Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')
RFC 5448
Document Type RFC - Informational (May 2009; No errata)
Updates RFC 4187
Was draft-arkko-eap-aka-kdf (individual in gen area)
Authors Jari Arkko  , Vesa Lehtovirta  , Pasi Eronen 
Last updated 2018-12-20
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5448 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors IPR 1 References Referenced by Nits 
Network Working Group                                           J. Arkko
Request for Comments: 5448                                 V. Lehtovirta
Updates: 4187                                                   Ericsson
Category: Informational                                        P. Eronen
                                                                   Nokia
                                                                May 2009

        Improved Extensible Authentication Protocol Method for
       3rd Generation Authentication and Key Agreement (EAP-AKA')

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This specification defines a new EAP method, EAP-AKA', which is a
   small revision of the EAP-AKA (Extensible Authentication Protocol
   Method for 3rd Generation Authentication and Key Agreement) method.
   The change is a new key derivation function that binds the keys
   derived within the method to the name of the access network.  The new
   key derivation mechanism has been defined in the 3rd Generation
   Partnership Project (3GPP).  This specification allows its use in EAP
   in an interoperable manner.  In addition, EAP-AKA' employs SHA-256
   instead of SHA-1.

   This specification also updates RFC 4187, EAP-AKA, to prevent bidding
   down attacks from EAP-AKA'.

Arkko, et al.                Informational                      [Page 1]
RFC 5448                        EAP-AKA'                        May 2009

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Requirements Language  . . . . . . . . . . . . . . . . . . . .  3
   3.  EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     3.1.  AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.3.  Key Generation . . . . . . . . . . . . . . . . . . . . . . 10
     3.4.  Hash Functions . . . . . . . . . . . . . . . . . . . . . . 12
       3.4.1.  PRF' . . . . . . . . . . . . . . . . . . . . . . . . . 12
       3.4.2.  AT_MAC . . . . . . . . . . . . . . . . . . . . . . . . 13
       3.4.3.  AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . . 13
   4.  Bidding Down Prevention for EAP-AKA  . . . . . . . . . . . . . 14
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
     5.1.  Security Properties of Binding Network Names . . . . . . . 18
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 19
     6.1.  Type Value . . . . . . . . . . . . . . . . . . . . . . . . 19
     6.2.  Attribute Type Values  . . . . . . . . . . . . . . . . . . 19
     6.3.  Key Derivation Function Namespace  . . . . . . . . . . . . 19
   7.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 20
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 20
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 21
   Appendix A.  Changes from RFC 4187 . . . . . . . . . . . . . . . . 23
   Appendix B.  Importance of Explicit Negotiation  . . . . . . . . . 23
   Appendix C.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 24

1.  Introduction

   This specification defines a new Extensible Authentication Protocol
   (EAP)[RFC3748] method, EAP-AKA', which is a small revision of the
   EAP-AKA method originally defined in [RFC4187].  What is new in EAP-
   AKA' is that it has a new key derivation function, specified in
   [3GPP.33.402].  This function binds the keys derived within the
   method to the name of the access network.  This limits the effects of
   compromised access network nodes and keys.  This specification
   defines the EAP encapsulation for AKA when the new key derivation
   mechanism is in use.

   3GPP has defined a number of applications for the revised AKA
   mechanism, some based on native encapsulation of AKA over 3GPP radio
   access networks and others based on the use of EAP.

   For making the new key derivation mechanisms usable in EAP-AKA,
   additional protocol mechanisms are necessary.  Given that RFC 4187
   calls for the use of CK (the encryption key) and IK (the integrity
   key) from AKA, existing implementations continue to use these.  Any

Arkko, et al.                Informational                      [Page 2]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools