draft-ietf-emu-eap-tls13-04.txt   draft-ietf-emu-eap-tls13-05.txt 
Network Working Group J. Mattsson Network Working Group J. Mattsson
Internet-Draft M. Sethi Internet-Draft M. Sethi
Updates: 5216 (if approved) Ericsson Updates: 5216 (if approved) Ericsson
Intended status: Standards Track March 11, 2019 Intended status: Standards Track May 26, 2019
Expires: September 12, 2019 Expires: November 27, 2019
Using EAP-TLS with TLS 1.3 Using EAP-TLS with TLS 1.3
draft-ietf-emu-eap-tls13-04 draft-ietf-emu-eap-tls13-05
Abstract Abstract
This document specifies the use of EAP-TLS with TLS 1.3 while This document specifies the use of EAP-TLS with TLS 1.3 while
remaining backwards compatible with existing implementations of EAP- remaining backwards compatible with existing implementations of EAP-
TLS. TLS 1.3 provides significantly improved security, privacy, and TLS. TLS 1.3 provides significantly improved security, privacy, and
reduced latency when compared to earlier versions of TLS. EAP-TLS reduced latency when compared to earlier versions of TLS. EAP-TLS
with TLS 1.3 further improves security and privacy by mandating use with TLS 1.3 further improves security and privacy by mandating use
of privacy and revocation checking. This document updates RFC 5216. of privacy and revocation checking. This document updates RFC 5216.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on November 27, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 13
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements and Terminology . . . . . . . . . . . . . . 3 1.1. Requirements and Terminology . . . . . . . . . . . . . . 3
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Overview of the EAP-TLS Conversation . . . . . . . . . . 4 2.1. Overview of the EAP-TLS Conversation . . . . . . . . . . 4
2.1.1. Base Case . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1. Mutual Authentication . . . . . . . . . . . . . . . . 4
2.1.2. Resumption . . . . . . . . . . . . . . . . . . . . . 7 2.1.2. Termination . . . . . . . . . . . . . . . . . . . . . 5
2.1.3. Termination . . . . . . . . . . . . . . . . . . . . . 9 2.1.3. No Peer Authentication . . . . . . . . . . . . . . . 8
2.1.4. Privacy . . . . . . . . . . . . . . . . . . . . . . . 13 2.1.4. Hello Retry Request . . . . . . . . . . . . . . . . . 9
2.1.5. Fragmentation . . . . . . . . . . . . . . . . . . . . 14 2.1.5. Ticket Establishment . . . . . . . . . . . . . . . . 10
2.2. Identity Verification . . . . . . . . . . . . . . . . . . 15 2.1.6. Resumption . . . . . . . . . . . . . . . . . . . . . 11
2.3. Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . 15 2.1.7. Privacy . . . . . . . . . . . . . . . . . . . . . . . 13
2.4. Parameter Negotiation and Compliance Requirements . . . . 16 2.1.8. Fragmentation . . . . . . . . . . . . . . . . . . . . 13
2.5. EAP State Machines . . . . . . . . . . . . . . . . . . . 17 2.2. Identity Verification . . . . . . . . . . . . . . . . . . 14
3. Detailed Description of the EAP-TLS Protocol . . . . . . . . 17 2.3. Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . 14
4. IANA considerations . . . . . . . . . . . . . . . . . . . . . 17 2.4. Parameter Negotiation and Compliance Requirements . . . . 15
5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 2.5. EAP State Machines . . . . . . . . . . . . . . . . . . . 16
5.1. Security Claims . . . . . . . . . . . . . . . . . . . . . 18 3. Detailed Description of the EAP-TLS Protocol . . . . . . . . 16
5.2. Peer and Server Identities . . . . . . . . . . . . . . . 18 4. IANA considerations . . . . . . . . . . . . . . . . . . . . . 16
5.3. Certificate Validation . . . . . . . . . . . . . . . . . 18 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
5.4. Certificate Revocation . . . . . . . . . . . . . . . . . 18 5.1. Security Claims . . . . . . . . . . . . . . . . . . . . . 17
5.5. Packet Modification Attacks . . . . . . . . . . . . . . . 19 5.2. Peer and Server Identities . . . . . . . . . . . . . . . 17
5.6. Authorization . . . . . . . . . . . . . . . . . . . . . . 19 5.3. Certificate Validation . . . . . . . . . . . . . . . . . 17
5.7. Resumption . . . . . . . . . . . . . . . . . . . . . . . 20 5.4. Certificate Revocation . . . . . . . . . . . . . . . . . 17
5.8. Privacy Considerations . . . . . . . . . . . . . . . . . 21 5.5. Packet Modification Attacks . . . . . . . . . . . . . . . 18
5.9. Pervasive Monitoring . . . . . . . . . . . . . . . . . . 22 5.6. Authorization . . . . . . . . . . . . . . . . . . . . . . 18
5.10. Discovered Vulnerabilities . . . . . . . . . . . . . . . 23 5.7. Resumption . . . . . . . . . . . . . . . . . . . . . . . 19
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 5.8. Privacy Considerations . . . . . . . . . . . . . . . . . 20
6.1. Normative References . . . . . . . . . . . . . . . . . . 23 5.9. Pervasive Monitoring . . . . . . . . . . . . . . . . . . 21
6.2. Informative references . . . . . . . . . . . . . . . . . 24 5.10. Discovered Vulnerabilities . . . . . . . . . . . . . . . 21
Appendix A. Updated references . . . . . . . . . . . . . . . . . 27 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 27 6.1. Normative References . . . . . . . . . . . . . . . . . . 22
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 27 6.2. Informative references . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 Appendix A. Updated references . . . . . . . . . . . . . . . . . 26
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 26
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
The Extensible Authentication Protocol (EAP), defined in [RFC3748], The Extensible Authentication Protocol (EAP), defined in [RFC3748],
provides a standard mechanism for support of multiple authentication provides a standard mechanism for support of multiple authentication
methods. EAP-Transport Layer Security (EAP-TLS) [RFC5216] specifies methods. EAP-Transport Layer Security (EAP-TLS) [RFC5216] specifies
an EAP authentication method with certificate-based mutual an EAP authentication method with certificate-based mutual
authentication and key derivation utilizing the TLS handshake authentication and key derivation utilizing the TLS handshake
protocol for cryptographic algorithms and protocol version protocol for cryptographic algorithms and protocol version
negotiation, mutual authentication, and establishment of shared negotiation, mutual authentication, and establishment of shared
secret keying material. EAP-TLS is widely supported for secret keying material. EAP-TLS is widely supported for
authentication in IEEE 802.11 [IEEE-802.11] networks (Wi-Fi) using authentication in IEEE 802.11 [IEEE-802.11] networks (Wi-Fi) using
IEEE 802.1X [IEEE-802.1X] and it's the default mechanism for IEEE 802.1X [IEEE-802.1X] and it's the default mechanism for
certificate based authentication in 3GPP 5G [TS.33.501] and MulteFire certificate based authentication in 3GPP 5G [TS.33.501] and MulteFire
[MulteFire] networks. EAP-TLS [RFC5216] references TLS 1.0 [RFC2246] [MulteFire] networks. EAP-TLS [RFC5216] references TLS 1.0 [RFC2246]
and TLS 1.1 [RFC4346], but works perfectly also with TLS 1.2 and TLS 1.1 [RFC4346], but works perfectly also with TLS 1.2
[RFC5246]. [RFC5246]. TLS 1.0 and 1.1 are formally deprecated and prohibited to
negotiate and use [I-D.ietf-tls-oldversions-deprecate].
Weaknesses found in previous versions of TLS, as well as new Weaknesses found in TLS 1.2, as well as new requirements for
requirements for security, privacy, and reduced latency has led to security, privacy, and reduced latency has led to the specification
the development of TLS 1.3 [RFC8446], which in large parts is a of TLS 1.3 [RFC8446], which obsoletes TLS 1.2 [RFC5246]. TLS 1.3 is
complete remodeling of the TLS handshake protocol including a in large parts a complete remodeling of the TLS handshake protocol
different message flow, different handshake messages, different key including a different message flow, different handshake messages,
schedule, different cipher suites, different resumption, and different key schedule, different cipher suites, different
different privacy protection. This means that significant parts of resumption, and different privacy protection. This means that
the normative text in the previous EAP-TLS specification [RFC5216] significant parts of the normative text in the previous EAP-TLS
are not applicable to EAP-TLS with TLS 1.3 (or higher). Therefore, specification [RFC5216] are not applicable to EAP-TLS with TLS 1.3
aspects such as resumption, privacy handling, and key derivation need (or higher). Therefore, aspects such as resumption, privacy
to be appropriately addressed for EAP-TLS with TLS 1.3 (or higher). handling, and key derivation need to be appropriately addressed for
EAP-TLS with TLS 1.3 (or higher).
This document defines how to use EAP-TLS with TLS 1.3 (or higher) and This document defines how to use EAP-TLS with TLS 1.3 (or higher) and
does not change how EAP-TLS is used with older versions of TLS. does not change how EAP-TLS is used with older versions of TLS.
While this document updates EAP-TLS [RFC5216], it remains backwards While this document updates EAP-TLS [RFC5216], it remains backwards
compatible with it and existing implementations of EAP-TLS. This compatible with it and existing implementations of EAP-TLS. This
document only describes differences compared to [RFC5216]. document only describes differences compared to [RFC5216].
In addition to the improved security and privacy offered by TLS 1.3, In addition to the improved security and privacy offered by TLS 1.3,
there are other significant benefits of using EAP-TLS with TLS 1.3. there are other significant benefits of using EAP-TLS with TLS 1.3.
Privacy is mandatory and achieved without any additional round-trips, Privacy is mandatory and achieved without any additional round-trips,
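Review bot: In the Introduction, the added sentence "TLS 1.0 and 1.1 are formally deprecated and prohibited to negotiate and use [I-D.ietf-tls-oldversions-deprecate]" rests a "formally deprecated" claim on a citation that is itself an Internet-Draft, which this document's own boilerplate says may only be cited as work in progress. Suggest softening it to something like "are being deprecated in [I-D.ietf-tls-oldversions-deprecate]", and stating what an EAP-TLS implementation is expected to do as a result, since "prohibited to negotiate and use" names no actor. Two smaller points in the same region: the preceding sentence still says EAP-TLS "works perfectly also with TLS 1.2" while the rewritten paragraph opens with "Weaknesses found in TLS 1.2", and "security, privacy, and reduced latency has led" should read "have led".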
skipping to change at page 4, line 9 skipping to change at page 4, line 9
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Readers are expected to be familiar with the terms and concepts used Readers are expected to be familiar with the terms and concepts used
in EAP-TLS [RFC5216] and TLS [RFC8446]. in EAP-TLS [RFC5216] and TLS [RFC8446].
2. Protocol Overview 2. Protocol Overview
2.1. Overview of the EAP-TLS Conversation 2.1. Overview of the EAP-TLS Conversation
2.1.1. Base Case
TLS 1.3 changes both the message flow and the handshake messages TLS 1.3 changes both the message flow and the handshake messages
compared to earlier versions of TLS. Therefore, much of Section 2.1 compared to earlier versions of TLS. Therefore, much of Section 2.1
of RFC5216 [RFC5216] does not apply for TLS 1.3 (or higher). of [RFC5216] does not apply for TLS 1.3 (or higher).
After receiving an EAP-Request packet with EAP-Type=EAP-TLS as After receiving an EAP-Request packet with EAP-Type=EAP-TLS as
described in [RFC5216] the conversation will continue with the TLS described in [RFC5216] the conversation will continue with the TLS
handshake protocol encapsulated in the data fields of EAP-Response handshake protocol encapsulated in the data fields of EAP-Response
and EAP-Request packets. When EAP-TLS is used with TLS version 1.3 and EAP-Request packets. When EAP-TLS is used with TLS version 1.3
or higher, the formatting and processing of the TLS handshake SHALL or higher, the formatting and processing of the TLS handshake SHALL
be done as specified in that version of TLS. This document only be done as specified in that version of TLS. This document only
lists additional and different requirements, restrictions, and lists additional and different requirements, restrictions, and
processing compared to [RFC8446] and [RFC5216]. processing compared to [RFC8446] and [RFC5216].
2.1.1. Mutual Authentication
The EAP server MUST authenticate with a certificate and SHOULD The EAP server MUST authenticate with a certificate and SHOULD
require the EAP peer to authenticate with a certificate. require the EAP peer to authenticate with a certificate.
Certificates can be of any type supported by TLS including raw public Certificates can be of any type supported by TLS including raw public
keys. Pre-Shared Key (PSK) authentication SHALL NOT be used except keys. Pre-Shared Key (PSK) authentication SHALL NOT be used except
for resumption. SessionID is deprecated in TLS 1.3 and the EAP for resumption. SessionID is deprecated in TLS 1.3 and the EAP
server SHALL ignore the legacy_session_id field if TLS 1.3 is server SHALL ignore the legacy_session_id field if TLS 1.3 is
negotiated. TLS 1.3 introduces early application data; early negotiated. TLS 1.3 introduced early application data which is not
application data SHALL NOT be used with EAP-TLS. Resumption is used in EAP-TLS. A server which receives an "early_data" extension
handled as described in Section 2.1.2. After the TLS handshake has MUST ignore the extension or respond with a HelloRetryRequest as
completed and all Post-Handshake messages have been sent, the EAP described in Section 4.2.10 of [RFC8446]. Resumption is handled as
server sends EAP-Success. described in Section 2.1.6. After the TLS handshake has completed
and all Post-Handshake messages have been sent, the EAP server sends
EAP-Success.
In the case where EAP-TLS with mutual authentication is successful, In the case where EAP-TLS with mutual authentication is successful,
the conversation will appear as shown in Figure 1. The EAP server the conversation will appear as shown in Figure 1. The EAP server
commits to not send any more handshake messages by sending an empty commits to not send any more handshake messages by sending an empty
TLS record, see Section 2.5. TLS record, see Section 2.5.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
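Review bot: In 2.1.1, the early-data change drops the normative requirement on the sender. The old text said "early application data SHALL NOT be used with EAP-TLS"; the new text only describes it ("which is not used in EAP-TLS") and then binds the server alone ("MUST ignore the extension or respond with a HelloRetryRequest"). Suggest keeping an explicit MUST NOT or SHALL NOT on the EAP peer offering "early_data", so that a peer sending it is non-conformant rather than merely ignored. The two general paragraphs that used to sit under "2.1.1. Base Case" now sit directly under 2.1 with no subsection of their own, so check that the cross-references to them still resolve.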
skipping to change at page 5, line 35 skipping to change at page 5, line 35
<-------- TLS empty record) <-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Certificate, (TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
TLS Finished) --------> TLS Finished) -------->
<-------- EAP-Success <-------- EAP-Success
Figure 1: EAP-TLS mutual authentication Figure 1: EAP-TLS mutual authentication
In the case where EAP-TLS is used without peer authentication (e.g., 2.1.2. Termination
emergency services, as described in [RFC7406]) the conversation will
appear as shown in Figure 2. TLS 1.3 changes both the message flow and the handshake messages
compared to earlier versions of TLS. Therefore, some normative text
in Section 2.1.3 of [RFC5216] does not apply for TLS 1.3 or higher.
The two paragraphs below replaces the corresponding paragraphs in
Section 2.1.3 of [RFC5216] when EAP-TLS is used with TLS 1.3 or
higher. The other paragraphs in Section 2.1.3 of [RFC5216] still
apply with the exception that SessionID is deprecated.
If the EAP server authenticates successfully, the EAP peer MUST
send an EAP-Response message with EAP-Type=EAP-TLS containing TLS
records conforming to the version of TLS used.
If the EAP peer authenticates successfully, the EAP server MUST
send an EAP-Request packet with EAP-Type=EAP-TLS containing TLS
records conforming to the version of TLS used. The message flow
ends with the EAP server sending an EAP-Success message.
Figures 2, 3, and 4 illustrate message flows in several cases where
the EAP peer or EAP server sends a TLS fatal alert message. TLS
warning alerts generally mean that the connection can continue
normally and does not change the message flow. Note that the party
receiving a TLS warning alert may choose to terminate the connection
by sending a TLS fatal alert, which may add an extra round-trip, see
[RFC8446].
In the case where the server rejects the ClientHello, the
conversation will appear as shown in Figure 2.
EAP Peer EAP Server
EAP-Request/
<-------- Identity
EAP-Response/
Identity (Privacy-Friendly) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS ClientHello) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Fatal Alert)
EAP-Response/
EAP-Type=EAP-TLS -------->
<-------- EAP-Failure
Figure 2: EAP-TLS server rejection of ClientHello
In the case where server authentication is unsuccessful, the
conversation will appear as shown in Figure 3.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS CertificateRequest,
TLS Certificate, TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
TLS Finished, TLS Finished,
<-------- TLS empty record) <-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Finished) --------> (TLS Fatal Alert)
<-------- EAP-Success -------->
<-------- EAP-Failure
Figure 2: EAP-TLS without peer authentication
When using EAP-TLS with TLS 1.3, the EAP server MUST indicate support Figure 3: EAP-TLS unsuccessful server authentication
of resumption in the initial authentication. To indicate support of
resumption, the EAP server sends a NewSessionTicket message
(containing a PSK and other parameters) after it has received the
Finished message.
In the case where EAP-TLS with mutual authentication and ticket In the case where the server authenticates to the peer successfully,
establishment is successful, the conversation will appear as shown in but the peer fails to authenticate to the server, the conversation
Figure 3. will appear as shown in Figure 4.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
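Review bot: In 2.1.2, the second replacement paragraph says that when the EAP peer authenticates successfully "the EAP server MUST send an EAP-Request packet with EAP-Type=EAP-TLS containing TLS records", but Figure 1 directly above shows EAP-Success following the peer's "TLS Finished" with no further EAP-Request. Either the MUST needs a condition (for example, only when the server still has TLS messages to send) or Figure 1 needs the extra exchange; as written, the figure and the normative text disagree. Minor wording in the same section: "The two paragraphs below replaces" should be "replace", and "TLS warning alerts generally mean ... and does not change" should be "do not change".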
skipping to change at page 7, line 24 skipping to change at page 8, line 25
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS CertificateRequest, TLS CertificateRequest,
TLS Certificate, TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
<-------- TLS Finished) TLS Finished,
<-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Certificate, (TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
TLS Finished) --------> TLS Finished) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS NewSessionTicket, <-------- (TLS Fatal Alert)
<-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS --------> EAP-Type=EAP-TLS -------->
<-------- EAP-Success <-------- EAP-Failure
Figure 3: EAP-TLS ticket establishment
2.1.2. Resumption
TLS 1.3 replaces the session resumption mechanisms in earlier Figure 4: EAP-TLS unsuccessful client authentication
versions of TLS with a new PSK exchange. When EAP-TLS is used with
TLS version 1.3 or higher, EAP-TLS SHALL use a resumption mechanism
compatible with that version of TLS.
For TLS 1.3, resumption is described in Section 2.2 of [RFC8446]. If 2.1.3. No Peer Authentication
the client has received a NewSessionTicket message from the server,
the client can use the PSK identity received in the ticket to
negotiate the use of the associated PSK. If the server accepts it,
then the security context of the new connection is tied to the
original connection and the key derived from the initial handshake is
used to bootstrap the cryptographic state instead of a full
handshake. It is left up to the EAP peer whether to use resumption,
but an EAP peer SHOULD use resumption as long as it has a valid
ticket cached. It is RECOMMENDED that the EAP server accept
resumption as long as the ticket is valid. However, the server MAY
choose to require a full authentication.
A subsequent authentication using resumption, where both sides In the case where EAP-TLS is used without peer authentication (e.g.,
authenticate successfully is shown in Figure 4. emergency services, as described in [RFC7406]) the conversation will
appear as shown in Figure 5.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS Certificate,
TLS CertificateVerify,
TLS Finished, TLS Finished,
<-------- TLS empty record) <-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Finished) --------> (TLS Finished) -------->
<-------- EAP-Success <-------- EAP-Success
Figure 4: EAP-TLS resumption Figure 5: EAP-TLS without peer authentication
As specified in Section 2.2 of [RFC8446], the EAP peer SHOULD supply
a "key_share" extension when offering resumption, which allows the
EAP server to decline resumption and continue the handshake as a full
handshake. The message flow in this case is given by Figure 1 or
Figure 3. If the EAP peer did not supply a "key_share" extension
when offering resumption, the EAP server needs to reject the
ClientHello and the EAP peer needs to restart a full handshake. The
message flow in this case is given by Figure 5 followed by Figure 1
or Figure 3.
2.1.3. Termination
TLS 1.3 changes both the message flow and the handshake messages
compared to earlier versions of TLS. Therefore, some normative text
in Section 2.1.3 of RFC 5216 [RFC5216] does not apply for TLS 1.3 or
higher. The two paragraphs below replaces the corresponding
paragraphs in Section 2.1.3 of RFC 5216 [RFC5216] when EAP-TLS is
used with TLS 1.3 or higher. The other paragraphs in Section 2.1.3
of RFC 5216 [RFC5216] still apply with the exception that SessionID
is deprecated.
If the EAP server authenticates successfully, the EAP peer MUST 2.1.4. Hello Retry Request
send an EAP-Response message with EAP-Type=EAP-TLS containing TLS
records conforming to the version of TLS used.
If the EAP peer authenticates successfully, the EAP server MUST TLS 1.3 [RFC8446] defines that TLS servers can send a
send an EAP-Request packet with EAP-Type=EAP-TLS containing TLS HelloRetryRequest message in response to a ClientHello if the server
records conforming to the version of TLS used. The message flow finds an acceptable set of parameters but the initial ClientHello
ends with the EAP server sending an EAP-Success message. does not contain all the needed information to continue the
handshake.
Figures 5, 6, 7, and 8 illustrate message flows in several cases An EAP-TLS peer and server SHOULD support the use of
where the EAP peer or EAP server sends a TLS fatal alert message. HelloRetryRequest message. As noted in Section 4.1.4 of [RFC8446],
TLS warning alerts generally mean that the connection can continue the server MUST provide the supported_versions extensions and SHOULD
normally and does not change the message flow. Note that the party contain the minimal set of extensions necessary for the client to
receiving a TLS warning alert may choose to terminate the connection generate a correct ClientHello pair. A HelloRetryRequest MUST NOT
by sending a TLS fatal alert, which may add an extra round-trip, see contain any extensions that were not first offered by the client in
[RFC8446]. its ClientHello, with the exception of optionally the cookie
extension.
In the case where the server rejects the ClientHello, the The case of a successful EAP-TLS mutual authentication after the
conversation will appear as shown in Figure 5. server has sent a HelloRetryRequest message is shown in Figure 6.
Note the extra round-trip as a result of the HelloRetryRequest.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Fatal Alert) (TLS HelloRetryRequest)
EAP-Response/ <--------
EAP-Type=EAP-TLS -------->
<-------- EAP-Failure
Figure 5: EAP-TLS server rejection of ClientHello
In the case where server authentication is unsuccessful, the
conversation will appear as shown in Figure 6.
EAP Peer EAP Server
EAP-Request/
<-------- Identity
EAP-Response/
Identity (Privacy-Friendly) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS CertificateRequest,
TLS Certificate,
TLS CertificateVerify,
TLS Finished, TLS Finished,
<-------- TLS empty record) <-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Fatal Alert) (TLS Finished) -------->
--------> <-------- EAP-Success
<-------- EAP-Failure
Figure 6: EAP-TLS unsuccessful server authentication Figure 6: EAP-TLS with Hello Retry Request
In the case where the server authenticates to the peer successfully, 2.1.5. Ticket Establishment
but the peer fails to authenticate to the server, the conversation
will appear as shown in Figure 7. When using EAP-TLS with TLS 1.3, the EAP server MUST indicate support
of resumption in the initial authentication. To indicate support of
resumption, the EAP server sends a NewSessionTicket message
(containing a PSK and other parameters) after it has received the
Finished message. The NewSessionTicket message MUST NOT include an
"early_data" extension.
In the case where EAP-TLS with mutual authentication and ticket
establishment is successful, the conversation will appear as shown in
Figure 7.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
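Review bot: In 2.1.4, the text introduces Figure 6 as "a successful EAP-TLS mutual authentication after the server has sent a HelloRetryRequest", but the new flow as rendered here shows the server's second flight as ServerHello, EncryptedExtensions, Finished and the empty record, and the peer answering with Finished only. There is no CertificateRequest, Certificate or CertificateVerify on either side, so the figure depicts neither server nor peer certificate authentication. Suggest restoring those messages after the second ClientHello so the figure matches Figure 1 plus the extra round-trip. In the paragraph above it, "the server MUST provide the supported_versions extensions and SHOULD contain the minimal set of extensions" switches subject mid-sentence; the second clause should be about the HelloRetryRequest message, and "ClientHello pair" and "the use of HelloRetryRequest message" need tidying.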
skipping to change at page 12, line 25 skipping to change at page 11, line 24
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS CertificateRequest, TLS CertificateRequest,
TLS Certificate, TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
TLS Finished, <-------- TLS Finished)
<-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Certificate, (TLS Certificate,
TLS CertificateVerify, TLS CertificateVerify,
TLS Finished) --------> TLS Finished) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Fatal Alert) (TLS NewSessionTicket,
<-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS --------> EAP-Type=EAP-TLS -------->
<-------- EAP-Failure <-------- EAP-Success
Figure 7: EAP-TLS unsuccessful client authentication Figure 7: EAP-TLS ticket establishment
In the case where the client rejects a NewSessionTicket, the 2.1.6. Resumption
conversation will appear as shown in Figure 8.
TLS 1.3 replaces the session resumption mechanisms in earlier
versions of TLS with a new PSK exchange. When EAP-TLS is used with
TLS version 1.3 or higher, EAP-TLS SHALL use a resumption mechanism
compatible with that version of TLS.
For TLS 1.3, resumption is described in Section 2.2 of [RFC8446]. If
the client has received a NewSessionTicket message from the server,
the client can use the PSK identity received in the ticket to
negotiate the use of the associated PSK. If the server accepts it,
then the security context of the new connection is tied to the
original connection and the key derived from the initial handshake is
used to bootstrap the cryptographic state instead of a full
handshake. It is left up to the EAP peer whether to use resumption,
but it is RECOMMENDED that the EAP server accept resumption as long
as the ticket is valid. However, the server MAY choose to require a
full authentication.
A subsequent authentication using resumption, where both sides
authenticate successfully is shown in Figure 8.
EAP Peer EAP Server EAP Peer EAP Server
EAP-Request/ EAP-Request/
<-------- Identity <-------- Identity
EAP-Response/ EAP-Response/
Identity (Privacy-Friendly) --------> Identity (Privacy-Friendly) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
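Review bot: In the new Section 2.1.6, "it is RECOMMENDED that the EAP server accept resumption as long as the ticket is valid" reads as if ticket validity alone were sufficient, while Section 5.7 requires that authorization during resumption be based on cached data and says revocation status may need to be rechecked. Add a pointer to Section 5.7 in this paragraph, or qualify the sentence, so that a server does not accept resumption on ticket validity only. Minor: "where both sides authenticate successfully is shown in Figure 8" needs a comma after "successfully".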
skipping to change at page 13, line 22 skipping to change at page 12, line 29
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
<-------- (TLS Start) <-------- (TLS Start)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ClientHello) --------> (TLS ClientHello) -------->
EAP-Request/ EAP-Request/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS ServerHello, (TLS ServerHello,
TLS EncryptedExtensions, TLS EncryptedExtensions,
TLS CertificateRequest, TLS Finished,
TLS Certificate,
TLS CertificateVerify,
<-------- TLS Finished)
EAP-Response/
EAP-Type=EAP-TLS
(TLS Certificate,
TLS CertificateVerify,
TLS Finished) -------->
EAP-Request/
EAP-Type=EAP-TLS
(TLS NewSessionTicket,
<-------- TLS empty record) <-------- TLS empty record)
EAP-Response/ EAP-Response/
EAP-Type=EAP-TLS EAP-Type=EAP-TLS
(TLS Fatal Alert) (TLS Finished) -------->
--------> <-------- EAP-Success
<-------- EAP-Failure
Figure 8: EAP-TLS client rejection of NewSessionTicket Figure 8: EAP-TLS resumption
2.1.4. Privacy As specified in Section 2.2 of [RFC8446], the EAP peer SHOULD supply
a "key_share" extension when offering resumption, which allows the
EAP server to decline resumption and continue the handshake as a full
handshake. The message flow in case of mutual authentication is
given by Figure 1. If the EAP peer did not supply a "key_share"
extension when offering resumption, the EAP server needs to reject
the ClientHello and the EAP peer needs to restart a full handshake.
The message flow in this case is given by Figure 2 followed by
Figure 1.
Also during resumption, the server can respond with a Hello Retry
Request (see Section 2.1.4) and issue a new ticket (see
Section 2.1.5)
2.1.7. Privacy
TLS 1.3 significantly improves privacy when compared to earlier TLS 1.3 significantly improves privacy when compared to earlier
versions of TLS by forbidding cipher suites without confidentiality versions of TLS by forbidding cipher suites without confidentiality
and encrypting large parts of the TLS handshake including the and encrypting large parts of the TLS handshake including the
certificate messages. certificate messages.
EAP-TLS peer and server implementations supporting TLS 1.3 or higher EAP-TLS peer and server implementations supporting TLS 1.3 or higher
MUST support anonymous NAIs (Network Access Identifiers) (Section 2.4 MUST support anonymous NAIs (Network Access Identifiers) (Section 2.4
in [RFC7542]) and a client supporting TLS 1.3 MUST NOT send its in [RFC7542]) and a client supporting TLS 1.3 MUST NOT send its
username in cleartext in the Identity Response. It is RECOMMENDED to username in cleartext in the Identity Response. It is RECOMMENDED to
use anonymous NAIs, but other privacy-friendly identities (e.g. use anonymous NAIs, but other privacy-friendly identities (e.g.
encrypted usernames) MAY be used. encrypted usernames) MAY be used.
As the certificate messages in TLS 1.3 are encrypted, there is no As the certificate messages in TLS 1.3 are encrypted, there is no
need to send an empty certificate_list or perform a second handshake need to send an empty certificate_list and perform a second handshake
(as needed by EAP-TLS with earlier versions of TLS). When EAP-TLS is for privacy (as needed by EAP-TLS with earlier versions of TLS).
used with TLS version 1.3 or higher the EAP-TLS peer and EAP-TLS When EAP-TLS is used with TLS version 1.3 or higher the EAP-TLS peer
server SHALL follow the processing specified by the used version of and EAP-TLS server SHALL follow the processing specified by the used
TLS. For TLS 1.3 this means that the EAP-TLS peer only sends an version of TLS. For TLS 1.3 this means that the EAP-TLS peer only
empty certificate_list if it does not have an appropriate certificate sends an empty certificate_list if it does not have an appropriate
to send, and the EAP-TLS server MAY treat an empty certificate_list certificate to send, and the EAP-TLS server MAY treat an empty
as a terminal condition. certificate_list as a terminal condition.
EAP-TLS with TLS 1.3 is always used with privacy. This does not add EAP-TLS with TLS 1.3 is always used with privacy. This does not add
any extra round-trips and the message flow with privacy is just the any extra round-trips and the message flow with privacy is just the
normal message flow as shown in Figure 1. normal message flow as shown in Figure 1.
2.1.5. Fragmentation 2.1.8. Fragmentation
Including ContentType and ProtocolVersion a single TLS record may be Including ContentType and ProtocolVersion a single TLS record may be
up to 16387 octets in length. EAP-TLS fragmentation support is up to 16387 octets in length. EAP-TLS fragmentation support is
provided through addition of a flags octet within the EAP-Response provided through addition of a flags octet within the EAP-Response
and EAP-Request packets, as well as a TLS Message Length field of and EAP-Request packets, as well as a TLS Message Length field of
four octets. Unfragmented messages MAY have the L bit set and four octets. Implementations MUST NOT set the L bit in unfragmented
include the length of the message (though this information is messages, but MUST accept unfragmented messages with and without the
redundant). L bit set.
Some EAP implementations and access networks may limit the number of Some EAP implementations and access networks may limit the number of
EAP packet exchanges that can be handled. To avoid fragmentation, it EAP packet exchanges that can be handled. To avoid fragmentation, it
is RECOMMENDED to keep the sizes of client, server, and trust anchor is RECOMMENDED to keep the sizes of client, server, and trust anchor
certificates small and the length of the certificate chains short. certificates small and the length of the certificate chains short.
In addition, it is RECOMMENDED to use mechanisms that reduce the In addition, it is RECOMMENDED to use mechanisms that reduce the
sizes of Certificate messages. sizes of Certificate messages.
While Elliptic Curve Cryptography (ECC) was optional for earlier While Elliptic Curve Cryptography (ECC) was optional for earlier
version of TLS, TLS 1.3 mandates support of ECC (see Section 9 of version of TLS, TLS 1.3 mandates support of ECC (see Section 9 of
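Review bot: The fragmentation text in 2.1.8 changes "Unfragmented messages MAY have the L bit set" to "Implementations MUST NOT set the L bit in unfragmented messages" without stating whether the sender rule applies to every TLS version or only when TLS 1.3 is negotiated. Existing senders that followed the old MAY become non-conformant, so state the scope explicitly; the receiver rule ("MUST accept ... with and without the L bit set") is fine as written. Minor: the new sentence ending "issue a new ticket (see Section 2.1.5)" is missing its final period.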
skipping to change at page 15, line 4 skipping to change at page 14, line 14
signature algorithms, and groups are RECOMMENDED when using EAP-TLS signature algorithms, and groups are RECOMMENDED when using EAP-TLS
with TLS 1.3 or higher. At a 128-bit security level, this reduces with TLS 1.3 or higher. At a 128-bit security level, this reduces
public key sizes from 384 bytes (RSA and DHE) to 32-64 bytes (ECDHE) public key sizes from 384 bytes (RSA and DHE) to 32-64 bytes (ECDHE)
and signatures from 384 bytes (RSA) to 64 bytes (ECDSA and EdDSA). and signatures from 384 bytes (RSA) to 64 bytes (ECDSA and EdDSA).
An EAP-TLS deployment MAY further reduce the certificate sizes by An EAP-TLS deployment MAY further reduce the certificate sizes by
limiting the number of Subject Alternative Names. limiting the number of Subject Alternative Names.
Endpoints SHOULD reduce the sizes of Certificate messages by omitting Endpoints SHOULD reduce the sizes of Certificate messages by omitting
certificates that the other endpoint is known to possess. When using certificates that the other endpoint is known to possess. When using
TLS 1.3, all certificates that specifies a trust anchor may be TLS 1.3, all certificates that specifies a trust anchor may be
omitted (see Section 4.4.2 of [RFC8446]). When using TLS 1.2 or omitted (see Section 4.4.2 of [RFC8446]). When using TLS 1.2, only
earlier, only the self-signed certificate that specifies the root the self-signed certificate that specifies the root certificate
certificate authority may be omitted (see Section 7.4.2 of authority may be omitted (see Section 7.4.2 of [RFC5246]). EAP-TLS
[RFC5246]). EAP-TLS peers and servers SHOULD support and use the peers and servers SHOULD support and use the Cached Information
Cached Information Extension as specified in [RFC7924]. EAP-TLS Extension as specified in [RFC7924]. EAP-TLS peers and servers MAY
peers and servers MAY use other extensions for reducing the sizes of use other extensions for reducing the sizes of Certificate messages,
Certificate messages, e.g. certificate compression e.g. certificate compression [I-D.ietf-tls-certificate-compression].
[I-D.ietf-tls-certificate-compression].
2.2. Identity Verification 2.2. Identity Verification
The identity provided in the EAP-Response/Identity is not The identity provided in the EAP-Response/Identity is not
authenticated by EAP-TLS. Unauthenticated information SHALL NOT be authenticated by EAP-TLS. Unauthenticated information SHALL NOT be
used for accounting purposes or to give authorization. The used for accounting purposes or to give authorization. The
authenticator and the EAP server MAY examine the identity presented authenticator and the EAP server MAY examine the identity presented
in EAP-Response/Identity for purposes such as routing and EAP method in EAP-Response/Identity for purposes such as routing and EAP method
selection. They MAY reject conversations if the identity does not selection. They MAY reject conversations if the identity does not
match their policy. Note that this also applies to resumption, see match their policy. Note that this also applies to resumption, see
Sections 2.1.2, 5.6, and 5.7. Sections 2.1.6, 5.6, and 5.7.
2.3. Key Hierarchy 2.3. Key Hierarchy
TLS 1.3 replaces the TLS pseudorandom function (PRF) used in earlier TLS 1.3 replaces the TLS pseudorandom function (PRF) used in earlier
versions of TLS with HKDF and completely changes the Key Schedule. versions of TLS with HKDF and completely changes the Key Schedule.
The key hierarchies shown in Section 2.3 of [RFC5216] are therefore The key hierarchies shown in Section 2.3 of [RFC5216] are therefore
not correct when EAP-TLS is used with TLS version 1.3 or higher. For not correct when EAP-TLS is used with TLS version 1.3 or higher. For
TLS 1.3 the key schedule is described in Section 7.1 of [RFC8446]. TLS 1.3 the key schedule is described in Section 7.1 of [RFC8446].
When EAP-TLS is used with TLS version 1.3 or higher the Key_Material, When EAP-TLS is used with TLS version 1.3 or higher the Key_Material,
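Review bot: "all certificates that specifies a trust anchor may be omitted" carries a subject-verb disagreement into -05 unchanged; since the next sentence is being edited anyway, change it to "specify". The same edit drops "or earlier" from "When using TLS 1.2 or earlier", which leaves the omission rule unstated for versions below 1.2; if that is intentional, say so once in the document rather than leaving it implicit here. The cross-reference update to "Sections 2.1.6, 5.6, and 5.7" matches the renumbered Resumption section.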
skipping to change at page 16, line 16 skipping to change at page 15, line 29
EMSK = Key_Material(64, 127) EMSK = Key_Material(64, 127)
Enc-RECV-Key = MSK(0, 31) Enc-RECV-Key = MSK(0, 31)
Enc-SEND-Key = MSK(32, 63) Enc-SEND-Key = MSK(32, 63)
RECV-IV = IV(0, 31) RECV-IV = IV(0, 31)
SEND-IV = IV(32, 63) SEND-IV = IV(32, 63)
The use of these keys is specific to the lower layer, as described The use of these keys is specific to the lower layer, as described
[RFC5247]. [RFC5247].
Note that the key derivation MUST use the length values given above. Note that the key derivation MUST use the length values given above.
Where in TLS 1.2 and earlier it was possible to truncate the output While in TLS 1.2 and earlier it was possible to truncate the output
by requesting less data from the TLS-Exporter function, this practice by requesting less data from the TLS-Exporter function, this practice
is not possible with TLS 1.3. If an implementation intends to use is not possible with TLS 1.3. If an implementation intends to use
only part of the output of the TLS-Exporter function, then it MUST only a part of the output of the TLS-Exporter function, then it MUST
ask for the full output, and then only use part of that output. ask for the full output and then only use the desired part. Failure
Failure to do so will result in incorrect values being calculated for to do so will result in incorrect values being calculated for the
the above keying material. above keying material.
By using the TLS exporter, EAP-TLS can use any TLS 1.3 implementation By using the TLS exporter, EAP-TLS can use any TLS 1.3 implementation
without having to extract the Master Secret, ClientHello.random, and without having to extract the Master Secret, ClientHello.random, and
ServerHello.random in a non-standard way. ServerHello.random in a non-standard way.
Other TLS-based EAP methods can perform similar key derivations by
replacing the Type-Code with the value of their EAP type. The Type-
Code is defined to be 1 octet for values smaller than 256, otherwise
it is a 32-bit number (four octets), in network byte order.
Additional discussion of other EAP methods is outside of the scope of
this document.
2.4. Parameter Negotiation and Compliance Requirements 2.4. Parameter Negotiation and Compliance Requirements
TLS 1.3 cipher suites are defined differently than in earlier TLS 1.3 cipher suites are defined differently than in earlier
versions of TLS (see Section B.4 of [RFC8446]), and the cipher suites versions of TLS (see Section B.4 of [RFC8446]), and the cipher suites
discussed in Section 2.4 of [RFC5216] can therefore not be used when discussed in Section 2.4 of [RFC5216] can therefore not be used when
EAP-TLS is used with TLS version 1.3 or higher. The requirements on EAP-TLS is used with TLS version 1.3 or higher.
protocol version and compression given in Section 2.4 of [RFC5216]
still apply.
When EAP-TLS is used with TLS version 1.3 or higher, the EAP-TLS When EAP-TLS is used with TLS version 1.3 or higher, the EAP-TLS
peers and servers MUST comply with the compliance requirements peers and servers MUST comply with the compliance requirements
(mandatory-to-implement cipher suites, signature algorithms, key (mandatory-to-implement cipher suites, signature algorithms, key
exchange algorithms, extensions, etc.) for the TLS version used. For exchange algorithms, extensions, etc.) for the TLS version used. For
TLS 1.3 the compliance requirements are defined in Section 9 of TLS 1.3 the compliance requirements are defined in Section 9 of
[RFC8446]. [RFC8446].
While EAP-TLS does not protect any application data, the negotiated While EAP-TLS does not protect any application data, the negotiated
cipher suites and algorithms MAY be used to secure data as done in cipher suites and algorithms MAY be used to secure data as done in
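Review bot: Section 2.4 loses the sentence "The requirements on protocol version and compression given in Section 2.4 of [RFC5216] still apply" with no replacement, so the section is now silent on both points for peers and servers that still negotiate an earlier TLS version. Either keep the sentence scoped to earlier versions or state where those requirements now live. In the new Type-Code paragraph, the encoding rule ("1 octet for values smaller than 256, otherwise ... a 32-bit number (four octets), in network byte order") is clear, but it would help to say explicitly that the one-octet form is what EAP-TLS itself uses. Minor: "as described [RFC5247]" is missing "in".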
skipping to change at page 19, line 29 skipping to change at page 18, line 29
associated certificate instead of a separate CertificateStatus associated certificate instead of a separate CertificateStatus
message as in [RFC4366]. This enables sending OCSP information for message as in [RFC4366]. This enables sending OCSP information for
all certificates in the certificate chain. all certificates in the certificate chain.
5.5. Packet Modification Attacks 5.5. Packet Modification Attacks
No updates to [RFC5216]. No updates to [RFC5216].
5.6. Authorization 5.6. Authorization
EAP-TLS may be encapsulated in other protocols, such as PPP EAP-TLS is typically encapsulated in other protocols, such as PPP
[RFC1661], RADIUS [RFC2865], Diameter [RFC6733], or PANA [RFC5191]. [RFC1661], RADIUS [RFC2865], Diameter [RFC6733], or PANA [RFC5191].
Systems implementing those protocols interact with EAP-TLS and can The encapsulating protocols can also provide additional, non-EAP
make policy decisions and enforce authorization based on information information to an EAP server. This information can include, but is
from the EAP-TLS exchange. The encapsulating protocols can also not limited to, information about the authenticator, information
provide additional, non-EAP information to the EAP server. This about the EAP peer, or information about the protocol layers above or
information can include, but is not limited to, information about the below EAP (MAC addresses, IP addresses, port numbers, WiFi SSID,
authenticator, information about the EAP peer, or information about etc.). Servers implementing EAP-TLS inside those protocols can make
the protocol layers below EAP (MAC addresses, IP addresses, port policy decisions and enforce authorization based on a combination of
numbers, WiFi SSID, etc.). information from the EAP-TLS exchange and non-EAP information.
As noted in Section 2.2, the identity presented in EAP-Response/ As noted in Section 2.2, the identity presented in EAP-Response/
Identity is not authenticated by EAP-TLS and is therefore trivial for Identity is not authenticated by EAP-TLS and is therefore trivial for
an attacker to forge, modify, or replay. Authorization and an attacker to forge, modify, or replay. Authorization and
accounting MUST be based on authenticated information such as accounting MUST be based on authenticated information such as
information in the certificate or the PSK identity and cached data information in the certificate or the PSK identity and cached data
provisioned for resumption as described in Section 5.7. Note that provisioned for resumption as described in Section 5.7. Note that
the requirements for Network Access Identifiers (NAIs) specified in the requirements for Network Access Identifiers (NAIs) specified in
Section 4 of [RFC7542] still apply and MUST be followed. Section 4 of [RFC7542] still apply and MUST be followed.
Policy decisions are often based on a mixture of information from EAP-TLS servers MAY reject conversations based on non-EAP information
TLS, EAP, and encapsulating protocols. EAP servers MAY reject provided by the encapsulating protocol, for example, if the MAC
conversations based on examining unauthenticated information such as address of the authenticator does not match the expected policy.
an unknown MAC address or an identity provided in in EAP-Response/
Identity that do not match a certain policy.
5.7. Resumption 5.7. Resumption
There are a number of security issues related to resumption that are There are a number of security issues related to resumption that are
not described in [RFC5216]. The problems, guidelines, and not described in [RFC5216]. The problems, guidelines, and
requirements in this section therefore applies to all version of TLS. requirements in this section therefore applies to all version of TLS.
When resumption occurs, it is based on cached information at the TLS When resumption occurs, it is based on cached information at the TLS
layer. As described in Section 2.2, the identity provided in the layer. To perform resumption in a secure way, the EAP-TLS peer and
EAP-Response/Identity is not authenticated by EAP-TLS. EAP-TLS server need to be able to securely retrieve authorization
information such as certificate chains, revocation status, etc. from
To perform resumption in a secure way, the EAP peer and EAP server
need to be able to securely retrieve information such as certificate
chains, revocation status, and other authorization information from
the initial full handshake. We use the term "cached data" to the initial full handshake. We use the term "cached data" to
describe such information. Authorization during resumption MUST be describe such information. Authorization during resumption MUST be
based on such cached data. The resumption MAY be rejected based on based on such cached data.
examining unauthenticated information.
There are two ways to retrieve the needed information. The first There are two ways to retrieve the cached information from the
method is that the TLS server and client caches the information original full handshake. The first method is that the TLS server and
locally, identified by an identifier and secured by the other party client cache the information locally. The cached information is
showing proof-of-position of a key obtained from the initial full identified by an identifier. For TLS versions before 1.3, the
handshake. For TLS versions before 1.3, the identifier can be the identifier can be the session ID, for TLS 1.3, the identifier is the
session ID, for TLS 1.3, the identifier is the PSK identity. The PSK identity. The second method for retrieving cached information is
second method is via [RFC5077], where the TLS server encapsulates the via [RFC5077] or [RFC8446], where the TLS server encapsulates the
information into a ticket and forwards it to the client. The client information into a ticket and sends it to the client. The client can
can subsequently do resumption using the obtained ticket. Note that subsequently do resumption using the obtained ticket. Note that the
the client still needs to cache the information locally. The client still needs to cache the information locally. The following
following requirements apply to both methods. requirements apply to both methods.
If the EAP server or EAP client do not apply any authorization If the EAP server or EAP client do not apply any authorization
policies, they MAY allow resumption where no cached data is policies, they MAY allow resumption where no cached data is
available. In all other cases, they MUST cache data during the available. In all other cases, they MUST cache data during the
initial full authentication to enable resumption. The cached data initial full authentication to enable resumption. The cached data
MUST be sufficient to make authorization decisions during resumption. MUST be sufficient to make authorization decisions during resumption.
If cached data cannot be retrieved in a secure way, resumption MUST If cached data cannot be retrieved in a secure way, resumption MUST
NOT be done. NOT be done.
The above requirements also apply if the EAP server expects some The above requirements also apply if the EAP server expects some
system to perform accounting for the session. Since accounting must system to perform accounting for the session. Since accounting must
be tied to an authenticated identity, and resumption does not supply be tied to an authenticated identity, and resumption does not supply
such an identity, accounting is impossible without access to cached such an identity, accounting is impossible without access to cached
data. data.
Some information such as IP addresses and the identity provided in Information from the EAP-TLS exchange (e.g. the identity provided in
EAP-Response/Identity may change between the initial full handshake EAP-Response/Identity) as well as non-EAP information (e.g. IP
and resumption. This change creates a "Time of check, time of use" addresses) may change between the initial full handshake and
resumption. This change creates a "Time-of-check time-of-use"
(TOCTOU) security vulnerability. A malicious or compromised user (TOCTOU) security vulnerability. A malicious or compromised user
could supply one set of data during the initial authentication, and a could supply one set of data during the initial authentication, and a
different set of data during resumption, potentially leading to them different set of data during resumption, potentially leading to them
obtaining access that they should not have. obtaining access that they should not have.
If any authorization, accounting, or policy decisions were made with If any authorization, accounting, or policy decisions were made with
information that have changed since the initial full handshake and information that have changed between the initial full handshake and
resumption, and if change may lead to a different decision, such resumption, and if change may lead to a different decision, such
decisions MUST be reevaluated. It is RECOMMENDED that authorization, decisions MUST be reevaluated. It is RECOMMENDED that authorization,
accounting, and policy decisions are reevaluated based on the accounting, and policy decisions are reevaluated based on the
information given in the resumption. EAP servers MAY reject information given in the resumption. EAP servers MAY reject
resumption where the information supplied during resumption does not resumption where the information supplied during resumption does not
match the information supplied during the original authentication. match the information supplied during the original authentication.
Where a good decision is unclear, EAP servers SHOULD err on the side Where a good decision is unclear, EAP servers SHOULD reject the
of caution, and therefore reject the resumption. resumption.
Any security policies for authorization and revocation MUST be
followed also for resumption. The EAP client and server MAY need to
recheck the authorization and revocation status of the other party.
The certificates may have been revoked since the initial full
handshake and the authorizations of the other party may have been
reduced.
It is difficult to state the above requirements more precisely. If Any security policies for authorization MUST be followed also for
the EAP server determine that the user is acting maliciously, they resumption. The EAP-TLS client and server MAY need to recheck the
MUST reject the resumption. It's up to each implementation and / or authorization and revocation status of the other party. The
deploymentment of EAP-TLS to determine which information to examine, certificates may have been revoked since the initial full handshake
and which policies to apply. and the authorizations of the other party may have been reduced. If
the cached revocation information is not sufficiently current, the
EAP Peer or EAP Server needs to force a full TLS handshake.
5.8. Privacy Considerations 5.8. Privacy Considerations
[RFC6973] suggests that the privacy considerations of IETF protocols [RFC6973] suggests that the privacy considerations of IETF protocols
be documented. be documented.
TLS 1.3 offers much better privacy than earlier versions of TLS as TLS 1.3 offers much better privacy than earlier versions of TLS as
discussed in Section 2.1.4. In this section, we only discuss the discussed in Section 2.1.7. In this section, we only discuss the
privacy properties of EAP-TLS with TLS 1.3. For privacy properties privacy properties of EAP-TLS with TLS 1.3. For privacy properties
of TLS 1.3 itself, see [RFC8446]. of TLS 1.3 itself, see [RFC8446].
EAP-TLS sends the standard TLS 1.3 handshake messages encapsulated in EAP-TLS sends the standard TLS 1.3 handshake messages encapsulated in
EAP packets. Additionally, the EAP peer sends an identity in the EAP packets. Additionally, the EAP peer sends an identity in the
first EAP-Response. The other fields in the EAP-TLS Request and the first EAP-Response. The other fields in the EAP-TLS Request and the
EAP-TLS Response packets do not contain any cleartext privacy EAP-TLS Response packets do not contain any cleartext privacy
sensitive information. sensitive information.
Tracking of users by eavesdropping on identity responses or Tracking of users by eavesdropping on identity responses or
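Review bot: The new closing sentence of 5.7, "If the cached revocation information is not sufficiently current, the EAP Peer or EAP Server needs to force a full TLS handshake", uses "needs to" where the rest of the section uses BCP 14 keywords, and leaves "sufficiently current" undefined. Make it a MUST (or SHOULD) and tie currency to something an implementation can evaluate, such as the validity period of the cached revocation data. In the same paragraph the MUST now covers only "security policies for authorization" after "and revocation" was dropped, while the following sentence still says the parties MAY need to recheck revocation status; confirm that weakening is intended. The edit also removes "If the EAP server determine that the user is acting maliciously, they MUST reject the resumption", so the only remaining guidance is "SHOULD reject" where a good decision is unclear. Minor: "therefore applies to all version of TLS" and "information that have changed" remain ungrammatical in both versions.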
skipping to change at page 22, line 33 skipping to change at page 21, line 19
to the same user from two identities belonging to different users in to the same user from two identities belonging to different users in
the same realm. This can be achieved, for instance, by using random the same realm. This can be achieved, for instance, by using random
or pseudo-random usernames such as random byte strings or or pseudo-random usernames such as random byte strings or
ciphertexts. Note that the privacy-friendly usernames also MUST NOT ciphertexts. Note that the privacy-friendly usernames also MUST NOT
include substrings that can be used to relate the identity to a include substrings that can be used to relate the identity to a
specific user. Similarly, privacy-friendly username SHOULD NOT be specific user. Similarly, privacy-friendly username SHOULD NOT be
formed by a fixed mapping that stays the same across multiple formed by a fixed mapping that stays the same across multiple
different authentications. different authentications.
An EAP peer with a policy allowing communication with EAP servers An EAP peer with a policy allowing communication with EAP servers
supporting only TLS 1.2 (or lower) without privacy and with a static supporting only TLS 1.2 without privacy and with a static RSA key
RSA key exchange is vulnerable to disclosure of the peer username. exchange is vulnerable to disclosure of the peer username. An active
An active attacker can in this case make the EAP peer believe that an attacker can in this case make the EAP peer believe that an EAP
EAP server supporting TLS 1.3 only supports TLS 1.2 (or lower) server supporting TLS 1.3 only supports TLS 1.2 without privacy. The
without privacy. The attacker can simply impersonate the EAP server attacker can simply impersonate the EAP server and negotiate TLS 1.2
and negotiate TLS 1.2 (or lower) with static RSA key exchange and with static RSA key exchange and send an TLS alert message when the
send an TLS alert message when the EAP peer tries to use privacy by EAP peer tries to use privacy by sending an empty certificate
sending an empty certificate message. Since the attacker message. Since the attacker (impersonating the EAP server) does not
(impersonating the EAP server) does not provide a proof-of-possession provide a proof-of-possession of the private key until the Finished
of the private key until the Finished message when a static RSA key message when a static RSA key exchange is used, an EAP peer may
exchange is used, an EAP peer may inadvertently disclose its identity inadvertently disclose its identity (username) to an attacker.
(username) to an attacker. Therefore, it is RECOMMENDED for EAP Therefore, it is RECOMMENDED for EAP peers to not use EAP-TLS with
peers to not use EAP-TLS with TLS 1.2 (or lower) and RSA based cipher TLS 1.2 and static RSA based cipher suites without privacy.
suites without privacy.
5.9. Pervasive Monitoring 5.9. Pervasive Monitoring
As required by [RFC7258], work on IETF protocols needs to consider As required by [RFC7258], work on IETF protocols needs to consider
the effects of pervasive monitoring and mitigate them when possible. the effects of pervasive monitoring and mitigate them when possible.
Pervasive Monitoring is widespread surveillance of users. By Pervasive Monitoring is widespread surveillance of users. By
encrypting more information and by mandating the use of privacy, TLS encrypting more information and by mandating the use of privacy, TLS
1.3 offers much better protection against pervasive monitoring. In 1.3 offers much better protection against pervasive monitoring. In
addition to the privacy attacks discussed above, surveillance on a addition to the privacy attacks discussed above, surveillance on a
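Review bot: With "(or lower)" removed throughout the downgrade paragraph in 5.8, the closing recommendation now covers only "TLS 1.2 and static RSA based cipher suites without privacy" and says nothing about a peer whose policy still allows earlier versions, where the same username disclosure applies. Add a sentence stating that earlier versions are out of scope or not to be negotiated, or restore the wording. Adding "static" to the recommendation is a good tightening since the attack described depends on the static RSA key exchange. Minor: "send an TLS alert message" should be "a TLS alert message", and "privacy-friendly username SHOULD NOT be formed" should be plural to match the preceding sentence.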
skipping to change at page 23, line 20 skipping to change at page 22, line 4
area and across different access networks. Using information from area and across different access networks. Using information from
EAP-TLS together with information gathered from other protocols EAP-TLS together with information gathered from other protocols
increases the risk of identifying individual users. increases the risk of identifying individual users.
5.10. Discovered Vulnerabilities 5.10. Discovered Vulnerabilities
Over the years, there have been several serious attacks on earlier Over the years, there have been several serious attacks on earlier
versions of Transport Layer Security (TLS), including attacks on its versions of Transport Layer Security (TLS), including attacks on its
most commonly used ciphers and modes of operation. [RFC7457] most commonly used ciphers and modes of operation. [RFC7457]
summarizes the attacks that were known at the time of publishing and summarizes the attacks that were known at the time of publishing and
[RFC7525] provides recommendations for improving the security of [RFC7525] provides recommendations for improving the security of
deployed services that use TLS. However, many of the attacks are deployed services that use TLS. However, many of the attacks are
less serious for EAP-TLS as EAP-TLS only uses the TLS handshake and less serious for EAP-TLS as EAP-TLS only uses the TLS handshake and
does not protect any application data. EAP-TLS implementations does not protect any application data. EAP-TLS implementations
SHOULD mitigate known attacks and follow the recommendations in SHOULD mitigate known attacks and follow the recommendations in
[RFC7525]. The use of TLS 1.3 mitigates most of the known attacks. [RFC7525] and [I-D.ietf-tls-oldversions-deprecate]. The use of TLS
1.3 mitigates most of the known attacks.
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
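Review bot: The SHOULD in 5.10 now points at [I-D.ietf-tls-oldversions-deprecate] as well as [RFC7525], but "follow the recommendations" does not say which part of that draft applies to an EAP-TLS implementation, which the same paragraph notes uses only the TLS handshake. Suggest stating the concrete expectation, for example whether TLS 1.0 and 1.1 may still be negotiated, rather than a blanket pointer to a work-in-progress document.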
skipping to change at page 24, line 46 skipping to change at page 23, line 31
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
6.2. Informative references 6.2. Informative references
[I-D.ietf-tls-certificate-compression] [I-D.ietf-tls-certificate-compression]
Ghedini, A. and V. Vasiliev, "TLS Certificate Ghedini, A. and V. Vasiliev, "TLS Certificate
Compression", draft-ietf-tls-certificate-compression-04 Compression", draft-ietf-tls-certificate-compression-05
(work in progress), October 2018. (work in progress), April 2019.
[I-D.ietf-tls-oldversions-deprecate]
Moriarty, K. and S. Farrell, "Deprecating TLSv1.0 and
TLSv1.1", draft-ietf-tls-oldversions-deprecate-04 (work in
progress), May 2019.
[IEEE-802.11] [IEEE-802.11]
Institute of Electrical and Electronics Engineers, "IEEE Institute of Electrical and Electronics Engineers, "IEEE
Standard for Information technology--Telecommunications Standard for Information technology--Telecommunications
and information exchange between systems Local and and information exchange between systems Local and
metropolitan area networks--Specific requirements - Part metropolitan area networks--Specific requirements - Part
11: Wireless LAN Medium Access Control (MAC) and Physical 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2016 Layer (PHY) Specifications", IEEE Std 802.11-2016
(Revision of IEEE Std 802.11-2012) , December 2016. (Revision of IEEE Std 802.11-2012) , December 2016.
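Review bot: The new [I-D.ietf-tls-oldversions-deprecate] entry is placed under 6.2 Informative references, yet 5.10 cites it inside a SHOULD. Suggest checking whether it belongs under 6.1, or rewording 5.10 so that the requirement does not rest on an informative reference that is still a work in progress.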
skipping to change at page 27, line 5 skipping to change at page 25, line 35
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013, DOI 10.17487/RFC6973, July 2013,
<https://www.rfc-editor.org/info/rfc6973>. <https://www.rfc-editor.org/info/rfc6973>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <https://www.rfc-editor.org/info/rfc7258>. 2014, <https://www.rfc-editor.org/info/rfc7258>.
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/info/rfc7301>.
[RFC7406] Schulzrinne, H., McCann, S., Bajko, G., Tschofenig, H., [RFC7406] Schulzrinne, H., McCann, S., Bajko, G., Tschofenig, H.,
and D. Kroeselberg, "Extensions to the Emergency Services and D. Kroeselberg, "Extensions to the Emergency Services
Architecture for Dealing With Unauthenticated and Architecture for Dealing With Unauthenticated and
Unauthorized Devices", RFC 7406, DOI 10.17487/RFC7406, Unauthorized Devices", RFC 7406, DOI 10.17487/RFC7406,
December 2014, <https://www.rfc-editor.org/info/rfc7406>. December 2014, <https://www.rfc-editor.org/info/rfc7406>.
[RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
Known Attacks on Transport Layer Security (TLS) and Known Attacks on Transport Layer Security (TLS) and
Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457, Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457,
February 2015, <https://www.rfc-editor.org/info/rfc7457>. February 2015, <https://www.rfc-editor.org/info/rfc7457>.
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
2015, <https://www.rfc-editor.org/info/rfc7525>. 2015, <https://www.rfc-editor.org/info/rfc7525>.
[TS.33.501] [TS.33.501]
3GPP, "Security architecture and procedures for 5G 3GPP, "Security architecture and procedures for 5G
System", 3GPP TS 33.501 15.3.1, December 2018. System", 3GPP TS 33.501 15.4.0, March 2019.
Appendix A. Updated references Appendix A. Updated references
All the following references in [RFC5216] are updated as specified All the following references in [RFC5216] are updated as specified
below when EAP-TLS is used with TLS 1.3 or higher. below when EAP-TLS is used with TLS 1.3 or higher.
All references to [RFC2560] are updated with [RFC6960]. All references to [RFC2560] are updated with [RFC6960].
All references to [RFC3280] are updated with [RFC5280]. All references to [RFC3280] are updated with [RFC5280].
All references to [RFC4282] are updated with [RFC7542]. All references to [RFC4282] are updated with [RFC7542].
Acknowledgments Acknowledgments
The authors want to thank Alan DeKok, Ari Keraenen, Bernard Aboba, The authors want to thank Bernard Aboba, Jari Arkko, Alan DeKok, Ari
Eric Rescorla, Jari Arkko, Jim Schaad, Jouni Malinen, and Vesa Keraenen, Jouni Malinen, Oleg Pekar, Eric Rescorla, Jim Schaad, and
Torvinen for comments and suggestions on the draft. Vesa Torvinen for comments and suggestions on the draft.
Contributors Contributors
Alan DeKok, FreeRADIUS Alan DeKok, FreeRADIUS
Authors' Addresses Authors' Addresses
John Mattsson John Mattsson
Ericsson Ericsson
Stockholm 164 40 Stockholm 164 40
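Review bot: The [RFC7301] entry is removed from 6.2 with no replacement. Suggest confirming that no citation of [RFC7301] remains in the body text, since the visible lines do not show where it was cited and a leftover citation would leave a dangling reference.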
 End of changes. 73 change blocks. 
303 lines changed or deleted 310 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/