draft-ietf-emu-eap-gpsk-07.txt   draft-ietf-emu-eap-gpsk-08.txt 
EMU Working Group T. Clancy EMU Working Group T. Clancy
Internet-Draft LTS Internet-Draft LTS
Intended status: Standards Track H. Tschofenig Intended status: Standards Track H. Tschofenig
Expires: May 22, 2008 Nokia Siemens Networks Expires: June 6, 2008 Nokia Siemens Networks
November 19, 2007 December 4, 2007
EAP Generalized Pre-Shared Key (EAP-GPSK) EAP Generalized Pre-Shared Key (EAP-GPSK)
draft-ietf-emu-eap-gpsk-07 draft-ietf-emu-eap-gpsk-08
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 22, 2008. This Internet-Draft will expire on June 6, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This Internet Draft defines an Extensible Authentication Protocol This Internet Draft defines an Extensible Authentication Protocol
method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method
is a lightweight shared-key authentication protocol supporting mutual is a lightweight shared-key authentication protocol supporting mutual
skipping to change at page 2, line 24 skipping to change at page 2, line 24
5. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . . 11 5. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . . 11
6. Generalized Key Derivation Function (GKDF) . . . . . . . . . . 12 6. Generalized Key Derivation Function (GKDF) . . . . . . . . . . 12
7. Ciphersuites Processing Rules . . . . . . . . . . . . . . . . 12 7. Ciphersuites Processing Rules . . . . . . . . . . . . . . . . 12
7.1. Ciphersuite #1 . . . . . . . . . . . . . . . . . . . . . 12 7.1. Ciphersuite #1 . . . . . . . . . . . . . . . . . . . . . 12
7.1.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 12 7.1.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 12
7.1.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 13 7.1.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 13
7.1.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 13 7.1.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 13
7.2. Ciphersuite #2 . . . . . . . . . . . . . . . . . . . . . 13 7.2. Ciphersuite #2 . . . . . . . . . . . . . . . . . . . . . 14
7.2.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 14 7.2.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 14
7.2.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 14 7.2.2. Integrity . . . . . . . . . . . . . . . . . . . . . . 14
7.2.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 14 7.2.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 14
8. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . . 14 8. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . . 15
8.1. Header Format . . . . . . . . . . . . . . . . . . . . . . 15 8.1. Header Format . . . . . . . . . . . . . . . . . . . . . . 15
8.2. Ciphersuite Formatting . . . . . . . . . . . . . . . . . 15 8.2. Ciphersuite Formatting . . . . . . . . . . . . . . . . . 15
8.3. Payload Formatting . . . . . . . . . . . . . . . . . . . 16 8.3. Payload Formatting . . . . . . . . . . . . . . . . . . . 16
8.4. Protected Data . . . . . . . . . . . . . . . . . . . . . 20 8.4. Protected Data . . . . . . . . . . . . . . . . . . . . . 21
8.4.1. Protected Results Indication . . . . . . . . . . . . . 23 8.4.1. Protected Results Indication . . . . . . . . . . . . . 24
9. Packet Processing Rules . . . . . . . . . . . . . . . . . . . 23 9. Packet Processing Rules . . . . . . . . . . . . . . . . . . . 24
10. Example Message Exchanges . . . . . . . . . . . . . . . . . . 24 10. Example Message Exchanges . . . . . . . . . . . . . . . . . . 25
11. Security Considerations . . . . . . . . . . . . . . . . . . . 27 11. Security Considerations . . . . . . . . . . . . . . . . . . . 28
11.1. Mutual Authentication . . . . . . . . . . . . . . . . . . 27 11.1. Mutual Authentication . . . . . . . . . . . . . . . . . . 28
11.2. Protected Result Indications . . . . . . . . . . . . . . 28 11.2. Protected Result Indications . . . . . . . . . . . . . . 29
11.3. Integrity Protection . . . . . . . . . . . . . . . . . . 28 11.3. Integrity Protection . . . . . . . . . . . . . . . . . . 29
11.4. Replay Protection . . . . . . . . . . . . . . . . . . . . 28 11.4. Replay Protection . . . . . . . . . . . . . . . . . . . . 29
11.5. Reflection attacks . . . . . . . . . . . . . . . . . . . 28 11.5. Reflection attacks . . . . . . . . . . . . . . . . . . . 29
11.6. Dictionary Attacks . . . . . . . . . . . . . . . . . . . 28 11.6. Dictionary Attacks . . . . . . . . . . . . . . . . . . . 29
11.7. Key Derivation . . . . . . . . . . . . . . . . . . . . . 29 11.7. Key Derivation . . . . . . . . . . . . . . . . . . . . . 30
11.8. Denial of Service Resistance . . . . . . . . . . . . . . 29 11.8. Denial of Service Resistance . . . . . . . . . . . . . . 30
11.9. Session Independence . . . . . . . . . . . . . . . . . . 29 11.9. Session Independence . . . . . . . . . . . . . . . . . . 30
11.10. Exposition of the PSK . . . . . . . . . . . . . . . . . . 30 11.10. Exposition of the PSK . . . . . . . . . . . . . . . . . . 31
11.11. Fragmentation . . . . . . . . . . . . . . . . . . . . . . 30 11.11. Fragmentation . . . . . . . . . . . . . . . . . . . . . . 31
11.12. Channel Binding . . . . . . . . . . . . . . . . . . . . . 30 11.12. Channel Binding . . . . . . . . . . . . . . . . . . . . . 31
11.13. Fast Reconnect . . . . . . . . . . . . . . . . . . . . . 30 11.13. Fast Reconnect . . . . . . . . . . . . . . . . . . . . . 31
11.14. Identity Protection . . . . . . . . . . . . . . . . . . . 30 11.14. Identity Protection . . . . . . . . . . . . . . . . . . . 31
11.15. Protected Ciphersuite Negotiation . . . . . . . . . . . . 30 11.15. Protected Ciphersuite Negotiation . . . . . . . . . . . . 31
11.16. Confidentiality . . . . . . . . . . . . . . . . . . . . . 31 11.16. Confidentiality . . . . . . . . . . . . . . . . . . . . . 32
11.17. Cryptographic Binding . . . . . . . . . . . . . . . . . . 31 11.17. Cryptographic Binding . . . . . . . . . . . . . . . . . . 32
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 32 13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 33
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34
15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35
15.1. Normative References . . . . . . . . . . . . . . . . . . 34 15.1. Normative References . . . . . . . . . . . . . . . . . . 35
15.2. Informative References . . . . . . . . . . . . . . . . . 34 15.2. Informative References . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
Intellectual Property and Copyright Statements . . . . . . . . . . 36 Intellectual Property and Copyright Statements . . . . . . . . . . 37
1. Introduction 1. Introduction
EAP Generalized Pre-Shared Key (EAP-GPSK) is an EAP method defining a EAP Generalized Pre-Shared Key (EAP-GPSK) is an EAP method defining a
generalized pre-shared key authentication technique. Mutual generalized pre-shared key authentication technique. Mutual
authentication is achieved through a nonce-based exchange that is authentication is achieved through a nonce-based exchange that is
secured by a pre-shared key. secured by a pre-shared key.
EAP-GPSK addresses a large number of design goals with the intention EAP-GPSK addresses a large number of design goals with the intention
of being applicable in a broad range of usage scenarios. of being applicable in a broad range of usage scenarios.
skipping to change at page 9, line 40 skipping to change at page 9, line 40
X is the length, in octets, of the desired output, X is the length, in octets, of the desired output,
Y is a secret key, Y is a secret key,
Z is the inputString, Z is the inputString,
[A..B] extracts the string of octets starting with octet A finishing [A..B] extracts the string of octets starting with octet A finishing
with octet B from the output of the KDF function. with octet B from the output of the KDF function.
This keying material is derived using the ciphersuite-specified KDF This keying material is derived using the ciphersuite-specified KDF
as follows: as follows:
o inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server o inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server
o zero = 0x00 || 0x00 || ... || 0x00 (KS times) o MK = KDF-KS(PSK[0..KS-1], PL || PSK || CSuite_Sel ||
inputString)[0..KS-1]
o MK = KDF-KS(zero, PL || PSK || CSuite_Sel || inputString)[0..KS-1]
o MSK = KDF-{128+2*KS}(MK, inputString)[0..63] o MSK = KDF-{128+2*KS}(MK, inputString)[0..63]
o EMSK = KDF-{128+2*KS}(MK, inputString)[64..127] o EMSK = KDF-{128+2*KS}(MK, inputString)[64..127]
o SK = KDF-{128+2*KS}(MK, inputString)[128..127+KS] o SK = KDF-{128+2*KS}(MK, inputString)[128..127+KS]
o PK = KDF-{128+2*KS}(MK, inputString)[128+KS..127+2*KS] (if using o PK = KDF-{128+2*KS}(MK, inputString)[128+KS..127+2*KS] (if using
an encrypting ciphersuite) an encrypting ciphersuite)
Additionally, the EAP keying framework [I-D.ietf-eap-keying] requires Additionally, the EAP keying framework [I-D.ietf-eap-keying] requires
the definition of a Method-ID, Session-ID, Peer-ID, and Server-ID. the definition of a Method-ID, Session-ID, Peer-ID, and Server-ID.
These values are defined as: These values are defined as:
o zero = 0x00 || 0x00 || ... || 0x00 (KS times) o zero = 0x00 || 0x00 || ... || 0x00 (KS times)
o Method-ID = KDF-16(zero, "Method ID" || EAP_Method_Type || o Method-ID = KDF-16(zero, "Method ID" || EAP_Method_Type ||
CSuite_Sel || inputString)[0..15] CSuite_Sel || inputString)[0..15]
o Session-ID = Type_Code || Method_ID o Session-ID = Type_Code || Method_ID
o Peer-ID = ID_Peer o Peer-ID = ID_Peer
o Server-ID = ID_Server o Server-ID = ID_Server
EAP_Method_Type refers to the integer value of the IANA allocated EAP EAP_Method_Type refers to the integer value of the IANA allocated EAP
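Review bot: The new MK line keys the KDF with PSK[0..KS-1], which is only well defined when the PSK is at least KS octets long, and nothing in this hunk says what an implementation should do with a shorter PSK. Suggest stating the minimum PSK length next to the MK definition, or pointing to the section that sets it, so that two implementations cannot diverge between padding the key and rejecting it. Separately, the unchanged line "Session-ID = Type_Code || Method_ID" spells the value Method_ID while the definition two lines above it uses Method-ID; one spelling throughout would remove the ambiguity.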
skipping to change at page 13, line 33 skipping to change at page 13, line 33
o Value of SEC_SK(Value) in message GPSK-2 o Value of SEC_SK(Value) in message GPSK-2
o Value of SEC_SK(Value) in message GPSK-3 o Value of SEC_SK(Value) in message GPSK-3
o Value of SEC_SK(Value) in message GPSK-4 o Value of SEC_SK(Value) in message GPSK-4
7.1.3. Key Derivation 7.1.3. Key Derivation
This ciphersuite instantiates the KDF in the following way: This ciphersuite instantiates the KDF in the following way:
inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server
MK = GKDF-16 (PSK[0..127], PL || PSK || CSuite_Sel || inputString) MK = GKDF-16 (PSK[0..15], PL || PSK || CSuite_Sel || inputString)
MSK = GKDF-160 (MK, inputString)[0..63] MSK = GKDF-160 (MK, inputString)[0..63]
EMSK = GKDF-160 (MK, inputString)[64..127] EMSK = GKDF-160 (MK, inputString)[64..127]
SK = GKDF-160 (MK, inputString)[128..143] SK = GKDF-160 (MK, inputString)[128..143]
PK = GKDF-160 (MK, inputString)[144..159] PK = GKDF-160 (MK, inputString)[144..159]
zero = 0x00 || 0x00 || ... || 0x00 (16 times)
Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type || Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type ||
CSuite_Sel || inputString) CSuite_Sel || inputString)
7.2. Ciphersuite #2 7.2. Ciphersuite #2
7.2.1. Encryption 7.2.1. Encryption
Ciphersuite 2 does not include an algorithm for encryption. With a Ciphersuite 2 does not include an algorithm for encryption. With a
NULL encryption algorithm, encryption is defined as: NULL encryption algorithm, encryption is defined as:
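Review bot: The corrected MK line in 7.1.3 reads "MK = GKDF-16 (PSK[0..15], ...)" with no output slice, while the generic definition it instantiates ends in [0..KS-1] and the MSK, EMSK, SK and PK lines right below all carry explicit slices. The same holds for Method-ID, which has [0..15] in the generic form but not here. Suggest either adding [0..15] to both lines or noting that the full GKDF-16 output is used, since implementers tend to read the ciphersuite section on its own. The change of the key range from [0..127] to [0..15] does agree with the octet-based [A..B] notation defined earlier.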
skipping to change at page 14, line 36 skipping to change at page 14, line 38
o Value of SEC_SK(Value) in message GPSK-2 o Value of SEC_SK(Value) in message GPSK-2
o Value of SEC_SK(Value) in message GPSK-3 o Value of SEC_SK(Value) in message GPSK-3
o Value of SEC_SK(Value) in message GPSK-4 o Value of SEC_SK(Value) in message GPSK-4
7.2.3. Key Derivation 7.2.3. Key Derivation
This ciphersuite instantiates the KDF in the following way: This ciphersuite instantiates the KDF in the following way:
inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server
MK = GKDF-32 (PSK[0..255], PL || PSK || CSuite_Sel || inputString) MK = GKDF-32 (PSK[0..31], PL || PSK || CSuite_Sel || inputString)
MSK = GKDF-160 (MK, inputString)[0..63] MSK = GKDF-160 (MK, inputString)[0..63]
EMSK = GKDF-160 (MK, inputString)[64..127] EMSK = GKDF-160 (MK, inputString)[64..127]
SK = GKDF-160 (MK, inputString)[128..159] SK = GKDF-160 (MK, inputString)[128..159]
zero = 0x00 || 0x00 || ... || 0x00 (32 times)
Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type || Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type ||
CSuite_Sel || inputString) CSuite_Sel || inputString)
8. Packet Formats 8. Packet Formats
This section defines the packet format of the EAP-GPSK messages. This section defines the packet format of the EAP-GPSK messages.
8.1. Header Format 8.1. Header Format
The EAP-GPSK header has the following structure: The EAP-GPSK header has the following structure:
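Review bot: In 7.2.3 the MSK, EMSK and SK lines request GKDF-160, but the generic derivation gives the output length as KDF-{128+2*KS}, which for this ciphersuite's KS of 32 is 192 octets, not 160. The 160 figure matches 128+KS, which is what is needed when no PK is derived, so the intent is probably sound, but the two sections disagree as written. Suggest either qualifying the generic formula for non-encrypting ciphersuites or adding a sentence here saying that only 128+KS octets are derived because there is no PK. As in 7.1.3, the MK and Method-ID lines also omit the output slices that the generic definitions carry.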
 End of changes. 20 change blocks. 
42 lines changed or deleted 44 lines changed or added