rfc5448.txt   draft-arkko-eap-rfc5448bis.txt 
Network Working Group J. Arkko Network Working Group J. Arkko
Request for Comments: 5448 V. Lehtovirta Internet-Draft V. Lehtovirta
Updates: 4187 Ericsson Obsoletes: 5448 (if approved) V. Torvinen
Category: Informational P. Eronen Updates: 4187 (if approved) Ericsson
Nokia Intended status: Informational P. Eronen
May 2009 Expires: January 3, 2019 Nokia
July 2, 2018
Improved Extensible Authentication Protocol Method for Improved Extensible Authentication Protocol Method for 3rd Generation
3rd Generation Authentication and Key Agreement (EAP-AKA') Authentication and Key Agreement (EAP-AKA')
draft-ietf-emu-rfc5448bis-01
Abstract
This specification defines a new EAP method, EAP-AKA', a small
revision of the EAP-AKA method. The change is a new key derivation
function that binds the keys derived within the method to the name of
the access network. The new key derivation mechanism has been
defined in the 3rd Generation Partnership Project (3GPP). This
specification allows its use in EAP in an interoperable manner. In
addition, EAP-AKA' employs SHA-256 instead of SHA-1.
This specification also updates RFC 4187 EAP-AKA to prevent bidding
down attacks from EAP-AKA'.
This version of the EAP-AKA' specification updates a reference to
constructing one field in the protocol, so that EAP-AKA' becomes
compatible with 5G deployments as well.
Status of This Memo Status of This Memo
This memo provides information for the Internet community. It does This Internet-Draft is submitted in full conformance with the
not specify an Internet standard of any kind. Distribution of this provisions of BCP 78 and BCP 79.
memo is unlimited.
Copyright Notice Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Copyright (c) 2009 IETF Trust and the persons identified as the Internet-Drafts are draft documents valid for a maximum of six months
document authors. All rights reserved. and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This document is subject to BCP 78 and the IETF Trust's Legal This Internet-Draft will expire on January 3, 2019.
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Copyright Notice
This specification defines a new EAP method, EAP-AKA', which is a Copyright (c) 2018 IETF Trust and the persons identified as the
small revision of the EAP-AKA (Extensible Authentication Protocol document authors. All rights reserved.
Method for 3rd Generation Authentication and Key Agreement) method.
The change is a new key derivation function that binds the keys
derived within the method to the name of the access network. The new
key derivation mechanism has been defined in the 3rd Generation
Partnership Project (3GPP). This specification allows its use in EAP
in an interoperable manner. In addition, EAP-AKA' employs SHA-256
instead of SHA-1.
This specification also updates RFC 4187, EAP-AKA, to prevent bidding This document is subject to BCP 78 and the IETF Trust's Legal
down attacks from EAP-AKA'. Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . 7
3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . . 10 3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . 12
3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . . 12 3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . 14
3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . 14
3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . 14
3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . . 13 3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . 14
4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 14 4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 15
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. Identifier Usage in 5G . . . . . . . . . . . . . . . . . . . 16
5.1. Security Properties of Binding Network Names . . . . . . . 18 5.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 17
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute 18
6.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . . 19 6. Exported Parameters . . . . . . . . . . . . . . . . . . . . . 19
6.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6.3. Key Derivation Function Namespace . . . . . . . . . . . . 19 7.1. Security Properties of Binding Network Names . . . . . . 22
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 8.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . 23
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 8.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 23
9.1. Normative References . . . . . . . . . . . . . . . . . . . 20 8.3. Key Derivation Function Namespace . . . . . . . . . . . . 23
9.2. Informative References . . . . . . . . . . . . . . . . . . 21 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 24
Appendix A. Changes from RFC 4187 . . . . . . . . . . . . . . . . 23 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24
Appendix B. Importance of Explicit Negotiation . . . . . . . . . 23 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 24 11.1. Normative References . . . . . . . . . . . . . . . . . . 24
11.2. Informative References . . . . . . . . . . . . . . . . . 26
Appendix A. Changes from RFC 5448 . . . . . . . . . . . . . . . 27
Appendix B. Changes from RFC 4187 to RFC 5448 . . . . . . . . . 27
Appendix C. Changes from Previous Version of This Draft . . . . 28
Appendix D. Importance of Explicit Negotiation . . . . . . . . . 28
Appendix E. Test Vectors . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction 1. Introduction
This specification defines a new Extensible Authentication Protocol This specification defines a new Extensible Authentication Protocol
(EAP)[RFC3748] method, EAP-AKA', which is a small revision of the (EAP)[RFC3748] method, EAP-AKA', a small revision of the EAP-AKA
EAP-AKA method originally defined in [RFC4187]. What is new in EAP- method originally defined in [RFC4187]. What is new in EAP-AKA' is
AKA' is that it has a new key derivation function, specified in that it has a new key derivation function, specified in
[3GPP.33.402]. This function binds the keys derived within the [TS-3GPP.33.402]. This function binds the keys derived within the
method to the name of the access network. This limits the effects of method to the name of the access network. This limits the effects of
compromised access network nodes and keys. This specification compromised access network nodes and keys. This specification
defines the EAP encapsulation for AKA when the new key derivation defines the EAP encapsulation for AKA when the new key derivation
mechanism is in use. mechanism is in use.
3GPP has defined a number of applications for the revised AKA 3GPP has defined a number of applications for the revised AKA
mechanism, some based on native encapsulation of AKA over 3GPP radio mechanism, some based on native encapsulation of AKA over 3GPP radio
access networks and others based on the use of EAP. access networks and others based on the use of EAP.
For making the new key derivation mechanisms usable in EAP-AKA, For making the new key derivation mechanisms usable in EAP-AKA,
skipping to change at page 3, line 14 skipping to change at page 3, line 36
change of the key derivation must be unambiguous to both sides in the change of the key derivation must be unambiguous to both sides in the
protocol. That is, it must not be possible to accidentally connect protocol. That is, it must not be possible to accidentally connect
old equipment to new equipment and get the key derivation wrong or old equipment to new equipment and get the key derivation wrong or
attempt to use wrong keys without getting a proper error message. attempt to use wrong keys without getting a proper error message.
The change must also be secure against bidding down attacks that The change must also be secure against bidding down attacks that
attempt to force the participants to use the least secure mechanism. attempt to force the participants to use the least secure mechanism.
This specification therefore introduces a variant of the EAP-AKA This specification therefore introduces a variant of the EAP-AKA
method, called EAP-AKA'. This method can employ the derived keys CK' method, called EAP-AKA'. This method can employ the derived keys CK'
and IK' from the 3GPP specification and updates the used hash and IK' from the 3GPP specification and updates the used hash
function to SHA-256 [FIPS.180-2.2002]. But it is otherwise function to SHA-256 [FIPS.180-4]. But it is otherwise equivalent to
equivalent to RFC 4187. Given that a different EAP method type value RFC 4187. Given that a different EAP method type value is used for
is used for EAP-AKA and EAP-AKA', a mutually supported method may be EAP-AKA and EAP-AKA', a mutually supported method may be negotiated
negotiated using the standard mechanisms in EAP [RFC3748]. using the standard mechanisms in EAP [RFC3748].
Note: Appendix B explains why it is important to be explicit about Note: Appendix D explains why it is important to be explicit about
the change of semantics for the keys, and why other approaches the change of semantics for the keys, and why other approaches
would lead to severe interoperability problems. would lead to severe interoperability problems.
This version of the EAP-AKA' specification obsoletes RFC 5448. The
changes consist of three things:
o Update the reference on how the Network Name field is constructed
in the protocol. The update helps ensure that EAP-AKA' becomes
compatible with 5G deployments as well. RFC 5448 referred to the
Release 8 version of [TS-3GPP.24.302] and this update points to
the first 5G version, Release 15.
o Specify how EAP and EAP-AKA' use identifiers in 5G, as additional
identifiers are introduced, and for interoperability, it is
important that implementations use the right ones.
o Specify session identifiers and other exported parameters, as
those were not specified in [RFC5448] despite requirements set
forward in [RFC5247] to do so. Also, while [RFC5247] specified
session identifiers for EAP-AKA, it only did so for the full
authentication case, not for the case of fast re-authentication.
Arguably, the updates are small. For the first update, the 3GPP
specification number for the updated calculation has not changed,
only the version. But this reference is crucial in correct
calculation of the keys resulting from running the EAP-AKA' method,
so an update of the RFC with the newest version pointer may be
warranted. As always, feedback is welcome on that point as well as
on any other topic within this document.
Note: It is an open issue whether this update should refer to only
the 5G version of the definition, or be explicit that any further
update of that specification is something that EAP-AKA'
implementations should take into account. Note that one should
keep in mind that specification being automatically updated is
different from implementations taking notice of new things.
The second update is needed to ensure that implementations use the
correct identifiers in the context of 5G, as it introduces additional
privacy-protected identifiers, and it is no longer clear which
identifiers are used in EAP-AKA'.
The third update is necessary in order to fix a problem in previous
RFCs.
It is an explicit non-goal of this draft to include any other
technical modifications, addition of new features or other changes.
The EAP-AKA' base protocol is stable and needs to stay that way. If
there are any extensions or variants, those need to be proposed as
standalone extensions or even as different authentication methods.
The rest of this specification is structured as follows. Section 3 The rest of this specification is structured as follows. Section 3
defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to defines the EAP-AKA' method. Section 4 adds support to EAP-AKA to
prevent bidding down attacks from EAP-AKA'. Section 5 explains the prevent bidding down attacks from EAP-AKA'. Section 7 explains the
security differences between EAP-AKA and EAP-AKA'. Section 6 security differences between EAP-AKA and EAP-AKA'. Section 8
describes the IANA considerations and Appendix A explains what describes the IANA considerations and Appendix A and Appendix B
updates to RFC 4187 EAP-AKA have been made in this specification. explains what updates to RFC 5448 AKA' and RFC 4187 EAP-AKA have been
Appendix B explains some of the design rationale for creating EAP- made in this specification. Appendix D explains some of the design
AKA'. Finally, Appendix C provides test vectors. rationale for creating EAP-AKA' Finally, Appendix E provides test
vectors.
Editor's Note: The publication of this RFC depends on its
normative references [TS-3GPP.24.302] and [TS-3GPP.33.501]
reaching a stable status for Release 15, as indicated by 3GPP.
This is expected to happen shortly. The RFC Editor should check
with the 3GPP liaisons that this has happened. RFC Editor: Please
delete this note upon publication of this specification as an RFC.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. EAP-AKA' 3. EAP-AKA'
EAP-AKA' is a new EAP method that follows the EAP-AKA specification EAP-AKA' is a new EAP method that follows the EAP-AKA specification
[RFC4187] in all respects except the following: [RFC4187] in all respects except the following:
o It uses the Type code 50, not 23 (which is used by EAP-AKA). o It uses the Type code 50, not 23 (which is used by EAP-AKA).
o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1, o It carries the AT_KDF_INPUT attribute, as defined in Section 3.1,
to ensure that both the peer and server know the name of the to ensure that both the peer and server know the name of the
access network. access network.
o It supports key derivation function negotiation via the AT_KDF o It supports key derivation function negotiation via the AT_KDF
attribute (Section 3.2) to allow for future extensions. attribute (Section 3.2) to allow for future extensions.
o It calculates keys as defined in Section 3.3, not as defined in o It calculates keys as defined in Section 3.3, not as defined in
EAP-AKA. EAP-AKA.
o It employs SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] o It employs SHA-256, not SHA-1 [FIPS.180-4] (Section 3.4).
(Section 3.4).
Figure 1 shows an example of the authentication process. Each Figure 1 shows an example of the authentication process. Each
message AKA'-Challenge and so on represents the corresponding message message AKA'-Challenge and so on represents the corresponding message
from EAP-AKA, but with EAP-AKA' Type code. The definition of these from EAP-AKA, but with EAP-AKA' Type code. The definition of these
messages, along with the definition of attributes AT_RAND, AT_AUTN, messages, along with the definition of attributes AT_RAND, AT_AUTN,
AT_MAC, and AT_RES can be found in [RFC4187]. AT_MAC, and AT_RES can be found in [RFC4187].
Peer Server Peer Server
| EAP-Request/Identity | | EAP-Request/Identity |
|<-------------------------------------------------------| |<-------------------------------------------------------|
skipping to change at page 7, line 21 skipping to change at page 8, line 18
Network Name Network Name
This field contains the network name of the access network for This field contains the network name of the access network for
which the authentication is being performed. The name does not which the authentication is being performed. The name does not
include any terminating null characters. Because the length of include any terminating null characters. Because the length of
the entire attribute must be a multiple of 4 bytes, the sender the entire attribute must be a multiple of 4 bytes, the sender
pads the name with 1, 2, or 3 bytes of all zero bits when pads the name with 1, 2, or 3 bytes of all zero bits when
necessary. necessary.
Only the server sends the AT_KDF_INPUT attribute. Per [3GPP.33.402], Only the server sends the AT_KDF_INPUT attribute. The value is sent
the server always verifies the authorization of a given access as specified in [TS-3GPP.24.302] for non-3GPP access networks, and as
network to use a particular name before sending it to the peer over specified in [TS-3GPP.33.501] for 5G access networks. Per
EAP-AKA'. The value of the AT_KDF_INPUT attribute from the server [TS-3GPP.33.402], the server always verifies the authorization of a
MUST be non-empty. If it is empty, the peer behaves as if AUTN had given access network to use a particular name before sending it to
been incorrect and authentication fails. See Section 3 and Figure 3 the peer over EAP-AKA'. The value of the AT_KDF_INPUT attribute from
of [RFC4187] for an overview of how authentication failures are the server MUST be non-empty. If it is empty, the peer behaves as if
handled. AUTN had been incorrect and authentication fails. See Section 3 and
Figure 3 of [RFC4187] for an overview of how authentication failures
are handled.
Note: Currently, [TS-3GPP.24.302] or [TS-3GPP.33.501] specify
separate values. The former specifies what is called "Access
Network ID" and the latter specifies what is called "Serving
Network Name". However, from an EAP-AKA' perspective both occupy
the same field, and need to be distinghuishable from each other.
Currently specified values are distinguishable, but it would be
useful that this be specified explicitly in the 3GPP
specifications.
In addition, the peer MAY check the received value against its own In addition, the peer MAY check the received value against its own
understanding of the network name. Upon detecting a discrepancy, the understanding of the network name. Upon detecting a discrepancy, the
peer either warns the user and continues, or fails the authentication peer either warns the user and continues, or fails the authentication
process. More specifically, the peer SHOULD have a configurable process. More specifically, the peer SHOULD have a configurable
policy that it can follow under these circumstances. If the policy policy that it can follow under these circumstances. If the policy
indicates that it can continue, the peer SHOULD log a warning message indicates that it can continue, the peer SHOULD log a warning message
or display it to the user. If the peer chooses to proceed, it MUST or display it to the user. If the peer chooses to proceed, it MUST
use the network name as received in the AT_KDF_INPUT attribute. If use the network name as received in the AT_KDF_INPUT attribute. If
the policy indicates that the authentication should fail, the peer the policy indicates that the authentication should fail, the peer
behaves as if AUTN had been incorrect and authentication fails. behaves as if AUTN had been incorrect and authentication fails.
The Network Name field contains a UTF-8 string. This string MUST be The Network Name field contains a UTF-8 string. This string MUST be
constructed as specified in [3GPP.24.302] for "Access Network constructed as specified in [TS-3GPP.24.302] for "Access Network
Identity". The string is structured as fields separated by colons Identity". The string is structured as fields separated by colons
(:). The algorithms and mechanisms to construct the identity string (:). The algorithms and mechanisms to construct the identity string
depend on the used access technology. depend on the used access technology.
On the network side, the network name construction is a configuration On the network side, the network name construction is a configuration
issue in an access network and an authorization check in the issue in an access network and an authorization check in the
authentication server. On the peer, the network name is constructed authentication server. On the peer, the network name is constructed
based on the local observations. For instance, the peer knows which based on the local observations. For instance, the peer knows which
access technology it is using on the link, it can see information in access technology it is using on the link, it can see information in
a link-layer beacon, and so on. The construction rules specify how a link-layer beacon, and so on. The construction rules specify how
this information maps to an access network name. Typically, the this information maps to an access network name. Typically, the
network name consists of the name of the access technology, or the network name consists of the name of the access technology, or the
name of the access technology followed by some operator identifier name of the access technology followed by some operator identifier
that was advertised in a link-layer beacon. In all cases, that was advertised in a link-layer beacon. In all cases,
[3GPP.24.302] is the normative specification for the construction in [TS-3GPP.24.302] is the normative specification for the construction
both the network and peer side. If the peer policy allows running in both the network and peer side. If the peer policy allows running
EAP-AKA' over an access technology for which that specification does EAP-AKA' over an access technology for which that specification does
not provide network name construction rules, the peer SHOULD rely not provide network name construction rules, the peer SHOULD rely
only on the information from the AT_KDF_INPUT attribute and not only on the information from the AT_KDF_INPUT attribute and not
perform a comparison. perform a comparison.
If a comparison of the locally determined network name and the one If a comparison of the locally determined network name and the one
received over EAP-AKA' is performed on the peer, it MUST be done as received over EAP-AKA' is performed on the peer, it MUST be done as
follows. First, each name is broken down to the fields separated by follows. First, each name is broken down to the fields separated by
colons. If one of the names has more colons and fields than the colons. If one of the names has more colons and fields than the
other one, the additional fields are ignored. The remaining other one, the additional fields are ignored. The remaining
skipping to change at page 8, line 31 skipping to change at page 9, line 40
equal character by character. This algorithm allows a prefix match equal character by character. This algorithm allows a prefix match
where the peer would be able to match "", "FOO", and "FOO:BAR" where the peer would be able to match "", "FOO", and "FOO:BAR"
against the value "FOO:BAR" received from the server. This against the value "FOO:BAR" received from the server. This
capability is important in order to allow possible updates to the capability is important in order to allow possible updates to the
specifications that dictate how the network names are constructed. specifications that dictate how the network names are constructed.
For instance, if a peer knows that it is running on access technology For instance, if a peer knows that it is running on access technology
"FOO", it can use the string "FOO" even if the server uses an "FOO", it can use the string "FOO" even if the server uses an
additional, more accurate description, e.g., "FOO:BAR", that contains additional, more accurate description, e.g., "FOO:BAR", that contains
more information. more information.
The allocation procedures in [3GPP.24.302] ensure that conflicts The allocation procedures in [TS-3GPP.24.302] ensure that conflicts
potentially arising from using the same name in different types of potentially arising from using the same name in different types of
networks are avoided. The specification also has detailed rules networks are avoided. The specification also has detailed rules
about how a client can determine these based on information available about how a client can determine these based on information available
to the client, such as the type of protocol used to attach to the to the client, such as the type of protocol used to attach to the
network, beacons sent out by the network, and so on. Information network, beacons sent out by the network, and so on. Information
that the client cannot directly observe (such as the type or version that the client cannot directly observe (such as the type or version
of the home network) is not used by this algorithm. of the home network) is not used by this algorithm.
The AT_KDF_INPUT attribute MUST be sent and processed as explained The AT_KDF_INPUT attribute MUST be sent and processed as explained
above when AT_KDF attribute has the value 1. Future definitions of above when AT_KDF attribute has the value 1. Future definitions of
skipping to change at page 11, line 5 skipping to change at page 12, line 20
In this case, MK is derived and used as follows: In this case, MK is derived and used as follows:
MK = PRF'(IK'|CK',"EAP-AKA'"|Identity) MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
K_encr = MK[0..127] K_encr = MK[0..127]
K_aut = MK[128..383] K_aut = MK[128..383]
K_re = MK[384..639] K_re = MK[384..639]
MSK = MK[640..1151] MSK = MK[640..1151]
EMSK = MK[1152..1663] EMSK = MK[1152..1663]
Here [n..m] denotes the substring from bit n to m. PRF' is a new Here [n..m] denotes the substring from bit n to m. PRF' is a new
pseudo-random function specified in Section 3.4. The first 1664 bits pseudo-random function specified in Section 3.4. The first 1664
from its output are used for K_encr (encryption key, 128 bits), K_aut bits from its output are used for K_encr (encryption key, 128
(authentication key, 256 bits), K_re (re-authentication key, 256 bits), K_aut (authentication key, 256 bits), K_re (re-
bits), MSK (Master Session Key, 512 bits), and EMSK (Extended Master authentication key, 256 bits), MSK (Master Session Key, 512 bits),
Session Key, 512 bits). These keys are used by the subsequent and EMSK (Extended Master Session Key, 512 bits). These keys are
EAP-AKA' process. K_encr is used by the AT_ENCR_DATA attribute, and used by the subsequent EAP-AKA' process. K_encr is used by the
K_aut by the AT_MAC attribute. K_re is used later in this section. AT_ENCR_DATA attribute, and K_aut by the AT_MAC attribute. K_re
MSK and EMSK are outputs from a successful EAP method run [RFC3748]. is used later in this section. MSK and EMSK are outputs from a
successful EAP method run [RFC3748].
IK' and CK' are derived as specified in [3GPP.33.402]. The functions IK' and CK' are derived as specified in [TS-3GPP.33.402]. The
that derive IK' and CK' take the following parameters: CK and IK functions that derive IK' and CK' take the following parameters:
produced by the AKA algorithm, and value of the Network Name field CK and IK produced by the AKA algorithm, and value of the Network
comes from the AT_KDF_INPUT attribute (without length or padding) . Name field comes from the AT_KDF_INPUT attribute (without length
or padding) .
The value "EAP-AKA'" is an eight-characters-long ASCII string. It is The value "EAP-AKA'" is an eight-characters-long ASCII string. It
used as is, without any trailing NUL characters. is used as is, without any trailing NUL characters.
Identity is the peer identity as specified in Section 7 of [RFC4187]. Identity is the peer identity as specified in Section 7 of
[RFC4187].
When the server creates an AKA challenge and corresponding AUTN, CK, When the server creates an AKA challenge and corresponding AUTN,
CK', IK, and IK' values, it MUST set the Authentication Management CK, CK', IK, and IK' values, it MUST set the Authentication
Field (AMF) separation bit to 1 in the AKA algorithm [3GPP.33.102]. Management Field (AMF) separation bit to 1 in the AKA algorithm
Similarly, the peer MUST check that the AMF separation bit is set to [TS-3GPP.33.102]. Similarly, the peer MUST check that the AMF
1. If the bit is not set to 1, the peer behaves as if the AUTN had separation bit is set to 1. If the bit is not set to 1, the peer
been incorrect and fails the authentication. behaves as if the AUTN had been incorrect and fails the
authentication.
On fast re-authentication, the following keys are calculated: On fast re-authentication, the following keys are calculated:
MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S) MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)
MSK = MK[0..511] MSK = MK[0..511]
EMSK = MK[512..1023] EMSK = MK[512..1023]
MSK and EMSK are the resulting 512-bit keys, taking the first 1024 MSK and EMSK are the resulting 512-bit keys, taking the first 1024
bits from the result of PRF'. Note that K_encr and K_aut are not bits from the result of PRF'. Note that K_encr and K_aut are not
re-derived on fast re-authentication. K_re is the re-authentication re-derived on fast re-authentication. K_re is the re-
key from the preceding full authentication and stays unchanged over authentication key from the preceding full authentication and
any fast re-authentication(s) that may happen based on it. The value stays unchanged over any fast re-authentication(s) that may happen
"EAP-AKA' re-auth" is a sixteen- characters-long ASCII string, again based on it. The value "EAP-AKA' re-auth" is a sixteen-
represented without any trailing NUL characters. Identity is the characters-long ASCII string, again represented without any
fast re-authentication identity, counter is the value from the trailing NUL characters. Identity is the fast re-authentication
AT_COUNTER attribute, identity, counter is the value from the AT_COUNTER attribute,
NONCE_S is the nonce value from the AT_NONCE_S attribute, all as NONCE_S is the nonce value from the AT_NONCE_S attribute, all as
specified in Section 7 of [RFC4187]. To prevent the use of specified in Section 7 of [RFC4187]. To prevent the use of
compromised keys in other places, it is forbidden to change the compromised keys in other places, it is forbidden to change the
network name when going from the full to the fast re-authentication network name when going from the full to the fast re-
process. The peer SHOULD NOT attempt fast re-authentication when it authentication process. The peer SHOULD NOT attempt fast re-
knows that the network name in the current access network is authentication when it knows that the network name in the current
different from the one in the initial, full authentication. Upon access network is different from the one in the initial, full
seeing a re-authentication request with a changed network name, the authentication. Upon seeing a re-authentication request with a
server SHOULD behave as if the re-authentication identifier had been changed network name, the server SHOULD behave as if the re-
unrecognized, and fall back to full authentication. The server authentication identifier had been unrecognized, and fall back to
observes the change in the name by comparing where the fast full authentication. The server observes the change in the name
re-authentication and full authentication EAP transactions were by comparing where the fast re-authentication and full
received at the Authentication, Authorization, and Accounting (AAA) authentication EAP transactions were received at the
protocol level. Authentication, Authorization, and Accounting (AAA) protocol
level.
AT_KDF has any other value AT_KDF has any other value
Future variations of key derivation functions may be defined, and Future variations of key derivation functions may be defined, and
they will be represented by new values of AT_KDF. If the peer they will be represented by new values of AT_KDF. If the peer
does not recognize the value, it cannot calculate the keys and does not recognize the value, it cannot calculate the keys and
behaves as explained in Section 3.2. behaves as explained in Section 3.2.
AT_KDF is missing AT_KDF is missing
The peer behaves as if the AUTN had been incorrect and MUST fail The peer behaves as if the AUTN had been incorrect and MUST fail
the authentication. the authentication.
If the peer supports a given key derivation function but is unwilling If the peer supports a given key derivation function but is unwilling
to perform it for policy reasons, it refuses to calculate the keys to perform it for policy reasons, it refuses to calculate the keys
and behaves as explained in Section 3.2. and behaves as explained in Section 3.2.
3.4. Hash Functions 3.4. Hash Functions
EAP-AKA' uses SHA-256 [FIPS.180-2.2002], not SHA-1 [FIPS.180-1.1995] EAP-AKA' uses SHA-256, not SHA-1 (see [FIPS.180-4]) as in EAP-AKA.
as in EAP-AKA. This requires a change to the pseudo-random function This requires a change to the pseudo-random function (PRF) as well as
(PRF) as well as the AT_MAC and AT_CHECKCODE attributes. the AT_MAC and AT_CHECKCODE attributes.
3.4.1. PRF' 3.4.1. PRF'
The PRF' construction is the same one IKEv2 uses (see Section 2.13 of The PRF' construction is the same one IKEv2 uses (see Section 2.13 of
[RFC4306]). The function takes two arguments. K is a 256-bit value [RFC4306]). The function takes two arguments. K is a 256-bit value
and S is an octet string of arbitrary length. PRF' is defined as and S is an octet string of arbitrary length. PRF' is defined as
follows: follows:
PRF'(K,S) = T1 | T2 | T3 | T4 | ... PRF'(K,S) = T1 | T2 | T3 | T4 | ...
skipping to change at page 13, line 47 skipping to change at page 15, line 18
| AT_CHECKCODE | Length | Reserved | | AT_CHECKCODE | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Checkcode (0 or 32 bytes) | | Checkcode (0 or 32 bytes) |
| | | |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Second, the checkcode is a hash value, calculated with SHA-256 Second, the checkcode is a hash value, calculated with SHA-256
[FIPS.180-2.2002], over the data specified in Section 10.13 of [FIPS.180-4], over the data specified in Section 10.13 of [RFC4187].
[RFC4187].
4. Bidding Down Prevention for EAP-AKA 4. Bidding Down Prevention for EAP-AKA
As discussed in [RFC3748], negotiation of methods within EAP is As discussed in [RFC3748], negotiation of methods within EAP is
insecure. That is, a man-in-the-middle attacker may force the insecure. That is, a man-in-the-middle attacker may force the
endpoints to use a method that is not the strongest that they both endpoints to use a method that is not the strongest that they both
support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be
negotiated via EAP. negotiated via EAP.
In order to prevent such attacks, this RFC specifies a new mechanism In order to prevent such attacks, this RFC specifies a new mechanism
for EAP-AKA that allows the endpoints to securely discover the for EAP-AKA that allows the endpoints to securely discover the
capabilities of each other. This mechanism comes in the form of the capabilities of each other. This mechanism comes in the form of the
AT_BIDDING attribute. This allows both endpoints to communicate AT_BIDDING attribute. This allows both endpoints to communicate
their desire and support for EAP-AKA' when exchanging EAP-AKA their desire and support for EAP-AKA' when exchanging EAP-AKA
messages. This attribute is not included in EAP-AKA' messages as messages. This attribute is not included in EAP-AKA' messages as
defined in this RFC. It is only included in EAP-AKA messages. This defined in this RFC. It is only included in EAP-AKA messages. This
is based on the assumption that EAP-AKA' is always preferable (see is based on the assumption that EAP-AKA' is always preferable (see
Section 5). If during the EAP-AKA authentication process it is Section 7). If during the EAP-AKA authentication process it is
discovered that both endpoints would have been able to use EAP-AKA', discovered that both endpoints would have been able to use EAP-AKA',
the authentication process SHOULD be aborted, as a bidding down the authentication process SHOULD be aborted, as a bidding down
attack may have happened. attack may have happened.
The format of the AT_BIDDING attribute is shown below. The format of the AT_BIDDING attribute is shown below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_BIDDING | Length |D| Reserved | | AT_BIDDING | Length |D| Reserved |
skipping to change at page 15, line 19 skipping to change at page 16, line 30
The server sends this attribute in the EAP-Request/AKA-Challenge The server sends this attribute in the EAP-Request/AKA-Challenge
message. If the peer supports EAP-AKA', it compares the received message. If the peer supports EAP-AKA', it compares the received
value to its own capabilities. If it turns out that both the server value to its own capabilities. If it turns out that both the server
and peer would have been able to use EAP-AKA' and preferred it over and peer would have been able to use EAP-AKA' and preferred it over
EAP-AKA, the peer behaves as if AUTN had been incorrect and fails the EAP-AKA, the peer behaves as if AUTN had been incorrect and fails the
authentication (see Figure 3 of [RFC4187]). A peer not supporting authentication (see Figure 3 of [RFC4187]). A peer not supporting
EAP-AKA' will simply ignore this attribute. In all cases, the EAP-AKA' will simply ignore this attribute. In all cases, the
attribute is protected by the integrity mechanisms of EAP-AKA, so it attribute is protected by the integrity mechanisms of EAP-AKA, so it
cannot be removed by a man-in-the-middle attacker. cannot be removed by a man-in-the-middle attacker.
Note that we assume (Section 5) that EAP-AKA' is always stronger than Note that we assume (Section 7) that EAP-AKA' is always stronger than
EAP-AKA. As a result, there is no need to prevent bidding "down" EAP-AKA. As a result, there is no need to prevent bidding "down"
attacks in the other direction, i.e., attackers forcing the endpoints attacks in the other direction, i.e., attackers forcing the endpoints
to use EAP-AKA'. to use EAP-AKA'.
5. Security Considerations 5. Identifier Usage in 5G
In EAP-AKA', the peer identity may be communicated to the server in
one of three ways:
o As a part of link layer establishment procedures, externally to
EAP.
o With the EAP-Response/Identity message in the beginning of the EAP
exchange, but before the selection of EAP-AKA'.
o Transmitted from the peer to the server using EAP-AKA messages
instead of EAP-Response/Identity. In this case, the server
includes an identity requesting attribute (AT_ANY_ID_REQ,
AT_FULLAUTH_ID_REQ or AT_PERMANENT_ID_REQ) in the EAP-Request/AKA-
Identity message; and the peer includes the AT_IDENTITY attribute,
which contains the peer's identity, in the EAP-Response/AKA-
Identity message.
The identity carried above may be a permanent identity or a pseudonym
identity or fast re-authentication identity as defined in this RFC.
In networks where EAP is the only part handling such pseudonym or
fast re-authentication identities, this usage is clear. However, 5G
supports the concept of pseudonym or privacy identifiers, and it is
important for interoperability that the right type of identifiers are
used in the right place.
5G defines the SUbscription Permanent Identifier (SUPI) and
SUbscription Concealed Identifier (SUCI) [TS-3GPP.23.501]
[TS-3GPP.33.501]. SUPI is globally unique and allocated to each
subscriber. However, it is only used internally in the 5G network,
and is privacy sensitive. The SUCI is a privacy preserving
identifier containing the concealed SUPI, using public key
cryptography to encrypt the SUPI.
Given the choice between these two types of identifiers, two areas
need further specification in EAP-AKA' to ensure that different
implementations understand each other and stay interoperable:
o Where identifiers are used within EAP-AKA' -- such as key
derivation -- specify what values exactly should be used, to avoid
ambiguity.
o Where identifiers are carried within EAP-AKA' packets -- such as
in the AT_IDENTITY attribute -- specify which identifiers should
be filled in.
In 5G, the normal mode of operation is that identifiers are only
transmitted outside EAP. However, in a system involving terminals
from many generations and several connectivity options via 5G and
other mechanisms, implementations and the EAP-AKA' specification need
to prepare for many different situations, including sometimes having
to communicate identities within EAP.
The following sections clarify which identifiers are used and how.
5.1. Key Derivation
In EAP-AKA', the peer identity is used in the Section 3.3 key
derivation formula.
If the AT_KDF_INPUT parameter contains the prefix "5G:", the AT_KDF
parameter has the value 1, and this authentication is not a fast re-
authentication, then the peer identity used in the key derivation
MUST be the 5G SUPI for the peer. This rule applies to all full EAP-
AKA' authentication processes, even if the peer sent some other
identifier at a lower layer or as a response to an EAP Identity
Request or if no identity was sent.
In all other cases, the following applies:
The identity used in the key derivation formula MUST be exactly
the one sent in EAP-AKA' AT_IDENTITY attribute, if one was sent,
regardless of the kind of identity that it may have been. If no
AT_IDENTITY was sent, the identity MUST be the exactly the one
sent in the generic EAP Identity exchange, if one was made.
Again, the identity MUST be used exactly as sent.
If no identity was communicated inside EAP, then the identity is
the one communicated outside EAP in link layer messaging.
In this case, the used identity MUST be the identity most recently
communicated by the peer to the network, again regardless of what
type of identity it may have been.
5.2. EAP Identity Response and EAP-AKA' AT_IDENTITY Attribute
The EAP authentication option is only available in 5G when the new 5G
core network is also in use. However, in other networks an EAP-AKA'
peer may be connecting to other types of networks and existing
equipment.
When the EAP peer is connecting to a 5G access network and uses the
5G core network signalling mechanisms, it can assume that the EAP
server is in a 5G network. The EAP level identity exchanges are not
generally used in this case, but if there is, the EAP peer SHOULD
employ only the privacy preserving SUCI identifier within EAP (either
in EAP Identity Response or EAP-AKA' AT_IDENTITY attribute).
Similarly, if the peer is explicitly communicating through mechanisms
developed for 5G to connect to 5G networks over WLAN, it MUST assume
that the EAP server is in a 5G network, and again employ the SUCI
within EAP.
Otherwise, the peer SHOULD employ IMSI, SUPI, or a NAI as it is
configured to use.
6. Exported Parameters
The EAP-AKA' Session-Id is the concatenation of the EAP Type Code
(50, one octet) with the contents of the RAND field from the AT_RAND
attribute, followed by the contents of the AUTN field in the AT_AUTN
attribute:
Session-Id = 50 || RAND || AUTN
When using fast re-authentication, the EAP-AKA' Session-Id is the
concatenation of the EAP Type Code (50) with the contents of the
NONCE_S field from the AT_NONCE_S attribute, followed by the contents
of the MAC field from the AT_MAC attribute from EAP-Request/AKA-
Reauthentication:
Session-Id = 50 || NONCE_S || MAC
The Peer-Id is the contents of the Identity field from the
AT_IDENTITY attribute, using only the Actual Identity Length octets
from the beginning. Note that the contents are used as they are
transmitted, regardless of whether the transmitted identity was a
permanent, pseudonym, or fast EAP re-authentication identity. The
Server-Id is the null string (zero length).
7. Security Considerations
A summary of the security properties of EAP-AKA' follows. These A summary of the security properties of EAP-AKA' follows. These
properties are very similar to those in EAP-AKA. We assume that SHA- properties are very similar to those in EAP-AKA. We assume that
256 is at least as secure as SHA-1. This is called the SHA-256 SHA-256 is at least as secure as SHA-1. This is called the SHA-256
assumption in the remainder of this section. Under this assumption, assumption in the remainder of this section. Under this assumption,
EAP-AKA' is at least as secure as EAP-AKA. EAP-AKA' is at least as secure as EAP-AKA.
If the AT_KDF attribute has value 1, then the security properties of If the AT_KDF attribute has value 1, then the security properties of
EAP-AKA' are as follows: EAP-AKA' are as follows:
Protected ciphersuite negotiation Protected ciphersuite negotiation
EAP-AKA' has no ciphersuite negotiation mechanisms. It does have EAP-AKA' has no ciphersuite negotiation mechanisms. It does have
a negotiation mechanism for selecting the key derivation a negotiation mechanism for selecting the key derivation
skipping to change at page 16, line 49 skipping to change at page 20, line 49
K_aut, K_re), the MSK, and the EMSK are cryptographically K_aut, K_re), the MSK, and the EMSK are cryptographically
separate. If we make the assumption that SHA-256 behaves as a separate. If we make the assumption that SHA-256 behaves as a
pseudo-random function, an attacker is incapable of deriving any pseudo-random function, an attacker is incapable of deriving any
non-trivial information about any of these keys based on the other non-trivial information about any of these keys based on the other
keys. An attacker also cannot calculate the pre-shared secret keys. An attacker also cannot calculate the pre-shared secret
from IK, CK, IK', CK', K_encr, K_aut, K_re, MSK, or EMSK by any from IK, CK, IK', CK', K_encr, K_aut, K_re, MSK, or EMSK by any
practically feasible means. practically feasible means.
EAP-AKA' adds an additional layer of key derivation functions EAP-AKA' adds an additional layer of key derivation functions
within itself to protect against the use of compromised keys. within itself to protect against the use of compromised keys.
This is discussed further in Section 5.1. This is discussed further in Section 7.1.
EAP-AKA' uses a pseudo-random function modeled after the one used EAP-AKA' uses a pseudo-random function modeled after the one used
in IKEv2 [RFC4306] together with SHA-256. in IKEv2 [RFC4306] together with SHA-256.
Key strength Key strength
See above. See above.
Dictionary attack resistance Dictionary attack resistance
skipping to change at page 18, line 12 skipping to change at page 22, line 12
attributes can be used to add channel binding support in the attributes can be used to add channel binding support in the
future, if required. future, if required.
However, including the Network Name field in the AKA' algorithms However, including the Network Name field in the AKA' algorithms
(which are also used for other purposes than EAP-AKA') provides a (which are also used for other purposes than EAP-AKA') provides a
form of cryptographic separation between different network names, form of cryptographic separation between different network names,
which resembles channel bindings. However, the network name does which resembles channel bindings. However, the network name does
not typically identify the EAP (pass-through) authenticator. See not typically identify the EAP (pass-through) authenticator. See
the following section for more discussion. the following section for more discussion.
5.1. Security Properties of Binding Network Names 7.1. Security Properties of Binding Network Names
The ability of EAP-AKA' to bind the network name into the used keys The ability of EAP-AKA' to bind the network name into the used keys
provides some additional protection against key leakage to provides some additional protection against key leakage to
inappropriate parties. The keys used in the protocol are specific to inappropriate parties. The keys used in the protocol are specific to
a particular network name. If key leakage occurs due to an accident, a particular network name. If key leakage occurs due to an accident,
access node compromise, or another attack, the leaked keys are only access node compromise, or another attack, the leaked keys are only
useful when providing access with that name. For instance, a useful when providing access with that name. For instance, a
malicious access point cannot claim to be network Y if it has stolen malicious access point cannot claim to be network Y if it has stolen
keys from network X. Obviously, if an access point is compromised, keys from network X. Obviously, if an access point is compromised,
the malicious node can still represent the compromised node. As a the malicious node can still represent the compromised node. As a
result, neither EAP-AKA' nor any other extension can prevent such result, neither EAP-AKA' nor any other extension can prevent such
attacks; however, the binding to a particular name limits the attacks; however, the binding to a particular name limits the
attacker's choices, allows better tracking of attacks, makes it attacker's choices, allows better tracking of attacks, makes it
possible to identify compromised networks, and applies good possible to identify compromised networks, and applies good
cryptographic hygiene. cryptographic hygiene.
The server receives the EAP transaction from a given access network The server receives the EAP transaction from a given access network,
and verifies that the claim from the access network corresponds to and verifies that the claim from the access network corresponds to
the name that this access network should be using. It becomes the name that this access network should be using. It becomes
impossible for an access network to claim over AAA that it is another impossible for an access network to claim over AAA that it is another
access network. In addition, if the peer checks that the information access network. In addition, if the peer checks that the information
it has received locally over the network-access link layer matches it has received locally over the network-access link layer matches
with the information the server has given it via EAP-AKA', it becomes with the information the server has given it via EAP-AKA', it becomes
impossible for the access network to tell one story to the AAA impossible for the access network to tell one story to the AAA
network and another one to the peer. These checks prevent some network and another one to the peer. These checks prevent some
"lying NAS" (Network Access Server) attacks. For instance, a roaming "lying NAS" (Network Access Server) attacks. For instance, a roaming
partner, R, might claim that it is the home network H in an effort to partner, R, might claim that it is the home network H in an effort to
skipping to change at page 19, line 4 skipping to change at page 23, line 4
other alternative networks, such as H. other alternative networks, such as H.
Any attacker who gets hold of the keys CK and IK, produced by the AKA Any attacker who gets hold of the keys CK and IK, produced by the AKA
algorithm, can compute the keys CK' and IK' and, hence, the Master algorithm, can compute the keys CK' and IK' and, hence, the Master
Key (MK) according to the rules in Section 3.3. The attacker could Key (MK) according to the rules in Section 3.3. The attacker could
then act as a lying NAS. In 3GPP systems in general, the keys CK and then act as a lying NAS. In 3GPP systems in general, the keys CK and
IK have been distributed to, for instance, nodes in a visited access IK have been distributed to, for instance, nodes in a visited access
network where they may be vulnerable. In order to reduce this risk, network where they may be vulnerable. In order to reduce this risk,
the AKA algorithm MUST be computed with the AMF separation bit set to the AKA algorithm MUST be computed with the AMF separation bit set to
1, and the peer MUST check that this is indeed the case whenever it 1, and the peer MUST check that this is indeed the case whenever it
runs EAP-AKA'. Furthermore, [3GPP.33.402] requires that no CK or IK runs EAP-AKA'. Furthermore, [TS-3GPP.33.402] requires that no CK or
keys computed in this way ever leave the home subscriber system. IK keys computed in this way ever leave the home subscriber system.
The additional security benefits obtained from the binding depend The additional security benefits obtained from the binding depend
obviously on the way names are assigned to different access networks. obviously on the way names are assigned to different access networks.
This is specified in [3GPP.24.302]. See also [3GPP.23.003]. This is specified in [TS-3GPP.24.302]. See also [TS-3GPP.23.003].
Ideally, the names allow separating each different access technology, Ideally, the names allow separating each different access technology,
each different access network, and each different NAS within a each different access network, and each different NAS within a
domain. If this is not possible, the full benefits may not be domain. If this is not possible, the full benefits may not be
achieved. For instance, if the names identify just an access achieved. For instance, if the names identify just an access
technology, use of compromised keys in a different technology can be technology, use of compromised keys in a different technology can be
prevented, but it is not possible to prevent their use by other prevented, but it is not possible to prevent their use by other
domains or devices using the same technology. domains or devices using the same technology.
6. IANA Considerations 8. IANA Considerations
6.1. Type Value 8.1. Type Value
EAP-AKA' has the EAP Type value 50 in the Extensible Authentication EAP-AKA' has the EAP Type value 50 in the Extensible Authentication
Protocol (EAP) Registry under Method Types. Per Section 6.2 of Protocol (EAP) Registry under Method Types. Per Section 6.2 of
[RFC3748], this allocation can be made with Designated Expert and [RFC3748], this allocation can be made with Designated Expert and
Specification Required. Specification Required.
6.2. Attribute Type Values 8.2. Attribute Type Values
EAP-AKA' shares its attribute space and subtypes with EAP-SIM EAP-AKA' shares its attribute space and subtypes with EAP-SIM
[RFC4186] and EAP-AKA [RFC4187]. No new registries are needed. [RFC4186] and EAP-AKA [RFC4187]. No new registries are needed.
However, a new Attribute Type value (23) in the non-skippable range However, a new Attribute Type value (23) in the non-skippable range
has been assigned for AT_KDF_INPUT (Section 3.1) in the EAP-AKA and has been assigned for AT_KDF_INPUT (Section 3.1) in the EAP-AKA and
EAP-SIM Parameters registry under Attribute Types. EAP-SIM Parameters registry under Attribute Types.
Also, a new Attribute Type value (24) in the non-skippable range has Also, a new Attribute Type value (24) in the non-skippable range has
been assigned for AT_KDF (Section 3.2). been assigned for AT_KDF (Section 3.2).
Finally, a new Attribute Type value (136) in the skippable range has Finally, a new Attribute Type value (136) in the skippable range has
been assigned for AT_BIDDING (Section 4). been assigned for AT_BIDDING (Section 4).
6.3. Key Derivation Function Namespace 8.3. Key Derivation Function Namespace
IANA has also created a new namespace for EAP-AKA' AT_KDF Key IANA has also created a new namespace for EAP-AKA' AT_KDF Key
Derivation Function Values. This namespace exists under the EAP-AKA Derivation Function Values. This namespace exists under the EAP-AKA
and EAP-SIM Parameters registry. The initial contents of this and EAP-SIM Parameters registry. The initial contents of this
namespace are given below; new values can be created through the namespace are given below; new values can be created through the
Specification Required policy [RFC5226]. Specification Required policy [RFC8126].
Value Description Reference Value Description Reference
--------- ---------------------- --------------- --------- ---------------------- ---------------
0 Reserved [RFC5448] 0 Reserved [RFC 5448]
1 EAP-AKA' with CK'/IK' [RFC5448] 1 EAP-AKA' with CK'/IK' [RFC 5448]
2-65535 Unassigned 2-65535 Unassigned
7. Contributors 9. Contributors
The test vectors in Appendix C were provided by Yogendra Pal and The test vectors in Appendix C were provided by Yogendra Pal and
Jouni Malinen, based on two independent implementations of this Jouni Malinen, based on two independent implementations of this
specification. specification.
8. Acknowledgments Jouni Malinen provided suggested text for Section 6.
10. Acknowledgments
The authors would like to thank Guenther Horn, Joe Salowey, Mats The authors would like to thank Guenther Horn, Joe Salowey, Mats
Naslund, Adrian Escott, Brian Rosenberg, Laksminath Dondeti, Ahmad Naslund, Adrian Escott, Brian Rosenberg, Laksminath Dondeti, Ahmad
Muhanna, Stefan Rommer, Miguel Garcia, Jan Kall, Ankur Agarwal, Jouni Muhanna, Stefan Rommer, Miguel Garcia, Jan Kall, Ankur Agarwal, Jouni
Malinen, Brian Weis, Russ Housley, and Alfred Hoenes for their in- Malinen, Brian Weis, Russ Housley, Alfred Hoenes, Vesa Torvinen,
depth reviews and interesting discussions in this problem space. Anand Palanigounder, and Mohit Sethi for their in-depth reviews and
interesting discussions in this problem space.
9. References 11. References
9.1. Normative References 11.1. Normative References
[3GPP.24.302] 3GPP, "3rd Generation Partnership Project; [TS-3GPP.23.501]
Technical Specification Group Core Network and 3GPP, "3rd Generation Partnership Project; Technical
Terminals; Access to the 3GPP Evolved Packet Core Specification Group Services and System Aspects; 3G
(EPC) via non-3GPP access networks; Stage 3; Security; Security architecture and procedures for 5G
(Release 8)", 3GPP Technical Specification 24.302, System; (Release 15)", 3GPP Technical Specification
December 2008. 23.501, December 2017.
[3GPP.33.102] 3GPP, "3rd Generation Partnership Project; [TS-3GPP.24.302]
Technical Specification Group Services and System 3GPP, "3rd Generation Partnership Project; Technical
Aspects; 3G Security; Security architecture Specification Group Core Network and Terminals; Access to
(Release 8)", 3GPP Technical Specification 33.102, the 3GPP Evolved Packet Core (EPC) via non-3GPP access
December 2008. networks; Stage 3; (Release 15)", 3GPP Draft Technical
Specification 24.302, June 2018.
[3GPP.33.402] 3GPP, "3GPP System Architecture Evolution (SAE); [TS-3GPP.33.102]
Security aspects of non-3GPP accesses; Release 8", 3GPP, "3rd Generation Partnership Project; Technical
3GPP Technical Specification 33.402, Specification Group Services and System Aspects; 3G
December 2008. Security; Security architecture (Release 15)", 3GPP Draft
Technical Specification 33.102, June 2018.
[FIPS.180-2.2002] National Institute of Standards and Technology, [TS-3GPP.33.402]
"Secure Hash Standard", FIPS PUB 180-2, 3GPP, "3GPP System Architecture Evolution (SAE); Security
August 2002, <http://csrc.nist.gov/publications/ aspects of non-3GPP accesses (Release 15)", 3GPP Draft
fips/fips180-2/fips180-2.pdf>. Technical Specification 33.402, June 2018.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: [TS-3GPP.33.501]
Keyed-Hashing for Message Authentication", 3GPP, "3rd Generation Partnership Project; Technical
RFC 2104, February 1997. Specification Group Services and System Aspects; 3G
Security; Security architecture and procedures for 5G
System (Release 15)", 3GPP Draft Technical Specification
33.501, June 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to [FIPS.180-4]
Indicate Requirement Levels", BCP 14, RFC 2119, National Institute of Standards and Technology, "Secure
March 1997. Hash Standard", FIPS PUB 180-4, August 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
and H. Levkowetz, "Extensible Authentication Hashing for Message Authentication", RFC 2104,
Protocol (EAP)", RFC 3748, June 2004. DOI 10.17487/RFC2104, February 1997, <https://www.rfc-
editor.org/info/rfc2104>.
[RFC4187] Arkko, J. and H. Haverinen, "Extensible [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Authentication Protocol Method for 3rd Generation Requirement Levels", BCP 14, RFC 2119,
Authentication and Key Agreement (EAP-AKA)", DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
RFC 4187, January 2006. editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Writing an IANA Considerations Section in RFCs", Levkowetz, Ed., "Extensible Authentication Protocol
BCP 26, RFC 5226, May 2008. (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>.
9.2. Informative References [RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
Protocol Method for 3rd Generation Authentication and Key
Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187,
January 2006, <https://www.rfc-editor.org/info/rfc4187>.
[3GPP.23.003] 3GPP, "3rd Generation Partnership Project; [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Technical Specification Group Core Network and Writing an IANA Considerations Section in RFCs", BCP 26,
Terminals; Numbering, addressing and RFC 8126, DOI 10.17487/RFC8126, June 2017,
identification (Release 8)", 3GPP Draft Technical <https://www.rfc-editor.org/info/rfc8126>.
Specification 23.003, December 2008.
[3GPP.35.208] 3GPP, "3rd Generation Partnership Project; [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
Technical Specification Group Services and System 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
Aspects; 3G Security; Specification of the May 2017, <https://www.rfc-editor.org/info/rfc8174>.
MILENAGE Algorithm Set: An example algorithm set
for the 3GPP authentication and key generation
functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data (Release
8)", 3GPP Technical Specification 35.208,
December 2008.
[FIPS.180-1.1995] National Institute of Standards and Technology, 11.2. Informative References
"Secure Hash Standard", FIPS PUB 180-1,
April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[RFC4186] Haverinen, H. and J. Salowey, "Extensible [TS-3GPP.23.003]
Authentication Protocol Method for Global System 3GPP, "3rd Generation Partnership Project; Technical
for Mobile Communications (GSM) Subscriber Specification Group Core Network and Terminals; Numbering,
Identity Modules (EAP-SIM)", RFC 4186, addressing and identification (Release 15)", 3GPP Draft
January 2006. Technical Specification 23.003, June 2018.
[RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, [TS-3GPP.35.208]
"Identity Selection Hints for the Extensible 3GPP, "3rd Generation Partnership Project; Technical
Authentication Protocol (EAP)", RFC 4284, Specification Group Services and System Aspects; 3G
January 2006. Security; Specification of the MILENAGE Algorithm Set: An
example algorithm set for the 3GPP authentication and key
generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data (Release 14)",
3GPP Technical Specification 35.208, March 2017.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) [FIPS.180-1]
Protocol", RFC 4306, December 2005. National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[RFC5113] Arkko, J., Aboba, B., Korhonen, J., and F. Bari, [FIPS.180-2]
"Network Discovery and Selection Problem", National Institute of Standards and Technology, "Secure
RFC 5113, January 2008. Hash Standard", FIPS PUB 180-2, August 2002,
<http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2.pdf>.
[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible
Authentication Protocol (EAP) Key Management Authentication Protocol Method for Global System for
Framework", RFC 5247, August 2008. Mobile Communications (GSM) Subscriber Identity Modules
(EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006,
<https://www.rfc-editor.org/info/rfc4186>.
Appendix A. Changes from RFC 4187 [RFC4284] Adrangi, F., Lortz, V., Bari, F., and P. Eronen, "Identity
Selection Hints for the Extensible Authentication Protocol
(EAP)", RFC 4284, DOI 10.17487/RFC4284, January 2006,
<https://www.rfc-editor.org/info/rfc4284>.
[RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005,
<https://www.rfc-editor.org/info/rfc4306>.
[RFC5113] Arkko, J., Aboba, B., Korhonen, J., Ed., and F. Bari,
"Network Discovery and Selection Problem", RFC 5113,
DOI 10.17487/RFC5113, January 2008, <https://www.rfc-
editor.org/info/rfc5113>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226,
DOI 10.17487/RFC5226, May 2008, <https://www.rfc-
editor.org/info/rfc5226>.
[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
Authentication Protocol (EAP) Key Management Framework",
RFC 5247, DOI 10.17487/RFC5247, August 2008,
<https://www.rfc-editor.org/info/rfc5247>.
[RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
Extensible Authentication Protocol Method for 3rd
Generation Authentication and Key Agreement (EAP-AKA')",
RFC 5448, DOI 10.17487/RFC5448, May 2009,
<https://www.rfc-editor.org/info/rfc5448>.
Appendix A. Changes from RFC 5448
The changes consist first of all, referring to a newer version of
[TS-3GPP.24.302]. The new version includes an updated definition of
the Network Name field, to include 5G.
Secondly, identifier usage for 5G has been specified in Section 5.
Thirdly, exported parameters for EAP-AKA' have been defined in
Section 6, as required by [RFC5247], including the definition of
those parameters for both full authentication and fast re-
authentication.
Finally, the references to [RFC2119], [RFC5226], [FIPS.180-1] and
[FIPS.180-2] have been updated to their most recent versions and
language in this document changed accordingly. Similarly, references
to all 3GPP technical specifications have been updated to their 5G
(Release 15) versions or otherwise most recent version when there has
not been a 5G-related update.
Appendix B. Changes from RFC 4187 to RFC 5448
The changes to RFC 4187 relate only to the bidding down prevention The changes to RFC 4187 relate only to the bidding down prevention
support defined in Section 4. In particular, this document does not support defined in Section 4. In particular, this document does not
change how the Master Key (MK) is calculated in RFC 4187 (it uses CK change how the Master Key (MK) is calculated in RFC 4187 (it uses CK
and IK, not CK' and IK'); neither is any processing of the AMF bit and IK, not CK' and IK'); neither is any processing of the AMF bit
added to RFC 4187. added to RFC 4187.
Appendix B. Importance of Explicit Negotiation Appendix C. Changes from Previous Version of This Draft
RFC Editor: Please delete this section at the time of publication.
The -00 version of the working group draft is merely a republication
of an earlier individual draft.
The -01 version of the working group clarifies updates relationship
to RFC 4187, clarifies language relating to obsoleting RFC 5448,
clarifies when the 3GPP references are expected to be stable, updates
several past references to their more recently published versions,
specifies what identifiers should be used in key derivation formula
for 5G, specifies how to construct the network name in manner that is
compatible with both 5G and previous versions, and has some minor
editorial changes.
Appendix D. Importance of Explicit Negotiation
Choosing between the traditional and revised AKA key derivation Choosing between the traditional and revised AKA key derivation
functions is easy when their use is unambiguously tied to a functions is easy when their use is unambiguously tied to a
particular radio access network, e.g., Long Term Evolution (LTE) as particular radio access network, e.g., Long Term Evolution (LTE) as
defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined defined by 3GPP or evolved High Rate Packet Data (eHRPD) as defined
by 3GPP2. There is no possibility for interoperability problems if by 3GPP2. There is no possibility for interoperability problems if
this radio access network is always used in conjunction with new this radio access network is always used in conjunction with new
protocols that cannot be mixed with the old ones; clients will always protocols that cannot be mixed with the old ones; clients will always
know whether they are connecting to the old or new system. know whether they are connecting to the old or new system.
skipping to change at page 24, line 5 skipping to change at page 29, line 12
requests, or server configuration does not match expectations. It requests, or server configuration does not match expectations. It
also does not help to assume that the EAP client and server are also does not help to assume that the EAP client and server are
running a particular release of 3GPP network specifications. Network running a particular release of 3GPP network specifications. Network
vendors often provide features from future releases early or do not vendors often provide features from future releases early or do not
provide all features of the current release. And obviously, there provide all features of the current release. And obviously, there
are many EAP and even some EAP-AKA implementations that are not are many EAP and even some EAP-AKA implementations that are not
bundled with the 3GPP network offerings. In general, these bundled with the 3GPP network offerings. In general, these
approaches are expected to lead to hard-to-diagnose problems and approaches are expected to lead to hard-to-diagnose problems and
increased support calls. increased support calls.
Appendix C. Test Vectors Appendix E. Test Vectors
Test vectors are provided below for four different cases. The test Test vectors are provided below for four different cases. The test
vectors may be useful for testing implementations. In the first two vectors may be useful for testing implementations. In the first two
cases, we employ the Milenage algorithm and the algorithm cases, we employ the Milenage algorithm and the algorithm
configuration parameters (the subscriber key K and operator algorithm configuration parameters (the subscriber key K and operator algorithm
variant configuration value OP) from test set 19 in [3GPP.35.208]. variant configuration value OP) from test set 19 in [TS-3GPP.35.208].
The last two cases use artificial values as the output of AKA, and is The last two cases use artificial values as the output of AKA, and is
useful only for testing the computation of values within EAP-AKA', useful only for testing the computation of values within EAP-AKA',
not AKA itself. not AKA itself.
Case 1 Case 1
The parameters for the AKA run are as follows: The parameters for the AKA run are as follows:
Identity: "0555444333222111" Identity: "0555444333222111"
skipping to change at page 29, line 6 skipping to change at page 34, line 4
680a 04b0 b086 ee87 00ac e3e0 b95f a026 680a 04b0 b086 ee87 00ac e3e0 b95f a026
83c2 87be ee44 4322 94ff 98af 26d2 cc78 83c2 87be ee44 4322 94ff 98af 26d2 cc78
3bac e75c 4b0a f7fd feb5 511b a8e4 cbd0 3bac e75c 4b0a f7fd feb5 511b a8e4 cbd0
EMSK: 7fb5 6813 838a dafa 99d1 40c2 f198 f6da EMSK: 7fb5 6813 838a dafa 99d1 40c2 f198 f6da
cebf b6af ee44 4961 1054 02b5 08c7 f363 cebf b6af ee44 4961 1054 02b5 08c7 f363
352c b291 9644 b504 63e6 a693 5415 0147 352c b291 9644 b504 63e6 a693 5415 0147
ae09 cbc5 4b8a 651d 8787 a689 3ed8 536d ae09 cbc5 4b8a 651d 8787 a689 3ed8 536d
Authors' Addresses Authors' Addresses
Jari Arkko Jari Arkko
Ericsson Ericsson
Jorvas 02420 Jorvas 02420
Finland Finland
EMail: jari.arkko@piuha.net Email: jari.arkko@piuha.net
Vesa Lehtovirta Vesa Lehtovirta
Ericsson Ericsson
Jorvas 02420 Jorvas 02420
Finland Finland
EMail: vesa.lehtovirta@ericsson.com Email: vesa.lehtovirta@ericsson.com
Vesa Torvinen
Ericsson
Jorvas 02420
Finland
Email: vesa.torvinen@ericsson.com
Pasi Eronen Pasi Eronen
Nokia Research Center Nokia Research Center
P.O. Box 407 P.O. Box 407
FIN-00045 Nokia Group FIN-00045 Nokia Group
Finland Finland
EMail: pasi.eronen@nokia.com Email: pasi.eronen@nokia.com
 End of changes. 76 change blocks. 
239 lines changed or deleted 556 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/