Network Working Group J. Arkko
Request for Comments: 5448 V. Lehtovirta
Updates: 4187 Ericsson
Category: Informational P. Eronen
Nokia
May 2009
Improved Extensible Authentication Protocol Method for
3rd Generation Authentication and Key Agreement (EAP-AKA')
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This specification defines a new EAP method, EAP-AKA', which is a
small revision of the EAP-AKA (Extensible Authentication Protocol
Method for 3rd Generation Authentication and Key Agreement) method.
The change is a new key derivation function that binds the keys
derived within the method to the name of the access network. The new
key derivation mechanism has been defined in the 3rd Generation
Partnership Project (3GPP). This specification allows its use in EAP
in an interoperable manner. In addition, EAP-AKA' employs SHA-256
instead of SHA-1.
This specification also updates RFC 4187, EAP-AKA, to prevent bidding
down attacks from EAP-AKA'.
Arkko, et al. Informational [Page 1]
RFC 5448 EAP-AKA' May 2009
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. EAP-AKA' . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. AT_KDF_INPUT . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. AT_KDF . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3. Key Generation . . . . . . . . . . . . . . . . . . . . . . 10
3.4. Hash Functions . . . . . . . . . . . . . . . . . . . . . . 12
3.4.1. PRF' . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.4.2. AT_MAC . . . . . . . . . . . . . . . . . . . . . . . . 13
3.4.3. AT_CHECKCODE . . . . . . . . . . . . . . . . . . . . . 13
4. Bidding Down Prevention for EAP-AKA . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
5.1. Security Properties of Binding Network Names . . . . . . . 18
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
6.1. Type Value . . . . . . . . . . . . . . . . . . . . . . . . 19
6.2. Attribute Type Values . . . . . . . . . . . . . . . . . . 19
6.3. Key Derivation Function Namespace . . . . . . . . . . . . 19
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
9.1. Normative References . . . . . . . . . . . . . . . . . . . 20
9.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. Changes from RFC 4187 . . . . . . . . . . . . . . . . 23
Appendix B. Importance of Explicit Negotiation . . . . . . . . . 23
Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 24
1. Introduction
This specification defines a new Extensible Authentication Protocol
(EAP)[RFC3748] method, EAP-AKA', which is a small revision of the
EAP-AKA method originally defined in [RFC4187]. What is new in EAP-
AKA' is that it has a new key derivation function, specified in
[3GPP.33.402]. This function binds the keys derived within the
method to the name of the access network. This limits the effects of
compromised access network nodes and keys. This specification
defines the EAP encapsulation for AKA when the new key derivation
mechanism is in use.
3GPP has defined a number of applications for the revised AKA
mechanism, some based on native encapsulation of AKA over 3GPP radio
access networks and others based on the use of EAP.
For making the new key derivation mechanisms usable in EAP-AKA,
additional protocol mechanisms are necessary. Given that RFC 4187
datatracker.ietf.org