Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
RFC 4187
Document Type RFC - Informational (January 2006; Errata)
Updated by RFC 5448
Was draft-arkko-pppext-eap-aka (individual in int area)
Last updated 2018-12-20
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4187 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Thomas Narten
Send notices to stephen.hayes@ericsson.com
Email authors IPR 2 References Referenced by Nits 
Network Working Group                                           J. Arkko
Request for Comments: 4187                                      Ericsson
Category: Informational                                     H. Haverinen
                                                                   Nokia
                                                            January 2006

      Extensible Authentication Protocol Method for 3rd Generation
               Authentication and Key Agreement (EAP-AKA)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

IESG Note

   The EAP-AKA protocol was developed by 3GPP.  The documentation of
   EAP-AKA is provided as information to the Internet community.  While
   the EAP WG has verified that EAP-AKA is compatible with EAP as
   defined in RFC 3748, no other review has been done, including
   validation of the security claims.  The IETF has also not reviewed
   the security of the underlying UMTS AKA algorithms.

Abstract

   This document specifies an Extensible Authentication Protocol (EAP)
   mechanism for authentication and session key distribution that uses
   the Authentication and Key Agreement (AKA) mechanism.  AKA is used in
   the 3rd generation mobile networks Universal Mobile
   Telecommunications System (UMTS) and CDMA2000.  AKA is based on
   symmetric keys, and typically runs in a Subscriber Identity Module,
   which is a UMTS Subscriber Identity Module, USIM, or a (Removable)
   User Identity Module, (R)UIM, similar to a smart card.

   EAP-AKA includes optional identity privacy support, optional result
   indications, and an optional fast re-authentication procedure.

Arkko & Haverinen            Informational                      [Page 1]
RFC 4187                 EAP-AKA Authentication             January 2006

Table of Contents

   1. Introduction and Motivation .....................................4
   2. Terms and Conventions Used in This Document .....................5
   3. Protocol Overview ...............................................9
   4. Operation ......................................................15
      4.1. Identity Management .......................................15
           4.1.1. Format, Generation, and Usage of Peer Identities ...15
           4.1.2. Communicating the Peer Identity to the Server ......21
           4.1.3. Choice of Identity for the EAP-Response/Identity ...23
           4.1.4. Server Operation in the Beginning of
                  EAP-AKA Exchange ...................................23
           4.1.5. Processing of EAP-Request/AKA-Identity by
                  the Peer ...........................................24
           4.1.6. Attacks against Identity Privacy ...................25
           4.1.7. Processing of AT_IDENTITY by the Server ............26
      4.2. Message Sequence Examples (Informative) ...................27
           4.2.1. Usage of AT_ANY_ID_REQ .............................27
           4.2.2. Fall Back on Full Authentication ...................28
           4.2.3. Requesting the Permanent Identity 1 ................29
           4.2.4. Requesting the Permanent Identity 2 ................30
           4.2.5. Three EAP/AKA-Identity Round Trips .................30
   5. Fast Re-Authentication .........................................32
      5.1. General ...................................................32
      5.2. Comparison to AKA .........................................33
      5.3. Fast Re-Authentication Identity ...........................33
      5.4. Fast Re-Authentication Procedure ..........................35
      5.5. Fast Re-Authentication Procedure when Counter is
           Too Small .................................................37
   6. EAP-AKA Notifications ..........................................38
      6.1. General ...................................................38
      6.2. Result Indications ........................................39
      6.3. Error Cases ...............................................40
           6.3.1. Peer Operation .....................................41
           6.3.2. Server Operation ...................................41
           6.3.3. EAP-Failure ........................................42
           6.3.4. EAP-Success ........................................42
   7. Key Generation .................................................43
   8. Message Format and Protocol Extensibility ......................45
      8.1. Message Format ............................................45
      8.2. Protocol Extensibility ....................................47
   9. Messages .......................................................48
      9.1. EAP-Request/AKA-Identity ..................................48
      9.2. EAP-Response/AKA-Identity .................................48
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools