Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding
RFC 7029
Internet Engineering Task Force (IETF) S. Hartman
Request for Comments: 7029 M. Wasserman
Category: Informational Painless Security
ISSN: 2070-1721 D. Zhang
Huawei
October 2013
Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding
Abstract
As the Extensible Authentication Protocol (EAP) evolves, EAP peers
rely increasingly on information received from the EAP server. EAP
extensions such as channel binding or network posture information are
often carried in tunnel methods; peers are likely to rely on this
information. Cryptographic binding is a facility described in RFC
3748 that protects tunnel methods against man-in-the-middle attacks.
However, cryptographic binding focuses on protecting the server
rather than the peer. This memo explores attacks possible when the
peer is not protected from man-in-the-middle attacks and recommends
cryptographic binding based on an Extended Master Session Key, a new
form of cryptographic binding that protects both peer and server
along with other mitigations.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7029.
Hartman, et al. Informational [Page 1]
RFC 7029 Mutual Crypto Binding October 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Keywords for Requirement Levels ............................5
2. An Example Problem ..............................................5
3. The Server Insertion Attack .....................................6
3.1. Conditions for the Attack ..................................7
3.2. Mitigation Strategies ......................................8
3.2.1. Server Authentication ...............................8
3.2.2. Server Policy .......................................9
3.2.3. Existing Cryptographic Binding .....................12
3.2.4. Introducing EMSK-Based Cryptographic Binding .......12
3.2.5. Mix Key into Long-Term Credentials .................14
3.3. Intended Intermediates ....................................14
4. Recommendations ................................................15
4.1. Mutual Cryptographic Binding ..............................15
4.2. State Tracking ............................................15
4.3. Certificate Naming ........................................16
4.4. Inner Mixing ..............................................16
5. Survey of Tunnel Methods .......................................16
5.1. Tunnel EAP (TEAP) Method ..................................16
5.2. Flexible Authentication via Secure Tunneling (FAST) .......17
5.3. EAP Tunneled Transport Layer Security (EAP-TTLS) ..........17
6. Security Considerations ........................................17
7. Acknowledgements ...............................................18
8. References .....................................................18
8.1. Normative References ......................................18
8.2. Informative References ....................................18
Hartman, et al. Informational [Page 2]
RFC 7029 Mutual Crypto Binding October 2013
1. Introduction
The Extensible Authentication Protocol (EAP) [RFC3748] provides
Show full document text