Network Working Group                                         F. Bersani
Request for Comments: 4764                            France Telecom R&D
Category: Experimental                                     H. Tschofenig
                                           Siemens Networks GmbH & Co KG
                                                            January 2007
The EAP-PSK Protocol:
A Pre-Shared Key Extensible Authentication Protocol (EAP) Method
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
IESG Note
This RFC is not a candidate for any level of Internet Standard. The
IETF disclaims any knowledge of the fitness of this RFC for any
purpose and in particular notes that the decision to publish is not
based on IETF review for such things as security, congestion control,
or inappropriate interaction with deployed protocols. The RFC Editor
has chosen to publish this document at its discretion. Readers of
this document should exercise caution in evaluating its value for
implementation and deployment. See RFC 3932 for more information.
The IESG thinks that this work is related to IETF work done in WGs
EMU and EAP, but this does not prevent publishing.
Abstract
This document specifies EAP-PSK, an Extensible Authentication
Protocol (EAP) method for mutual authentication and session key
derivation using a Pre-Shared Key (PSK). Once mutual authentication
succeeds, EAP-PSK provides a protected communication channel over
which both parties can communicate. This document
describes the use of this channel only for protected exchange of
result indications, but future EAP-PSK extensions may use the channel
for other purposes. EAP-PSK is designed for authentication over
insecure networks such as IEEE 802.11.
Bersani & Tschofenig Experimental [Page 1]
RFC 4764 EAP-PSK January 2007
Table of Contents
1. Introduction ....................................................4
1.1. Design Goals for EAP-PSK ...................................4
1.1.1. Simplicity ..........................................4
1.1.2. Wide Applicability ..................................5
1.1.3. Security ............................................5
1.1.4. Extensibility .......................................5
1.2. Terminology ................................................5
1.3. Conventions ................................................8
1.4. Related Work ...............................................9
2. Protocol Overview ..............................................12
2.1. EAP-PSK Key Hierarchy .....................................13
2.1.1. The PSK ............................................13
2.1.2. AK .................................................14
2.1.3. KDK ................................................14
2.2. The TEK ...................................................15
2.3. The MSK ...................................................15
2.4. The EMSK ..................................................15
2.5. The IV ....................................................15
3. Cryptographic Design of EAP-PSK ................................15
3.1. The Key Setup .............................................16
3.2. The Authenticated Key Exchange ............................19
3.3. The Protected Channel .....................................23
4. EAP-PSK Message Flows ..........................................25
4.1. EAP-PSK Standard Authentication ...........................26
4.2. EAP-PSK Extended Authentication ...........................28
5. EAP-PSK Message Format .........................................31
5.1. EAP-PSK First Message .....................................32
5.2. EAP-PSK Second Message ....................................34
5.3. EAP-PSK Third Message .....................................36
5.4. EAP-PSK Fourth Message ....................................39
6. Rules of Operation for the EAP-PSK Protected Channel ...........41
6.1. Protected Result Indications ..............................41
6.1.1. CONT ...............................................42
6.1.2. DONE_SUCCESS .......................................43
6.1.3. DONE_FAILURE .......................................43
6.2. Extended Authentication ...................................43