draft-ietf-emu-rfc5448bis-00.txt   draft-arkko-eap-rfc5448bis.txt 
Network Working Group J. Arkko Network Working Group J. Arkko
Internet-Draft V. Lehtovirta Internet-Draft V. Lehtovirta
Obsoletes: 5448 (if approved) V. Torvinen Obsoletes: 5448 (if approved) V. Torvinen
Intended status: Informational Ericsson Updates: 4187 (if approved) Ericsson
Expires: December 27, 2018 P. Eronen Intended status: Informational P. Eronen
Nokia Expires: January 3, 2019 Nokia
June 25, 2018 July 2, 2018
Improved Extensible Authentication Protocol Method for 3rd Generation Improved Extensible Authentication Protocol Method for 3rd Generation
Authentication and Key Agreement (EAP-AKA') Authentication and Key Agreement (EAP-AKA')
draft-ietf-emu-rfc5448bis-00 draft-ietf-emu-rfc5448bis-01
Abstract Abstract
This specification defines a new EAP method, EAP-AKA', a small This specification defines a new EAP method, EAP-AKA', a small
revision of the EAP-AKA method. The change is a new key derivation revision of the EAP-AKA method. The change is a new key derivation
function that binds the keys derived within the method to the name of function that binds the keys derived within the method to the name of
the access network. The new key derivation mechanism has been the access network. The new key derivation mechanism has been
defined in the 3rd Generation Partnership Project (3GPP). This defined in the 3rd Generation Partnership Project (3GPP). This
specification allows its use in EAP in an interoperable manner. In specification allows its use in EAP in an interoperable manner. In
addition, EAP-AKA' employs SHA-256 instead of SHA-1. addition, EAP-AKA' employs SHA-256 instead of SHA-1.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 27, 2018. This Internet-Draft will expire on January 3, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . 7 3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . 7
3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . 11 3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . 12
3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . 13 3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . 14
3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . 14 3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . 14
3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . 14 3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . 14
3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . 14 3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . 14
4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 15 4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 15
5. Identifier Usage in 5G . . . . . . . . . . . . . . . . . . . 16 5. Identifier Usage in 5G . . . . . . . . . . . . . . . . . . . 16
5.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 17 5.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 17
5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 18 5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 18
6. Exported Parameters . . . . . . . . . . . . . . . . . . . . . 18 6. Exported Parameters . . . . . . . . . . . . . . . . . . . . . 19
7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19
7.1. Security Properties of Binding Network Names . . . . . . 21 7.1. Security Properties of Binding Network Names . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 23 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 23
8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 23 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 23
8.3. Key Derivation Function Namespace . . . . . . . . . . . . 23 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 23
9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 23 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 24
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
11.1. Normative References . . . . . . . . . . . . . . . . . . 24 11.1. Normative References . . . . . . . . . . . . . . . . . . 24
11.2. Informative References . . . . . . . . . . . . . . . . . 25 11.2. Informative References . . . . . . . . . . . . . . . . . 26
Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 26 Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 27
Appendix B. Changes from RFC 4187 to RFC 5448 . . . . . . . . . 27 Appendix B. Changes from RFC 4187 to RFC 5448 . . . . . . . . . 27
Appendix C. Changes from Previous Version of This Draft . . . . 27 Appendix C. Changes from Previous Version of This Draft . . . . 28
Appendix D. Importance of Explicit Negotiation . . . . . . . . . 27 Appendix D. Importance of Explicit Negotiation . . . . . . . . . 28
Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 28 Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction 1. Introduction
This specification defines a new Extensible Authentication Protocol This specification defines a new Extensible Authentication Protocol
(EAP)[RFC3748] method, EAP-AKA', a small revision of the EAP-AKA (EAP)[RFC3748] method, EAP-AKA', a small revision of the EAP-AKA
method originally defined in [RFC4187]. What is new in EAP-AKA' is method originally defined in [RFC4187]. What is new in EAP-AKA' is
that it has a new key derivation function, specified in that it has a new key derivation function, specified in
[TS-3GPP.33.402]. This function binds the keys derived within the [TS-3GPP.33.402]. This function binds the keys derived within the
method to the name of the access network. This limits the effects of method to the name of the access network. This limits the effects of
compromised access network nodes and keys. This specification compromised access network nodes and keys. This specification
skipping to change at page 3, line 36 skipping to change at page 3, line 36
change of the key derivation must be unambiguous to both sides in the change of the key derivation must be unambiguous to both sides in the
protocol. That is, it must not be possible to accidentally connect protocol. That is, it must not be possible to accidentally connect
old equipment to new equipment and get the key derivation wrong or old equipment to new equipment and get the key derivation wrong or
attempt to use wrong keys without getting a proper error message. attempt to use wrong keys without getting a proper error message.
The change must also be secure against bidding down attacks that The change must also be secure against bidding down attacks that
attempt to force the participants to use the least secure mechanism. attempt to force the participants to use the least secure mechanism.
This specification therefore introduces a variant of the EAP-AKA This specification therefore introduces a variant of the EAP-AKA
method, called EAP-AKA'. This method can employ the derived keys CK' method, called EAP-AKA'. This method can employ the derived keys CK'
and IK' from the 3GPP specification and updates the used hash and IK' from the 3GPP specification and updates the used hash
function to SHA-256 [FIPS.180-2.2002]. But it is otherwise function to SHA-256 [FIPS.180-4]. But it is otherwise equivalent to
equivalent to RFC 4187. Given that a different EAP method type value RFC 4187. Given that a different EAP method type value is used for
is used for EAP-AKA and EAP-AKA', a mutually supported method may be EAP-AKA and EAP-AKA', a mutually supported method may be negotiated
negotiated using the standard mechanisms in EAP [RFC3748]. using the standard mechanisms in EAP [RFC3748].
Note: Appendix D explains why it is important to be explicit about Note: Appendix D explains why it is important to be explicit about
the change of semantics for the keys, and why other approaches the change of semantics for the keys, and why other approaches
would lead to severe interoperability problems. would lead to severe interoperability problems.
This version of the EAP-AKA' specification is an update to RFC 5448. This version of the EAP-AKA' specification obsoletes RFC 5448. The
The update consists of three things: changes consist of three things:
o Update the reference on how the Network Name field is constructed o Update the reference on how the Network Name field is constructed
in the protocol. The update helps ensure that EAP-AKA' becomes in the protocol. The update helps ensure that EAP-AKA' becomes
compatible with 5G deployments as well. RFC 5448 referred to the compatible with 5G deployments as well. RFC 5448 referred to the
2008 version of that reference ([TS-3GPP.24.302]) and this update Release 8 version of [TS-3GPP.24.302] and this update points to
points to the 5G version of that reference. the first 5G version, Release 15.
o Specify how EAP and EAP-AKA' use identifiers in 5G, as additional o Specify how EAP and EAP-AKA' use identifiers in 5G, as additional
identifiers are introduced, and for interoperability, it is identifiers are introduced, and for interoperability, it is
important that implementations use the right ones. important that implementations use the right ones.
o Specify session identifiers and other exported parameters, as o Specify session identifiers and other exported parameters, as
those were not specified in [RFC5448] despite requirements set those were not specified in [RFC5448] despite requirements set
forward in [RFC5247] to do so. Also, while [RFC5247] specified forward in [RFC5247] to do so. Also, while [RFC5247] specified
session identifiers for EAP-AKA, it only did so for the full session identifiers for EAP-AKA, it only did so for the full
authentication case, not for the case of fast re-authentication. authentication case, not for the case of fast re-authentication.
skipping to change at page 5, line 9 skipping to change at page 5, line 9
defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to
prevent bidding down attacks from EAP-AKA'. Section 7 explains the prevent bidding down attacks from EAP-AKA'. Section 7 explains the
security differences between EAP-AKA and EAP-AKA'. Section 8 security differences between EAP-AKA and EAP-AKA'. Section 8
describes the IANA considerations and Appendix A and Appendix B describes the IANA considerations and Appendix A and Appendix B
explains what updates to RFC 5448 AKA' and RFC 4187 EAP-AKA have been explains what updates to RFC 5448 AKA' and RFC 4187 EAP-AKA have been
made in this specification. Appendix D explains some of the design made in this specification. Appendix D explains some of the design
rationale for creating EAP-AKA' Finally, Appendix E provides test rationale for creating EAP-AKA' Finally, Appendix E provides test
vectors. vectors.
Editor's Note: The publication of this RFC depends on its Editor's Note: The publication of this RFC depends on its
normative references [TS-3GPP.24.302] and [TS-3GPP.33.501] from normative references [TS-3GPP.24.302] and [TS-3GPP.33.501]
3GPP reaching their final Release 15 status at 3GPP. This is reaching a stable status for Release 15, as indicated by 3GPP.
expected to happen shortly. The RFC Editor should check with the This is expected to happen shortly. The RFC Editor should check
3GPP liaisons that this has happened. RFC Editor: Please delete with the 3GPP liaisons that this has happened. RFC Editor: Please
this note upon publication of this specification as an RFC. delete this note upon publication of this specification as an RFC.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. EAP-AKA' 3. EAP-AKA'
EAP-AKA' is a new EAP method that follows the EAP-AKA specification EAP-AKA' is a new EAP method that follows the EAP-AKA specification
[RFC4187] in all respects except the following: [RFC4187] in all respects except the following:
o It uses the Type code 50, not 23 (which is used by EAP-AKA). o It uses the Type code 50, not 23 (which is used by EAP-AKA).
o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1, o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1,
to ensure that both the peer and server know the name of the to ensure that both the peer and server know the name of the
access network. access network.
o It supports key derivation function negotiation via the AT_KDF o It supports key derivation function negotiation via the AT_KDF
attribute (Section 3.2) to allow for future extensions. attribute (Section 3.2) to allow for future extensions.
o It calculates keys as defined in Section 3.3, not as defined in o It calculates keys as defined in Section 3.3, not as defined in
EAP-AKA. EAP-AKA.
o It employs SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] o It employs SHA-256, not SHA-1 [FIPS.180-4] (Section 3.4).
(Section 3.4).
Figure 1 shows an example of the authentication process. Each Figure 1 shows an example of the authentication process. Each
message AKA'-Challenge and so on represents the corresponding message message AKA'-Challenge and so on represents the corresponding message
from EAP-AKA, but with EAP-AKA' Type code. The definition of these from EAP-AKA, but with EAP-AKA' Type code. The definition of these
messages, along with the definition of attributes AT_RAND, AT_AUTN, messages, along with the definition of attributes AT_RAND, AT_AUTN,
AT_MAC, and AT_RES can be found in [RFC4187]. AT_MAC, and AT_RES can be found in [RFC4187].
Peer Server Peer Server
| EAP-Request/Identity | | EAP-Request/Identity |
|<-------------------------------------------------------| |<-------------------------------------------------------|
skipping to change at page 8, line 18 skipping to change at page 8, line 18
Network Name Network Name
This field contains the network name of the access network for This field contains the network name of the access network for
which the authentication is being performed. The name does not which the authentication is being performed. The name does not
include any terminating null characters. Because the length of include any terminating null characters. Because the length of
the entire attribute must be a multiple of 4 bytes, the sender the entire attribute must be a multiple of 4 bytes, the sender
pads the name with 1, 2, or 3 bytes of all zero bits when pads the name with 1, 2, or 3 bytes of all zero bits when
necessary. necessary.
Only the server sends the AT_KDF_INPUT attribute. Per Only the server sends the AT_KDF_INPUT attribute. The value is sent
as specified in [TS-3GPP.24.302] for non-3GPP access networks, and as
specified in [TS-3GPP.33.501] for 5G access networks. Per
[TS-3GPP.33.402], the server always verifies the authorization of a [TS-3GPP.33.402], the server always verifies the authorization of a
given access network to use a particular name before sending it to given access network to use a particular name before sending it to
the peer over EAP-AKA'. The value of the AT_KDF_INPUT attribute from the peer over EAP-AKA'. The value of the AT_KDF_INPUT attribute from
the server MUST be non-empty. If it is empty, the peer behaves as if the server MUST be non-empty. If it is empty, the peer behaves as if
AUTN had been incorrect and authentication fails. See Section 3 and AUTN had been incorrect and authentication fails. See Section 3 and
Figure 3 of [RFC4187] for an overview of how authentication failures Figure 3 of [RFC4187] for an overview of how authentication failures
are handled. are handled.
Note: Currently, [TS-3GPP.24.302] or [TS-3GPP.33.501] specify
separate values. The former specifies what is called "Access
Network ID" and the latter specifies what is called "Serving
Network Name". However, from an EAP-AKA' perspective both occupy
the same field, and need to be distinghuishable from each other.
Currently specified values are distinguishable, but it would be
useful that this be specified explicitly in the 3GPP
specifications.
In addition, the peer MAY check the received value against its own In addition, the peer MAY check the received value against its own
understanding of the network name. Upon detecting a discrepancy, the understanding of the network name. Upon detecting a discrepancy, the
peer either warns the user and continues, or fails the authentication peer either warns the user and continues, or fails the authentication
process. More specifically, the peer SHOULD have a configurable process. More specifically, the peer SHOULD have a configurable
policy that it can follow under these circumstances. If the policy policy that it can follow under these circumstances. If the policy
indicates that it can continue, the peer SHOULD log a warning message indicates that it can continue, the peer SHOULD log a warning message
or display it to the user. If the peer chooses to proceed, it MUST or display it to the user. If the peer chooses to proceed, it MUST
use the network name as received in the AT_KDF_INPUT attribute. If use the network name as received in the AT_KDF_INPUT attribute. If
the policy indicates that the authentication should fail, the peer the policy indicates that the authentication should fail, the peer
behaves as if AUTN had been incorrect and authentication fails. behaves as if AUTN had been incorrect and authentication fails.
skipping to change at page 13, line 45 skipping to change at page 14, line 7
The peer behaves as if the AUTN had been incorrect and MUST fail The peer behaves as if the AUTN had been incorrect and MUST fail
the authentication. the authentication.
If the peer supports a given key derivation function but is unwilling If the peer supports a given key derivation function but is unwilling
to perform it for policy reasons, it refuses to calculate the keys to perform it for policy reasons, it refuses to calculate the keys
and behaves as explained in Section 3.2. and behaves as explained in Section 3.2.
3.4. Hash Functions 3.4. Hash Functions
EAP-AKA' uses SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] EAP-AKA' uses SHA-256, not SHA-1 (see [FIPS.180-4]) as in EAP-AKA.
as in EAP-AKA. This requires a change to the pseudo-random function This requires a change to the pseudo-random function (PRF) as well as
(PRF) as well as the AT_MAC and AT_CHECKCODE attributes. the AT_MAC and AT_CHECKCODE attributes.
3.4.1. PRF' 3.4.1. PRF'
The PRF' construction is the same one IKEv2 uses (see Section 2.13 of The PRF' construction is the same one IKEv2 uses (see Section 2.13 of
[RFC4306]). The function takes two arguments. K is a 256-bit value [RFC4306]). The function takes two arguments. K is a 256-bit value
and S is an octet string of arbitrary length. PRF' is defined as and S is an octet string of arbitrary length. PRF' is defined as
follows: follows:
PRF'(K,S) = T1 | T2 | T3 | T4 | ... PRF'(K,S) = T1 | T2 | T3 | T4 | ...
skipping to change at page 15, line 4 skipping to change at page 15, line 16
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_CHECKCODE | Length | Reserved | | AT_CHECKCODE | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Checkcode (0 or 32 bytes) | | Checkcode (0 or 32 bytes) |
| | | |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Second, the checkcode is a hash value, calculated with SHA-256 Second, the checkcode is a hash value, calculated with SHA-256
[FIPS.180-2.2002], over the data specified in Section 10.13 of [FIPS.180-4], over the data specified in Section 10.13 of [RFC4187].
[RFC4187].
4. Bidding Down Prevention for EAP-AKA 4. Bidding Down Prevention for EAP-AKA
As discussed in [RFC3748], negotiation of methods within EAP is As discussed in [RFC3748], negotiation of methods within EAP is
insecure. That is, a man-in-the-middle attacker may force the insecure. That is, a man-in-the-middle attacker may force the
endpoints to use a method that is not the strongest that they both endpoints to use a method that is not the strongest that they both
support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be
negotiated via EAP. negotiated via EAP.
In order to prevent such attacks, this RFC specifies a new mechanism In order to prevent such attacks, this RFC specifies a new mechanism
skipping to change at page 17, line 34 skipping to change at page 17, line 43
in the AT_IDENTITY attribute -- specify which identifiers should in the AT_IDENTITY attribute -- specify which identifiers should
be filled in. be filled in.
In 5G, the normal mode of operation is that identifiers are only In 5G, the normal mode of operation is that identifiers are only
transmitted outside EAP. However, in a system involving terminals transmitted outside EAP. However, in a system involving terminals
from many generations and several connectivity options via 5G and from many generations and several connectivity options via 5G and
other mechanisms, implementations and the EAP-AKA' specification need other mechanisms, implementations and the EAP-AKA' specification need
to prepare for many different situations, including sometimes having to prepare for many different situations, including sometimes having
to communicate identities within EAP. to communicate identities within EAP.
The following sections propose one way of clarifying which The following sections clarify which identifiers are used and how.
identifiers are used and how. However, other answers are also
possible (e.g., always use the permanent identity). Further
discussion on this point is welcome!
5.1. Key Derivation 5.1. Key Derivation
In EAP-AKA', the peer identity is used in the Section 3.3 key In EAP-AKA', the peer identity is used in the Section 3.3 key
derivation formula. The identity used in this formula MUST be derivation formula.
exactly the one sent in EAP-AKA' AT_IDENTITY attribute, if one was
sent, regardless of the kind of identity that it may have been. If
no AT_IDENTITY was sent, the identity MUST be the exactly the one
sent in the generic EAP Identity exchange, if one was made. Again,
the identity MUST be used exactly as sent.
Alternative specification: This could also require that the SUPI If the AT_KDF_INPUT parameter contains the prefix "5G:", the AT_KDF
identity be always used, regardless of what identity was sent. parameter has the value 1, and this authentication is not a fast re-
authentication, then the peer identity used in the key derivation
MUST be the 5G SUPI for the peer. This rule applies to all full EAP-
AKA' authentication processes, even if the peer sent some other
identifier at a lower layer or as a response to an EAP Identity
Request or if no identity was sent.
If no identity was communicated inside EAP, then the identity is the In all other cases, the following applies:
one communicated outside EAP in link layer messaging.
In this case, the used identity MUST be the identity most recently The identity used in the key derivation formula MUST be exactly
communicated by the peer to the network, again regardless of what the one sent in EAP-AKA' AT_IDENTITY attribute, if one was sent,
type of identity it may have been. regardless of the kind of identity that it may have been. If no
AT_IDENTITY was sent, the identity MUST be the exactly the one
sent in the generic EAP Identity exchange, if one was made.
Again, the identity MUST be used exactly as sent.
If no identity was communicated inside EAP, then the identity is
the one communicated outside EAP in link layer messaging.
In this case, the used identity MUST be the identity most recently
communicated by the peer to the network, again regardless of what
type of identity it may have been.
5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute
The EAP authentication option is only available in 5G when the new 5G The EAP authentication option is only available in 5G when the new 5G
core network is also in use. However, in other networks an EAP-AKA' core network is also in use. However, in other networks an EAP-AKA'
peer may be connecting to other types of networks and existing peer may be connecting to other types of networks and existing
equipment. equipment.
When the EAP peer is connecting to a 5G access network and uses the When the EAP peer is connecting to a 5G access network and uses the
5G core network signalling mechanisms, it MUST assume that the EAP 5G core network signalling mechanisms, it can assume that the EAP
server is in a 5G network. In that situation, the EAP peer SHOULD server is in a 5G network. The EAP level identity exchanges are not
generally used in this case, but if there is, the EAP peer SHOULD
employ only the privacy preserving SUCI identifier within EAP (either employ only the privacy preserving SUCI identifier within EAP (either
in EAP Identity Response or EAP-AKA' AT_IDENTITY attribute). in EAP Identity Response or EAP-AKA' AT_IDENTITY attribute).
Similarly, if the peer is explicitly communicating through mechanisms Similarly, if the peer is explicitly communicating through mechanisms
developed for 5G to connect to 5G networks over WLAN, it MUST assume developed for 5G to connect to 5G networks over WLAN, it MUST assume
that the EAP server is in a 5G network, and again employ the SUCI that the EAP server is in a 5G network, and again employ the SUCI
within EAP. within EAP.
Otherwise, the peer SHOULD employ IMSI or SUPI as it is configured to Otherwise, the peer SHOULD employ IMSI, SUPI, or a NAI as it is
use. configured to use.
The use of fast re-authentication and pseudonym identifiers in 5G or
other networks is for further discussion. Discussion of this topic
is again welcome!
6. Exported Parameters 6. Exported Parameters
The EAP-AKA' Session-Id is the concatenation of the EAP Type Code The EAP-AKA' Session-Id is the concatenation of the EAP Type Code
(50, one octet) with the contents of the RAND field from the AT_RAND (50, one octet) with the contents of the RAND field from the AT_RAND
attribute, followed by the contents of the AUTN field in the AT_AUTN attribute, followed by the contents of the AUTN field in the AT_AUTN
attribute: attribute:
Session-Id = 50 || RAND || AUTN Session-Id = 50 || RAND || AUTN
skipping to change at page 23, line 35 skipping to change at page 23, line 48
Finally, a new Attribute Type value (136) in the skippable range has Finally, a new Attribute Type value (136) in the skippable range has
been assigned for AT_BIDDING (Section 4). been assigned for AT_BIDDING (Section 4).
8.3. Key Derivation Function Namespace 8.3. Key Derivation Function Namespace
IANA has also created a new namespace for EAP-AKA' AT_KDF Key IANA has also created a new namespace for EAP-AKA' AT_KDF Key
Derivation Function Values. This namespace exists under the EAP-AKA Derivation Function Values. This namespace exists under the EAP-AKA
and EAP-SIM Parameters registry. The initial contents of this and EAP-SIM Parameters registry. The initial contents of this
namespace are given below; new values can be created through the namespace are given below; new values can be created through the
Specification Required policy [RFC5226]. Specification Required policy [RFC8126].
Value Description Reference Value Description Reference
--------- ---------------------- --------------- --------- ---------------------- ---------------
0 Reserved [RFC 5448] 0 Reserved [RFC 5448]
1 EAP-AKA' with CK'/IK' [RFC 5448] 1 EAP-AKA' with CK'/IK' [RFC 5448]
2-65535 Unassigned 2-65535 Unassigned
9. Contributors 9. Contributors
The test vectors in Appendix C were provided by Yogendra Pal and The test vectors in Appendix C were provided by Yogendra Pal and
Jouni Malinen, based on two independent implementations of this Jouni Malinen, based on two independent implementations of this
specification. specification.
Jouni Malinen provided suggested text for Section 6. Jouni Malinen provided suggested text for Section 6.
skipping to change at page 24, line 30 skipping to change at page 24, line 44
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture and procedures for 5G Security; Security architecture and procedures for 5G
System; (Release 15)", 3GPP Technical Specification System; (Release 15)", 3GPP Technical Specification
23.501, December 2017. 23.501, December 2017.
[TS-3GPP.24.302] [TS-3GPP.24.302]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Access to Specification Group Core Network and Terminals; Access to
the 3GPP Evolved Packet Core (EPC) via non-3GPP access the 3GPP Evolved Packet Core (EPC) via non-3GPP access
networks; Stage 3; (Release 15)", 3GPP Draft Technical networks; Stage 3; (Release 15)", 3GPP Draft Technical
Specification 24.302, September 2017. Specification 24.302, June 2018.
[TS-3GPP.33.102] [TS-3GPP.33.102]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture (Release 8)", Security; Security architecture (Release 15)", 3GPP Draft
3GPP Technical Specification 33.102, December 2008. Technical Specification 33.102, June 2018.
[TS-3GPP.33.402] [TS-3GPP.33.402]
3GPP, "3GPP System Architecture Evolution (SAE); Security 3GPP, "3GPP System Architecture Evolution (SAE); Security
aspects of non-3GPP accesses; Release 8", 3GPP Technical aspects of non-3GPP accesses (Release 15)", 3GPP Draft
Specification 33.402, December 2008. Technical Specification 33.402, June 2018.
[TS-3GPP.33.501] [TS-3GPP.33.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture and procedures for 5G Security; Security architecture and procedures for 5G
System; Release 15", 3GPP Technical Specification 33.501, System (Release 15)", 3GPP Draft Technical Specification
August 2017. 33.501, June 2018.
[FIPS.180-2.2002] [FIPS.180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, Hash Standard", FIPS PUB 180-4, August 2015,
<http://csrc.nist.gov/publications/fips/fips180-2/ <https://nvlpubs.nist.gov/nistpubs/FIPS/
fips180-2.pdf>. NIST.FIPS.180-4.pdf>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, <https://www.rfc- DOI 10.17487/RFC2104, February 1997, <https://www.rfc-
editor.org/info/rfc2104>. editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
skipping to change at page 25, line 31 skipping to change at page 25, line 43
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004, (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>. <https://www.rfc-editor.org/info/rfc3748>.
[RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
Protocol Method for 3rd Generation Authentication and Key Protocol Method for 3rd Generation Authentication and Key
Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187, Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187,
January 2006, <https://www.rfc-editor.org/info/rfc4187>. January 2006, <https://www.rfc-editor.org/info/rfc4187>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
IANA Considerations Section in RFCs", RFC 5226, Writing an IANA Considerations Section in RFCs", BCP 26,
DOI 10.17487/RFC5226, May 2008, <https://www.rfc- RFC 8126, DOI 10.17487/RFC8126, June 2017,
editor.org/info/rfc5226>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References 11.2. Informative References
[TS-3GPP.23.003] [TS-3GPP.23.003]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Numbering, Specification Group Core Network and Terminals; Numbering,
addressing and identification (Release 8)", 3GPP Technical addressing and identification (Release 15)", 3GPP Draft
Specification 23.003, December 2008. Technical Specification 23.003, June 2018.
[TS-3GPP.35.208] [TS-3GPP.35.208]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Specification of the MILENAGE Algorithm Set: An Security; Specification of the MILENAGE Algorithm Set: An
example algorithm set for the 3GPP authentication and key example algorithm set for the 3GPP authentication and key
generation functions f1, f1*, f2, f3, f4, f5 and f5*; generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data (Release 8)", Document 4: Design Conformance Test Data (Release 14)",
3GPP Technical Specification 35.208, December 2008. 3GPP Technical Specification 35.208, March 2017.
[FIPS.180-1.1995] [FIPS.180-1]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995, Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>. <http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[FIPS.180-2]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002,
<http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2.pdf>.
[RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible
Authentication Protocol Method for Global System for Authentication Protocol Method for Global System for
Mobile Communications (GSM) Subscriber Identity Modules Mobile Communications (GSM) Subscriber Identity Modules
(EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006,
<https://www.rfc-editor.org/info/rfc4186>. <https://www.rfc-editor.org/info/rfc4186>.
[RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, "Identity [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, "Identity
Selection Hints for the Extensible Authentication Protocol Selection Hints for the Extensible Authentication Protocol
(EAP)", RFC 4284, DOI 10.17487/RFC4284, January 2006, (EAP)", RFC 4284, DOI 10.17487/RFC4284, January 2006,
<https://www.rfc-editor.org/info/rfc4284>. <https://www.rfc-editor.org/info/rfc4284>.
[RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005, Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005,
<https://www.rfc-editor.org/info/rfc4306>. <https://www.rfc-editor.org/info/rfc4306>.
[RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari, [RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari,
"Network Discovery and Selection Problem", RFC 5113, "Network Discovery and Selection Problem", RFC 5113,
DOI 10.17487/RFC5113, January 2008, <https://www.rfc- DOI 10.17487/RFC5113, January 2008, <https://www.rfc-
editor.org/info/rfc5113>. editor.org/info/rfc5113>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226,
DOI 10.17487/RFC5226, May 2008, <https://www.rfc-
editor.org/info/rfc5226>.
[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
Authentication Protocol (EAP) Key Management Framework", Authentication Protocol (EAP) Key Management Framework",
RFC 5247, DOI 10.17487/RFC5247, August 2008, RFC 5247, DOI 10.17487/RFC5247, August 2008,
<https://www.rfc-editor.org/info/rfc5247>. <https://www.rfc-editor.org/info/rfc5247>.
[RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved [RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
Extensible Authentication Protocol Method for 3rd Extensible Authentication Protocol Method for 3rd
Generation Authentication and Key Agreement (EAP-AKA')", Generation Authentication and Key Agreement (EAP-AKA')",
RFC 5448, DOI 10.17487/RFC5448, May 2009, RFC 5448, DOI 10.17487/RFC5448, May 2009,
<https://www.rfc-editor.org/info/rfc5448>. <https://www.rfc-editor.org/info/rfc5448>.
skipping to change at page 27, line 5 skipping to change at page 27, line 34
[TS-3GPP.24.302]. The new version includes an updated definition of [TS-3GPP.24.302]. The new version includes an updated definition of
the Network Name field, to include 5G. the Network Name field, to include 5G.
Secondly, identifier usage for 5G has been specified in Section 5. Secondly, identifier usage for 5G has been specified in Section 5.
Thirdly, exported parameters for EAP-AKA' have been defined in Thirdly, exported parameters for EAP-AKA' have been defined in
Section 6, as required by [RFC5247], including the definition of Section 6, as required by [RFC5247], including the definition of
those parameters for both full authentication and fast re- those parameters for both full authentication and fast re-
authentication. authentication.
Finally, the references to [RFC2119], [RFC5226], [FIPS.180-1] and
[FIPS.180-2] have been updated to their most recent versions and
language in this document changed accordingly. Similarly, references
to all 3GPP technical specifications have been updated to their 5G
(Release 15) versions or otherwise most recent version when there has
not been a 5G-related update.
Appendix B. Changes from RFC 4187 to RFC 5448 Appendix B. Changes from RFC 4187 to RFC 5448
The changes to RFC 4187 relate only to the bidding down prevention The changes to RFC 4187 relate only to the bidding down prevention
support defined in Section 4. In particular, this document does not support defined in Section 4. In particular, this document does not
change how the Master Key (MK) is calculated in RFC 4187 (it uses CK change how the Master Key (MK) is calculated in RFC 4187 (it uses CK
and IK, not CK' and IK'); neither is any processing of the AMF bit and IK, not CK' and IK'); neither is any processing of the AMF bit
added to RFC 4187. added to RFC 4187.
Appendix C. Changes from Previous Version of This Draft Appendix C. Changes from Previous Version of This Draft
RFC Editor: Please delete this section at the time of publication. RFC Editor: Please delete this section at the time of publication.
The -00 version of the working group draft is merely a republication The -00 version of the working group draft is merely a republication
of the individaul draft. A version with technical changes is of an earlier individual draft.
forthcoming.
The -01 version of the working group clarifies updates relationship
to RFC 4187, clarifies language relating to obsoleting RFC 5448,
clarifies when the 3GPP references are expected to be stable, updates
several past references to their more recently published versions,
specifies what identifiers should be used in key derivation formula
for 5G, specifies how to construct the network name in manner that is
compatible with both 5G and previous versions, and has some minor
editorial changes.
Appendix D. Importance of Explicit Negotiation Appendix D. Importance of Explicit Negotiation
Choosing between the traditional and revised AKA key derivation Choosing between the traditional and revised AKA key derivation
functions is easy when their use is unambiguously tied to a functions is easy when their use is unambiguously tied to a
particular radio access network, e.g., Long Term Evolution (LTE) as particular radio access network, e.g., Long Term Evolution (LTE) as
defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined
by 3GPP2. There is no possibility for interoperability problems if by 3GPP2. There is no possibility for interoperability problems if
this radio access network is always used in conjunction with new this radio access network is always used in conjunction with new
protocols that cannot be mixed with the old ones; clients will always protocols that cannot be mixed with the old ones; clients will always
 End of changes. 43 change blocks. 
90 lines changed or deleted 135 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/