Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
RFC 4187
Document | Type |
RFC - Informational
(January 2006; Errata)
Updated by RFC 5448
Was draft-arkko-pppext-eap-aka (individual in int area)
|
|
---|---|---|---|
Authors | Jari Arkko , Henry Haverinen | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4187 (Informational) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Thomas Narten | ||
Send notices to | stephen.hayes@ericsson.com |
Network Working Group J. Arkko Request for Comments: 4187 Ericsson Category: Informational H. Haverinen Nokia January 2006 Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). IESG Note The EAP-AKA protocol was developed by 3GPP. The documentation of EAP-AKA is provided as information to the Internet community. While the EAP WG has verified that EAP-AKA is compatible with EAP as defined in RFC 3748, no other review has been done, including validation of the security claims. The IETF has also not reviewed the security of the underlying UMTS AKA algorithms. Abstract This document specifies an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution that uses the Authentication and Key Agreement (AKA) mechanism. AKA is used in the 3rd generation mobile networks Universal Mobile Telecommunications System (UMTS) and CDMA2000. AKA is based on symmetric keys, and typically runs in a Subscriber Identity Module, which is a UMTS Subscriber Identity Module, USIM, or a (Removable) User Identity Module, (R)UIM, similar to a smart card. EAP-AKA includes optional identity privacy support, optional result indications, and an optional fast re-authentication procedure. Arkko & Haverinen Informational [Page 1] RFC 4187 EAP-AKA Authentication January 2006 Table of Contents 1. Introduction and Motivation .....................................4 2. Terms and Conventions Used in This Document .....................5 3. Protocol Overview ...............................................9 4. Operation ......................................................15 4.1. Identity Management .......................................15 4.1.1. Format, Generation, and Usage of Peer Identities ...15 4.1.2. Communicating the Peer Identity to the Server ......21 4.1.3. Choice of Identity for the EAP-Response/Identity ...23 4.1.4. Server Operation in the Beginning of EAP-AKA Exchange ...................................23 4.1.5. Processing of EAP-Request/AKA-Identity by the Peer ...........................................24 4.1.6. Attacks against Identity Privacy ...................25 4.1.7. Processing of AT_IDENTITY by the Server ............26 4.2. Message Sequence Examples (Informative) ...................27 4.2.1. Usage of AT_ANY_ID_REQ .............................27 4.2.2. Fall Back on Full Authentication ...................28 4.2.3. Requesting the Permanent Identity 1 ................29 4.2.4. Requesting the Permanent Identity 2 ................30 4.2.5. Three EAP/AKA-Identity Round Trips .................30 5. Fast Re-Authentication .........................................32 5.1. General ...................................................32 5.2. Comparison to AKA .........................................33 5.3. Fast Re-Authentication Identity ...........................33 5.4. Fast Re-Authentication Procedure ..........................35 5.5. Fast Re-Authentication Procedure when Counter is Too Small .................................................37 6. EAP-AKA Notifications ..........................................38 6.1. General ...................................................38 6.2. Result Indications ........................................39 6.3. Error Cases ...............................................40 6.3.1. Peer Operation .....................................41 6.3.2. Server Operation ...................................41 6.3.3. EAP-Failure ........................................42 6.3.4. EAP-Success ........................................42 7. Key Generation .................................................43 8. Message Format and Protocol Extensibility ......................45 8.1. Message Format ............................................45 8.2. Protocol Extensibility ....................................47 9. Messages .......................................................48 9.1. EAP-Request/AKA-Identity ..................................48 9.2. EAP-Response/AKA-Identity .................................48Show full document text