| draft-ietf-emu-aka-pfs-04.txt | draft-arkko-eap-aka-pfs.txt | |||
|---|---|---|---|---|
| Network Working Group J. Arkko | Network Working Group J. Arkko | |||
| Internet-Draft K. Norrman | Internet-Draft K. Norrman | |||
| Updates: RFC5448 (if approved) V. Torvinen | Updates: RFC5448 (if approved) V. Torvinen | |||
| Intended status: Informational Ericsson | Intended status: Informational Ericsson | |||
| Expires: November 26, 2020 May 25, 2020 | Expires: May 3, 2021 October 30, 2020 | |||
| Perfect-Forward Secrecy for the Extensible Authentication Protocol | Perfect-Forward Secrecy for the Extensible Authentication Protocol | |||
| Method for Authentication and Key Agreement (EAP-AKA' PFS) | Method for Authentication and Key Agreement (EAP-AKA' PFS) | |||
| draft-ietf-emu-aka-pfs-04 | draft-ietf-emu-aka-pfs-05 | |||
| Abstract | Abstract | |||
| Many different attacks have been reported as part of revelations | Many different attacks have been reported as part of revelations | |||
| associated with pervasive surveillance. Some of the reported attacks | associated with pervasive surveillance. Some of the reported attacks | |||
| involved compromising smart cards, such as attacking SIM card | involved compromising smart cards, such as attacking SIM card | |||
| manufacturers and operators in an effort to compromise shared secrets | manufacturers and operators in an effort to compromise shared secrets | |||
| stored on these cards. Since the publication of those reports, | stored on these cards. Since the publication of those reports, | |||
| manufacturing and provisioning processes have gained much scrutiny | manufacturing and provisioning processes have gained much scrutiny | |||
| and have improved. However, the danger of resourceful attackers for | and have improved. However, the danger of resourceful attackers for | |||
| skipping to change at page 1, line 49 | skipping to change at page 1, line 49 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 26, 2020. | This Internet-Draft will expire on May 3, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 51 | skipping to change at page 2, line 51 | |||
| 6.5.6. EAP-Response/AKA'-Reauthentication . . . . . . . . . 17 | 6.5.6. EAP-Response/AKA'-Reauthentication . . . . . . . . . 17 | |||
| 6.5.7. EAP-Response/AKA'-Synchronization-Failure . . . . . . 18 | 6.5.7. EAP-Response/AKA'-Synchronization-Failure . . . . . . 18 | |||
| 6.5.8. EAP-Response/AKA'-Authentication-Reject . . . . . . . 18 | 6.5.8. EAP-Response/AKA'-Authentication-Reject . . . . . . . 18 | |||
| 6.5.9. EAP-Response/AKA'-Client-Error . . . . . . . . . . . 18 | 6.5.9. EAP-Response/AKA'-Client-Error . . . . . . . . . . . 18 | |||
| 6.5.10. EAP-Request/AKA'-Notification . . . . . . . . . . . . 18 | 6.5.10. EAP-Request/AKA'-Notification . . . . . . . . . . . . 18 | |||
| 6.5.11. EAP-Response/AKA'-Notification . . . . . . . . . . . 18 | 6.5.11. EAP-Response/AKA'-Notification . . . . . . . . . . . 18 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 23 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 23 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 23 | 9.2. Informative References . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 25 | Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 25 | |||
| Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 25 | Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 26 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 1. Introduction | 1. Introduction | |||
| Many different attacks have been reported as part of revelations | Many different attacks have been reported as part of revelations | |||
| associated with pervasive surveillance. Some of the reported attacks | associated with pervasive surveillance. Some of the reported attacks | |||
| involved compromising smart cards, such as attacking SIM card | involved compromising smart cards, such as attacking SIM card | |||
| manufacturers and operators in an effort to compromise shared secrets | manufacturers and operators in an effort to compromise shared secrets | |||
| stored on these cards. Such attacks are conceivable, for instance, | stored on these cards. Such attacks are conceivable, for instance, | |||
| during the manufacturing process of cards, or during the transfer of | during the manufacturing process of cards, or during the transfer of | |||
| skipping to change at page 11, line 44 | skipping to change at page 11, line 44 | |||
| [RFC4187]. | [RFC4187]. | |||
| Value | Value | |||
| This value is the sender's ECDHE public value. It is calculated | This value is the sender's ECDHE public value. It is calculated | |||
| as follows: | as follows: | |||
| * For X25519/Curve25519, the length of this value is 32 bytes, | * For X25519/Curve25519, the length of this value is 32 bytes, | |||
| encoded in binary as specified [RFC7748] Section 6.1. | encoded in binary as specified [RFC7748] Section 6.1. | |||
| * For P-256, the length of this value is 32 bytes, encoded in | * For P-256, the length of this value is 33 bytes, encoded in | |||
| binary as specified in [FIPS186-4]. | binary as specified in [FIPS186-4], using the compressed form | |||
| from Section 2.7.1 of [SEC2]. | ||||
| To retain the security of the keys, the sender SHALL generate a | To retain the security of the keys, the sender SHALL generate a | |||
| fresh value for each run of the protocol. | fresh value for each run of the protocol. | |||
| 6.2. AT_KDF_PFS | 6.2. AT_KDF_PFS | |||
| The AT_KDF_PFS indicates the used or desired key generation function, | The AT_KDF_PFS indicates the used or desired key generation function, | |||
| if the Perfect Forward Secrecy extension is taken into use. It will | if the Perfect Forward Secrecy extension is taken into use. It will | |||
| also at the same time indicate the used or desired ECDHE group. A | also at the same time indicate the used or desired ECDHE group. A | |||
| new attribute is needed to carry this information, as AT_KDF carries | new attribute is needed to carry this information, as AT_KDF carries | |||
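Review bot: The revised P-256 bullet in the Value description gives a 33-byte length and "the compressed form" but never states what the 33 bytes contain, and it cites two documents ([FIPS186-4] and Section 2.7.1 of [SEC2]) for a single encoding. Suggest spelling the layout out in the bullet itself: one leading octet (0x02 or 0x03, selecting the parity of y) followed by the 32-byte big-endian x-coordinate, so that implementers do not have to infer it from a reference. Because the receiver now has to decompress the point, the text should also say what it does with a value that has the wrong length, a different leading octet, or an x-coordinate that yields no point on the curve; the visible text covers only the sender side ("the sender SHALL generate a fresh value").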
| skipping to change at page 23, line 47 | skipping to change at page 23, line 47 | |||
| [I-D.ietf-emu-rfc5448bis] | [I-D.ietf-emu-rfc5448bis] | |||
| Arkko, J., Lehtovirta, V., Torvinen, V., and P. Eronen, | Arkko, J., Lehtovirta, V., Torvinen, V., and P. Eronen, | |||
| "Improved Extensible Authentication Protocol Method for | "Improved Extensible Authentication Protocol Method for | |||
| 3GPP Mobile Network Authentication and Key Agreement (EAP- | 3GPP Mobile Network Authentication and Key Agreement (EAP- | |||
| AKA')", draft-ietf-emu-rfc5448bis-07 (work in progress), | AKA')", draft-ietf-emu-rfc5448bis-07 (work in progress), | |||
| March 2020. | March 2020. | |||
| [FIPS186-4] | [FIPS186-4] | |||
| NIST, , "Digital Signature Standard (DSS)", July 2013. | NIST, , "Digital Signature Standard (DSS)", July 2013. | |||
| [SEC2] Certicom Research, , "SEC 2: Recommended Elliptic Curve | ||||
| Domain Parameters", September 2000. | ||||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | |||
| Authentication Protocol Method for Global System for | Authentication Protocol Method for Global System for | |||
| Mobile Communications (GSM) Subscriber Identity Modules | Mobile Communications (GSM) Subscriber Identity Modules | |||
| (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4186>. | <https://www.rfc-editor.org/info/rfc4186>. | |||
| [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS | [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS | |||
| Authentication Protocol", RFC 5216, DOI 10.17487/RFC5216, | Authentication Protocol", RFC 5216, DOI 10.17487/RFC5216, | |||
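Review bot: The new [SEC2] entry under the normative references has no version, URL or DOI, and the title it gives, "SEC 2: Recommended Elliptic Curve Domain Parameters", describes curve parameters rather than a point encoding. Since the P-256 Value text now depends on "Section 2.7.1 of [SEC2]" for the compressed form, add a version and a stable locator so that the section number resolves unambiguously, and confirm that the cited section actually defines the encoding and does not just list parameters. The entry also repeats the stray ", ," after the author name that [FIPS186-4] already has.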
| skipping to change at page 24, line 32 | skipping to change at page 24, line 34 | |||
| Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | |||
| 2014, <https://www.rfc-editor.org/info/rfc7258>. | 2014, <https://www.rfc-editor.org/info/rfc7258>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| [I-D.ietf-emu-eap-tls13] | [I-D.ietf-emu-eap-tls13] | |||
| Mattsson, J. and M. Sethi, "Using EAP-TLS with TLS 1.3", | Mattsson, J. and M. Sethi, "Using EAP-TLS with TLS 1.3", | |||
| draft-ietf-emu-eap-tls13-09 (work in progress), March | draft-ietf-emu-eap-tls13-11 (work in progress), October | |||
| 2020. | 2020. | |||
| [TrustCom2015] | [TrustCom2015] | |||
| Arkko, J., Norrman, K., Naslund, M., and B. Sahlin, "A | Arkko, J., Norrman, K., Naslund, M., and B. Sahlin, "A | |||
| USIM compatible 5G AKA protocol with perfect forward | USIM compatible 5G AKA protocol with perfect forward | |||
| secrecy", August 2015 in Proceedings of the TrustCom 2015, | secrecy", August 2015 in Proceedings of the TrustCom 2015, | |||
| IEEE. | IEEE. | |||
| [Heist2015] | [Heist2015] | |||
| Scahill, J. and J. Begley, "The great SIM heist", February | Scahill, J. and J. Begley, "The great SIM heist", February | |||
| 2015, in https://firstlook.org/theintercept/2015/02/19/ | 2015, in https://firstlook.org/theintercept/2015/02/19/ | |||
| great-sim-heist/ . | great-sim-heist/ . | |||
| [DOW1992] Diffie, W., vanOorschot, P., and M. Wiener, | [DOW1992] Diffie, W., vanOorschot, P., and M. Wiener, | |||
| "Authentication and Authenticated Key Exchanges", June | "Authentication and Authenticated Key Exchanges", June | |||
| 1992, in Designs, Codes and Cryptography 2 (2): pp. | 1992, in Designs, Codes and Cryptography 2 (2): pp. | |||
| 107-125. | 107-125. | |||
| Appendix A. Change Log | Appendix A. Change Log | |||
| The -05 version of the WG draft takes into account feedback from the | ||||
| working group list, about the number of bytes needed to encode P-256 | ||||
| values. | ||||
| The -04 version of the WG draft takes into account feedback from the | The -04 version of the WG draft takes into account feedback from the | |||
| May 2020 WG interim meeting, correcting the reference to the NIST | May 2020 WG interim meeting, correcting the reference to the NIST | |||
| P-256 specification. | P-256 specification. | |||
| The -03 version of the WG draft is first of all a refresh; there are | The -03 version of the WG draft is first of all a refresh; there are | |||
| no issues that we think need addressing, beyond the one for which | no issues that we think need addressing, beyond the one for which | |||
| there is a suggestion in -03: The specification now suggests an | there is a suggestion in -03: The specification now suggests an | |||
| alternate group/curve as an optional one besides X25519. The | alternate group/curve as an optional one besides X25519. The | |||
| specific choice of particular groups and algorithms is still up to | specific choice of particular groups and algorithms is still up to | |||
| the working group. | the working group. | |||
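Review bot: The new -05 change log entry mentions only "the number of bytes needed to encode P-256 values", which understates what changed. The P-256 value went from 32 to 33 bytes and now uses the compressed form, so -04 and -05 implementations would put different contents on the wire for that group, and a normative reference ([SEC2]) was added. Suggest naming the encoding change and the new reference in the entry so that implementers tracking the draft notice the wire-format difference.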
| skipping to change at page 26, line 11 | skipping to change at page 26, line 18 | |||
| document came out of the TrustCom paper [TrustCom2015], whose authors | document came out of the TrustCom paper [TrustCom2015], whose authors | |||
| were J. Arkko, K. Norrman, M. Naslund, and B. Sahlin. This | were J. Arkko, K. Norrman, M. Naslund, and B. Sahlin. This | |||
| document uses also a lot of material from [RFC4187] by J. Arkko and | document uses also a lot of material from [RFC4187] by J. Arkko and | |||
| H. Haverinen as well as [RFC5448] by J. Arkko, V. Lehtovirta, and | H. Haverinen as well as [RFC5448] by J. Arkko, V. Lehtovirta, and | |||
| P. Eronen. | P. Eronen. | |||
| The authors would also like to thank Tero Kivinen, John Mattsson, | The authors would also like to thank Tero Kivinen, John Mattsson, | |||
| Mohit Sethi, Vesa Lehtovirta, Russ Housley, Sean Turner, Eliot Lear, | Mohit Sethi, Vesa Lehtovirta, Russ Housley, Sean Turner, Eliot Lear, | |||
| Joseph Salowey, Kathleen Moriarty, Zhang Fu, Bengt Sahlin, Ben | Joseph Salowey, Kathleen Moriarty, Zhang Fu, Bengt Sahlin, Ben | |||
| Campbell, Prajwol Kumar Nakarmi, Goran Rune, Tim Evans, Helena Vahidi | Campbell, Prajwol Kumar Nakarmi, Goran Rune, Tim Evans, Helena Vahidi | |||
| Mazinani, Anand R. Prasad, and many other people at the IETF, GSMA | Mazinani, Anand R. Prasad, Rene Struik, and many other people at the | |||
| and 3GPP groups for interesting discussions in this problem space. | IETF, GSMA and 3GPP groups for interesting discussions in this | |||
| problem space. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jari Arkko | Jari Arkko | |||
| Ericsson | Ericsson | |||
| Jorvas 02420 | Jorvas 02420 | |||
| Finland | Finland | |||
| Email: jari.arkko@piuha.net | Email: jari.arkko@piuha.net | |||
| End of changes. 10 change blocks. | ||||
| 10 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||