draft-ietf-emu-aka-pfs-03.txt | draft-arkko-eap-aka-pfs.txt | |||
---|---|---|---|---|
Network Working Group J. Arkko | Network Working Group J. Arkko | |||
Internet-Draft K. Norrman | Internet-Draft K. Norrman | |||
Updates: RFC5448 (if approved) V. Torvinen | Updates: RFC5448 (if approved) V. Torvinen | |||
Intended status: Informational Ericsson | Intended status: Informational Ericsson | |||
Expires: November 23, 2020 May 22, 2020 | Expires: November 26, 2020 May 25, 2020 | |||
Perfect-Forward Secrecy for the Extensible Authentication Protocol | Perfect-Forward Secrecy for the Extensible Authentication Protocol | |||
Method for Authentication and Key Agreement (EAP-AKA' PFS) | Method for Authentication and Key Agreement (EAP-AKA' PFS) | |||
draft-ietf-emu-aka-pfs-03 | draft-ietf-emu-aka-pfs-04 | |||
Abstract | Abstract | |||
Many different attacks have been reported as part of revelations | Many different attacks have been reported as part of revelations | |||
associated with pervasive surveillance. Some of the reported attacks | associated with pervasive surveillance. Some of the reported attacks | |||
involved compromising smart cards, such as attacking SIM card | involved compromising smart cards, such as attacking SIM card | |||
manufacturers and operators in an effort to compromise shared secrets | manufacturers and operators in an effort to compromise shared secrets | |||
stored on these cards. Since the publication of those reports, | stored on these cards. Since the publication of those reports, | |||
manufacturing and provisioning processes have gained much scrutiny | manufacturing and provisioning processes have gained much scrutiny | |||
and have improved. However, the danger of resourceful attackers for | and have improved. However, the danger of resourceful attackers for | |||
skipping to change at page 1, line 49 | skipping to change at page 1, line 49 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on November 23, 2020. | This Internet-Draft will expire on November 26, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 11, line 45 | skipping to change at page 11, line 45 | |||
Value | Value | |||
This value is the sender's ECDHE public value. It is calculated | This value is the sender's ECDHE public value. It is calculated | |||
as follows: | as follows: | |||
* For X25519/Curve25519, the length of this value is 32 bytes, | * For X25519/Curve25519, the length of this value is 32 bytes, | |||
encoded in binary as specified [RFC7748] Section 6.1. | encoded in binary as specified [RFC7748] Section 6.1. | |||
* For P-256, the length of this value is 32 bytes, encoded in | * For P-256, the length of this value is 32 bytes, encoded in | |||
binary as specified in [SEC2v2]. | binary as specified in [FIPS186-4]. | |||
To retain the security of the keys, the sender SHALL generate a | To retain the security of the keys, the sender SHALL generate a | |||
fresh value for each run of the protocol. | fresh value for each run of the protocol. | |||
6.2. AT_KDF_PFS | 6.2. AT_KDF_PFS | |||
The AT_KDF_PFS indicates the used or desired key generation function, | The AT_KDF_PFS indicates the used or desired key generation function, | |||
if the Perfect Forward Secrecy extension is taken into use. It will | if the Perfect Forward Secrecy extension is taken into use. It will | |||
also at the same time indicate the used or desired ECDHE group. A | also at the same time indicate the used or desired ECDHE group. A | |||
new attribute is needed to carry this information, as AT_KDF carries | new attribute is needed to carry this information, as AT_KDF carries | |||
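Review bot: The P-256 bullet keeps the length at 32 bytes but never says which representation of the public value is carried, and the new [FIPS186-4] citation names no section, unlike the X25519 bullet, which points at [RFC7748] Section 6.1. A P-256 public value is a curve point with two 32-byte coordinates, so 32 bytes can hold only one of them. The text should state the exact form and its matching length (for example x-coordinate only, or a compressed point including its sign octet) and cite the section that defines that octet encoding, so that both peers parse the Value field identically.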
skipping to change at page 15, line 43 | skipping to change at page 15, line 43 | |||
The selection of suitable groups for the elliptic curve computation | The selection of suitable groups for the elliptic curve computation | |||
is necessary. The choice of a group is made at the same time as | is necessary. The choice of a group is made at the same time as | |||
deciding to use of particular key derivation function in AT_KDF_PFS. | deciding to use of particular key derivation function in AT_KDF_PFS. | |||
For "EAP-AKA' with ECDHE and X25519" the group is the Curve25519 | For "EAP-AKA' with ECDHE and X25519" the group is the Curve25519 | |||
group specified in [RFC7748]. The support for this group is | group specified in [RFC7748]. The support for this group is | |||
REQUIRED. | REQUIRED. | |||
For "EAP-AKA' with ECDHE and P-256" the group is the NIST P-256 group | For "EAP-AKA' with ECDHE and P-256" the group is the NIST P-256 group | |||
(SEC group secp256r1), specified in [SEC2v2]. The support for this | (SEC group secp256r1), specified in [FIPS186-4]. The support for | |||
group is OPTIONAL. | this group is OPTIONAL. | |||
6.5. Message Processing | 6.5. Message Processing | |||
This section specifies the changes related to message processing when | This section specifies the changes related to message processing when | |||
this extension is used in EAP-AKA'. It specifies when a message may | this extension is used in EAP-AKA'. It specifies when a message may | |||
be transmitted or accepted, which attributes are allowed in a | be transmitted or accepted, which attributes are allowed in a | |||
message, which attributes are required in a message, and other | message, which attributes are required in a message, and other | |||
message-specific details, where those details are different for this | message-specific details, where those details are different for this | |||
extension than the base EAP-AKA' or EAP-AKA protocol. Unless | extension than the base EAP-AKA' or EAP-AKA protocol. Unless | |||
otherwise specified here, the rules from [I-D.ietf-emu-rfc5448bis] or | otherwise specified here, the rules from [I-D.ietf-emu-rfc5448bis] or | |||
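Review bot: In the P-256 paragraph the parenthetical "(SEC group secp256r1)" is kept while the citation moves from [SEC2v2] to [FIPS186-4], so the SEC name is left without a SEC reference behind it. Either use the NIST name alone, or keep [SEC2v2] alongside [FIPS186-4] for the secp256r1 alias. Separately, the unchanged context line "deciding to use of particular key derivation function" reads wrong on both sides and could be fixed in the same revision ("deciding to use a particular").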
skipping to change at page 23, line 44 | skipping to change at page 23, line 44 | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[I-D.ietf-emu-rfc5448bis] | [I-D.ietf-emu-rfc5448bis] | |||
Arkko, J., Lehtovirta, V., Torvinen, V., and P. Eronen, | Arkko, J., Lehtovirta, V., Torvinen, V., and P. Eronen, | |||
"Improved Extensible Authentication Protocol Method for | "Improved Extensible Authentication Protocol Method for | |||
3GPP Mobile Network Authentication and Key Agreement (EAP- | 3GPP Mobile Network Authentication and Key Agreement (EAP- | |||
AKA')", draft-ietf-emu-rfc5448bis-07 (work in progress), | AKA')", draft-ietf-emu-rfc5448bis-07 (work in progress), | |||
March 2020. | March 2020. | |||
[SEC2v2] Standards for Elliptic Cryptography Group, , "SEC 2: | [FIPS186-4] | |||
Recommended Elliptic Curve Domain Parameters", August | NIST, , "Digital Signature Standard (DSS)", July 2013. | |||
2010, version 2.0. | ||||
9.2. Informative References | 9.2. Informative References | |||
[RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | [RFC4186] Haverinen, H., Ed. and J. Salowey, Ed., "Extensible | |||
Authentication Protocol Method for Global System for | Authentication Protocol Method for Global System for | |||
Mobile Communications (GSM) Subscriber Identity Modules | Mobile Communications (GSM) Subscriber Identity Modules | |||
(EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | (EAP-SIM)", RFC 4186, DOI 10.17487/RFC4186, January 2006, | |||
<https://www.rfc-editor.org/info/rfc4186>. | <https://www.rfc-editor.org/info/rfc4186>. | |||
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS | [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS | |||
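Review bot: The new [FIPS186-4] entry has an empty field after the author ("NIST, ,") and gives no document number, DOI or URL, while the RFC 8174 entry just above it carries both a DOI and a URL. The entry sits ahead of "9.2. Informative References" and the P-256 group definition now depends on it, so add the publication identifier and a stable locator, and name the section or appendix of the standard that is being relied on.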
skipping to change at page 25, line 7 | skipping to change at page 25, line 7 | |||
2015, in https://firstlook.org/theintercept/2015/02/19/ | 2015, in https://firstlook.org/theintercept/2015/02/19/ | |||
great-sim-heist/ . | great-sim-heist/ . | |||
[DOW1992] Diffie, W., vanOorschot, P., and M. Wiener, | [DOW1992] Diffie, W., vanOorschot, P., and M. Wiener, | |||
"Authentication and Authenticated Key Exchanges", June | "Authentication and Authenticated Key Exchanges", June | |||
1992, in Designs, Codes and Cryptography 2 (2): pp. | 1992, in Designs, Codes and Cryptography 2 (2): pp. | |||
107-125. | 107-125. | |||
Appendix A. Change Log | Appendix A. Change Log | |||
The -04 version of the WG draft takes into account feedback from the | ||||
May 2020 WG interim meeting, correcting the reference to the NIST | ||||
P-256 specification. | ||||
The -03 version of the WG draft is first of all a refresh; there are | The -03 version of the WG draft is first of all a refresh; there are | |||
no issues that we think need addressing, beyond the one for which | no issues that we think need addressing, beyond the one for which | |||
there is a suggestion in -03: The specification now suggests an | there is a suggestion in -03: The specification now suggests an | |||
alternate group/curve as an optional one besides X25519. The | alternate group/curve as an optional one besides X25519. The | |||
specific choice of particular groups and algorithms is still up to | specific choice of particular groups and algorithms is still up to | |||
the working group. | the working group. | |||
The -02 version of the WG draft took into account additional reviews, | The -02 version of the WG draft took into account additional reviews, | |||
and changed the document to update RFC 5448 (or rather, its | and changed the document to update RFC 5448 (or rather, its | |||
successor, [I-D.ietf-emu-rfc5448bis]), changed the wording of the | successor, [I-D.ietf-emu-rfc5448bis]), changed the wording of the | |||
skipping to change at page 26, line 6 | skipping to change at page 26, line 8 | |||
Appendix B. Acknowledgments | Appendix B. Acknowledgments | |||
The authors would like to note that the technical solution in this | The authors would like to note that the technical solution in this | |||
document came out of the TrustCom paper [TrustCom2015], whose authors | document came out of the TrustCom paper [TrustCom2015], whose authors | |||
were J. Arkko, K. Norrman, M. Naslund, and B. Sahlin. This | were J. Arkko, K. Norrman, M. Naslund, and B. Sahlin. This | |||
document uses also a lot of material from [RFC4187] by J. Arkko and | document uses also a lot of material from [RFC4187] by J. Arkko and | |||
H. Haverinen as well as [RFC5448] by J. Arkko, V. Lehtovirta, and | H. Haverinen as well as [RFC5448] by J. Arkko, V. Lehtovirta, and | |||
P. Eronen. | P. Eronen. | |||
The authors would also like to thank Tero Kivinen, John Mattsson, | The authors would also like to thank Tero Kivinen, John Mattsson, | |||
Mohit Sethi, Vesa Lehtovirta, Joseph Salowey, Kathleen Moriarty, | Mohit Sethi, Vesa Lehtovirta, Russ Housley, Sean Turner, Eliot Lear, | |||
Zhang Fu, Bengt Sahlin, Ben Campbell, Prajwol Kumar Nakarmi, Goran | Joseph Salowey, Kathleen Moriarty, Zhang Fu, Bengt Sahlin, Ben | |||
Rune, Tim Evans, Helena Vahidi Mazinani, Anand R. Prasad, and many | Campbell, Prajwol Kumar Nakarmi, Goran Rune, Tim Evans, Helena Vahidi | |||
other people at the GSMA and 3GPP groups for interesting discussions | Mazinani, Anand R. Prasad, and many other people at the IETF, GSMA | |||
in this problem space. | and 3GPP groups for interesting discussions in this problem space. | |||
Authors' Addresses | Authors' Addresses | |||
Jari Arkko | Jari Arkko | |||
Ericsson | Ericsson | |||
Jorvas 02420 | Jorvas 02420 | |||
Finland | Finland | |||
Email: jari.arkko@piuha.net | Email: jari.arkko@piuha.net | |||
End of changes. 8 change blocks. | ||||
14 lines changed or deleted | 17 lines changed or added | |||