Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')
RFC 5448
Document | Type |
RFC - Informational
(May 2009; No errata)
Updates RFC 4187
Was draft-arkko-eap-aka-kdf (individual in gen area)
|
|
---|---|---|---|
Authors | Jari Arkko , Vesa Lehtovirta , Pasi Eronen | ||
Last updated | 2018-12-20 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 5448 (Informational) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | (None) |
Network Working Group J. Arkko Request for Comments: 5448 V. Lehtovirta Updates: 4187 Ericsson Category: Informational P. Eronen Nokia May 2009 Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA') Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract This specification defines a new EAP method, EAP-AKA', which is a small revision of the EAP-AKA (Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement) method. The change is a new key derivation function that binds the keys derived within the method to the name of the access network. The new key derivation mechanism has been defined in the 3rd Generation Partnership Project (3GPP). This specification allows its use in EAP in an interoperable manner. In addition, EAP-AKA' employs SHA-256 instead of SHA-1. This specification also updates RFC 4187, EAP-AKA, to prevent bidding down attacks from EAP-AKA'. Arkko, et al. Informational [Page 1] RFC 5448 EAP-AKA' May 2009 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . . 10 3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . . 12 3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . . 13 4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 14 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5.1. Security Properties of Binding Network Names . . . . . . . 18 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 6.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . . 19 6.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 19 6.3. Key Derivation Function Namespace . . . . . . . . . . . . 19 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 9.1. Normative References . . . . . . . . . . . . . . . . . . . 20 9.2. Informative References . . . . . . . . . . . . . . . . . . 21 Appendix A. Changes from RFC 4187 . . . . . . . . . . . . . . . . 23 Appendix B. Importance of Explicit Negotiation . . . . . . . . . 23 Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 24 1. Introduction This specification defines a new Extensible Authentication Protocol (EAP)[RFC3748] method, EAP-AKA', which is a small revision of the EAP-AKA method originally defined in [RFC4187]. What is new in EAP- AKA' is that it has a new key derivation function, specified in [3GPP.33.402]. This function binds the keys derived within the method to the name of the access network. This limits the effects of compromised access network nodes and keys. This specification defines the EAP encapsulation for AKA when the new key derivation mechanism is in use. 3GPP has defined a number of applications for the revised AKA mechanism, some based on native encapsulation of AKA over 3GPP radio access networks and others based on the use of EAP. For making the new key derivation mechanisms usable in EAP-AKA, additional protocol mechanisms are necessary. Given that RFC 4187 calls for the use of CK (the encryption key) and IK (the integrity key) from AKA, existing implementations continue to use these. Any Arkko, et al. Informational [Page 2]Show full document text