[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 RFC 4017

Network Working Group                                    Dorothy Stanley
INTERNET-DRAFT                                                     Agere
Category: Informational                                     Jesse Walker
<draft-walker-ieee802-req-03.txt>                      Intel Corporation
7 August 2004                                              Bernard Aboba
                                                   Microsoft Corporation


               EAP Method Requirements for Wireless LANs

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 2, 2005.

Copyright Notice

   Copyright (C) The Internet Society 2004.  All rights reserved.

Abstract

   The IEEE 802.11i MAC Security Enhancements Amendment makes use of
   IEEE 802.1X which in turn relies on the Extensible Authentication
   Protocol (EAP).  This document defines requirements for EAP methods
   used in IEEE 802.11 wireless LAN deployments.  The material in this
   document has been approved by IEEE 802.11 and it is being presented
   as an IETF RFC for informational purposes.






Stanley, et al.               Informational                     [Page 1]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


Table of Contents

1.     Introduction ..........................................    3
   1.1       Requirements Specification ......................    3
   1.2       Terminology .....................................    3
2.     Method Requirements ...................................    4
   2.1       Credential Types ................................    4
   2.2       Mandatory Requirements ..........................    5
   2.3       Recommended Requirements ........................    6
   2.4       Optional Features ...............................    6
   2.5       Non-compliant EAP Authentication Methods ........    6
3.     Security Considerations ...............................    6
4.     References ............................................    8
   4.1       Normative References ............................    8
   4.2       Informative References ..........................    9
Acknowledgments ..............................................   10
Authors' Addresses ...........................................   10
Intellectual Property Statement ..............................   10
Disclaimer of Validity .......................................   11
Copyright Statement ..........................................   11































Stanley, et al.               Informational                     [Page 2]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


1.  Introduction

   The IEEE 802.11i MAC Security Enhancements Amendment [IEEE802.11i]
   makes use of IEEE 802.1X [IEEE802.1X] which in turn relies on the
   Extensible Authentication Protocol (EAP), defined in [RFC3748].

   Deployments of IEEE 802.11 wireless LANs today are based on EAP, and
   use several EAP methods, including EAP-TLS [RFC2716], EAP-TTLS
   [TTLS], PEAP [PEAP] and EAP-SIM [SIM].  These methods support
   authentication credentials that include digital certificates, user-
   names and passwords, secure tokens, and SIM secrets.

   This document defines requirements for EAP methods used in IEEE
   802.11 wireless LAN deployments.  EAP methods claiming conformance to
   the IEEE 802.11 EAP method requirements for wireless LANs must
   complete IETF last call review.

1.1.  Requirements Specification

   In this document, several words are used to signify the requirements
   of the specification.  The key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

   An EAP authentication method is not compliant with this specification
   if it fails to satisfy one or more of the MUST or MUST NOT
   requirements.  An EAP authentication method that satisfies all the
   MUST, MUST NOT, SHOULD and SHOULD NOT requirements is said to be
   "unconditionally compliant"; one that satisfies all the MUST and MUST
   NOT requirements but not all the SHOULD or SHOULD NOT requirements is
   said to be "conditionally compliant".

1.2.  Terminology

authenticator
     The end of the link initiating EAP authentication. The term
     authenticator is used in [IEEE-802.1X], and authenticator has the
     same meaning in this document.

peer The end of the link that responds to the authenticator. In
     [IEEE802.1X], this end is known as the supplicant.

Supplicant
     The end of the link that responds to the authenticator in
     [IEEE802.1X].





Stanley, et al.               Informational                     [Page 3]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


backend authentication server
     A backend authentication server is an entity that provides an
     authentication service to an authenticator.  When used, this server
     typically executes EAP methods for the authenticator.  This
     terminology is also used in [IEEE802.1X].

EAP server
     The entity that terminates the EAP authentication method with the
     peer.  In the case where no backend authentication server is used,
     the EAP server is part of the authenticator.  In the case where the
     authenticator operates in pass-through mode, the EAP server is
     located on the backend authentication server.

Master Session Key (MSK)
     Keying material that is derived between the EAP peer and server and
     exported by the EAP method.  The MSK is at least 64 octets in
     length.  In existing implementations a AAA server acting as an EAP
     server transports the MSK to the authenticator.

Extended Master Session Key (EMSK)
     Additional keying material derived between the EAP client and
     server that is exported by the EAP method.  The EMSK is at least 64
     octets in length.  The EMSK is not shared with the authenticator or
     any other third party.  The EMSK is reserved for future uses that
     are not defined yet.

4-Way Handshake
     A pairwise Authentication and Key Management Protocol (AKMP)
     defined in [IEEE802.11i], which confirms mutual possession of a
     Pairwise Master Key by two parties and distributes a Group Key.

2.  Method Requirements

2.1.  Credential Types

   The IEEE 802.11i MAC Security Enhancements Amendment requires that
   EAP authentication methods are available.  Wireless LAN deployments
   are expected to use different credentials types, including digital
   certificates, user-names and passwords, existing secure tokens, and
   mobile network credentials (GSM and UMTS secrets).  Other credential
   types that may be used include public/private key (without
   necessarily requiring certificates), and asymmetric credential
   support (such as password on one side, public/private key on the
   other).







Stanley, et al.               Informational                     [Page 4]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


2.2.  Mandatory Requirements

   EAP authentication methods suitable for use in wireless LAN
   authentication MUST satisfy the following criteria:

[1]  Generation of symmetric keying material.  This corresponds to the
     "Key derivation" security claim defined in [RFC3748], Section
     7.2.1.

[2]  Key strength.  An EAP method suitable for use with IEEE 802.11 MUST
     be capable of generating keying material with 128-bits of effective
     key strength, as defined in [RFC3748] Section 7.2.1.  As noted in
     [RFC3748] Section 7.10, an EAP method supporting key derivation
     MUST export a Master Session Key (MSK) of at least 64 octets, and
     an Extended Master Session Key (EMSK) of at least 64 octets.

[3]  Mutual authentication support.  This corresponds to the "Mutual
     authentication" security claim defined in [RFC3748], Section 7.2.1.

[4]  Shared state equivalence.  The shared EAP method state of the EAP
     peer and server must be equivalent when the EAP method completes
     successfully on both sides.  This includes the internal state of
     the authentication protocol but not the state external to the EAP
     method,  such as the negotiation occurring prior to initiation of
     the EAP method.  The exact state attributes that are shared may
     vary from method to method but typically include the method version
     number, what credentials were presented and accepted by both
     parties, what cryptographic keys are shared and what EAP method
     specific attributes were negotiated, such as ciphersuites and
     limitations of usage on all protocol state.  Both parties must be
     able to distinguish this instance of the protocol from all other
     instances of the protocol and they must share the same view of
     which state attributes are public and which are private to the two
     parties alone.

[5]  Resistance to dictionary attacks.  This corresponds to the
     "Dictionary attack resistance" security claim defined in [RFC3748],
     Section 7.2.1.

[6]  Protection against man-in-the-middle attacks.  This corresponds to
     the "Cryptographic binding", "Integrity protection", "Replay
     protection", and "Session independence" security claims defined in
     [RFC3748], Section 7.2.1.

[7]  Protected ciphersuite negotiation.  If the method negotiates the
     ciphersuite used to protect the EAP conversation, then it MUST
     support the "Protected ciphersuite negotiation" security claim
     defined in [RFC3748], Section 7.2.1.



Stanley, et al.               Informational                     [Page 5]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


2.3.  Recommended Requirements

   EAP authentication methods used for wireless LAN authentication
   SHOULD support the following features:

[8]  Fragmentation.  This implies support for the "Fragmentation" claim
     defined in [RFC3748], Section 7.2.1.  [RFC3748] Section 3.1 states:
     "EAP methods can assume a minimum EAP MTU of 1020 octets, in the
     absence of other information.  EAP methods SHOULD include support
     for fragmentation and reassembly if their payloads can be larger
     than this minimum EAP MTU."

[9]  End-user identity hiding.  This corresponds to the
     "Confidentiality" security claim defined in [RFC3748], Section
     7.2.1.

2.4.  Optional Features

   EAP authentication methods used for wireless LAN authentication MAY
   support the following features:

[10] Channel binding.  This corresponds to the "Channel binding"
     security claim defined in [RFC3748], Section 7.2.1.

[11] Fast reconnect.  This corresponds to the "Fast reconnect" security
     claim defined in [RFC3748], Section 7.2.1.

2.5.  Non-compliant EAP Authentication Methods

   EAP-MD5-Challenge (the current mandatory-to-implement EAP
   authentication method), is defined in [RFC3748] Section 5.4.  As
   defined in [RFC3748], EAP-MD5-Challenge, One-Time Password (Section
   5.5) and Generic Token Card (Section 5.6) are non-compliant with the
   requirements specified in this document.  As noted in [RFC3748],
   these methods do not support any of the mandatory requirements
   defined in Section 2.2 including key derivation, or mutual
   authentication.  In addition, these methods do not support any of the
   recommended features defined in Section 2.3 or any of the optional
   features defined in Section 2.4.

3.  Security Considerations

   Within [IEEE802.11i], EAP is used for both authentication and key
   exchange between the EAP peer and server.  Given that wireless local
   area networks provide ready access to an attacker within range, EAP
   usage within [IEEE802.11i] is subject to the threats outlined in
   [RFC3748] Section 7.1.  Security considerations relating to EAP are
   discussed in [RFC3748] Sections 7; where an authentication server is



Stanley, et al.               Informational                     [Page 6]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


   utilized, the security considerations described in [RFC3579], Section
   4 will apply.

   The system security properties required to address the threats
   described in [RFC3748] Section 7.1 are noted in [Housley56].  In the
   material below, the requirements articulated in [Housley56] are
   listed, along with the corresponding recommendations.

Algorithm independence
     Requirement: "Wherever cryptographic algorithms are chosen, the
     algorithms must be negotiable, in order to provide resilience
     against compromise of a particular cryptographic algorithm."

     This issue is addressed by mandatory requirement [7] in Section
     2.2.  Algorithm independence is one of the EAP invariants described
     in [KEYFRAME].

Strong, fresh session keys
     Requirement: "Session keys must be demonstrated to be strong and
     fresh in all circumstances, while at the same time retaining
     algorithm independence."

     Key strength is addressed by mandatory requirement [Section 7.2.1. As noted in [RFC3748] Section 7.10">2] in Section
     2.2.  Recommendations for ensuring the Freshness of keys derived by
     EAP methods are discussed in [RFC3748], Section 7.10.

Replay protection
     Requirement: "All protocol exchanges must be replay protected."

     This is addressed by mandatory requirement [6] in Section 2.2.

Authentication
     Requirement: "All parties need to be authenticated."

     Mutual authentication is required as part of mandatory requirement
     [3] in Section 2.2.  The confidentiality of the authenticator must
     be maintained.  Identity protection is a recommended capability,
     described in requirement [9] in Section 2.3.  No plaintext
     passwords are allowed.  EAP does not support plaintext passwords,
     as noted in [RFC3748] Section 7.14.

Authorization
     Requirement: "EAP peer and authenticator authorization must be
     performed."

     Issues relating to authorization are discussed in [RFC3748] Section
     7.15, and [RFC3579] Section 4.3.7.




Stanley, et al.               Informational                     [Page 7]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


Session keys
     Requirement: "Confidentiality of session keys must be maintained."

     Issues relating to Key Derivation are described in [RFC3748]
     Section 7.10, as well as in [KEYFRAME].

Ciphersuite negotiation
     Requirement: "The selection of the "best" ciphersuite must be
     securely confirmed."

     This is addressed in mandatory requirement [7] in Section 2.2.

Unique naming
     Requirement: "Session keys must be uniquely named."

     Key naming issues are addressed in [KEYFRAME].

Domino effect
     Requirement: "Compromise of a single authenticator cannot
     compromise any other part of the system, including session keys and
     long-term secrets."

     This issue is addressed by mandatory requirement [6] in Section
     2.2.

Key binding
     Requirement: "The key must be bound to the appropriate context."

     This issue is addressed in optional requirement [10] in Section
     2.4.  Channel binding is also discussed in Section 7.15 of
     [RFC3748].

4.  References

4.1.  Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", RFC 2119, March, 1997.

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial
          In User Service) Support For Extensible Authentication
          Protocol (EAP)", RFC 3579, September 2003.

[RFC3748] Aboba, B., et al., "Extensible Authentication Protocol (EAP)",
          RFC 3748, June 2004.

[802.11]  Information technology - Telecommunications and information
          exchange between systems - Local and metropolitan area



Stanley, et al.               Informational                     [Page 8]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


          networks - Specific Requirements Part 11:  Wireless LAN Medium
          Access Control (MAC) and Physical Layer (PHY) Specifications,
          IEEE Std. 802.11-2003, 2003.

[IEEE802.1X]
          IEEE Standards for Local and Metropolitan Area Networks: Port
          based Network Access Control, IEEE Std 802.1X-2004,  August
          2004.

[IEEE802.11i]
          Institute of Electrical and Electronics Engineers, "Supplement
          to Standard for Telecommunications and Information Exchange
          Between Systems - LAN/MAN Specific Requirements - Part 11:
          Wireless LAN Medium Access Control (MAC) and Physical Layer
          (PHY) Specifications: Specification for Enhanced Security",
          IEEE 802.11i, July 2004.

4.2.  Informative References

[Housley56]
          Housley, R., "Key Management in AAA", Presentation to the AAA
          WG at IETF 56,
          http://www.ietf.org/proceedings/03mar/slides/aaa-5/index.html,
          March 2003.

[RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol",
          RFC 2716, October 1999.

[PEAP]    Palekar, A., et al., "Protected EAP Protocol (PEAP)", draft-
          josefsson-pppext-eap-tls-eap-08.txt, Internet draft (work in
          progress), July 2004.

[TTLS]    Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS Authentication
          Protocol (EAP-TTLS)", draft-ietf-pppext-eap-ttls-05.txt, July
          2004.

[EAPSIM]  Haverinen, H. and J. Salowey, "EAP SIM Authentication", draft-
          haverinen-pppext-eap-sim-13.txt, Internet draft (work in
          progress), April 2004.

[IEEE802] IEEE Standards for Local and Metropolitan Area Networks:
          Overview and Architecture, ANSI/IEEE Std 802, 1990.

[KEYFRAME]
          Aboba, B., et al., "EAP Key Management Framework", draft-ietf-
          eap-keying-03.txt, Internet draft (work in progress), July
          2004.




Stanley, et al.               Informational                     [Page 9]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


Acknowledgments

   The authors would like to acknowledge contributions to this document
   from members of the IEEE 802.11i Task Group, including Russ Housley
   of Vigil Security, David Nelson of Enterasys Networks and Clint
   Chaplin of Symbol Technologies, as well as members of the EAP WG
   including Joe Salowey of Cisco Systems, Pasi Eronen of Nokia, Jari
   Arkko of Ericsson, and Florent Bersani of France Telecom.

Authors' Addresses

   Dorothy Stanley
   Agere Systems
   2000 North Naperville Rd.
   Naperville, IL 60566

   EMail: dstanley@agere.com
   Phone: +1 630 979 1572

   Jesse R. Walker
   Intel Corporation
   2111 N.E. 25th Avenue
   Hillsboro, OR  97214

   EMail: jesse.walker@intel.com

   Bernard Aboba
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   EMail: bernarda@microsoft.com
   Phone: +1 425 706 6605
   Fax:   +1 425 936 7329

Intellectual Property Statement

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document. For more information consult the online list of claimed
   rights.

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information



Stanley, et al.               Informational                    [Page 10]

INTERNET-DRAFT         EAP Method Reqts. for WLAN          7 August 2004


   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Open issues

   Open issues relating to this specification are tracked on the
   following web site:

   http://www.drizzle.com/~aboba/EAP/eapissues.html













Stanley, et al.               Informational                    [Page 11]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/