| draft-arkko-eap-rfc5448bis-01.txt | draft-arkko-eap-rfc5448bis.txt | |||
|---|---|---|---|---|
| Network Working Group J. Arkko | Network Working Group J. Arkko | |||
| Internet-Draft V. Lehtovirta | Internet-Draft V. Lehtovirta | |||
| Obsoletes: 5448 (if approved) V. Torvinen | Obsoletes: 5448 (if approved) V. Torvinen | |||
| Intended status: Informational Ericsson | Updates: 4187 (if approved) Ericsson | |||
| Expires: September 6, 2018 P. Eronen | Intended status: Informational P. Eronen | |||
| Nokia | Expires: December 3, 2018 Nokia | |||
| March 5, 2018 | June 2018 | |||
| Improved Extensible Authentication Protocol Method for 3rd Generation | Improved Extensible Authentication Protocol Method for 3rd Generation | |||
| Authentication and Key Agreement (EAP-AKA') | Authentication and Key Agreement (EAP-AKA') | |||
| draft-arkko-eap-rfc5448bis-01 | draft-ietf-emu-rfc5448bis-01 | |||
| Abstract | Abstract | |||
| This specification defines a new EAP method, EAP-AKA', a small | This specification defines a new EAP method, EAP-AKA', a small | |||
| revision of the EAP-AKA method. The change is a new key derivation | revision of the EAP-AKA method. The change is a new key derivation | |||
| function that binds the keys derived within the method to the name of | function that binds the keys derived within the method to the name of | |||
| the access network. The new key derivation mechanism has been | the access network. The new key derivation mechanism has been | |||
| defined in the 3rd Generation Partnership Project (3GPP). This | defined in the 3rd Generation Partnership Project (3GPP). This | |||
| specification allows its use in EAP in an interoperable manner. In | specification allows its use in EAP in an interoperable manner. In | |||
| addition, EAP-AKA' employs SHA-256 instead of SHA-1. | addition, EAP-AKA' employs SHA-256 instead of SHA-1. | |||
| skipping to change at page 1, line 47 | skipping to change at page 1, line 47 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 6, 2018. | This Internet-Draft will expire on December 3, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 29 | skipping to change at page 2, line 29 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . 7 | 3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . 11 | 3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . 13 | 3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . 13 | 3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . 13 | 3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . 14 | 3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 14 | 4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 15 | |||
| 5. Identifier Usage in 5G . . . . . . . . . . . . . . . . . . . 16 | 5. Identifier Usage in 5G . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 17 | 5.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 17 | 5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 18 | |||
| 6. Exported Parameters . . . . . . . . . . . . . . . . . . . . . 18 | 6. Exported Parameters . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. Security Properties of Binding Network Names . . . . . . 21 | 7.1. Security Properties of Binding Network Names . . . . . . 21 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 22 | 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 22 | 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 23 | |||
| 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 23 | 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 23 | |||
| 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 23 | 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 23 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 24 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 25 | 11.2. Informative References . . . . . . . . . . . . . . . . . 25 | |||
| Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 26 | Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 27 | |||
| Appendix B. Changes from RFC 4187 to RFC 5448 . . . . . . . . . 26 | Appendix B. Changes from RFC 4187 to RFC 5448 . . . . . . . . . 27 | |||
| Appendix C. Importance of Explicit Negotiation . . . . . . . . . 26 | Appendix C. Changes from Previous Version of This Draft . . . . 27 | |||
| Appendix D. Test Vectors . . . . . . . . . . . . . . . . . . . . 27 | Appendix D. Importance of Explicit Negotiation . . . . . . . . . 28 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 29 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | ||||
| 1. Introduction | 1. Introduction | |||
| This specification defines a new Extensible Authentication Protocol | This specification defines a new Extensible Authentication Protocol | |||
| (EAP)[RFC3748] method, EAP-AKA', a small revision of the EAP-AKA | (EAP)[RFC3748] method, EAP-AKA', a small revision of the EAP-AKA | |||
| method originally defined in [RFC4187]. What is new in EAP-AKA' is | method originally defined in [RFC4187]. What is new in EAP-AKA' is | |||
| that it has a new key derivation function, specified in | that it has a new key derivation function, specified in | |||
| [TS-3GPP.33.402]. This function binds the keys derived within the | [TS-3GPP.33.402]. This function binds the keys derived within the | |||
| method to the name of the access network. This limits the effects of | method to the name of the access network. This limits the effects of | |||
| compromised access network nodes and keys. This specification | compromised access network nodes and keys. This specification | |||
| skipping to change at page 3, line 35 | skipping to change at page 3, line 36 | |||
| change of the key derivation must be unambiguous to both sides in the | change of the key derivation must be unambiguous to both sides in the | |||
| protocol. That is, it must not be possible to accidentally connect | protocol. That is, it must not be possible to accidentally connect | |||
| old equipment to new equipment and get the key derivation wrong or | old equipment to new equipment and get the key derivation wrong or | |||
| attempt to use wrong keys without getting a proper error message. | attempt to use wrong keys without getting a proper error message. | |||
| The change must also be secure against bidding down attacks that | The change must also be secure against bidding down attacks that | |||
| attempt to force the participants to use the least secure mechanism. | attempt to force the participants to use the least secure mechanism. | |||
| This specification therefore introduces a variant of the EAP-AKA | This specification therefore introduces a variant of the EAP-AKA | |||
| method, called EAP-AKA'. This method can employ the derived keys CK' | method, called EAP-AKA'. This method can employ the derived keys CK' | |||
| and IK' from the 3GPP specification and updates the used hash | and IK' from the 3GPP specification and updates the used hash | |||
| function to SHA-256 [FIPS.180-2.2002]. But it is otherwise | function to SHA-256 [FIPS.180-4]. But it is otherwise equivalent to | |||
| equivalent to RFC 4187. Given that a different EAP method type value | RFC 4187. Given that a different EAP method type value is used for | |||
| is used for EAP-AKA and EAP-AKA', a mutually supported method may be | EAP-AKA and EAP-AKA', a mutually supported method may be negotiated | |||
| negotiated using the standard mechanisms in EAP [RFC3748]. | using the standard mechanisms in EAP [RFC3748]. | |||
| Note: Appendix C explains why it is important to be explicit about | Note: Appendix D explains why it is important to be explicit about | |||
| the change of semantics for the keys, and why other approaches | the change of semantics for the keys, and why other approaches | |||
| would lead to severe interoperability problems. | would lead to severe interoperability problems. | |||
| This version of the EAP-AKA' specification is an update to RFC 5448. | This version of the EAP-AKA' specification is obsoletes RFC 5448. | |||
| The update consists of three things: | The changes consist of three things: | |||
| o Update the reference on how the Network Name field is constructed | o Update the reference on how the Network Name field is constructed | |||
| in the protocol. The update helps ensure that EAP-AKA' becomes | in the protocol. The update helps ensure that EAP-AKA' becomes | |||
| compatible with 5G deployments as well. RFC 5448 referred to the | compatible with 5G deployments as well. RFC 5448 referred to the | |||
| 2008 version of that reference ([TS-3GPP.24.302]) and this update | Release 8 version of [TS-3GPP.24.302] and this update points to | |||
| points to the 5G version of that reference. | the first 5G version, Release 15. | |||
| o Specify how EAP and EAP-AKA' use identifiers in 5G, as additional | o Specify how EAP and EAP-AKA' use identifiers in 5G, as additional | |||
| identifiers are introduced, and for interoperability, it is | identifiers are introduced, and for interoperability, it is | |||
| important that implementations use the right ones. | important that implementations use the right ones. | |||
| o Specify session identifiers and other exported parameters, as | o Specify session identifiers and other exported parameters, as | |||
| those were not specified in [RFC5448] despite requirements set | those were not specified in [RFC5448] despite requirements set | |||
| forward in [RFC5247] to do so. Also, while [RFC5247] specified | forward in [RFC5247] to do so. Also, while [RFC5247] specified | |||
| session identifiers for EAP-AKA, it only did so for the full | session identifiers for EAP-AKA, it only did so for the full | |||
| authentication case, not for the case of fast re-authentication. | authentication case, not for the case of fast re-authentication. | |||
| skipping to change at page 4, line 50 | skipping to change at page 5, line 4 | |||
| The EAP-AKA' base protocol is stable and needs to stay that way. If | The EAP-AKA' base protocol is stable and needs to stay that way. If | |||
| there are any extensions or variants, those need to be proposed as | there are any extensions or variants, those need to be proposed as | |||
| standalone extensions or even as different authentication methods. | standalone extensions or even as different authentication methods. | |||
| The rest of this specification is structured as follows. Section 3 | The rest of this specification is structured as follows. Section 3 | |||
| defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to | defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to | |||
| prevent bidding down attacks from EAP-AKA'. Section 7 explains the | prevent bidding down attacks from EAP-AKA'. Section 7 explains the | |||
| security differences between EAP-AKA and EAP-AKA'. Section 8 | security differences between EAP-AKA and EAP-AKA'. Section 8 | |||
| describes the IANA considerations and Appendix A and Appendix B | describes the IANA considerations and Appendix A and Appendix B | |||
| explains what updates to RFC 5448 AKA' and RFC 4187 EAP-AKA have been | explains what updates to RFC 5448 AKA' and RFC 4187 EAP-AKA have been | |||
| made in this specification. Appendix C explains some of the design | made in this specification. Appendix D explains some of the design | |||
| rationale for creating EAP-AKA' Finally, Appendix D provides test | rationale for creating EAP-AKA' Finally, Appendix E provides test | |||
| vectors. | vectors. | |||
| Editor's Note: The publication of this RFC depends on its | Editor's Note: The publication of this RFC depends on its | |||
| normative references [TS-3GPP.24.302] and [TS-3GPP.33.501] from | normative references [TS-3GPP.24.302] and [TS-3GPP.33.501] | |||
| 3GPP reaching their final Release 15 status at 3GPP. This is | reaching a stable status for Release 15, as indicated by 3GPP. | |||
| expected to happen shortly. The RFC Editor should check with the | This is expected to happen shortly. The RFC Editor should check | |||
| 3GPP liaisons that this has happened. RFC Editor: Please delete | with the 3GPP liaisons that this has happened. RFC Editor: Please | |||
| this note upon publication of this specification as an RFC. | delete this note upon publication of this specification as an RFC. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| document are to be interpreted as described in [RFC2119]. | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | ||||
| capitals, as shown here. | ||||
| 3. EAP-AKA' | 3. EAP-AKA' | |||
| EAP-AKA' is a new EAP method that follows the EAP-AKA specification | EAP-AKA' is a new EAP method that follows the EAP-AKA specification | |||
| [RFC4187] in all respects except the following: | [RFC4187] in all respects except the following: | |||
| o It uses the Type code 50, not 23 (which is used by EAP-AKA). | o It uses the Type code 50, not 23 (which is used by EAP-AKA). | |||
| o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1, | o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1, | |||
| to ensure that both the peer and server know the name of the | to ensure that both the peer and server know the name of the | |||
| access network. | access network. | |||
| o It supports key derivation function negotiation via the AT_KDF | o It supports key derivation function negotiation via the AT_KDF | |||
| attribute (Section 3.2) to allow for future extensions. | attribute (Section 3.2) to allow for future extensions. | |||
| o It calculates keys as defined in Section 3.3, not as defined in | o It calculates keys as defined in Section 3.3, not as defined in | |||
| EAP-AKA. | EAP-AKA. | |||
| o It employs SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] | o It employs SHA-256, not SHA-1 [FIPS.180-4] (Section 3.4). | |||
| (Section 3.4). | ||||
| Figure 1 shows an example of the authentication process. Each | Figure 1 shows an example of the authentication process. Each | |||
| message AKA'-Challenge and so on represents the corresponding message | message AKA'-Challenge and so on represents the corresponding message | |||
| from EAP-AKA, but with EAP-AKA' Type code. The definition of these | from EAP-AKA, but with EAP-AKA' Type code. The definition of these | |||
| messages, along with the definition of attributes AT_RAND, AT_AUTN, | messages, along with the definition of attributes AT_RAND, AT_AUTN, | |||
| AT_MAC, and AT_RES can be found in [RFC4187]. | AT_MAC, and AT_RES can be found in [RFC4187]. | |||
| Peer Server | Peer Server | |||
| | EAP-Request/Identity | | | EAP-Request/Identity | | |||
| |<-------------------------------------------------------| | |<-------------------------------------------------------| | |||
| skipping to change at page 11, line 34 | skipping to change at page 12, line 5 | |||
| AT_MAC had been incorrect and fail the authentication. | AT_MAC had been incorrect and fail the authentication. | |||
| 3.3. Key Generation | 3.3. Key Generation | |||
| Both the peer and server MUST derive the keys as follows. | Both the peer and server MUST derive the keys as follows. | |||
| AT_KDF set to 1 | AT_KDF set to 1 | |||
| In this case, MK is derived and used as follows: | In this case, MK is derived and used as follows: | |||
| MK = PRF'(IK'|CK',"EAP-AKA'"|Identity) | MK = PRF'(IK'|CK',"EAP-AKA'"|Identity) | |||
| K_encr = MK[0..127] | K_encr = MK[0..127] | |||
| K_aut = MK[128..383] | K_aut = MK[128..383] | |||
| K_re = MK[384..639] | K_re = MK[384..639] | |||
| MSK = MK[640..1151] | MSK = MK[640..1151] | |||
| EMSK = MK[1152..1663] | EMSK = MK[1152..1663] | |||
| Here [n..m] denotes the substring from bit n to m. PRF' is a new | Here [n..m] denotes the substring from bit n to m. PRF' is a new | |||
| pseudo-random function specified in Section 3.4. The first 1664 | pseudo-random function specified in Section 3.4. The first 1664 | |||
| bits from its output are used for K_encr (encryption key, 128 | bits from its output are used for K_encr (encryption key, 128 | |||
| bits), K_aut (authentication key, 256 bits), K_re (re- | bits), K_aut (authentication key, 256 bits), K_re (re- | |||
| authentication key, 256 bits), MSK (Master Session Key, 512 bits), | authentication key, 256 bits), MSK (Master Session Key, 512 bits), | |||
| and EMSK (Extended Master Session Key, 512 bits). These keys are | and EMSK (Extended Master Session Key, 512 bits). These keys are | |||
| used by the subsequent EAP-AKA' process. K_encr is used by the | used by the subsequent EAP-AKA' process. K_encr is used by the | |||
| AT_ENCR_DATA attribute, and K_aut by the AT_MAC attribute. K_re | AT_ENCR_DATA attribute, and K_aut by the AT_MAC attribute. K_re | |||
| is used later in this section. MSK and EMSK are outputs from a | is used later in this section. MSK and EMSK are outputs from a | |||
| skipping to change at page 12, line 27 | skipping to change at page 12, line 45 | |||
| When the server creates an AKA challenge and corresponding AUTN, | When the server creates an AKA challenge and corresponding AUTN, | |||
| CK, CK', IK, and IK' values, it MUST set the Authentication | CK, CK', IK, and IK' values, it MUST set the Authentication | |||
| Management Field (AMF) separation bit to 1 in the AKA algorithm | Management Field (AMF) separation bit to 1 in the AKA algorithm | |||
| [TS-3GPP.33.102]. Similarly, the peer MUST check that the AMF | [TS-3GPP.33.102]. Similarly, the peer MUST check that the AMF | |||
| separation bit is set to 1. If the bit is not set to 1, the peer | separation bit is set to 1. If the bit is not set to 1, the peer | |||
| behaves as if the AUTN had been incorrect and fails the | behaves as if the AUTN had been incorrect and fails the | |||
| authentication. | authentication. | |||
| On fast re-authentication, the following keys are calculated: | On fast re-authentication, the following keys are calculated: | |||
| MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S) | MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S) | |||
| MSK = MK[0..511] | MSK = MK[0..511] | |||
| EMSK = MK[512..1023] | EMSK = MK[512..1023] | |||
| MSK and EMSK are the resulting 512-bit keys, taking the first 1024 | MSK and EMSK are the resulting 512-bit keys, taking the first 1024 | |||
| bits from the result of PRF'. Note that K_encr and K_aut are not | bits from the result of PRF'. Note that K_encr and K_aut are not | |||
| re-derived on fast re-authentication. K_re is the re- | re-derived on fast re-authentication. K_re is the re- | |||
| authentication key from the preceding full authentication and | authentication key from the preceding full authentication and | |||
| stays unchanged over any fast re-authentication(s) that may happen | stays unchanged over any fast re-authentication(s) that may happen | |||
| based on it. The value "EAP-AKA' re-auth" is a sixteen- | based on it. The value "EAP-AKA' re-auth" is a sixteen- | |||
| characters-long ASCII string, again represented without any | characters-long ASCII string, again represented without any | |||
| trailing NUL characters. Identity is the fast re-authentication | trailing NUL characters. Identity is the fast re-authentication | |||
| identity, counter is the value from the AT_COUNTER attribute, | identity, counter is the value from the AT_COUNTER attribute, | |||
| skipping to change at page 13, line 26 | skipping to change at page 13, line 45 | |||
| The peer behaves as if the AUTN had been incorrect and MUST fail | The peer behaves as if the AUTN had been incorrect and MUST fail | |||
| the authentication. | the authentication. | |||
| If the peer supports a given key derivation function but is unwilling | If the peer supports a given key derivation function but is unwilling | |||
| to perform it for policy reasons, it refuses to calculate the keys | to perform it for policy reasons, it refuses to calculate the keys | |||
| and behaves as explained in Section 3.2. | and behaves as explained in Section 3.2. | |||
| 3.4. Hash Functions | 3.4. Hash Functions | |||
| EAP-AKA' uses SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] | EAP-AKA' uses SHA-256, not SHA-1 (see [FIPS.180-4]) as in EAP-AKA. | |||
| as in EAP-AKA. This requires a change to the pseudo-random function | This requires a change to the pseudo-random function (PRF) as well as | |||
| (PRF) as well as the AT_MAC and AT_CHECKCODE attributes. | the AT_MAC and AT_CHECKCODE attributes. | |||
| 3.4.1. PRF' | 3.4.1. PRF' | |||
| The PRF' construction is the same one IKEv2 uses (see Section 2.13 of | The PRF' construction is the same one IKEv2 uses (see Section 2.13 of | |||
| [RFC4306]). The function takes two arguments. K is a 256-bit value | [RFC4306]). The function takes two arguments. K is a 256-bit value | |||
| and S is an octet string of arbitrary length. PRF' is defined as | and S is an octet string of arbitrary length. PRF' is defined as | |||
| follows: | follows: | |||
| PRF'(K,S) = T1 | T2 | T3 | T4 | ... | PRF'(K,S) = T1 | T2 | T3 | T4 | ... | |||
| skipping to change at page 14, line 30 | skipping to change at page 15, line 4 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | AT_CHECKCODE | Length | Reserved | | | AT_CHECKCODE | Length | Reserved | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| | Checkcode (0 or 32 bytes) | | | Checkcode (0 or 32 bytes) | | |||
| | | | | | | |||
| | | | | | | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Second, the checkcode is a hash value, calculated with SHA-256 | Second, the checkcode is a hash value, calculated with SHA-256 | |||
| [FIPS.180-2.2002], over the data specified in Section 10.13 of | [FIPS.180-4], over the data specified in Section 10.13 of [RFC4187]. | |||
| [RFC4187]. | ||||
| 4. Bidding Down Prevention for EAP-AKA | 4. Bidding Down Prevention for EAP-AKA | |||
| As discussed in [RFC3748], negotiation of methods within EAP is | As discussed in [RFC3748], negotiation of methods within EAP is | |||
| insecure. That is, a man-in-the-middle attacker may force the | insecure. That is, a man-in-the-middle attacker may force the | |||
| endpoints to use a method that is not the strongest that they both | endpoints to use a method that is not the strongest that they both | |||
| support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be | support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be | |||
| negotiated via EAP. | negotiated via EAP. | |||
| In order to prevent such attacks, this RFC specifies a new mechanism | In order to prevent such attacks, this RFC specifies a new mechanism | |||
| skipping to change at page 17, line 17 | skipping to change at page 17, line 37 | |||
| from many generations and several connectivity options via 5G and | from many generations and several connectivity options via 5G and | |||
| other mechanisms, implementations and the EAP-AKA' specification need | other mechanisms, implementations and the EAP-AKA' specification need | |||
| to prepare for many different situations, including sometimes having | to prepare for many different situations, including sometimes having | |||
| to communicate identities within EAP. | to communicate identities within EAP. | |||
| The following sections propose one way of clarifying which | The following sections propose one way of clarifying which | |||
| identifiers are used and how. However, other answers are also | identifiers are used and how. However, other answers are also | |||
| possible (e.g., always use the permanent identity). Further | possible (e.g., always use the permanent identity). Further | |||
| discussion on this point is welcome! | discussion on this point is welcome! | |||
| TBD... needs an update per newest 3GPP TSes... | ||||
| 5.1. Key Derivation | 5.1. Key Derivation | |||
| In EAP-AKA', the peer identity is used in the Section 3.3 key | In EAP-AKA', the peer identity is used in the Section 3.3 key | |||
| derivation formula. The identity used in this formula MUST be | derivation formula. The identity used in this formula MUST be | |||
| exactly the one sent in EAP-AKA' AT_IDENTITY attribute, if one was | exactly the one sent in EAP-AKA' AT_IDENTITY attribute, if one was | |||
| sent, regardless of the kind of identity that it may have been. If | sent, regardless of the kind of identity that it may have been. If | |||
| no AT_IDENTITY was sent, the identity MUST be the exactly the one | no AT_IDENTITY was sent, the identity MUST be the exactly the one | |||
| sent in the generic EAP Identity exchange, if one was made. Again, | sent in the generic EAP Identity exchange, if one was made. Again, | |||
| the identity MUST be used exactly as sent. | the identity MUST be used exactly as sent. | |||
| skipping to change at page 18, line 24 | skipping to change at page 18, line 44 | |||
| other networks is for further discussion. Discussion of this topic | other networks is for further discussion. Discussion of this topic | |||
| is again welcome! | is again welcome! | |||
| 6. Exported Parameters | 6. Exported Parameters | |||
| The EAP-AKA' Session-Id is the concatenation of the EAP Type Code | The EAP-AKA' Session-Id is the concatenation of the EAP Type Code | |||
| (50, one octet) with the contents of the RAND field from the AT_RAND | (50, one octet) with the contents of the RAND field from the AT_RAND | |||
| attribute, followed by the contents of the AUTN field in the AT_AUTN | attribute, followed by the contents of the AUTN field in the AT_AUTN | |||
| attribute: | attribute: | |||
| Session-Id = 50 || RAND || AUTN | Session-Id = 50 || RAND || AUTN | |||
| When using fast re-authentication, the EAP-AKA' Session-Id is the | When using fast re-authentication, the EAP-AKA' Session-Id is the | |||
| concatenation of the EAP Type Code (50) with the contents of the | concatenation of the EAP Type Code (50) with the contents of the | |||
| NONCE_S field from the AT_NONCE_S attribute, followed by the contents | NONCE_S field from the AT_NONCE_S attribute, followed by the contents | |||
| of the MAC field from the AT_MAC attribute from EAP-Request/AKA- | of the MAC field from the AT_MAC attribute from EAP-Request/AKA- | |||
| Reauthentication: | Reauthentication: | |||
| Session-Id = 50 || NONCE_S || MAC | Session-Id = 50 || NONCE_S || MAC | |||
| The Peer-Id is the contents of the Identity field from the | The Peer-Id is the contents of the Identity field from the | |||
| AT_IDENTITY attribute, using only the Actual Identity Length octets | AT_IDENTITY attribute, using only the Actual Identity Length octets | |||
| from the beginning. Note that the contents are used as they are | from the beginning. Note that the contents are used as they are | |||
| transmitted, regardless of whether the transmitted identity was a | transmitted, regardless of whether the transmitted identity was a | |||
| permanent, pseudonym, or fast EAP re-authentication identity. The | permanent, pseudonym, or fast EAP re-authentication identity. The | |||
| Server-Id is the null string (zero length). | Server-Id is the null string (zero length). | |||
| 7. Security Considerations | 7. Security Considerations | |||
| skipping to change at page 23, line 11 | skipping to change at page 23, line 35 | |||
| Finally, a new Attribute Type value (136) in the skippable range has | Finally, a new Attribute Type value (136) in the skippable range has | |||
| been assigned for AT_BIDDING (Section 4). | been assigned for AT_BIDDING (Section 4). | |||
| 8.3. Key Derivation Function Namespace | 8.3. Key Derivation Function Namespace | |||
| IANA has also created a new namespace for EAP-AKA' AT_KDF Key | IANA has also created a new namespace for EAP-AKA' AT_KDF Key | |||
| Derivation Function Values. This namespace exists under the EAP-AKA | Derivation Function Values. This namespace exists under the EAP-AKA | |||
| and EAP-SIM Parameters registry. The initial contents of this | and EAP-SIM Parameters registry. The initial contents of this | |||
| namespace are given below; new values can be created through the | namespace are given below; new values can be created through the | |||
| Specification Required policy [RFC5226]. | Specification Required policy [RFC8126]. | |||
| Value Description Reference | Value Description Reference | |||
| --------- ---------------------- --------------- | --------- ---------------------- --------------- | |||
| 0 Reserved [RFC 5448] | 0 Reserved [RFC 5448] | |||
| 1 EAP-AKA' with CK'/IK' [RFC 5448] | 1 EAP-AKA' with CK'/IK' [RFC 5448] | |||
| 2-65535 Unassigned | 2-65535 Unassigned | |||
| 9. Contributors | 9. Contributors | |||
| The test vectors in Appendix C were provided by Yogendra Pal and | The test vectors in Appendix C were provided by Yogendra Pal and | |||
| Jouni Malinen, based on two independent implementations of this | Jouni Malinen, based on two independent implementations of this | |||
| specification. | specification. | |||
| Jouni Malinen provided suggested text for Section 6. | Jouni Malinen provided suggested text for Section 6. | |||
| skipping to change at page 23, line 52 | skipping to change at page 24, line 30 | |||
| Specification Group Services and System Aspects; 3G | Specification Group Services and System Aspects; 3G | |||
| Security; Security architecture and procedures for 5G | Security; Security architecture and procedures for 5G | |||
| System; (Release 15)", 3GPP Technical Specification | System; (Release 15)", 3GPP Technical Specification | |||
| 23.501, December 2017. | 23.501, December 2017. | |||
| [TS-3GPP.24.302] | [TS-3GPP.24.302] | |||
| 3GPP, "3rd Generation Partnership Project; Technical | 3GPP, "3rd Generation Partnership Project; Technical | |||
| Specification Group Core Network and Terminals; Access to | Specification Group Core Network and Terminals; Access to | |||
| the 3GPP Evolved Packet Core (EPC) via non-3GPP access | the 3GPP Evolved Packet Core (EPC) via non-3GPP access | |||
| networks; Stage 3; (Release 15)", 3GPP Draft Technical | networks; Stage 3; (Release 15)", 3GPP Draft Technical | |||
| Specification 24.302, September 2017. | Specification 24.302, June 2018. | |||
| [TS-3GPP.33.102] | [TS-3GPP.33.102] | |||
| 3GPP, "3rd Generation Partnership Project; Technical | 3GPP, "3rd Generation Partnership Project; Technical | |||
| Specification Group Services and System Aspects; 3G | Specification Group Services and System Aspects; 3G | |||
| Security; Security architecture (Release 8)", 3GPP | Security; Security architecture (Release 15)", 3GPP Draft | |||
| Technical Specification 33.102, December 2008. | Technical Specification 33.102, June 2018. | |||
| [TS-3GPP.33.402] | [TS-3GPP.33.402] | |||
| 3GPP, "3GPP System Architecture Evolution (SAE); Security | 3GPP, "3GPP System Architecture Evolution (SAE); Security | |||
| aspects of non-3GPP accesses; Release 8", 3GPP Technical | aspects of non-3GPP accesses (Release 15)", 3GPP Draft | |||
| Specification 33.402, December 2008. | Technical Specification 33.402, June 2018. | |||
| [TS-3GPP.33.501] | [TS-3GPP.33.501] | |||
| 3GPP, "3rd Generation Partnership Project; Technical | 3GPP, "3rd Generation Partnership Project; Technical | |||
| Specification Group Services and System Aspects; 3G | Specification Group Services and System Aspects; 3G | |||
| Security; Security architecture and procedures for 5G | Security; Security architecture and procedures for 5G | |||
| System; Release 15", 3GPP Technical Specification 33.501, | System (Release 15)", 3GPP Draft Technical Specification | |||
| August 2017. | 33.501, June 2018. | |||
| [FIPS.180-2.2002] | [FIPS.180-4] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-2, August 2002, <http:// | Hash Standard", FIPS PUB 180-4, August 2015, | |||
| csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>. | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.180-4.pdf>. | ||||
| [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
| Hashing for Message Authentication", RFC 2104, DOI | Hashing for Message Authentication", RFC 2104, | |||
| 10.17487/RFC2104, February 1997, <https://www.rfc- | DOI 10.17487/RFC2104, February 1997, <https://www.rfc- | |||
| editor.org/info/rfc2104>. | editor.org/info/rfc2104>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
| RFC2119, March 1997, <https://www.rfc-editor.org/info/ | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | |||
| Levkowetz, Ed., "Extensible Authentication Protocol | Levkowetz, Ed., "Extensible Authentication Protocol | |||
| (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004, <https: | (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004, | |||
| //www.rfc-editor.org/info/rfc3748>. | <https://www.rfc-editor.org/info/rfc3748>. | |||
| [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication | [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication | |||
| Protocol Method for 3rd Generation Authentication and Key | Protocol Method for 3rd Generation Authentication and Key | |||
| Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187, | Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187, | |||
| January 2006, <https://www.rfc-editor.org/info/rfc4187>. | January 2006, <https://www.rfc-editor.org/info/rfc4187>. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| IANA Considerations Section in RFCs", RFC 5226, DOI | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| 10.17487/RFC5226, May 2008, <https://www.rfc-editor.org/ | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| info/rfc5226>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| 11.2. Informative References | 11.2. Informative References | |||
| [TS-3GPP.23.003] | [TS-3GPP.23.003] | |||
| 3GPP, "3rd Generation Partnership Project; Technical | 3GPP, "3rd Generation Partnership Project; Technical | |||
| Specification Group Core Network and Terminals; Numbering, | Specification Group Core Network and Terminals; Numbering, | |||
| addressing and identification (Release 8)", 3GPP Technical | addressing and identification (Release 15)", 3GPP Draft | |||
| Specification 23.003, December 2008. | Technical Specification 23.003, June 2018. | |||
| [TS-3GPP.35.208] | [TS-3GPP.35.208] | |||
| 3GPP, "3rd Generation Partnership Project; Technical | 3GPP, "3rd Generation Partnership Project; Technical | |||
| Specification Group Services and System Aspects; 3G | Specification Group Services and System Aspects; 3G | |||
| Security; Specification of the MILENAGE Algorithm Set: An | Security; Specification of the MILENAGE Algorithm Set: An | |||
| example algorithm set for the 3GPP authentication and key | example algorithm set for the 3GPP authentication and key | |||
| generation functions f1, f1*, f2, f3, f4, f5 and f5*; | generation functions f1, f1*, f2, f3, f4, f5 and f5*; | |||
| Document 4: Design Conformance Test Data (Release 8)", | Document 4: Design Conformance Test Data (Release 14)", | |||
| 3GPP Technical Specification 35.208, December 2008. | 3GPP Technical Specification 35.208, March 2017. | |||
| [FIPS.180-1.1995] | [FIPS.180-1] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-1, April 1995, | Hash Standard", FIPS PUB 180-1, April 1995, | |||
| <http://www.itl.nist.gov/fipspubs/fip180-1.htm>. | <http://www.itl.nist.gov/fipspubs/fip180-1.htm>. | |||
| [FIPS.180-2] | ||||
| National Institute of Standards and Technology, "Secure | ||||
| Hash Standard", FIPS PUB 180-2, August 2002, | ||||
| <http://csrc.nist.gov/publications/fips/fips180-2/ | ||||
| fips180-2.pdf>. | ||||
| [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | |||
| Authentication Protocol Method for Global System for | Authentication Protocol Method for Global System for | |||
| Mobile Communications (GSM) Subscriber Identity Modules | Mobile Communications (GSM) Subscriber Identity Modules | |||
| (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4186>. | <https://www.rfc-editor.org/info/rfc4186>. | |||
| [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, "Identity | [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, "Identity | |||
| Selection Hints for the Extensible Authentication Protocol | Selection Hints for the Extensible Authentication Protocol | |||
| (EAP)", RFC 4284, DOI 10.17487/RFC4284, January 2006, | (EAP)", RFC 4284, DOI 10.17487/RFC4284, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4284>. | <https://www.rfc-editor.org/info/rfc4284>. | |||
| [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | |||
| Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005, | Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005, | |||
| <https://www.rfc-editor.org/info/rfc4306>. | <https://www.rfc-editor.org/info/rfc4306>. | |||
| [RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari, | [RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari, | |||
| "Network Discovery and Selection Problem", RFC 5113, DOI | "Network Discovery and Selection Problem", RFC 5113, | |||
| 10.17487/RFC5113, January 2008, <https://www.rfc- | DOI 10.17487/RFC5113, January 2008, <https://www.rfc- | |||
| editor.org/info/rfc5113>. | editor.org/info/rfc5113>. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | ||||
| IANA Considerations Section in RFCs", RFC 5226, | ||||
| DOI 10.17487/RFC5226, May 2008, <https://www.rfc- | ||||
| editor.org/info/rfc5226>. | ||||
| [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible | [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible | |||
| Authentication Protocol (EAP) Key Management Framework", | Authentication Protocol (EAP) Key Management Framework", | |||
| RFC 5247, DOI 10.17487/RFC5247, August 2008, <https://www | RFC 5247, DOI 10.17487/RFC5247, August 2008, | |||
| .rfc-editor.org/info/rfc5247>. | <https://www.rfc-editor.org/info/rfc5247>. | |||
| [RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved | [RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved | |||
| Extensible Authentication Protocol Method for 3rd | Extensible Authentication Protocol Method for 3rd | |||
| Generation Authentication and Key Agreement (EAP-AKA')", | Generation Authentication and Key Agreement (EAP-AKA')", | |||
| RFC 5448, DOI 10.17487/RFC5448, May 2009, <https://www | RFC 5448, DOI 10.17487/RFC5448, May 2009, | |||
| .rfc-editor.org/info/rfc5448>. | <https://www.rfc-editor.org/info/rfc5448>. | |||
| Appendix A. Changes from RFC 5448 | Appendix A. Changes from RFC 5448 | |||
| The changes consist first of all, referring to a newer version of | The changes consist first of all, referring to a newer version of | |||
| [TS-3GPP.24.302]. The new version includes an updated definition of | [TS-3GPP.24.302]. The new version includes an updated definition of | |||
| the Network Name field, to include 5G. | the Network Name field, to include 5G. | |||
| Secondly, identifier usage for 5G has been specified in Section 5. | Secondly, identifier usage for 5G has been specified in Section 5. | |||
| Thirdly, exported parameters for EAP-AKA' have been defined in | Thirdly, exported parameters for EAP-AKA' have been defined in | |||
| Section 6, as required by [RFC5247], including the definition of | Section 6, as required by [RFC5247], including the definition of | |||
| those parameters for both full authentication and fast re- | those parameters for both full authentication and fast re- | |||
| authentication. | authentication. | |||
| Finally, the references to [RFC2119], [RFC5226], [FIPS.180-1] and | ||||
| [FIPS.180-2] have been updated to their most recent versions and | ||||
| language in this document changed accordingly. Similarly, references | ||||
| to all 3GPP technical specifications have been updated to their 5G | ||||
| (Release 15) versions or otherwise most recent version when there has | ||||
| not been a 5G-related update. | ||||
| Appendix B. Changes from RFC 4187 to RFC 5448 | Appendix B. Changes from RFC 4187 to RFC 5448 | |||
| The changes to RFC 4187 relate only to the bidding down prevention | The changes to RFC 4187 relate only to the bidding down prevention | |||
| support defined in Section 4. In particular, this document does not | support defined in Section 4. In particular, this document does not | |||
| change how the Master Key (MK) is calculated in RFC 4187 (it uses CK | change how the Master Key (MK) is calculated in RFC 4187 (it uses CK | |||
| and IK, not CK' and IK'); neither is any processing of the AMF bit | and IK, not CK' and IK'); neither is any processing of the AMF bit | |||
| added to RFC 4187. | added to RFC 4187. | |||
| Appendix C. Importance of Explicit Negotiation | Appendix C. Changes from Previous Version of This Draft | |||
| RFC Editor: Please delete this section at the time of publication. | ||||
| The -00 version of the working group draft is merely a republication | ||||
| of an earlier individual draft. | ||||
| The -01 version of the working group clarifies updates relationship | ||||
| to RFC 4187, clarifies language relating to obsoleting RFC 5448, | ||||
| clarifies when the 3GPP references are expected to be stable, updates | ||||
| several past references to their more recently published versions, | ||||
| and some minor editorial changes. | ||||
| Appendix D. Importance of Explicit Negotiation | ||||
| Choosing between the traditional and revised AKA key derivation | Choosing between the traditional and revised AKA key derivation | |||
| functions is easy when their use is unambiguously tied to a | functions is easy when their use is unambiguously tied to a | |||
| particular radio access network, e.g., Long Term Evolution (LTE) as | particular radio access network, e.g., Long Term Evolution (LTE) as | |||
| defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined | defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined | |||
| by 3GPP2. There is no possibility for interoperability problems if | by 3GPP2. There is no possibility for interoperability problems if | |||
| this radio access network is always used in conjunction with new | this radio access network is always used in conjunction with new | |||
| protocols that cannot be mixed with the old ones; clients will always | protocols that cannot be mixed with the old ones; clients will always | |||
| know whether they are connecting to the old or new system. | know whether they are connecting to the old or new system. | |||
| skipping to change at page 27, line 23 | skipping to change at page 29, line 5 | |||
| requests, or server configuration does not match expectations. It | requests, or server configuration does not match expectations. It | |||
| also does not help to assume that the EAP client and server are | also does not help to assume that the EAP client and server are | |||
| running a particular release of 3GPP network specifications. Network | running a particular release of 3GPP network specifications. Network | |||
| vendors often provide features from future releases early or do not | vendors often provide features from future releases early or do not | |||
| provide all features of the current release. And obviously, there | provide all features of the current release. And obviously, there | |||
| are many EAP and even some EAP-AKA implementations that are not | are many EAP and even some EAP-AKA implementations that are not | |||
| bundled with the 3GPP network offerings. In general, these | bundled with the 3GPP network offerings. In general, these | |||
| approaches are expected to lead to hard-to-diagnose problems and | approaches are expected to lead to hard-to-diagnose problems and | |||
| increased support calls. | increased support calls. | |||
| Appendix D. Test Vectors | Appendix E. Test Vectors | |||
| Test vectors are provided below for four different cases. The test | Test vectors are provided below for four different cases. The test | |||
| vectors may be useful for testing implementations. In the first two | vectors may be useful for testing implementations. In the first two | |||
| cases, we employ the Milenage algorithm and the algorithm | cases, we employ the Milenage algorithm and the algorithm | |||
| configuration parameters (the subscriber key K and operator algorithm | configuration parameters (the subscriber key K and operator algorithm | |||
| variant configuration value OP) from test set 19 in [TS-3GPP.35.208]. | variant configuration value OP) from test set 19 in [TS-3GPP.35.208]. | |||
| The last two cases use artificial values as the output of AKA, and is | The last two cases use artificial values as the output of AKA, and is | |||
| useful only for testing the computation of values within EAP-AKA', | useful only for testing the computation of values within EAP-AKA', | |||
| not AKA itself. | not AKA itself. | |||
| End of changes. 49 change blocks. | ||||
| 95 lines changed or deleted | 133 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||