| draft-ietf-emu-rfc5448bis-09.txt | draft-ietf-emu-rfc5448bis.txt | |||
|---|---|---|---|---|
| Network Working Group J. Arkko | Network Working Group J. Arkko | |||
| Internet-Draft V. Lehtovirta | Internet-Draft V. Lehtovirta | |||
| Updates: 5448,4187 (if approved) V. Torvinen | Updates: 5448,4187 (if approved) V. Torvinen | |||
| Intended status: Informational Ericsson | Intended status: Informational Ericsson | |||
| Expires: July 15, 2021 P. Eronen | Expires: November 11, 2021 P. Eronen | |||
| Independent | Independent | |||
| January 11, 2021 | May 10, 2021 | |||
| Improved Extensible Authentication Protocol Method for 3GPP Mobile | Improved Extensible Authentication Protocol Method for 3GPP Mobile | |||
| Network Authentication and Key Agreement (EAP-AKA') | Network Authentication and Key Agreement (EAP-AKA') | |||
| draft-ietf-emu-rfc5448bis-09 | draft-ietf-emu-rfc5448bis-10 | |||
| Abstract | Abstract | |||
| The 3GPP Mobile Network Authentication and Key Agreement (AKA) is an | The 3GPP Mobile Network Authentication and Key Agreement (AKA) is an | |||
| authentication mechanism for devices wishing to access mobile | authentication mechanism for devices wishing to access mobile | |||
| networks. RFC 4187 (EAP-AKA) made the use of this mechanism possible | networks. RFC 4187 (EAP-AKA) made the use of this mechanism possible | |||
| within the Extensible Authentication Protocol (EAP) framework. RFC | within the Extensible Authentication Protocol (EAP) framework. RFC | |||
| 5448 (EAP-AKA') was an improved version of EAP-AKA. | 5448 (EAP-AKA') was an improved version of EAP-AKA. | |||
| This memo is the most recent specification of EAP-AKA', including, | This document is the most recent specification of EAP-AKA', | |||
| for instance, details and references about related to operating EAP- | including, for instance, details and references about related to | |||
| AKA' in 5G networks. | operating EAP-AKA' in 5G networks. | |||
| EAP-AKA' differs from EAP-AKA by providing a key derivation function | EAP-AKA' differs from EAP-AKA by providing a key derivation function | |||
| that binds the keys derived within the method to the name of the | that binds the keys derived within the method to the name of the | |||
| access network. The key derivation function has been defined in the | access network. The key derivation function has been defined in the | |||
| 3rd Generation Partnership Project (3GPP). EAP-AKA' allows its use | 3rd Generation Partnership Project (3GPP). EAP-AKA' allows its use | |||
| in EAP in an interoperable manner. EAP-AKA' also updates the | in EAP in an interoperable manner. EAP-AKA' also updates the | |||
| algorithm used in hash functions, as it employs SHA-256 / HMAC- | algorithm used in hash functions, as it employs SHA-256 / HMAC- | |||
| SHA-256 instead of SHA-1 / HMAC-SHA-1 as in EAP-AKA. | SHA-256 instead of SHA-1 / HMAC-SHA-1 as in EAP-AKA. | |||
| This version of EAP-AKA' specification specifies the protocol | This version of EAP-AKA' specification specifies the protocol | |||
| skipping to change at page 2, line 10 | skipping to change at page 2, line 10 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 15, 2021. | This Internet-Draft will expire on November 11, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 17 | skipping to change at page 3, line 17 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 34 | 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 34 | 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 34 | |||
| 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 34 | 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 34 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 35 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 35 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 37 | 9.2. Informative References . . . . . . . . . . . . . . . . . 37 | |||
| Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 40 | Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 40 | |||
| Appendix B. Changes to RFC 4187 . . . . . . . . . . . . . . . . 41 | Appendix B. Changes to RFC 4187 . . . . . . . . . . . . . . . . 41 | |||
| Appendix C. Changes from Previous Version of This Draft . . . . 41 | Appendix C. Changes from Previous Version of This Draft . . . . 41 | |||
| Appendix D. Importance of Explicit Negotiation . . . . . . . . . 44 | Appendix D. Importance of Explicit Negotiation . . . . . . . . . 45 | |||
| Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 45 | Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 46 | |||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 50 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 1. Introduction | 1. Introduction | |||
| The 3GPP Mobile Network Authentication and Key Agreement (AKA) is an | The 3GPP Mobile Network Authentication and Key Agreement (AKA) is an | |||
| authentication mechanism for devices wishing to access mobile | authentication mechanism for devices wishing to access mobile | |||
| networks. [RFC4187] (EAP-AKA) made the use of this mechanism | networks. [RFC4187] (EAP-AKA) made the use of this mechanism | |||
| possible within the Extensible Authentication Protocol (EAP) | possible within the Extensible Authentication Protocol (EAP) | |||
| framework [RFC3748]. | framework [RFC3748]. | |||
| [RFC5448] (EAP-AKA') was an improved version of EAP-AKA. EAP-AKA' | [RFC5448] (EAP-AKA') was an improved version of EAP-AKA. EAP-AKA' | |||
| was defined in RFC 5448 and updated EAP-AKA RFC 4187. | was defined in RFC 5448 and updated EAP-AKA RFC 4187. | |||
| This memo is the most recent specification of EAP-AKA', including, | This document is the most recent specification of EAP-AKA', | |||
| for instance, details and references about related to operating EAP- | including, for instance, details and references about related to | |||
| AKA' in 5G networks. RFC 5448 is not obsole, but the most recent and | operating EAP-AKA' in 5G networks. RFC 5448 is not obsole, but the | |||
| fully backwards compatible specification is in this memo. | most recent and fully backwards compatible specification is in this | |||
| document. | ||||
| EAP-AKA' is commonly implemented in mobile phones and network | EAP-AKA' is commonly implemented in mobile phones and network | |||
| equipment. It can be used for authentication to gain network access | equipment. It can be used for authentication to gain network access | |||
| via Wireless LAN networks and, with 5G, also directly to mobile | via Wireless LAN networks and, with 5G, also directly to mobile | |||
| networks. | networks. | |||
| EAP-AKA' differs from EAP-AKA by providing a different key derivation | EAP-AKA' differs from EAP-AKA by providing a different key derivation | |||
| function. This function binds the keys derived within the method to | function. This function binds the keys derived within the method to | |||
| the name of the access network. This limits the effects of | the name of the access network. This limits the effects of | |||
| compromised access network nodes and keys. EAP-AKA' also updates the | compromised access network nodes and keys. EAP-AKA' also updates the | |||
| skipping to change at page 5, line 5 | skipping to change at page 5, line 5 | |||
| o Update the requirements on generating pseudonym usernames and fast | o Update the requirements on generating pseudonym usernames and fast | |||
| re-authentication identities to ensure identity privacy. | re-authentication identities to ensure identity privacy. | |||
| o Describe what has been learned about any vulnerabilities in AKA or | o Describe what has been learned about any vulnerabilities in AKA or | |||
| EAP-AKA'. | EAP-AKA'. | |||
| o Describe the privacy and pervasive monitoring considerations | o Describe the privacy and pervasive monitoring considerations | |||
| related to EAP-AKA'. | related to EAP-AKA'. | |||
| o Summaries of the attributes have been added. | ||||
| Some of the updates are small. For instance, for the first update, | Some of the updates are small. For instance, for the first update, | |||
| the reference update does not change the 3GPP specification number, | the reference update does not change the 3GPP specification number, | |||
| only the version. But this reference is crucial in correct | only the version. But this reference is crucial in correct | |||
| calculation of the keys resulting from running the EAP-AKA' method, | calculation of the keys resulting from running the EAP-AKA' method, | |||
| so an update of the RFC with the newest version pointer may be | so an update of the RFC with the newest version pointer may be | |||
| warranted. | warranted. | |||
| Note: Any further updates in 3GPP specifications that affect, for | Note: Any further updates in 3GPP specifications that affect, for | |||
| instance, key derivation is something that EAP-AKA' | instance, key derivation is something that EAP-AKA' | |||
| implementations need to take into account. Upon such updates | implementations need to take into account. Upon such updates | |||
| skipping to change at page 5, line 27 | skipping to change at page 5, line 29 | |||
| It is an explicit non-goal of this draft to include any other | It is an explicit non-goal of this draft to include any other | |||
| technical modifications, addition of new features or other changes. | technical modifications, addition of new features or other changes. | |||
| The EAP-AKA' base protocol is stable and needs to stay that way. If | The EAP-AKA' base protocol is stable and needs to stay that way. If | |||
| there are any extensions or variants, those need to be proposed as | there are any extensions or variants, those need to be proposed as | |||
| standalone extensions or even as different authentication methods. | standalone extensions or even as different authentication methods. | |||
| The rest of this specification is structured as follows. Section 3 | The rest of this specification is structured as follows. Section 3 | |||
| defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to | defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to | |||
| prevent bidding down attacks from EAP-AKA'. Section 5 specifies | prevent bidding down attacks from EAP-AKA'. Section 5 specifies | |||
| requirements regarding the use of peer identities, including how EAP- | requirements regarding the use of peer identities, including how 5G | |||
| AKA' identifiers are used in 5G context. Section 6 specifies what | identifiers are used in the EAP-AKA' context. Section 6 specifies | |||
| parameters EAP-AKA' exports out of the method. Section 7 explains | what parameters EAP-AKA' exports out of the method. Section 7 | |||
| the security differences between EAP-AKA and EAP-AKA'. Section 8 | explains the security differences between EAP-AKA and EAP-AKA'. | |||
| describes the IANA considerations and Appendix A and Appendix B | Section 8 describes the IANA considerations and Appendix A and | |||
| explains what updates to RFC 5448 EAP-AKA' and RFC 4187 EAP-AKA have | Appendix B explains what updates to RFC 5448 EAP-AKA' and RFC 4187 | |||
| been made in this specification. Appendix D explains some of the | EAP-AKA have been made in this specification. Appendix D explains | |||
| design rationale for creating EAP-AKA'. Finally, Appendix E provides | some of the design rationale for creating EAP-AKA'. Finally, | |||
| test vectors. | Appendix E provides test vectors. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. EAP-AKA' | 3. EAP-AKA' | |||
| skipping to change at page 13, line 41 | skipping to change at page 13, line 41 | |||
| IK' and CK' are derived as specified in [TS-3GPP.33.402]. The | IK' and CK' are derived as specified in [TS-3GPP.33.402]. The | |||
| functions that derive IK' and CK' take the following parameters: | functions that derive IK' and CK' take the following parameters: | |||
| CK and IK produced by the AKA algorithm, and value of the Network | CK and IK produced by the AKA algorithm, and value of the Network | |||
| Name field comes from the AT_KDF_INPUT attribute (without length | Name field comes from the AT_KDF_INPUT attribute (without length | |||
| or padding). | or padding). | |||
| The value "EAP-AKA'" is an eight-characters-long ASCII string. It | The value "EAP-AKA'" is an eight-characters-long ASCII string. It | |||
| is used as is, without any trailing NUL characters. | is used as is, without any trailing NUL characters. | |||
| Identity is the peer identity as specified in Section 7 of | Identity is the peer identity as specified in Section 7 of | |||
| [RFC4187], and Section 5.3.2 in this memo for the 5G cases. | [RFC4187], and Section 5.3.2 in this document for the 5G cases. | |||
| When the server creates an AKA challenge and corresponding AUTN, | When the server creates an AKA challenge and corresponding AUTN, | |||
| CK, CK', IK, and IK' values, it MUST set the Authentication | CK, CK', IK, and IK' values, it MUST set the Authentication | |||
| Management Field (AMF) separation bit to 1 in the AKA algorithm | Management Field (AMF) separation bit to 1 in the AKA algorithm | |||
| [TS-3GPP.33.102]. Similarly, the peer MUST check that the AMF | [TS-3GPP.33.102]. Similarly, the peer MUST check that the AMF | |||
| separation bit is set to 1. If the bit is not set to 1, the peer | separation bit is set to 1. If the bit is not set to 1, the peer | |||
| behaves as if the AUTN had been incorrect and fails the | behaves as if the AUTN had been incorrect and fails the | |||
| authentication. | authentication. | |||
| On fast re-authentication, the following keys are calculated: | On fast re-authentication, the following keys are calculated: | |||
| skipping to change at page 16, line 52 | skipping to change at page 17, line 5 | |||
| (9) EAP-Response/AKA-Reauthentication, | (9) EAP-Response/AKA-Reauthentication, | |||
| (10) EAP-Response/AKA-Authentication-Reject, and | (10) EAP-Response/AKA-Authentication-Reject, and | |||
| (11) EAP-Response/AKA-Synchronization-Failure. | (11) EAP-Response/AKA-Synchronization-Failure. | |||
| The column denoted with "E" indicates whether the attribute is a | The column denoted with "E" indicates whether the attribute is a | |||
| nested attribute that MUST be included within AT_ENCR_DATA. | nested attribute that MUST be included within AT_ENCR_DATA. | |||
| In addition: | In addition,the numbered columns indicate the quantity of the | |||
| attribute within the message as follows: | ||||
| "0" indicates that the attribute MUST NOT be included in the | "0" indicates that the attribute MUST NOT be included in the | |||
| message, | message, | |||
| "1" indicates that the attribute MUST be included in the message, | "1" indicates that the attribute MUST be included in the message, | |||
| "0-1" indicates that the attribute is sometimes included in the | "0-1" indicates that the attribute is sometimes included in the | |||
| message, | message, | |||
| "0+" indicates that zero or more copies of the attribute MAY be | "0+" indicates that zero or more copies of the attribute MAY be | |||
| skipping to change at page 19, line 45 | skipping to change at page 19, line 45 | |||
| message. If the peer supports EAP-AKA', it compares the received | message. If the peer supports EAP-AKA', it compares the received | |||
| value to its own capabilities. If it turns out that both the server | value to its own capabilities. If it turns out that both the server | |||
| and peer would have been able to use EAP-AKA' and preferred it over | and peer would have been able to use EAP-AKA' and preferred it over | |||
| EAP-AKA, the peer behaves as if AUTN had been incorrect and fails the | EAP-AKA, the peer behaves as if AUTN had been incorrect and fails the | |||
| authentication (see Figure 3 of [RFC4187]). A peer not supporting | authentication (see Figure 3 of [RFC4187]). A peer not supporting | |||
| EAP-AKA' will simply ignore this attribute. In all cases, the | EAP-AKA' will simply ignore this attribute. In all cases, the | |||
| attribute is protected by the integrity mechanisms of EAP-AKA, so it | attribute is protected by the integrity mechanisms of EAP-AKA, so it | |||
| cannot be removed by a man-in-the-middle attacker. | cannot be removed by a man-in-the-middle attacker. | |||
| Note that we assume (Section 7) that EAP-AKA' is always stronger than | Note that we assume (Section 7) that EAP-AKA' is always stronger than | |||
| EAP-AKA. As a result, there is no need to prevent bidding "down" | EAP-AKA. As a result, this specification does not provide protection | |||
| attacks in the other direction, i.e., attackers forcing the endpoints | against bidding "down" attacks in the other direction, i.e., | |||
| to use EAP-AKA'. | attackers forcing the endpoints to use EAP-AKA'. | |||
| 4.1. Summary of Attributes for EAP-AKA | 4.1. Summary of Attributes for EAP-AKA | |||
| The appearance of the AT_BIDDING attribute in EAP-AKA exchanges is | The appearance of the AT_BIDDING attribute in EAP-AKA exchanges is | |||
| shown below, using the notation from Section 3.5: | shown below, using the notation from Section 3.5: | |||
| Attribute (1) (2) (3) (4) (5) (6) (7) (8) (9) (10)(11) E | Attribute (1) (2) (3) (4) (5) (6) (7) (8) (9) (10)(11) E | |||
| AT_BIDDING 0 0 1 0 0 0 0 0 0 0 0 N | AT_BIDDING 0 0 1 0 0 0 0 0 0 0 0 N | |||
| 5. Peer Identities | 5. Peer Identities | |||
| skipping to change at page 20, line 48 | skipping to change at page 20, line 48 | |||
| usernames. This specification extends this definition as follows. | usernames. This specification extends this definition as follows. | |||
| There are four types of usernames: | There are four types of usernames: | |||
| (1) Regular usernames. These are external names given to EAP-AKA' | (1) Regular usernames. These are external names given to EAP-AKA' | |||
| peers. The regular usernames are further subdivided into to | peers. The regular usernames are further subdivided into to | |||
| categories: | categories: | |||
| (a) Permanent usernames, for instance IMSI-based usernames. | (a) Permanent usernames, for instance IMSI-based usernames. | |||
| (b) Privacy-friendly temporary usernames, for instance 5G GUTI | (b) Privacy-friendly temporary usernames, for instance 5G GUTI | |||
| or 5G privacy identifiers (see Section 5.3.2). | (5G Globally Unique Temporary Identifier) or 5G privacy | |||
| identifiers (see Section 5.3.2), for instance SUCI | ||||
| (Subscription Concealed Identifier). | ||||
| (2) EAP-AKA' pseudonym usernames. For example, | (2) EAP-AKA' pseudonym usernames. For example, | |||
| 2s7ah6n9q@example.com might be a valid pseudonym identity. In | 2s7ah6n9q@example.com might be a valid pseudonym identity. In | |||
| this example, 2s7ah6n9q is the pseudonym username. | this example, 2s7ah6n9q is the pseudonym username. | |||
| (3) EAP-AKA' fast re-authentication usernames. For example, | (3) EAP-AKA' fast re-authentication usernames. For example, | |||
| 43953754@example.com might be a valid fast re-authentication | 43953754@example.com might be a valid fast re-authentication | |||
| identity and 43953754 the fast re-authentication username. | identity and 43953754 the fast re-authentication username. | |||
| The permanent, privacy-friendly temporary, and pseudonym usernames | The permanent, privacy-friendly temporary, and pseudonym usernames | |||
| skipping to change at page 22, line 35 | skipping to change at page 22, line 37 | |||
| o Transmitted from the peer to the server using EAP-AKA' messages | o Transmitted from the peer to the server using EAP-AKA' messages | |||
| instead of EAP-Response/Identity. In this case, the server | instead of EAP-Response/Identity. In this case, the server | |||
| includes an identity requesting attribute (AT_ANY_ID_REQ, | includes an identity requesting attribute (AT_ANY_ID_REQ, | |||
| AT_FULLAUTH_ID_REQ or AT_PERMANENT_ID_REQ) in the EAP-Request/AKA- | AT_FULLAUTH_ID_REQ or AT_PERMANENT_ID_REQ) in the EAP-Request/AKA- | |||
| Identity message; and the peer includes the AT_IDENTITY attribute, | Identity message; and the peer includes the AT_IDENTITY attribute, | |||
| which contains the peer's identity, in the EAP-Response/AKA- | which contains the peer's identity, in the EAP-Response/AKA- | |||
| Identity message. | Identity message. | |||
| The identity carried above may be a permanent identity, privacy | The identity carried above may be a permanent identity, privacy | |||
| friendly identity, pseudonym identity, or fast re-authentication | friendly identity, pseudonym identity, or fast re-authentication | |||
| identity as defined in this RFC. | identity as defined in Section 5.1. | |||
| 5G supports the concept of privacy identifiers, and it is important | 5G supports the concept of privacy identifiers, and it is important | |||
| for interoperability that the right type of identifier is used. | for interoperability that the right type of identifier is used. | |||
| 5G defines the SUbscription Permanent Identifier (SUPI) and | 5G defines the SUbscription Permanent Identifier (SUPI) and | |||
| SUbscription Concealed Identifier (SUCI) [TS-3GPP.23.501] | SUbscription Concealed Identifier (SUCI) [TS-3GPP.23.501] | |||
| [TS-3GPP.33.501] [TS-3GPP.23.003]. SUPI is globally unique and | [TS-3GPP.33.501] [TS-3GPP.23.003]. SUPI is globally unique and | |||
| allocated to each subscriber. However, it is only used internally in | allocated to each subscriber. However, it is only used internally in | |||
| the 5G network, and is privacy sensitive. The SUCI is a privacy | the 5G network, and is privacy sensitive. The SUCI is a privacy | |||
| preserving identifier containing the concealed SUPI, using public key | preserving identifier containing the concealed SUPI, using public key | |||
| skipping to change at page 23, line 49 | skipping to change at page 23, line 49 | |||
| For an example of the format of the identity, see Clause 2.2 of | For an example of the format of the identity, see Clause 2.2 of | |||
| [TS-3GPP.23.003]. | [TS-3GPP.23.003]. | |||
| In all other cases, the following applies: | In all other cases, the following applies: | |||
| The identity used in the key derivation formula MUST be exactly | The identity used in the key derivation formula MUST be exactly | |||
| the one sent in EAP-AKA' AT_IDENTITY attribute, if one was sent, | the one sent in EAP-AKA' AT_IDENTITY attribute, if one was sent, | |||
| regardless of the kind of identity that it may have been. If no | regardless of the kind of identity that it may have been. If no | |||
| AT_IDENTITY was sent, the identity MUST be the exactly the one | AT_IDENTITY was sent, the identity MUST be the exactly the one | |||
| sent in the generic EAP Identity exchange, if one was made. | sent in the generic EAP Identity exchange, if one was made. | |||
| Again, the identity MUST be used exactly as sent. | ||||
| If no identity was communicated inside EAP, then the identity is | If no identity was communicated inside EAP, then the identity is | |||
| the one communicated outside EAP in link layer messaging. | the one communicated outside EAP in link layer messaging. | |||
| In this case, the used identity MUST be the identity most recently | In this case, the used identity MUST be the identity most recently | |||
| communicated by the peer to the network, again regardless of what | communicated by the peer to the network, again regardless of what | |||
| type of identity it may have been. | type of identity it may have been. | |||
| 5.3.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute | 5.3.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute | |||
| skipping to change at page 24, line 47 | skipping to change at page 24, line 47 | |||
| identifier. | identifier. | |||
| For an example of an IMSI in NAI format, see [TS-3GPP.23.003] | For an example of an IMSI in NAI format, see [TS-3GPP.23.003] | |||
| Section 28.7.3. | Section 28.7.3. | |||
| Otherwise, the peer SHOULD employ IMSI, SUPI, or a NAI as it is | Otherwise, the peer SHOULD employ IMSI, SUPI, or a NAI as it is | |||
| configured to use. | configured to use. | |||
| 6. Exported Parameters | 6. Exported Parameters | |||
| The EAP-AKA' Session-Id is the concatenation of the EAP Type Code | When not using fast re-authentication, the EAP-AKA' Session-Id is the | |||
| (0x32, one byte) with the contents of the RAND field from the AT_RAND | concatenation of the EAP Type Code (0x32, one byte) with the contents | |||
| attribute, followed by the contents of the AUTN field in the AT_AUTN | of the RAND field from the AT_RAND attribute, followed by the | |||
| attribute: | contents of the AUTN field in the AT_AUTN attribute : | |||
| Session-Id = 0x32 || RAND || AUTN | Session-Id = 0x32 || RAND || AUTN | |||
| When using fast re-authentication, the EAP-AKA' Session-Id is the | When using fast re-authentication, the EAP-AKA' Session-Id is the | |||
| concatenation of the EAP Type Code (0x32) with the contents of the | concatenation of the EAP Type Code (0x32) with the contents of the | |||
| NONCE_S field from the AT_NONCE_S attribute, followed by the contents | NONCE_S field from the AT_NONCE_S attribute, followed by the contents | |||
| of the MAC field from the AT_MAC attribute from EAP-Request/AKA- | of the MAC field from the AT_MAC attribute from EAP-Request/AKA- | |||
| Reauthentication: | Reauthentication: | |||
| Session-Id = 0x32 || NONCE_S || MAC | Session-Id = 0x32 || NONCE_S || MAC | |||
| The Peer-Id is the contents of the Identity field from the | The Peer-Id is the contents of the Identity field from the | |||
| AT_IDENTITY attribute, using only the Actual Identity Length bytes | AT_IDENTITY attribute, using only the Actual Identity Length bytes | |||
| from the beginning. Note that the contents are used as they are | from the beginning. Note that the contents are used as they are | |||
| transmitted, regardless of whether the transmitted identity was a | transmitted, regardless of whether the transmitted identity was a | |||
| permanent, pseudonym, or fast EAP re-authentication identity. If no | permanent, pseudonym, or fast EAP re-authentication identity. If no | |||
| AT_IDENTITY attribute was exchanged, the exported Peer-Id is the | AT_IDENTITY attribute was exchanged, the exported Peer-Id is the | |||
| identity provided from the EAP Identity Response packet. If no EAP | identity provided from the EAP Identity Response packet. If no EAP | |||
| Identity Response was provided either, the exported Peer-Id is null | Identity Response was provided either, the exported Peer-Id is the | |||
| string (zero length). | null string (zero length). | |||
| The Server-Id is the null string (zero length). | The Server-Id is the null string (zero length). | |||
| 7. Security Considerations | 7. Security Considerations | |||
| A summary of the security properties of EAP-AKA' follows. These | A summary of the security properties of EAP-AKA' follows. These | |||
| properties are very similar to those in EAP-AKA. We assume that HMAC | properties are very similar to those in EAP-AKA. We assume that HMAC | |||
| SHA-256 is at least as secure as HMAC SHA-1 (see also [RFC6194]. | SHA-256 is at least as secure as HMAC SHA-1 (see also [RFC6194]. | |||
| This is called the SHA-256 assumption in the remainder of this | This is called the SHA-256 assumption in the remainder of this | |||
| section. Under this assumption, EAP-AKA' is at least as secure as | section. Under this assumption, EAP-AKA' is at least as secure as | |||
| skipping to change at page 26, line 12 | skipping to change at page 26, line 12 | |||
| Per assumptions in Section 4, there is no protection against | Per assumptions in Section 4, there is no protection against | |||
| bidding down attacks from EAP-AKA to EAP-AKA', should EAP-AKA' | bidding down attacks from EAP-AKA to EAP-AKA', should EAP-AKA' | |||
| somehow be considered less secure some day than EAP-AKA. Such | somehow be considered less secure some day than EAP-AKA. Such | |||
| protection was not provided in RFC 5448 implementations and | protection was not provided in RFC 5448 implementations and | |||
| consequently neither does this specification provide it. If such | consequently neither does this specification provide it. If such | |||
| support is needed, it would have to be added as a separate new | support is needed, it would have to be added as a separate new | |||
| feature. | feature. | |||
| In general, it is expected that the current negotiation | In general, it is expected that the current negotiation | |||
| capabilities in EAP-AKA' are sufficient for some types of | capabilities in EAP-AKA' are sufficient for some types of | |||
| extensions and cryptographic agility, including adding Perfect | extensions, including adding Perfect Forward Secrecy | |||
| Forward Secrecy ([I-D.ietf-emu-aka-pfs]) and perhaps others. But | ([I-D.ietf-emu-aka-pfs]) and perhaps others. But as with how EAP- | |||
| as with how EAP-AKA' itself came about, some larger changes may | AKA' itself came about, some larger changes may require a new EAP | |||
| require a new EAP method type. | method type. One example of such change would be the introduction | |||
| of new algorithms. | ||||
| Mutual authentication | Mutual authentication | |||
| Under the SHA-256 assumption, the properties of EAP-AKA' are at | Under the SHA-256 assumption, the properties of EAP-AKA' are at | |||
| least as good as those of EAP-AKA in this respect. Refer to | least as good as those of EAP-AKA in this respect. Refer to | |||
| [RFC4187], Section 12 for further details. | [RFC4187], Section 12 for further details. | |||
| Integrity protection | Integrity protection | |||
| Under the SHA-256 assumption, the properties of EAP-AKA' are at | Under the SHA-256 assumption, the properties of EAP-AKA' are at | |||
| skipping to change at page 28, line 35 | skipping to change at page 28, line 38 | |||
| 7.1. Privacy | 7.1. Privacy | |||
| [RFC6973] suggests that the privacy considerations of IETF protocols | [RFC6973] suggests that the privacy considerations of IETF protocols | |||
| be documented. | be documented. | |||
| The confidentiality properties of EAP-AKA' itself have been discussed | The confidentiality properties of EAP-AKA' itself have been discussed | |||
| above under "Confidentiality". | above under "Confidentiality". | |||
| EAP-AKA' uses several different types of identifiers to identify the | EAP-AKA' uses several different types of identifiers to identify the | |||
| authenticating peer. It is strongly RECOMMENDED to use the privacy- | authenticating peer. It is strongly RECOMMENDED to use the privacy- | |||
| friendly temporary or hidden identifiers, i.e., the 5G SUCI, | friendly temporary or hidden identifiers, i.e., the 5G GUTI or SUCI, | |||
| pseudonym usernames, and fast re-authentication usernames. The use | pseudonym usernames, and fast re-authentication usernames. The use | |||
| of permanent identifiers such as the IMSI or SUPI may lead to an | of permanent identifiers such as the IMSI or SUPI may lead to an | |||
| ability to track the peer and/or user associated with the peer. The | ability to track the peer and/or user associated with the peer. The | |||
| use of permanent identifiers such as the IMSI or SUPI is strongly NOT | use of permanent identifiers such as the IMSI or SUPI is strongly NOT | |||
| RECOMMENDED. | RECOMMENDED. | |||
| As discussed in Section 5.3, when authenticating to a 5G network, | As discussed in Section 5.3, when authenticating to a 5G network, | |||
| only the 5G SUCI identifier is normally used. The use of EAP-AKA' | only the SUCI identifier is normally used. The use of EAP-AKA' | |||
| pseudonyms in this situation is at best limited, because the 5G SUCI | pseudonyms in this situation is at best limited, because the SUCI | |||
| already provides a stronger mechanism. In fact, the re-use of the | already provides a stronger mechanism. In fact, the re-use of the | |||
| same pseudonym multiple times will result in a tracking opportunity | same pseudonym multiple times will result in a tracking opportunity | |||
| for observers that see the pseudonym pass by. To avoid this, the | for observers that see the pseudonym pass by. To avoid this, the | |||
| peer and server need to follow the guidelines given in Section 5.2. | peer and server need to follow the guidelines given in Section 5.2. | |||
| When authenticating to a 5G network, per Section 5.3.1, both the EAP- | When authenticating to a 5G network, per Section 5.3.1, both the EAP- | |||
| AKA' peer and server need to employ the permanent identifier, SUPI, | AKA' peer and server need to employ the permanent identifier, SUPI, | |||
| as an input to key derivation. However, this use of the SUPI is only | as an input to key derivation. However, this use of the SUPI is only | |||
| internal. As such, the SUPI need not be communicated in EAP | internal. As such, the SUPI need not be communicated in EAP | |||
| messages. Therefore, SUPI MUST NOT be communicated in EAP-AKA' when | messages. Therefore, SUPI MUST NOT be communicated in EAP-AKA' when | |||
| authenticating to a 5G network. | authenticating to a 5G network. | |||
| While the use of SUCI in 5G networks generally provides identity | While the use of SUCI in 5G networks generally provides identity | |||
| privacy, this is not true if the null-scheme encryption is used to | privacy, this is not true if the null-scheme encryption is used to | |||
| construct the SUCI (see [TS-3GPP.23.501] Annex C). The use of this | construct the SUCI (see [TS-3GPP.33.501] Annex C). The use of this | |||
| scheme turns the use of SUCI equivalent to the use of SUPI or IMSI. | scheme turns the use of SUCI equivalent to the use of SUPI or IMSI. | |||
| The use of the null scheme is NOT RECOMMENDED where identity privacy | The use of the null scheme is NOT RECOMMENDED where identity privacy | |||
| is important. | is important. | |||
| The use of fast re-authentication identities when authenticating to a | The use of fast re-authentication identities when authenticating to a | |||
| 5G network does not have the same problems as the use of pseudonyms, | 5G network does not have the same problems as the use of pseudonyms, | |||
| as long as the 5G authentication server generates the fast re- | as long as the 5G authentication server generates the fast re- | |||
| authentication identifiers in a proper manner specified in | authentication identifiers in a proper manner specified in | |||
| Section 5.2. | Section 5.2. | |||
| skipping to change at page 29, line 44 | skipping to change at page 29, line 48 | |||
| refuse to send the cleartext permanent identity if it believes | refuse to send the cleartext permanent identity if it believes | |||
| that the network should be able to recognize the pseudonym. | that the network should be able to recognize the pseudonym. | |||
| o When pseudonyms and fast re-authentication identities are used, | o When pseudonyms and fast re-authentication identities are used, | |||
| the peer relies on the properly created identifiers by the server. | the peer relies on the properly created identifiers by the server. | |||
| It is essential that an attacker cannot link a privacy-friendly | It is essential that an attacker cannot link a privacy-friendly | |||
| identifier to the user in any way or determine that two | identifier to the user in any way or determine that two | |||
| identifiers belong to the same user as outlined in Section 5.2. | identifiers belong to the same user as outlined in Section 5.2. | |||
| The pseudonym usernames and fast re-authentication identities MUST | The pseudonym usernames and fast re-authentication identities MUST | |||
| also not be used for other purposes (e.g. in other protocols). | NOT be used for other purposes (e.g., in other protocols). | |||
| If the peer and server cannot guarantee that 5G SUCI can be used or | If the peer and server cannot guarantee that SUCI can be used or | |||
| pseudonyms will available, generated properly, and maintained | pseudonyms will be available, generated properly, and maintained | |||
| reliably, and identity privacy is required then additional protection | reliably, and identity privacy is required then additional protection | |||
| from an external security mechanism such as tunneled EAP methods may | from an external security mechanism such as tunneled EAP methods such | |||
| be used. The benefits and the security considerations of using an | as TTLS [RFC5281] or TEAP [RFC7170] may be used. The benefits and | |||
| external security mechanism with EAP-AKA are beyond the scope of this | the security considerations of using an external security mechanism | |||
| document. | with EAP-AKA are beyond the scope of this document. | |||
| Finally, as with other EAP methods, even when privacy-friendly | Finally, as with other EAP methods, even when privacy-friendly | |||
| identifiers or EAP tunneling is used, typically the domain part of an | identifiers or EAP tunneling is used, typically the domain part of an | |||
| identifier (e.g., the home operator) is visible to external parties. | identifier (e.g., the home operator) is visible to external parties. | |||
| 7.2. Discovered Vulnerabilities | 7.2. Discovered Vulnerabilities | |||
| There have been no published attacks that violate the primary secrecy | There have been no published attacks that violate the primary secrecy | |||
| or authentication properties defined for Authentication and Key | or authentication properties defined for Authentication and Key | |||
| Agreement (AKA) under the originally assumed trust model. The same | Agreement (AKA) under the originally assumed trust model. The same | |||
| is true of EAP-AKA'. | is true of EAP-AKA'. | |||
| However, there have been attacks when a different trust model is in | However, there have been attacks when a different trust model is in | |||
| use, with characteristics not originally provided by the design, or | use, with characteristics not originally provided by the design, or | |||
| when participants in the protocol leak information to outsiders on | when participants in the protocol leak information to outsiders on | |||
| purpose, and there has been some privacy-related attacks. | purpose, and there have been some privacy-related attacks. | |||
| For instance, the original AKA protocol does not prevent supplying | For instance, the original AKA protocol does not prevent supplying | |||
| keys by an insider to a third party as done in, e.g., by Mjolsnes and | keys by an insider to a third party as done in, e.g., by Mjolsnes and | |||
| Tsay in [MT2012] where a serving network lets an authentication run | Tsay in [MT2012] where a serving network lets an authentication run | |||
| succeed, but then misuses the session keys to send traffic on the | succeed, but then misuses the session keys to send traffic on the | |||
| authenticated user's behalf. This particular attack is not different | authenticated user's behalf. This particular attack is not different | |||
| from any on-path entity (such as a router) pretending to send | from any on-path entity (such as a router) pretending to send | |||
| traffic, but the general issue of insider attacks can be a problem, | traffic, but the general issue of insider attacks can be a problem, | |||
| particularly in a large group of collaborating operators. | particularly in a large group of collaborating operators. | |||
| skipping to change at page 31, line 11 | skipping to change at page 31, line 13 | |||
| serving network may request large numbers of authentication runs for | serving network may request large numbers of authentication runs for | |||
| a particular subscriber from a home network. While resynchronization | a particular subscriber from a home network. While resynchronization | |||
| process can help recover from this, eventually it is possible to | process can help recover from this, eventually it is possible to | |||
| exhaust the sequence number space and render the subscriber's card | exhaust the sequence number space and render the subscriber's card | |||
| unusable. This attack is possible for both native AKA and EAP-AKA'. | unusable. This attack is possible for both native AKA and EAP-AKA'. | |||
| However, it requires the collaboration of a serving network in an | However, it requires the collaboration of a serving network in an | |||
| attack. It is recommended that EAP-AKA' implementations provide | attack. It is recommended that EAP-AKA' implementations provide | |||
| means to track, detect, and limit excessive authentication attempts | means to track, detect, and limit excessive authentication attempts | |||
| to combat this problem. | to combat this problem. | |||
| There has also been attacks related to the use of AKA without the | There have also been attacks related to the use of AKA without the | |||
| generated session keys (e.g., [BT2013]). Some of those attacks | generated session keys (e.g., [BT2013]). Some of those attacks | |||
| relate to the use of originally man-in-the-middle vulnerable HTTP | relate to the use of originally man-in-the-middle vulnerable HTTP | |||
| Digest AKAv1 [RFC3310]. This has since then been corrected in | Digest AKAv1 [RFC3310]. This has since then been corrected in | |||
| [RFC4169]. The EAP-AKA' protocol uses session keys and provides | [RFC4169]. The EAP-AKA' protocol uses session keys and provides | |||
| channel binding, and as such, is resistant to the above attacks | channel binding, and as such, is resistant to the above attacks | |||
| except where the protocol participants leak information to outsiders. | except where the protocol participants leak information to outsiders. | |||
| Basin et al [Basin2018] have performed formal analysis and concluded | Basin et al [Basin2018] have performed formal analysis and concluded | |||
| that the AKA protocol would have benefited from additional security | that the AKA protocol would have benefited from additional security | |||
| requirements, such as key confirmation. | requirements, such as key confirmation. | |||
| skipping to change at page 32, line 17 | skipping to change at page 32, line 17 | |||
| short messages or make phone calls to the intended victim and observe | short messages or make phone calls to the intended victim and observe | |||
| the air-interface (e.g., [Kune2012] and [Shaik2016]). Hussain et. | the air-interface (e.g., [Kune2012] and [Shaik2016]). Hussain et. | |||
| al. demonstrated a slightly more sophisticated version of the attack | al. demonstrated a slightly more sophisticated version of the attack | |||
| that exploits the fact that 4G paging protocol uses the IMSI to | that exploits the fact that 4G paging protocol uses the IMSI to | |||
| calculate the paging timeslot [Hussain2019]. As this attack is | calculate the paging timeslot [Hussain2019]. As this attack is | |||
| outside AKA, it does not impact EAP-AKA'. | outside AKA, it does not impact EAP-AKA'. | |||
| Finally, bad implementations of EAP-AKA' may not produce pseudonym | Finally, bad implementations of EAP-AKA' may not produce pseudonym | |||
| usernames or fast re-authentication identities in a manner that is | usernames or fast re-authentication identities in a manner that is | |||
| sufficiently secure. While it is not a problem with the protocol | sufficiently secure. While it is not a problem with the protocol | |||
| itself, recommendations from Section 5.2 need to be followed to avoid | itself, following the recommendations in Section 5.2 mitigate this | |||
| this. | concern. | |||
| 7.3. Pervasive Monitoring | 7.3. Pervasive Monitoring | |||
| As required by [RFC7258], work on IETF protocols needs to consider | As required by [RFC7258], work on IETF protocols needs to consider | |||
| the effects of pervasive monitoring and mitigate them when possible. | the effects of pervasive monitoring and mitigate them when possible. | |||
| As described Section 7.2, after the publication of RFC 5448, new | As described in Section 7.2, after the publication of RFC 5448, new | |||
| information has come to light regarding the use of pervasive | information has come to light regarding the use of pervasive | |||
| monitoring techniques against many security technologies, including | monitoring techniques against many security technologies, including | |||
| AKA-based authentication. | AKA-based authentication. | |||
| For AKA, these attacks relate to theft of the long-term shared secret | For AKA, these attacks relate to theft of the long-term shared secret | |||
| key material stored on the cards. Such attacks are conceivable, for | key material stored on the cards. Such attacks are conceivable, for | |||
| instance, during the manufacturing process of cards, through coercion | instance, during the manufacturing process of cards, through coercion | |||
| of the card manufacturers, or during the transfer of cards and | of the card manufacturers, or during the transfer of cards and | |||
| associated information to an operator. Since the publication of | associated information to an operator. Since the publication of | |||
| reports about such attacks, manufacturing and provisioning processes | reports about such attacks, manufacturing and provisioning processes | |||
| have gained much scrutiny and have improved. | have gained much scrutiny and have improved. | |||
| In particular, it is crucial that manufacturers limit access to the | In particular, it is crucial that manufacturers limit access to the | |||
| secret information and the cards only to necessary systems and | secret information and the cards only to necessary systems and | |||
| personnel. It is also crucial that secure mechanisms be used to | personnel. It is also crucial that secure mechanisms be used to | |||
| communicate the secrets between the manufacturer and the operator | store and communicate the secrets between the manufacturer and the | |||
| that adopts those cards for their customers. | operator that adopts those cards for their customers. | |||
| Beyond these operational considerations, there are also technical | Beyond these operational considerations, there are also technical | |||
| means to improve resistance to these attacks. One approach is to | means to improve resistance to these attacks. One approach is to | |||
| provide Perfect Forwards Secrecy (PFS). This would prevent any | provide Perfect Forward Secrecy (PFS). This would prevent any | |||
| passive attacks merely based on the long-term secrets and observation | passive attacks merely based on the long-term secrets and observation | |||
| of traffic. Such a mechanism can be defined as a backwards- | of traffic. Such a mechanism can be defined as a backwards- | |||
| compatible extension of EAP-AKA', and is pursued separately from this | compatible extension of EAP-AKA', and is pursued separately from this | |||
| specification [I-D.ietf-emu-aka-pfs]. Alternatively, EAP-AKA' | specification [I-D.ietf-emu-aka-pfs]. Alternatively, EAP-AKA' | |||
| authentication can be run inside a PFS-capable tunneled | authentication can be run inside a PFS-capable tunneled | |||
| authentication method. In any case, the use of some PFS-capable | authentication method. In any case, the use of some PFS-capable | |||
| mechanism is recommended. | mechanism is recommended. | |||
| 7.4. Security Properties of Binding Network Names | 7.4. Security Properties of Binding Network Names | |||
| skipping to change at page 38, line 24 | skipping to change at page 38, line 24 | |||
| [RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari, | [RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari, | |||
| "Network Discovery and Selection Problem", RFC 5113, | "Network Discovery and Selection Problem", RFC 5113, | |||
| DOI 10.17487/RFC5113, January 2008, <https://www.rfc- | DOI 10.17487/RFC5113, January 2008, <https://www.rfc- | |||
| editor.org/info/rfc5113>. | editor.org/info/rfc5113>. | |||
| [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible | [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible | |||
| Authentication Protocol (EAP) Key Management Framework", | Authentication Protocol (EAP) Key Management Framework", | |||
| RFC 5247, DOI 10.17487/RFC5247, August 2008, | RFC 5247, DOI 10.17487/RFC5247, August 2008, | |||
| <https://www.rfc-editor.org/info/rfc5247>. | <https://www.rfc-editor.org/info/rfc5247>. | |||
| [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication | ||||
| Protocol Tunneled Transport Layer Security Authenticated | ||||
| Protocol Version 0 (EAP-TTLSv0)", RFC 5281, | ||||
| DOI 10.17487/RFC5281, August 2008, <https://www.rfc- | ||||
| editor.org/info/rfc5281>. | ||||
| [RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved | [RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved | |||
| Extensible Authentication Protocol Method for 3rd | Extensible Authentication Protocol Method for 3rd | |||
| Generation Authentication and Key Agreement (EAP-AKA')", | Generation Authentication and Key Agreement (EAP-AKA')", | |||
| RFC 5448, DOI 10.17487/RFC5448, May 2009, | RFC 5448, DOI 10.17487/RFC5448, May 2009, | |||
| <https://www.rfc-editor.org/info/rfc5448>. | <https://www.rfc-editor.org/info/rfc5448>. | |||
| [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | |||
| Considerations for the SHA-0 and SHA-1 Message-Digest | Considerations for the SHA-0 and SHA-1 Message-Digest | |||
| Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | |||
| <https://www.rfc-editor.org/info/rfc6194>. | <https://www.rfc-editor.org/info/rfc6194>. | |||
| [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., | [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., | |||
| Morris, J., Hansen, M., and R. Smith, "Privacy | Morris, J., Hansen, M., and R. Smith, "Privacy | |||
| Considerations for Internet Protocols", RFC 6973, | Considerations for Internet Protocols", RFC 6973, | |||
| DOI 10.17487/RFC6973, July 2013, <https://www.rfc- | DOI 10.17487/RFC6973, July 2013, <https://www.rfc- | |||
| editor.org/info/rfc6973>. | editor.org/info/rfc6973>. | |||
| [RFC7170] Zhou, H., Cam-Winget, N., Salowey, J., and S. Hanna, | ||||
| "Tunnel Extensible Authentication Protocol (TEAP) Version | ||||
| 1", RFC 7170, DOI 10.17487/RFC7170, May 2014, | ||||
| <https://www.rfc-editor.org/info/rfc7170>. | ||||
| [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an | [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an | |||
| Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | |||
| 2014, <https://www.rfc-editor.org/info/rfc7258>. | 2014, <https://www.rfc-editor.org/info/rfc7258>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| [I-D.ietf-emu-aka-pfs] | [I-D.ietf-emu-aka-pfs] | |||
| Arkko, J., Norrman, K., and V. Torvinen, "Perfect-Forward | Ericsson, Ericsson, and Ericsson, "Perfect-Forward Secrecy | |||
| Secrecy for the Extensible Authentication Protocol Method | for the Extensible Authentication Protocol Method for | |||
| for Authentication and Key Agreement (EAP-AKA' PFS)", | Authentication and Key Agreement (EAP-AKA' PFS)", draft- | |||
| draft-ietf-emu-aka-pfs-05 (work in progress), October | ietf-emu-aka-pfs-05 (work in progress), October 2020. | |||
| 2020. | ||||
| [Heist2015] | [Heist2015] | |||
| Scahill, J. and J. Begley, "The great SIM heist", February | Scahill, J. and J. Begley, "The great SIM heist", February | |||
| 2015, in https://firstlook.org/theintercept/2015/02/19/ | 2015, in https://firstlook.org/theintercept/2015/02/19/ | |||
| great-sim-heist/ . | great-sim-heist/ . | |||
| [MT2012] Mjolsnes, S. and J-K. Tsay, "A vulnerability in the UMTS | [MT2012] Mjolsnes, S. and J-K. Tsay, "A vulnerability in the UMTS | |||
| and LTE authentication and key agreement protocols", | and LTE authentication and key agreement protocols", | |||
| October 2012, in Proceedings of the 6th international | October 2012, in Proceedings of the 6th international | |||
| conference on Mathematical Methods, Models and | conference on Mathematical Methods, Models and | |||
| skipping to change at page 44, line 46 | skipping to change at page 45, line 5 | |||
| o Clarified that the Section 5.2 text does not impact backwards | o Clarified that the Section 5.2 text does not impact backwards | |||
| compatibility. | compatibility. | |||
| o Corrected the characterization of the attack from [ZF2005]. | o Corrected the characterization of the attack from [ZF2005]. | |||
| o Mentioned 5G GUTIs as one possible 5G-identifier in Section 5.1. | o Mentioned 5G GUTIs as one possible 5G-identifier in Section 5.1. | |||
| o Updated the references to Release 16. These specifications are | o Updated the references to Release 16. These specifications are | |||
| stable in 3GPP. | stable in 3GPP. | |||
| Version -10 is the final version and made changes per IESG and | ||||
| directorate review comments. These changes were editorial. One | ||||
| duplicate requirement in Section 5.3.1 was removed, and some | ||||
| references were added for tunnel methods discussion in Section 7.1. | ||||
| The language about exported parameters was clarified in Section 6. | ||||
| Appendix D. Importance of Explicit Negotiation | Appendix D. Importance of Explicit Negotiation | |||
| Choosing between the traditional and revised AKA key derivation | Choosing between the traditional and revised AKA key derivation | |||
| functions is easy when their use is unambiguously tied to a | functions is easy when their use is unambiguously tied to a | |||
| particular radio access network, e.g., Long Term Evolution (LTE) as | particular radio access network, e.g., Long Term Evolution (LTE) as | |||
| defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined | defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined | |||
| by 3GPP2. There is no possibility for interoperability problems if | by 3GPP2. There is no possibility for interoperability problems if | |||
| this radio access network is always used in conjunction with new | this radio access network is always used in conjunction with new | |||
| protocols that cannot be mixed with the old ones; clients will always | protocols that cannot be mixed with the old ones; clients will always | |||
| know whether they are connecting to the old or new system. | know whether they are connecting to the old or new system. | |||
| skipping to change at page 50, line 16 | skipping to change at page 51, line 16 | |||
| provided much of the text for Section 7.1. Karl Norrman was the | provided much of the text for Section 7.1. Karl Norrman was the | |||
| source of much of the information in Section 7.2. | source of much of the information in Section 7.2. | |||
| Acknowledgments | Acknowledgments | |||
| The authors would like to thank Guenther Horn, Joe Salowey, Mats | The authors would like to thank Guenther Horn, Joe Salowey, Mats | |||
| Naslund, Adrian Escott, Brian Rosenberg, Laksminath Dondeti, Ahmad | Naslund, Adrian Escott, Brian Rosenberg, Laksminath Dondeti, Ahmad | |||
| Muhanna, Stefan Rommer, Miguel Garcia, Jan Kall, Ankur Agarwal, Jouni | Muhanna, Stefan Rommer, Miguel Garcia, Jan Kall, Ankur Agarwal, Jouni | |||
| Malinen, John Mattsson, Jesus De Gregorio, Brian Weis, Russ Housley, | Malinen, John Mattsson, Jesus De Gregorio, Brian Weis, Russ Housley, | |||
| Alfred Hoenes, Anand Palanigounder, Michael Richardsson, Roman | Alfred Hoenes, Anand Palanigounder, Michael Richardsson, Roman | |||
| Danyliw, Dan Romascanu, Kyle Rose, Marcus Wong, Kalle Jarvinen, | Danyliw, Dan Romascanu, Kyle Rose, Benjamin Kaduk, Alissa Cooper, | |||
| Daniel Migault, and Mohit Sethi for their in-depth reviews and | Erik Kline, Murray Kucherawy, Robert Wilton, Warren Kumari, Andreas | |||
| interesting discussions in this problem space. | Kunz, Marcus Wong, Kalle Jarvinen, Daniel Migault, and Mohit Sethi | |||
| for their in-depth reviews and interesting discussions in this | ||||
| problem space. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jari Arkko | Jari Arkko | |||
| Ericsson | Ericsson | |||
| Jorvas 02420 | Jorvas 02420 | |||
| Finland | Finland | |||
| Email: jari.arkko@piuha.net | Email: jari.arkko@piuha.net | |||
| End of changes. 35 change blocks. | ||||
| 70 lines changed or deleted | 94 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||