1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
|
<pre>Internet Engineering Task Force (IETF) Y. Sheffer
Request for Comments: 6124 Independent
Category: Informational G. Zorn
ISSN: 2070-1721 Network Zen
H. Tschofenig
Nokia Siemens Networks
S. Fluhrer
Cisco
February 2011
<span class="h1">An EAP Authentication Method Based on</span>
<span class="h1">the Encrypted Key Exchange (EKE) Protocol</span>
Abstract
The Extensible Authentication Protocol (EAP) describes a framework
that allows the use of multiple authentication mechanisms. This
document defines an authentication mechanism for EAP called EAP-EKE,
based on the Encrypted Key Exchange (EKE) protocol. This method
provides mutual authentication through the use of a short, easy to
remember password. Compared with other common authentication
methods, EAP-EKE is not susceptible to dictionary attacks. Neither
does it require the availability of public-key certificates.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6124">http://www.rfc-editor.org/info/rfc6124</a>.
<span class="grey">Sheffer, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
<span class="grey">Sheffer, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.1">3.1</a>. Message Flows . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-4">4</a>. Message Formats . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.1">4.1</a>. EAP-EKE Header . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.2">4.2</a>. EAP-EKE Payloads . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-4.2.1">4.2.1</a>. The EAP-EKE-ID Payload . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-4.2.2">4.2.2</a>. The EAP-EKE-Commit Payload . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-4.2.3">4.2.3</a>. The EAP-EKE-Confirm Payload . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-4.2.4">4.2.4</a>. The EAP-EKE-Failure Payload . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-4.3">4.3</a>. Protected Fields . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-4.4">4.4</a>. Encrypted Fields . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-4.5">4.5</a>. Channel Binding Values . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-5">5</a>. Protocol Sequence . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-5.1">5.1</a>. EAP-EKE-Commit/Request . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-5.2">5.2</a>. EAP-EKE-Commit/Response . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-5.3">5.3</a>. EAP-EKE-Confirm/Request . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-5.4">5.4</a>. EAP-EKE-Confirm/Response . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-5.5">5.5</a>. MSK and EMSK . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-6">6</a>. Cryptographic Details . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-6.1">6.1</a>. Generating Keying Material . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-6.2">6.2</a>. Diffie-Hellman Groups . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-6.3">6.3</a>. Mandatory Algorithms . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-7">7</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-8">8</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-8.1">8.1</a>. Cryptographic Analysis . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-8.2">8.2</a>. Diffie-Hellman Group Considerations . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-8.3">8.3</a>. Resistance to Active Attacks . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-8.4">8.4</a>. Identity Protection, Anonymity, and Pseudonymity . . . . . <a href="#page-28">28</a>
<a href="#section-8.5">8.5</a>. Password Processing and Long-Term Storage . . . . . . . . <a href="#page-29">29</a>
<a href="#section-9">9</a>. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-10">10</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-10.1">10.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-10.2">10.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The predominant access method for the Internet today is that of a
human using a username and password to authenticate to a computer
enforcing access control. Proof of knowledge of the password
authenticates the human to the computer.
Typically, these passwords are not stored on a user's computer for
security reasons and must be entered each time the human desires
network access. Therefore, the passwords must be ones that can be
<span class="grey">Sheffer, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
repeatedly entered by a human with a low probability of error. They
will likely not possess high entropy and it may be assumed that an
adversary with access to a dictionary will have the ability to guess
a user's password. It is therefore desirable to have a robust
authentication method that is secure even when used with a weak
password in the presence of a strong adversary.
EAP-EKE is an EAP method [<a href="./rfc3748" title=""Extensible Authentication Protocol (EAP)"">RFC3748</a>] that addresses the problem of
password-based authenticated key exchange, using a possibly weak
password for authentication and to derive an authenticated and
cryptographically strong shared secret. This problem was first
described by Bellovin and Merritt in [<a href="#ref-BM92" title=""Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks"">BM92</a>] and [<a href="#ref-BM93" title=""Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise"">BM93</a>].
Subsequently, a number of other solution approaches have been
proposed, for example [<a href="#ref-JAB96" title=""Strong Password-Only Authenticated Key Exchange"">JAB96</a>], [<a href="#ref-LUC97" title=""Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys"">LUC97</a>], [<a href="#ref-BMP00" title=""Provably Secure Password Authenticated Key Exchange Using Diffie-Hellman"">BMP00</a>], and others.
This proposal is based on the original Encrypted Key Exchange (EKE)
proposal, as described in [<a href="#ref-BM92" title=""Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks"">BM92</a>]. Some of the variants of the
original EKE have been attacked, see e.g., [<a href="#ref-PA97" title=""Number Theoretic Attacks On Secure Password Schemes"">PA97</a>], and improvements
have been proposed. None of these subsequent improvements have been
incorporated into the current protocol. However, we have used only
the subset of [<a href="#ref-BM92" title=""Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks"">BM92</a>] (namely the variant described in <a href="#section-3.1">Section 3.1</a> of
that paper) that has withstood the test of time and is believed
secure as of this writing.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
This document uses Encr(Ke, ...) to denote encrypted information, and
Prot(Ke, Ki, ...) to denote encrypted and integrity protected
information.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Protocol</span>
EAP is a two-party protocol spoken between an EAP peer and an EAP
server (also known as "authenticator"). An EAP method defines the
specific authentication protocol being used by EAP. This memo
defines a particular method and therefore defines the messages sent
between the EAP server and the EAP peer for the purpose of
authentication and key derivation.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Message Flows</span>
A successful run of EAP-EKE consists of three message exchanges: an
Identity exchange, a Commit exchange, and a Confirm exchange. This
is shown in Figure 1.
<span class="grey">Sheffer, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
The peer and server use the EAP-EKE Identity exchange to learn each
other's identities and to agree upon a ciphersuite to use in the
subsequent exchanges. In the Commit exchange, the peer and server
exchange information to generate a shared key and also to bind each
other to a particular guess of the password. In the Confirm
exchange, the peer and server prove liveness and knowledge of the
password by generating and verifying verification data (note that the
second message of the Commit exchange already plays an essential part
in this liveness proof).
+--------+ +--------+
| | EAP-EKE-ID/Request | |
| EAP |<------------------------------------| EAP |
| peer | | server |
| (P) | EAP-EKE-ID/Response | (S) |
| |------------------------------------>| |
| | | |
| | EAP-EKE-Commit/Request | |
| |<------------------------------------| |
| | | |
| | EAP-EKE-Commit/Response | |
| |------------------------------------>| |
| | | |
| | EAP-EKE-Confirm/Request | |
| |<------------------------------------| |
| | | |
| | EAP-EKE-Confirm/Response | |
| |------------------------------------>| |
| | | |
| | EAP-Success | |
| |<------------------------------------| |
+--------+ +--------+
Figure 1: A Successful EAP-EKE Exchange
Schematically, the original exchange as described in [<a href="#ref-BM92" title=""Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks"">BM92</a>] (and with
the roles reversed) is:
Server Peer
------ ----
Encr(Password, y_s) ->
<- Encr(Password, y_p), Encr(SharedSecret, Nonce_P)
Encr(SharedSecret, Nonce_S | Nonce_P) ->
<- Encr(SharedSecret, Nonce_S)
<span class="grey">Sheffer, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Where:
o Password is a typically short string, shared between the server
and the peer. In other words, the same password is used to
authenticate the server to the peer, and vice versa.
o y_s and y_p are the server's and the peer's, respectively,
ephemeral public key, i.e., y_s = g ^ x_s (mod p) and
y_p = g ^ x_p (mod p).
o Nonce_S, Nonce_P are random strings generated by the server and
the peer as cryptographic challenges.
o SharedSecret is the secret created by the Diffie-Hellman
algorithm, namely SharedSecret = g^(x_s * x_p) (mod p). This
value is calculated by the server as: SharedSecret = y_p ^ x_s
(mod p), and by the peer as: SharedSecret = y_s ^ x_p (mod p).
The current protocol extends the basic cryptographic protocol, and
the regular successful exchange becomes:
Message Server Peer
--------- -------- ------
ID/Request ID_S, CryptoProposals ->
ID/Response <- ID_P, CryptoSelection
Commit/Request Encr(Password, y_s) ->
Commit/Response <- Encr(Password, y_p), Prot(Ke, Ki, Nonce_P)
Confirm/Request Prot(Ke, Ki, Nonce_S | Nonce_P), Auth_S ->
Confirm/Response <- Prot(Ke, Ki, Nonce_S), Auth_P
Where, in addition to the above terminology:
o Encr means encryption only, and Prot is encryption with integrity
protection.
o Ke is an encryption key, and Ki is an integrity-protection key.
<a href="#section-5">Section 5</a> explains the various cryptographic values and how they are
derived.
<span class="grey">Sheffer, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
As shown in the exchange above, the following information elements
have been added to the original protocol: identity values for both
protocol parties (ID_S, ID_P), negotiation of cryptographic
protocols, and signature fields to protect the integrity of the
negotiated parameters (Auth_S, Auth_P). In addition, the shared
secret is not used directly. In this initial exposition, a few
details were omitted for clarity. <a href="#section-5">Section 5</a> should be considered as
authoritative regarding message and field details.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Message Formats</span>
EAP-EKE defines a small number of message types, each message
consisting of a header followed by a payload. This section defines
the header, several payload formats, as well as the format of
specific fields within the payloads.
As usual, all multi-octet strings MUST be laid out in network byte
order.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. EAP-EKE Header</span>
The EAP-EKE header consists of the standard EAP header (see <a href="./rfc3748#section-4">Section 4
of [RFC3748]</a>), followed by an EAP-EKE exchange type. The header has
the following structure:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | EKE-Exch | Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: EAP-EKE Header
The Code, Identifier, Length, and Type fields are all part of the EAP
header as defined in [<a href="./rfc3748" title=""Extensible Authentication Protocol (EAP)"">RFC3748</a>]. The Type field in the EAP header is
53 for EAP-EKE Version 1.
The EKE-Exch (EKE Exchange) field identifies the type of EAP-EKE
payload encapsulated in the Data field. This document defines the
following values for the EKE-Exch field:
o 0x00: Reserved
o 0x01: EAP-EKE-ID exchange
o 0x02: EAP-EKE-Commit exchange
<span class="grey">Sheffer, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
o 0x03: EAP-EKE-Confirm exchange
o 0x04: EAP-EKE-Failure message
Further values of this EKE-Exch field are available via IANA
registration (<a href="#section-7.7">Section 7.7</a>).
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. EAP-EKE Payloads</span>
EAP-EKE messages all contain the EAP-EKE header and information
encoded in a single payload, which differs for the different
exchanges.
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. The EAP-EKE-ID Payload</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NumProposals | Reserved | Proposal ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Proposal | IDType | Identity ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: EAP-EKE-ID Payload
The EAP-EKE-ID payload contains the following fields:
NumProposals:
The NumProposals field contains the number of Proposal fields
subsequently contained in the payload. In the EAP-EKE-ID/Request
message, the NumProposals field MUST NOT be set to zero (0), and
in the EAP-EKE-ID/Response message, the NumProposals field MUST be
set to one (1). The offered proposals in the Request are listed
contiguously in priority order, most preferable first. The
selected proposal in the Response MUST be fully identical with one
of the offered proposals.
Reserved:
This field MUST be sent as zero, and MUST be ignored by the
recipient.
<span class="grey">Sheffer, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Proposal:
Each proposal consists of four one-octet fields, in this order:
Group Description:
This field's value is taken from the IANA registry for Diffie-
Hellman groups defined in <a href="#section-7.1">Section 7.1</a>.
Encryption:
This field's value is taken from the IANA registry for
encryption algorithms defined in <a href="#section-7.2">Section 7.2</a>.
PRF:
This field's value is taken from the IANA registry for pseudo-
random functions defined in <a href="#section-7.3">Section 7.3</a>.
MAC:
This field's value is taken from the IANA registry for keyed
message digest algorithms defined in <a href="#section-7.4">Section 7.4</a>.
IDType:
Denotes the Identity Type. This is taken from the IANA registry
defined in <a href="#section-7.5">Section 7.5</a>. The server and the peer MAY use different
identity types. All implementations MUST be able to receive two
identity types: ID_NAI and ID_FQDN.
Identity:
The meaning of the Identity field depends on the values of the
Code and IDType fields.
* EAP-EKE-ID/Request: server ID
* EAP-EKE-ID/Response: peer ID
The length of the Identity field is computed from the Length field
in the EAP header. Specifically, its length is
eap_header_length - 9 - 4 * number_of_proposals.
This field, like all other fields in this specification, MUST be
octet-aligned.
<span class="grey">Sheffer, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. The EAP-EKE-Commit Payload</span>
This payload allows both parties to send their encrypted ephemeral
public key, with the peer also including a Challenge.
In addition, a small amount of data can be included by the server
and/or the peer, and used for channel binding. This data is sent
here unprotected, but is verified later, when it is signed by the
Auth_S/Auth_P payloads of the EAP-EKE-Confirm exchange.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DHComponent_S/DHComponent_P ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PNonce_P ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CBValue (zero or more occurrences) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: EAP-EKE-Commit Payload
DHComponent_S/DHComponent_P:
This field contains the password-encrypted Diffie-Hellman public
key, which is generated as described in <a href="#section-5.1">Section 5.1</a>. Its size is
determined by the group and the encryption algorithm.
PNonce_P:
This field only appears in the response, and contains the
encrypted and integrity-protected challenge value sent by the
peer. The field's size is determined by the encryption and MAC
algorithms being used, since this protocol mandates a fixed nonce
size for a given choice of algorithms. See <a href="#section-5.2">Section 5.2</a>.
<span class="grey">Sheffer, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
CBValue:
This structure MAY be included both in the request and in the
response, and MAY be repeated multiple times in a single payload.
See <a href="#section-4.5">Section 4.5</a>. Each structure contains its own length. The
field is neither encrypted nor integrity protected, instead it is
protected by the AUTH payloads in the Confirm exchange.
<span class="h4"><a class="selflink" id="section-4.2.3" href="#section-4.2.3">4.2.3</a>. The EAP-EKE-Confirm Payload</span>
Using this payload, both parties complete the authentication by
generating a shared temporary key, authenticating the entire
protocol, and generating key material for the EAP consumer protocol.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PNonce_PS/PNonce_S ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth_S/Auth_P ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: EAP-EKE-Confirm Payload
PNonce_PS/PNonce_S:
This field ("protected nonce") contains the encrypted and
integrity-protected response to the other party's challenge; see
Sections <a href="#section-5.3">5.3</a> and <a href="#section-5.4">5.4</a>. Similarly to the PNonce_P field, this
field's size is determined by the encryption and MAC algorithms.
Auth_S/Auth_P:
This field signs the preceding messages, including the Identity
and the negotiated fields. This prevents various possible
attacks, such as algorithm downgrade attacks. See <a href="#section-5.3">Section 5.3</a> and
<a href="#section-5.4">Section 5.4</a>. The size is determined by the pseudo-random function
negotiated.
<span class="grey">Sheffer, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h4"><a class="selflink" id="section-4.2.4" href="#section-4.2.4">4.2.4</a>. The EAP-EKE-Failure Payload</span>
The EAP-EKE-Failure payload format is defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Failure-Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: EAP-EKE-Failure Payload
The payload's size is always exactly 4 octets.
The following Failure-Code values are defined:
+------------+----------------+-------------------------------------+
| Value | Name | Meaning |
+------------+----------------+-------------------------------------+
| 0x00000000 | Reserved | |
| 0x00000001 | No Error | This code is used for failure |
| | | acknowledgement, see below. |
| 0x00000002 | Protocol Error | A failure to parse or understand a |
| | | protocol message or one of its |
| | | payloads. |
| 0x00000003 | Password Not | A password could not be located for |
| | Found | the identity presented by the other |
| | | protocol party, making |
| | | authentication impossible. |
| 0x00000004 | Authentication | Failure in the cryptographic |
| | Failure | computation, most likely caused by |
| | | an incorrect password or an |
| | | inappropriate identity type. |
| 0x00000005 | Authorization | While the password being used is |
| | Failure | correct, the user is not authorized |
| | | to connect. |
| 0x00000006 | No Proposal | The peer is unwilling to select any |
| | Chosen | of the cryptographic proposals |
| | | offered by the server. |
+------------+----------------+-------------------------------------+
Additional values of this field are available via IANA registration,
see <a href="#section-7.8">Section 7.8</a>.
When the peer encounters an error situation, it MUST respond with
EAP-EKE-Failure. The server MUST reply with an EAP-Failure message
to end the exchange.
<span class="grey">Sheffer, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
When the server encounters an error situation, it MUST respond with
EAP-EKE-Failure. The peer MUST send back an EAP-EKE-Failure message
containing a "No Error" failure code. Then the server MUST send an
EAP-Failure message to end the exchange.
Implementation of the "Password Not Found" code is not mandatory.
For security reasons, implementations MAY choose to return
"Authentication Failure" also in cases where the password cannot be
located.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Protected Fields</span>
Several fields are encrypted and integrity-protected. They are
denoted Prot(...). Their general structure is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector (IV) (optional) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encrypted Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ | Random Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Integrity Check Value (ICV) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: Protected Field Structure
The protected field is a concatenation of three octet strings:
o An optional IV, required when the encryption algorithm/mode
necessitates it, e.g., for CBC encryption. The content and size
of this field are determined by the selected encryption algorithm.
In the case of CBC encryption, this field is a random octet string
having the same size as the algorithm's block size.
o The original data, followed if necessary by random padding. This
padding has the minimal length (possibly zero) required to
complete the length of the encrypted data to the encryption
algorithm's block size. The original data and the padding are
encrypted together.
<span class="grey">Sheffer, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
o ICV, a Message Authentication Code (MAC) cryptographic checksum of
the encrypted data, including the padding. The checksum is
computed over the encrypted, rather than the plaintext, data. Its
length is determined by the MAC algorithm negotiated.
We note that because of the requirement for an explicit ICV, this
specification does not support authenticated encryption algorithms.
Such algorithms may be added by a future extension.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Encrypted Fields</span>
Two fields are encrypted but are not integrity protected. They are
denoted Encr(...). Their format is identical to a protected field
(<a href="#section-4.3">Section 4.3</a>), except that the Integrity Check Value is omitted.
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Channel Binding Values</span>
This protocol allows higher-level protocols to transmit limited
opaque information between the peer and the server. This information
is integrity protected but not encrypted, and may be used to ensure
that protocol participants are identical at different protocol
layers. See <a href="./rfc3748#section-7.15">Section 7.15 of [RFC3748]</a> for more information on the
rationale behind this facility.
EAP-EKE neither validates nor makes any use of the transmitted
information. The information MUST NOT be used by the consumer
protocol until it is verified in the EAP-EKE-Confirm exchange
(specifically, until it is integrity protected by the Auth_S, Auth_P
payloads). Consequently, it MUST NOT be relied upon in case an error
occurs at the EAP-EKE level.
An unknown Channel Binding Value SHOULD be ignored by the recipient.
Some implementations may require certain values to be present, and
will abort the protocol if they are not. Such policy is out of scope
of the current protocol.
<span class="grey">Sheffer, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Each Channel Binding Value is encoded using a TLV structure:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CBType | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: Channel Binding Value
CBType:
This is the Channel Binding Value's type. This document defines
the value 0x0000 as reserved. Other values are available for IANA
allocation, see <a href="#section-7.6">Section 7.6</a>.
Length:
This field is the total length in octets of the structure,
including the CBType and Length fields.
This facility should be used with care, since EAP-EKE does not
provide for message fragmentation. EAP-EKE is not a tunneled method
and should not be used as a generic transport; specifically,
implementors should refrain from using the Channel Binding facility
to transmit posture information, in the sense of [<a href="./rfc5209" title=""Network Endpoint Assessment (NEA): Overview and Requirements"">RFC5209</a>].
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Protocol Sequence</span>
This section describes the sequence of messages for the Commit and
Confirm exchanges, and lists the cryptographic operations performed
by the server and the peer.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. EAP-EKE-Commit/Request</span>
The server computes:
y_s = g ^ x_s (mod p),
where x_s is a randomly chosen number in the range 2 .. p-1. The
randomly chosen number is the ephemeral private key, and the
calculated value is the corresponding ephemeral public key. The
server and the peer MUST both use a fresh, random value for x_s and
the corresponding x_p on each run of the protocol.
<span class="grey">Sheffer, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
The server computes and transmits the encrypted field (<a href="#section-4.4">Section 4.4</a>)
temp = prf(0+, password)
key = prf+(temp, ID_S | ID_P)
DHComponent_S = Encr(key, y_s).
See <a href="#section-6.1">Section 6.1</a> for the prf+ notation. The first argument to "prf"
is a string of zero octets whose length is the output size of the
base hash algorithm, e.g., 20 octets for HMAC-SHA1; the result is of
the same length. The first output octets of prf+ are used as the
encryption key for the negotiated encryption algorithm, according to
that algorithm's key length.
Since the PRF function is required to be an application of the HMAC
operator to a hash function, the above construction implements HKDF
as defined in [<a href="./rfc5869" title=""HMAC-based Extract- and-Expand Key Derivation Function (HKDF)"">RFC5869</a>].
When using block ciphers, it may be necessary to pad y_s on the
right, to fit the encryption algorithm's block size. In such cases,
random padding MUST be used, and this randomness is critical to the
security of the protocol. Randomness recommendations can be found in
[<a href="./rfc4086" title=""Randomness Requirements for Security"">RFC4086</a>]; also see [<a href="#ref-NIST.800-90.2007" title=""Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised)"">NIST.800-90.2007</a>] for additional recommendations
on cryptographic-level randomness. When decrypting this field, the
real length of y_s is determined according to the negotiated Diffie-
Hellman group.
If the password needs to be stored on the server, it is RECOMMENDED
to store a randomized password value as a password-equivalent, rather
than the cleartext password. We note that implementations may choose
the output of either of the two steps of the password derivation.
Using the output of the second step, where the password is salted by
the identity values, is more secure; however, it may create an
operational issue if identities are likely to change. See also
<a href="#section-8.5">Section 8.5</a>.
This protocol supports internationalized, non-ASCII passwords. The
input password string SHOULD be processed according to the rules of
the [<a href="./rfc4013" title=""SASLprep: Stringprep Profile for User Names and Passwords"">RFC4013</a>] profile of [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>]. A password SHOULD be considered
a "stored string" per [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>], and unassigned code points are
therefore prohibited. The output is the binary representation of the
processed UTF-8 [<a href="./rfc3629" title=""UTF-8, a transformation format of ISO 10646"">RFC3629</a>] character string. Prohibited output and
unassigned code points encountered in SASLprep preprocessing SHOULD
cause a preprocessing failure and the output SHOULD NOT be used.
<span class="grey">Sheffer, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. EAP-EKE-Commit/Response</span>
The peer computes:
y_p = g ^ x_p (mod p)
Then computes:
temp = prf(0+, password)
key = prf+(temp, ID_S | ID_P)
DHComponent_P = Encr(key, y_p)
formatted as an encrypted field (<a href="#section-4.4">Section 4.4</a>).
Both sides calculate
SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p))
The first argument to "prf" is a string of zero octets whose length
is the output size of the base hash algorithm, e.g., 20 octets for
HMAC-SHA1; the result is of the same length. This extra application
of the pseudo-random function is the "extraction step" of [<a href="./rfc5869" title=""HMAC-based Extract- and-Expand Key Derivation Function (HKDF)"">RFC5869</a>].
Note that the peer needs to compute the SharedSecret value before
sending out its response.
The encryption and integrity protection keys are computed:
Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
And the peer generates the Protected Nonce:
PNonce_P = Prot(Ke, Ki, Nonce_P),
where Nonce_P is a randomly generated binary string. The length of
Nonce_P MUST be the maximum of 16 octets, and half the key size of
the negotiated prf (rounded up to the next octet if necessary). The
peer constructs this value as a protected field (<a href="#section-4.3">Section 4.3</a>),
encrypted using Ke and integrity protected using Ki with the
negotiated encryption and MAC algorithm.
The peer now sends a message that contains the two generated fields.
The server MUST verify the correct integrity protection of the
received nonce, and MUST abort the protocol if it is incorrect, with
an "Authentication Failure" code.
<span class="grey">Sheffer, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. EAP-EKE-Confirm/Request</span>
The server constructs:
PNonce_PS = Prot(Ke, Ki, Nonce_P | Nonce_S),
as a protected field, where Nonce_S is a randomly generated string,
of the same size as Nonce_P.
It computes:
Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
Nonce_S)
whose length is the preferred key length of the negotiated prf (see
<a href="#section-5.2">Section 5.2</a>). It then constructs:
Auth_S = prf(Ka, "EAP-EKE server" | EAP-EKE-ID/Request | EAP-EKE-
ID/Response | EAP-EKE-Commit/Request | EAP-EKE-Commit/Response).
The messages are included in full, starting with the EAP header, and
including any possible future extensions.
This construction of the Auth_S (and Auth_P) value implies that any
future extensions MUST NOT be added to the EAP-EKE-Confirm/Request or
EAP-EKE-Confirm/Response messages themselves, unless these extensions
are integrity-protected in some other manner.
The server now sends a message that contains the two fields.
The peer MUST verify the correct integrity protection of the received
nonces and the correctness of the Auth_S value, and MUST abort the
protocol if either is incorrect, with an "Authentication Failure"
code.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. EAP-EKE-Confirm/Response</span>
The peer computes Ka, and generates:
PNonce_S = Prot(Ke, Ki, Nonce_S)
as a protected field. It then computes:
Auth_P = prf(Ka, "EAP-EKE peer" | EAP-EKE-ID/Request | EAP-EKE-ID/
Response | EAP-EKE-Commit/Request | EAP-EKE-Commit/Response)
The peer sends a message that contains the two fields.
<span class="grey">Sheffer, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
The server MUST verify the correct integrity protection of the
received nonce and the correctness of the Auth_P value, and MUST
abort the protocol if either is incorrect, with an "Authentication
Failure" code.
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. MSK and EMSK</span>
Following the last message of the protocol, both sides compute and
export the shared keys, each 64 bytes in length:
MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
ID_P | Nonce_P | Nonce_S)
When the RADIUS attributes specified in [<a href="./rfc2548" title=""Microsoft Vendor-specific RADIUS Attributes"">RFC2548</a>] are used to
transport keying material, then the first 32 bytes of the MSK
correspond to MS-MPPE-RECV-KEY and the second 32 bytes to MS-MPPE-
SEND-KEY. In this case, only 64 bytes of keying material (the MSK)
are used.
At this point, both protocol participants MUST discard all
intermediate cryptographic values, including x_p, x_s, y_p, y_s, Ke,
Ki, Ka, and SharedSecret. Similarly, both parties MUST immediately
discard these values whenever the protocol terminates with a failure
code or as a result of timeout.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Cryptographic Details</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Generating Keying Material</span>
Keying material is derived as the output of the negotiated pseudo-
random function (prf) algorithm. Since the amount of keying material
needed may be greater than the size of the output of the prf
algorithm, we will use the prf iteratively. We denote by "prf+" the
function that outputs a pseudo-random stream based on the inputs to a
prf as follows (where "|" indicates concatenation):
prf+ (K, S) = T1 | T2 | T3 | T4 | ...
where:
T1 = prf(K, S | 0x01)
T2 = prf(K, T1 | S | 0x02)
T3 = prf(K, T2 | S | 0x03)
T4 = prf(K, T3 | S | 0x04)
<span class="grey">Sheffer, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
continuing as needed to compute all required keys. The keys are
taken from the output string without regard to boundaries (e.g., if
the required keys are a 256-bit Advanced Encryption Standard (AES)
key and a 160-bit HMAC key, and the prf function generates 160 bits,
the AES key will come from T1 and the beginning of T2, while the HMAC
key will come from the rest of T2 and the beginning of T3).
The constant concatenated to the end of each string feeding the prf
is a single octet. In this document, prf+ is not defined beyond 255
times the size of the prf output.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Diffie-Hellman Groups</span>
Many of the commonly used Diffie-Hellman groups are inappropriate for
use in EKE. Most of these groups use a generator that is not a
primitive element of the group. As a result, an attacker running a
dictionary attack would be able to learn at least 1 bit of
information for each decrypted password guess.
Any MODP Diffie-Hellman group defined for use in this protocol MUST
have the following properties to ensure that it does not leak a
usable amount of information about the password:
1. The generator is a primitive element of the group.
2. The most significant 64 bits of the prime number are 1.
3. The group's order p is a "safe prime", i.e., (p-1)/2 is also
prime.
The last requirement is related to the strength of the Diffie-Hellman
algorithm, rather than the password encryption. It also makes it
easy to verify that the generator is primitive.
Suitable groups are defined in <a href="#section-7.1">Section 7.1</a>.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Mandatory Algorithms</span>
To facilitate interoperability, the following algorithms are
mandatory to implement:
o ENCR_AES128_CBC (encryption algorithm)
o PRF_HMAC_SHA1 (pseudo-random function)
o MAC_HMAC_SHA1 (keyed message digest)
o DHGROUP_EKE_14 (DH-group)
<span class="grey">Sheffer, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. IANA Considerations</span>
IANA has allocated the EAP method type 53 from the range 1-191, for
"EAP-EKE Version 1".
Per this document, IANA created the registries described in the
following sub-sections. Values (other than private-use ones) can be
added to these registries per Specification Required [<a href="./rfc5226" title="">RFC5226</a>], with
two exceptions: the Exchange and Failure Code registries can only be
extended per RFC Required [<a href="./rfc5226" title="">RFC5226</a>].
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Diffie-Hellman Group Registry</span>
This section defines an IANA registry for Diffie-Hellman groups.
This table defines the initial contents of this registry. The Value
column is used when negotiating the group. Additional groups may be
defined through IANA allocation. Any future specification that
defines a non-MODP group MUST specify its use within EAP-EKE and MUST
demonstrate the group's security in this context.
+-----------------+---------+---------------------------------------+
| Name | Value | Description |
+-----------------+---------+---------------------------------------+
| Reserved | 0 | |
| DHGROUP_EKE_2 | 1 | The prime number of the 1024-bit |
| | | Group 2 [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>], with the generator |
| | | 5 (decimal) |
| DHGROUP_EKE_5 | 2 | The prime number of the 1536-bit |
| | | Group 5 [<a href="./rfc3526" title=""More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)"">RFC3526</a>], g=31 |
| DHGROUP_EKE_14 | 3 | The prime number of the 2048-bit |
| | | Group 14 [<a href="./rfc3526" title=""More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)"">RFC3526</a>], g=11 |
| DHGROUP_EKE_15 | 4 | The prime number of the 3072-bit |
| | | Group 15 [<a href="./rfc3526" title=""More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)"">RFC3526</a>], g=5 |
| DHGROUP_EKE_16 | 5 | The prime number of the 4096-bit |
| | | Group 16 [<a href="./rfc3526" title=""More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)"">RFC3526</a>], g=5 |
| Available for | 6-127 | |
| allocation via | | |
| IANA | | |
| Reserved for | 128-255 | |
| Private Use | | |
+-----------------+---------+---------------------------------------+
<span class="grey">Sheffer, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Encryption Algorithm Registry</span>
This section defines an IANA registry for encryption algorithms:
+-----------------+---------+-----------------------------------+
| Name | Value | Definition |
+-----------------+---------+-----------------------------------+
| Reserved | 0 | |
| ENCR_AES128_CBC | 1 | AES with a 128-bit key, CBC mode |
| | 2-127 | Available for allocation via IANA |
| | 128-255 | Reserved for Private Use |
+-----------------+---------+-----------------------------------+
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Pseudo-Random Function Registry</span>
This section defines an IANA registry for pseudo-random function
algorithms:
+-------------------+---------+-------------------------------------+
| Name | Value | Definition |
+-------------------+---------+-------------------------------------+
| Reserved | 0 | |
| PRF_HMAC_SHA1 | 1 | HMAC SHA-1, as defined in [<a href="./rfc2104" title=""HMAC: Keyed-Hashing for Message Authentication"">RFC2104</a>] |
| PRF_HMAC_SHA2_256 | 2 | HMAC SHA-2-256 [<a href="#ref-SHA" title=""Secure Hash Standard"">SHA</a>] |
| | 3-127 | Available for allocation via IANA |
| | 128-255 | Reserved for Private Use |
+-------------------+---------+-------------------------------------+
A pseudo-random function takes two parameters K and S (the key and
input string respectively), and, to be usable in this protocol, must
be defined for all lengths of K between 0 and 65,535 bits
(inclusive).
Any future pseudo-random function MUST be based on the HMAC
construct, since the security of HKDF is only known for such
functions.
<span class="grey">Sheffer, et al. Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. Keyed Message Digest (MAC) Registry</span>
This section defines an IANA registry for keyed message digest
algorithms:
+-------------------+---------+--------------+----------------------+
| Name | Value | Key Length | Definition |
| | | (Octets) | |
+-------------------+---------+--------------+----------------------+
| Reserved | 0 | | |
| MAC_HMAC_SHA1 | 1 | 20 | HMAC SHA-1, as |
| | | | defined in [<a href="./rfc2104" title=""HMAC: Keyed-Hashing for Message Authentication"">RFC2104</a>] |
| MAC_HMAC_SHA2_256 | 2 | 32 | HMAC SHA-2-256 |
| Reserved | 3-127 | | Available for |
| | | | allocation via IANA |
| Reserved | 128-255 | | Reserved for Private |
| | | | Use |
+-------------------+---------+--------------+----------------------+
<span class="h3"><a class="selflink" id="section-7.5" href="#section-7.5">7.5</a>. Identity Type Registry</span>
This section defines an IANA registry for identity types:
+-----------+---------+---------------------------------------------+
| Name | Value | Definition |
+-----------+---------+---------------------------------------------+
| Reserved | 0 | |
| ID_OPAQUE | 1 | An opaque octet string |
| ID_NAI | 2 | A Network Access Identifier, as defined in |
| | | [<a href="./rfc4282" title=""The Network Access Identifier"">RFC4282</a>] |
| ID_IPv4 | 3 | An IPv4 address, in binary format |
| ID_IPv6 | 4 | An IPv6 address, in binary format |
| ID_FQDN | 5 | A fully qualified domain name, see note |
| | | below |
| ID_DN | 6 | An LDAP Distinguished Name formatted as a |
| | | string, as defined in [<a href="./rfc4514" title=""Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names"">RFC4514</a>] |
| | 7-127 | Available for allocation via IANA |
| | 128-255 | Reserved for Private Use |
+-----------+---------+---------------------------------------------+
An example of an ID_FQDN is "example.com". The string MUST NOT
contain any terminators (e.g., NULL, CR, etc.). All characters in
the ID_FQDN are ASCII; for an internationalized domain name, the
syntax is as defined in [<a href="./rfc5891" title=""Internationalized Domain Names in Applications (IDNA): Protocol"">RFC5891</a>], for example
"xn--tmonesimerkki-bfbb.example.net".
<span class="grey">Sheffer, et al. Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-7.6" href="#section-7.6">7.6</a>. EAP-EKE Channel Binding Type Registry</span>
This section defines an IANA registry for the Channel Binding Type
registry, a 16-bit long code. The value 0x0000 has been defined as
Reserved. All other values up to and including 0xfeff are available
for allocation via IANA. The remaining values up to and including
0xffff are available for Private Use.
<span class="h3"><a class="selflink" id="section-7.7" href="#section-7.7">7.7</a>. Exchange Registry</span>
This section defines an IANA registry for the EAP-EKE Exchange
registry, an 8-bit long code. Initial values are defined in
<a href="#section-4.1">Section 4.1</a>. All values up to and including 0x7f are available for
allocation via IANA. The remaining values up to and including 0xff
are available for private use.
<span class="h3"><a class="selflink" id="section-7.8" href="#section-7.8">7.8</a>. Failure-Code Registry</span>
This section defines an IANA registry for the Failure-Code registry,
a 32-bit long code. Initial values are defined in <a href="#section-4.2.4">Section 4.2.4</a>.
All values up to and including 0xfeffffff are available for
allocation via IANA. The remaining values up to and including
0xffffffff are available for private use.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
Any protocol that claims to solve the problem of password-
authenticated key exchange must be resistant to active, passive, and
dictionary attack and have the quality of forward secrecy. These
characteristics are discussed further in the following paragraphs.
Resistance to Passive Attack: A passive attacker is one that merely
relays messages back and forth between the peer and server,
faithfully, and without modification. The contents of the
messages are available for inspection, but that is all. To
achieve resistance to passive attack, such an attacker must not be
able to obtain any information about the password or anything
about the resulting shared secret from watching repeated runs of
the protocol. Even if a passive attacker is able to learn the
password, she will not be able to determine any information about
the resulting secret shared by the peer and server.
Resistance to Active Attack: An active attacker is able to modify,
add, delete, and replay messages sent between protocol
participants. For this protocol to be resistant to active attack,
the attacker must not be able to obtain any information about the
password or the shared secret by using any of its capabilities.
In addition, the attacker must not be able to fool a protocol
<span class="grey">Sheffer, et al. Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
participant into thinking that the protocol completed
successfully. It is always possible for an active attacker to
deny delivery of a message critical in completing the exchange.
This is no different than dropping all messages and is not an
attack against the protocol.
Resistance to Dictionary Attack: For this protocol to be resistant
to dictionary attack, any advantage an adversary can gain must be
directly related to the number of interactions she makes with an
honest protocol participant and not through computation. The
adversary will not be able to obtain any information about the
password except whether a single guess from a single protocol run
is correct or incorrect.
Forward Secrecy: Compromise of the password must not provide any
information about the secrets generated by earlier runs of the
protocol.
[<a id="ref-RFC3748">RFC3748</a>] requires that documents describing new EAP methods clearly
articulate the security properties of the method. In addition, for
use with wireless LANs, [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>] mandates and recommends several of
these. The claims are:
1. Mechanism: password.
2. Claims:
* Mutual authentication: the peer and server both authenticate
each other by proving possession of a shared password. This
is REQUIRED by [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>].
* Forward secrecy: compromise of the password does not reveal
the secret keys (MSK and EMSK) from earlier runs of the
protocol.
* Replay protection: an attacker is unable to replay messages
from a previous exchange either to learn the password or a key
derived by the exchange. Similarly, the attacker is unable to
induce either the peer or server to believe the exchange has
successfully completed when it hasn't.
* Key derivation: a shared secret is derived by performing a
group operation in a finite cyclic group (e.g.,
exponentiation) using secret data contributed by both the peer
and server. An MSK and EMSK are derived from that shared
secret. This is REQUIRED by [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>].
<span class="grey">Sheffer, et al. Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
* Dictionary attack resistance: an attacker can only make one
password guess per active attack, and the protocol is designed
so that the attacker does not gain any confirmation of her
guess by observing the decrypted y_s or y_p value (see below).
The advantage she can gain is through interaction not through
computation. This is REQUIRED by [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>].
* Session independence: this protocol is resistant to active and
passive attacks and does not enable compromise of subsequent
or prior MSKs or EMSKs from either passive or active attacks.
* Denial-of-service resistance: it is possible for an attacker
to cause a server to allocate state and consume CPU. Such an
attack is gated, though, by the requirement that the attacker
first obtain connectivity through a lower-layer protocol
(e.g., 802.11 authentication followed by 802.11 association,
or 802.3 "link-up") and respond to two EAP messages: the
EAP-ID/Request and the EAP-EKE-ID/Request.
* Man-in-the-Middle Attack resistance: this exchange is
resistant to active attack, which is a requirement for
launching a man-in-the-middle attack. This is REQUIRED by
[<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>].
* Shared state equivalence: upon completion of EAP-EKE, the peer
and server both agree on the MSK and EMSK values. The peer
has authenticated the server based on the Server_ID and the
server has authenticated the peer based on the Peer_ID. This
is due to the fact that Peer_ID, Server_ID, and the generated
shared secret are all combined to make the authentication
element that must be shared between the peer and server for
the exchange to complete. This is REQUIRED by [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>].
* Fragmentation: this protocol does not define a technique for
fragmentation and reassembly.
* Resistance to "Denning-Sacco" attack: learning keys
distributed from an earlier run of the protocol, such as the
MSK or EMSK, will not help an adversary learn the password.
3. Key strength: the strength of the resulting key depends on the
finite cyclic group chosen. Sufficient key strength is REQUIRED
by [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>]. Clearly, "sufficient" strength varies over time,
depending on computation power assumed to be available to
potential attackers.
<span class="grey">Sheffer, et al. Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
4. Key hierarchy: MSKs and EMSKs are derived from the secret values
generated during the protocol run, using a negotiated pseudo-
random function.
5. Vulnerabilities (note that none of these are REQUIRED by
[<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>]):
* Protected ciphersuite negotiation: the ciphersuite proposal
made by the server is not protected from tampering by an
active attacker. However, if a proposal was modified by an
active attacker, it would result in a failure to confirm the
message sent by the other party, since the proposal is bound
by each side into its Confirm message, and the protocol would
fail as a result. Note that this assumes that none of the
proposed ciphersuites enables an attacker to perform real-time
cryptanalysis.
* Confidentiality: none of the messages sent in this protocol
are encrypted, though many of the protocol fields are.
* Integrity protection: protocol messages are not directly
integrity protected; however, the ID and Commit exchanges are
integrity protected through the Auth payloads exchanged in the
Confirm exchange.
* Channel binding: this protocol enables the exchange of
integrity-protected channel information that can be compared
with values communicated via out-of-band mechanisms.
* Fast reconnect: this protocol does not provide a fast
reconnect capability.
* Cryptographic binding: this protocol is not a tunneled EAP
method and therefore has no cryptographic information to bind.
* Identity protection: the EAP-EKE-ID exchange is not protected.
An attacker will see the server's identity in the EAP-EKE-ID/
Request and see the peer's identity in EAP-EKE-ID/Response.
See also <a href="#section-8.4">Section 8.4</a>.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Cryptographic Analysis</span>
When analyzing the Commit exchange, it should be noted that the base
security assumptions are different from "normal" cryptology.
Normally, we assume that the key has strong security properties, and
that the data may have few or none. Here, we assume that the key has
weak security properties (the attacker may have a list of possible
keys), and hence we need to ensure that the data has strong
<span class="grey">Sheffer, et al. Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
properties (indistinguishable from random). This difference may mean
that conventional wisdom in cryptology might not apply in this case.
This also imposes severe constraints on the protocol, e.g., the
mandatory use of random padding and the need to define specific
finite groups.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Diffie-Hellman Group Considerations</span>
It is fundamental to the dictionary attack resistance that the
Diffie-Hellman public values y_s and y_p are indistinguishable from a
random string. If this condition is not met, then a passive attacker
can do trial-decryption of the encrypted DHComponent_P or
DHComponent_S values based on a password guess, and if they decrypt
to a value that is not a valid public value, they know that the
password guess was incorrect.
For MODP groups, <a href="#section-6.2">Section 6.2</a> gives conditions on the group to make
sure that this criterion is met. For other groups (for example,
Elliptic Curve groups), some other means of ensuring this must be
employed. The standard way of expressing Elliptic Curve public
values does not meet this criterion, as a valid Elliptic Curve X
coordinate can be distinguished from a random string with probability
of approximately 0.5.
A future document might introduce a group representation, and/or a
slight modification of the password encryption scheme, so that
Elliptic Curve groups can be accommodated. [<a href="#ref-BR02" title=""Ciphers with Arbitrary Finite Domains"">BR02</a>] presents several
alternative solutions for this problem.
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Resistance to Active Attacks</span>
An attacker, impersonating either the peer or the server, can always
try to enumerate all possible passwords, for example by using a
dictionary. To counter this likely attack vector, both peer and
server MUST implement rate-limiting mechanisms. We note that locking
out the other party after a small number of tries would create a
trivial denial-of-service opportunity.
<span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>. Identity Protection, Anonymity, and Pseudonymity</span>
By default, the EAP-EKE-ID exchange is unprotected, and an
eavesdropper can observe both parties' identities. A future
extension of this protocol may support anonymity, e.g., by allowing
the server to send a temporary identity to the peer at the end of the
exchange, so that the peer can use that identity in subsequent
exchanges.
<span class="grey">Sheffer, et al. Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
EAP-EKE differs in this respect from tunneled methods, which
typically provide unconditional identity protection to the peer by
encrypting the identity exchange, but reveal information in the
server certificate. It is possible to use EAP-EKE as the inner
method in a tunneled EAP method in order to achieve this level of
identity protection.
<span class="h3"><a class="selflink" id="section-8.5" href="#section-8.5">8.5</a>. Password Processing and Long-Term Storage</span>
This document recommends that a password-equivalent (a hash of the
password) be stored instead of the cleartext password. While this
solution provides a measure of security, there are also tradeoffs
related to algorithm agility:
o Each stored password must identify the hash function that was used
to compute the stored value.
o Complex deployments and migration scenarios might necessitate
multiple stored passwords, one per each algorithm.
o Changing the algorithm can require, in some cases, that the users
manually change their passwords.
The reader is referred to <a href="./rfc3629#section-10">Section 10 of [RFC3629]</a> for security
considerations related to the parsing and processing of UTF-8
strings.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgements</span>
Much of this document was unashamedly picked from [<a href="./rfc5931" title=""Extensible Authentication Protocol (EAP) Authentication Using Only a Password"">RFC5931</a>] and
[<a href="#ref-EAP-SRP" title=""EAP SRP-SHA1 Authentication Protocol"">EAP-SRP</a>], and we would like to acknowledge the authors of these
documents: Dan Harkins, Glen Zorn, James Carlson, Bernard Aboba, and
Henry Haverinen. We would like to thank David Jacobson, Steve
Bellovin, Russ Housley, Brian Weis, Dan Harkins, and Alexey Melnikov
for their useful comments. Lidar Herooty and Idan Ofrat implemented
this protocol and helped us improve it by asking the right questions,
and we would like to thank them both.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-RFC2104">RFC2104</a>] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication",
<a href="./rfc2104">RFC 2104</a>, February 1997.
<span class="grey">Sheffer, et al. Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
March 1997.
[<a id="ref-RFC2548">RFC2548</a>] Zorn, G., "Microsoft Vendor-specific RADIUS
Attributes", <a href="./rfc2548">RFC 2548</a>, March 1999.
[<a id="ref-RFC3454">RFC3454</a>] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")",
<a href="./rfc3454">RFC 3454</a>, December 2002.
[<a id="ref-RFC3526">RFC3526</a>] Kivinen, T. and M. Kojo, "More Modular
Exponential (MODP) Diffie-Hellman groups for
Internet Key Exchange (IKE)", <a href="./rfc3526">RFC 3526</a>, May 2003.
[<a id="ref-RFC3629">RFC3629</a>] Yergeau, F., "UTF-8, a transformation format of
ISO 10646", STD 63, <a href="./rfc3629">RFC 3629</a>, November 2003.
[<a id="ref-RFC3748">RFC3748</a>] Aboba, B., Blunk, L., Vollbrecht, J., Carlson,
J., and H. Levkowetz, "Extensible Authentication
Protocol (EAP)", <a href="./rfc3748">RFC 3748</a>, June 2004.
[<a id="ref-RFC4013">RFC4013</a>] Zeilenga, K., "SASLprep: Stringprep Profile for
User Names and Passwords", <a href="./rfc4013">RFC 4013</a>,
February 2005.
[<a id="ref-RFC4282">RFC4282</a>] Aboba, B., Beadles, M., Arkko, J., and P. Eronen,
"The Network Access Identifier", <a href="./rfc4282">RFC 4282</a>,
December 2005.
[<a id="ref-RFC4514">RFC4514</a>] Zeilenga, K., "Lightweight Directory Access
Protocol (LDAP): String Representation of
Distinguished Names", <a href="./rfc4514">RFC 4514</a>, June 2006.
[<a id="ref-RFC5891">RFC5891</a>] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", <a href="./rfc5891">RFC 5891</a>,
August 2010.
[<a id="ref-RFC5996">RFC5996</a>] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2
(IKEv2)", <a href="./rfc5996">RFC 5996</a>, September 2010.
[<a id="ref-SHA">SHA</a>] National Institute of Standards and Technology,
U.S. Department of Commerce, "Secure Hash
Standard", NIST FIPS 180-3, October 2008.
<span class="grey">Sheffer, et al. Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-BM92">BM92</a>] Bellovin, S. and M. Merritt, "Encrypted Key
Exchange: Password-Based Protocols Secure Against
Dictionary Attacks", Proc. IEEE Symp. on Research
in Security and Privacy , May 1992.
[<a id="ref-BM93">BM93</a>] Bellovin, S. and M. Merritt, "Augmented Encrypted
Key Exchange: A Password-Based Protocol Secure
against Dictionary Attacks and Password File
Compromise", Proc. 1st ACM Conference on Computer
and Communication Security , 1993.
[<a id="ref-BMP00">BMP00</a>] Boyko, V., MacKenzie, P., and S. Patel, "Provably
Secure Password Authenticated Key Exchange Using
Diffie-Hellman", Advances in Cryptology,
EUROCRYPT 2000 , 2000.
[<a id="ref-BR02">BR02</a>] Black, J. and P. Rogaway, "Ciphers with Arbitrary
Finite Domains", Proc. of the RSA Cryptographer's
Track (RSA CT '02), LNCS 2271 , 2002.
[<a id="ref-EAP-SRP">EAP-SRP</a>] Carlson, J., Aboba, B., and H. Haverinen, "EAP
SRP-SHA1 Authentication Protocol", Work
in Progress, July 2001.
[<a id="ref-JAB96">JAB96</a>] Jablon, D., "Strong Password-Only Authenticated
Key Exchange", ACM Computer Communications
Review Volume 1, Issue 5, October 1996.
[<a id="ref-LUC97">LUC97</a>] Lucks, S., "Open Key Exchange: How to Defeat
Dictionary Attacks Without Encrypting Public
Keys", Proc. of the Security Protocols
Workshop LNCS 1361, 1997.
[<a id="ref-NIST.800-90.2007">NIST.800-90.2007</a>] National Institute of Standards and Technology,
"Recommendation for Random Number Generation
Using Deterministic Random Bit Generators
(Revised)", NIST SP 800-90, March 2007.
[<a id="ref-PA97">PA97</a>] Patel, S., "Number Theoretic Attacks On Secure
Password Schemes", Proceedings of the 1997 IEEE
Symposium on Security and Privacy , 1997.
[<a id="ref-RFC4017">RFC4017</a>] Stanley, D., Walker, J., and B. Aboba,
"Extensible Authentication Protocol (EAP) Method
Requirements for Wireless LANs", <a href="./rfc4017">RFC 4017</a>,
March 2005.
<span class="grey">Sheffer, et al. Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
[<a id="ref-RFC4086">RFC4086</a>] Eastlake, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a>,
<a href="./rfc4086">RFC 4086</a>, June 2005.
[<a id="ref-RFC5209">RFC5209</a>] Sangster, P., Khosravi, H., Mani, M., Narayan,
K., and J. Tardo, "Network Endpoint Assessment
(NEA): Overview and Requirements", <a href="./rfc5209">RFC 5209</a>,
June 2008.
[<a id="ref-RFC5226">RFC5226</a>] Narten, T. and H. Alvestrand, "Guidelines for
Writing an IANA Considerations Section in RFCs",
<a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>, <a href="./rfc5226">RFC 5226</a>, May 2008.
[<a id="ref-RFC5869">RFC5869</a>] Krawczyk, H. and P. Eronen, "HMAC-based Extract-
and-Expand Key Derivation Function (HKDF)",
<a href="./rfc5869">RFC 5869</a>, May 2010.
[<a id="ref-RFC5931">RFC5931</a>] Harkins, D. and G. Zorn, "Extensible
Authentication Protocol (EAP) Authentication
Using Only a Password", <a href="./rfc5931">RFC 5931</a>, August 2010.
<span class="grey">Sheffer, et al. Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc6124">RFC 6124</a> The EAP-EKE Method February 2011</span>
Authors' Addresses
Yaron Sheffer
Independent
EMail: yaronf.ietf@gmail.com
Glen Zorn
Network Zen
227/358 Thanon Sanphawut
Bang Na, Bangkok 10260
Thailand
Phone: +66 (0) 87-040-4617
EMail: gwz@net-zen.net
Hannes Tschofenig
Nokia Siemens Networks
Linnoitustie 6
Espoo 02600
Finland
Phone: +358 (50) 4871445
EMail: Hannes.Tschofenig@gmx.net
URI: <a href="http://www.tschofenig.priv.at">http://www.tschofenig.priv.at</a>
Scott Fluhrer
Cisco Systems.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
EMail: sfluhrer@cisco.com
Sheffer, et al. Informational [Page 33]
</pre>
|
