher_spec 2482 TLS finished) 2483 EAP-Payload-TLV[ 2484 EAP-Request/Identity]) 2486 // TLS channel established 2487 (messages sent within the TLS channel) 2489 // First EAP Payload TLV is piggybacked to the TLS Finished as 2490 Application Data and protected by the TLS tunnel 2492 EAP-Payload TLV/ 2493 EAP Identity Response -> 2495 <- EAP Payload TLV, EAP-Request, 2496 (EAP-MSCHAPV2, Challenge) 2498 EAP Payload TLV, EAP-Response, 2499 (EAP-MSCHAPV2, Response) -> 2501 <- EAP Payload TLV, EAP-Request, 2502 (EAP-MSCHAPV2, Success Request) 2504 EAP Payload TLV, EAP-Response, 2505 (EAP-MSCHAPV2, Success Response) -> 2507 <- Crypto-Binding TLV (Version=1, 2508 EAP-FAST Version=1, Nonce, 2509 CompoundMAC), 2510 Result TLV (Success) 2512 Result TLV (Failure) 2513 Error TLV with 2514 (Error Code = 2001) -> 2516 // TLS channel torn down 2517 (messages sent in clear text) 2519 <- EAP-Failure 2521 A.8 Sequence of EAP Method with Vendor-Specific TLV Exchange 2523 Where EAP-FAST is negotiated, with a sequence of EAP method followed 2524 by Vendor-Specific TLV exchange, the conversation will occur as 2525 follows: 2527 Authenticating Peer Authenticator 2528 ------------------- ------------- 2529 <- EAP-Request/ 2530 Identity 2531 EAP-Response/ 2532 Identity (MyID1) -> 2533 <- EAP-Request/ 2534 EAP-Type=EAP-FAST, V=1 2535 (EAP-FAST Start, S bit set, A-ID) 2537 EAP-Response/ 2538 EAP-Type=EAP-FAST, V=1 2539 (TLS client_hello)-> 2540 <- EAP-Request/ 2541 EAP-Type=EAP-FAST, V=1 2542 (TLS server_hello, 2543 TLS certificate, 2544 [TLS server_key_exchange,] 2546 [TLS certificate_request,] 2547 TLS server_hello_done) 2549 EAP-Response/ 2550 EAP-Type=EAP-FAST, V=1 2551 ([TLS certificate,] 2552 TLS client_key_exchange, 2553 [TLS certificate_verify,] 2554 TLS change_cipher_spec, 2555 TLS finished) -> 2556 <- EAP-Request/ 2557 EAP-Type=EAP-FAST, V=1 2558 (TLS change_cipher_spec, 2559 TLS finished, 2560 EAP-Payload-TLV[ 2561 EAP-Request/Identity]) 2563 // TLS channel established 2564 (messages sent within the TLS channel) 2566 // First EAP Payload TLV is piggybacked to the TLS Finished as 2567 Application Data and protected by the TLS tunnel 2569 EAP-Payload-TLV 2570 [EAP-Response/Identity] -> 2572 <- EAP-Payload-TLV 2573 [EAP-Request/EAP-Type=X] 2575 EAP-Payload-TLV 2576 [EAP-Response/EAP-Type=X] -> 2578 <- EAP-Payload-TLV 2579 [EAP-Request/EAP-Type=X] 2581 EAP-Payload-TLV 2582 [EAP-Response/EAP-Type=X]-> 2584 <- Intermediate Result TLV (Success), 2585 Crypto-Binding TLV (Version=1 2586 EAP-FAST Version=1, Nonce, 2587 CompoundMAC), 2588 Vendor-Specific TLV, 2590 // Vendor Specific TLV exchange started after successful 2591 completion of previous method X. The Intermediate-Result 2592 and Crypto-Binding TLVs are sent with Vendor Specific TLV 2593 in next packet to minimize round-trips. 2595 // Compound MAC calculated using Keys generated from 2596 EAP methods X and the TLS tunnel. 2598 Intermediate Result TLV (Success), 2599 Crypto-Binding TLV (Version=1, 2600 EAP-FAST Version=1, Nonce, 2601 CompoundMAC), 2602 Vendor-Specific TLV -> 2604 // Optional additional Vendor-Specific TLV exchanges... 2606 <- Vendor-Specific TLV 2608 Vendor Specific TLV -> 2609 <- Result TLV (Success) 2611 Result-TLV (Success) -> 2613 // TLS channel torn down (messages sent in clear text) 2615 <- EAP-Success 2617 Appendix B. Test Vectors 2619 B.1 Key Derivation 2621 PAC KEY: 2623 0B 97 39 0F 37 51 78 09 81 1E FD 9C 6E 65 94 2B 2624 63 2C E9 53 89 38 08 BA 36 0B 03 7C D1 85 E4 14 2626 Server_hello Random 2628 3F FB 11 C4 6C BF A5 7A 54 40 DA E8 22 D3 11 D3 2629 F7 6D E4 1D D9 33 E5 93 70 97 EB A9 B3 66 F4 2A 2631 Client_hello Random 2633 00 00 00 02 6A 66 43 2A 8D 14 43 2C EC 58 2D 2F 2634 C7 9C 33 64 BA 04 AD 3A 52 54 D6 A5 79 AD 1E 00 2636 Master_secret = T-PRF(PAC-Key, 2637 "PAC to master secret label hash", 2638 server_random + Client_random, 2639 48) 2641 4A 1A 51 2C 01 60 BC 02 3C CF BC 83 3F 03 BC 64 2642 88 C1 31 2F 0B A9 A2 77 16 A8 D8 E8 BD C9 D2 29 2643 38 4B 7A 85 BE 16 4D 27 33 D5 24 79 87 B1 C5 A2 2645 Key_block = PRF(Master_secret, 2646 "key expansion", 2647 server_random + Client_random) 2649 59 59 BE 8E 41 3A 77 74 8B B2 E5 D3 60 AC 4D 35 2650 DF FB C8 1E 9C 24 9C 8B 0E C3 1D 72 C8 84 9D 57 2651 48 51 2E 45 97 6C 88 70 BE 5F 01 D3 64 E7 4C BB 2652 11 24 E3 49 E2 3B CD EF 7A B3 05 39 5D 64 8A 44 2653 11 B6 69 88 34 2E 8E 29 D6 4B 7D 72 17 59 28 05 2654 AF F9 B7 FF 66 6D A1 96 8F 0B 5E 06 46 7A 44 84 2655 64 C1 C8 0C 96 44 09 98 FF 92 A8 B4 C6 42 28 71 2657 Session Key Seed 2659 D6 4B 7D 72 17 59 28 05 AF F9 B7 FF 66 6D A1 96 2660 8F 0B 5E 06 46 7A 44 84 64 C1 C8 0C 96 44 09 98 2661 FF 92 A8 B4 C6 42 28 71 2663 IMCK = T-PRF(SKS, 2664 "Inner Methods Compound Keys", 2665 ISK, 2666 60) 2668 Note: ISK is 32 octets 0's. 2670 16 15 3C 3F 21 55 EF D9 7F 34 AE C8 1A 4E 66 80 2671 4C C3 76 F2 8A A9 6F 96 C2 54 5F 8C AB 65 02 E1 2672 18 40 7B 56 BE EA A7 C5 76 5D 8F 0B C5 07 C6 B9 2673 04 D0 69 56 72 8B 6B B8 15 EC 57 7B 2675 [SIMCK 1] 2676 16 15 3C 3F 21 55 EF D9 7F 34 AE C8 1A 4E 66 80 2677 4C C3 76 F2 8A A9 6F 96 C2 54 5F 8C AB 65 02 E1 2678 18 40 7B 56 BE EA A7 C5 2680 MSK = T-PRF(S-IMCKn, 2681 "Session Key Generating Function", 2682 64); 2684 4D 83 A9 BE 6F 8A 74 ED 6A 02 66 0A 63 4D 2C 33 2685 C2 DA 60 15 C6 37 04 51 90 38 63 DA 54 3E 14 B9 2686 27 99 18 1E 07 BF 0F 5A 5E 3C 32 93 80 8C 6C 49 2687 67 ED 24 FE 45 40 A0 59 5E 37 C2 E9 D0 5D 0A E3 2689 EMSK = T-PRF(S-IMCKn, 2690 "Extended Session Key Generating Function", 2691 64); 2693 3A D4 AB DB 76 B2 7F 3B EA 32 2C 2B 74 F4 28 55 2694 EF 2D BA 78 C9 57 2F 0D 06 CD 51 7C 20 93 98 A9 2695 76 EA 70 21 D7 0E 25 54 97 ED B2 8A F6 ED FD 0A 2696 2A E7 A1 58 90 10 50 44 B3 82 85 DB 06 14 D2 F9 2698 B.2 Crypto-Binding MIC 2700 [Compound MAC Key 1] 2701 76 5D 8F 0B C5 07 C6 B9 04 D0 69 56 72 8B 6B B8 2702 15 EC 57 7B 2704 [Crypto-Binding TLV] 2705 80 0C 00 38 00 01 01 00 D8 6A 8C 68 3C 32 31 A8 56 63 B6 40 21 FE 2706 21 14 4E E7 54 20 79 2D 42 62 C9 BF 53 7F 54 FD AC 58 43 24 6E 30 2707 92 17 6D CF E6 E0 69 EB 33 61 6A CC 05 C5 5B B7 2709 [Server Nonce] 2710 D8 6A 8C 68 3C 32 31 A8 56 63 B6 40 21 FE 21 14 2711 4E E7 54 20 79 2D 42 62 C9 BF 53 7F 54 FD AC 58 2713 [Compound MAC] 2714 43 24 6E 30 92 17 6D CF E6 E0 69 EB 33 61 6A CC 2715 05 C5 5B B7 2717 Intellectual Property Statement 2719 The IETF takes no position regarding the validity or scope of any 2720 Intellectual Property Rights or other rights that might be claimed to 2721 pertain to the implementation or use of the technology described in 2722 this document or the extent to which any license under such rights 2723 might or might not be available; nor does it represent that it has 2724 made any independent effort to identify any such rights. Information 2725 on the procedures with respect to rights in RFC documents can be 2726 found in BCP 78 and BCP 79. 2728 Copies of IPR disclosures made to the IETF Secretariat and any 2729 assurances of licenses to be made available, or the result of an 2730 attempt made to obtain a general license or permission for the use of 2731 such proprietary rights by implementers or users of this 2732 specification can be obtained from the IETF on-line IPR repository at 2733 http://www.ietf.org/ipr. 2735 The IETF invites any interested party to bring to its attention any 2736 copyrights, patents or patent applications, or other proprietary 2737 rights that may cover technology that may be required to implement 2738 this standard. Please address the information to the IETF at 2739 ietf-ipr@ietf.org. 2741 Disclaimer of Validity 2743 This document and the information contained herein are provided on an 2744 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2745 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 2746 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 2747 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 2748 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2749 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2751 Copyright Statement 2753 Copyright (C) The Internet Society (2006). This document is subject 2754 to the rights, licenses and restrictions contained in BCP 78, and 2755 except as set forth therein, the authors retain all their rights. 2757 Acknowledgment 2759 Funding for the RFC Editor function is currently provided by the 2760 Internet Society.