Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding
RFC 7029
Document Type RFC - Informational (October 2013; No errata)
Last updated 2015-10-14
Replaces draft-hartman-emu-mutual-crypto-bind
Stream IETF
Formats plain text pdf html bibtex
Reviews
GENART Last Call Review: Ready
Stream WG state WG Document
Document shepherd Alan DeKok
Shepherd write-up Show (last changed 2013-07-11)
IESG IESG state RFC 7029 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Sean Turner
IESG note Alan DeKok (aland@deployingradius.com) is the document shepherd.
Send notices to (None)
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IANA Actions
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                        S. Hartman
Request for Comments: 7029                                  M. Wasserman
Category: Informational                                Painless Security
ISSN: 2070-1721                                                 D. Zhang
                                                                  Huawei
                                                            October 2013

 Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding

Abstract

   As the Extensible Authentication Protocol (EAP) evolves, EAP peers
   rely increasingly on information received from the EAP server.  EAP
   extensions such as channel binding or network posture information are
   often carried in tunnel methods; peers are likely to rely on this
   information.  Cryptographic binding is a facility described in RFC
   3748 that protects tunnel methods against man-in-the-middle attacks.
   However, cryptographic binding focuses on protecting the server
   rather than the peer.  This memo explores attacks possible when the
   peer is not protected from man-in-the-middle attacks and recommends
   cryptographic binding based on an Extended Master Session Key, a new
   form of cryptographic binding that protects both peer and server
   along with other mitigations.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7029.

Hartman, et al.               Informational                     [Page 1]
RFC 7029                  Mutual Crypto Binding             October 2013

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Keywords for Requirement Levels ............................5
   2. An Example Problem ..............................................5
   3. The Server Insertion Attack .....................................6
      3.1. Conditions for the Attack ..................................7
      3.2. Mitigation Strategies ......................................8
           3.2.1. Server Authentication ...............................8
           3.2.2. Server Policy .......................................9
           3.2.3. Existing Cryptographic Binding .....................12
           3.2.4. Introducing EMSK-Based Cryptographic Binding .......12
           3.2.5. Mix Key into Long-Term Credentials .................14
      3.3. Intended Intermediates ....................................14
   4. Recommendations ................................................15
      4.1. Mutual Cryptographic Binding ..............................15
      4.2. State Tracking ............................................15
      4.3. Certificate Naming ........................................16
      4.4. Inner Mixing ..............................................16
   5. Survey of Tunnel Methods .......................................16
      5.1. Tunnel EAP (TEAP) Method ..................................16
      5.2. Flexible Authentication via Secure Tunneling (FAST) .......17
      5.3. EAP Tunneled Transport Layer Security (EAP-TTLS) ..........17
   6. Security Considerations ........................................17
   7. Acknowledgements ...............................................18
   8. References .....................................................18
      8.1. Normative References ......................................18
      8.2. Informative References ....................................18

Hartman, et al.               Informational                     [Page 2]
RFC 7029                  Mutual Crypto Binding             October 2013

1.  Introduction

   The Extensible Authentication Protocol (EAP) [RFC3748] provides
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools