Extensible Authentication Protocol (EAP) Password Authenticated Exchange
RFC 4746
Field | Value
---|---
Type | RFC - Informational (November 2006; Errata)
Was | draft-clancy-eap-pax (individual in sec area)
Last updated | 2015-10-14
Stream | IETF
WG state | (None)
Document shepherd | No shepherd assigned
IESG state | RFC 4746 (Informational)
Consensus Boilerplate | Unknown
Responsible AD | Russ Housley
Send notices to | (None)
Network Working Group                                          T. Clancy
Request for Comments: 4746                                           LTS
Category: Informational                                       W. Arbaugh
                                                                     UMD
                                                           November 2006

Extensible Authentication Protocol (EAP) Password Authenticated Exchange

Status of This Memo

   This memo provides information for the Internet community. It does
   not specify an Internet standard of any kind. Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2006).

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines an Extensible Authentication Protocol (EAP)
   method called EAP-PAX (Password Authenticated eXchange). This method
   is a lightweight shared-key authentication protocol with optional
   support for key provisioning, key management, identity protection,
   and authenticated data exchange.

Table of Contents

   1. Introduction ....................................................2
      1.1. Language Requirements ......................................3
      1.2. Terminology ................................................3
   2. Overview ........................................................5
      2.1. PAX_STD Protocol ...........................................6
      2.2. PAX_SEC Protocol ...........................................7
      2.3. Authenticated Data Exchange ................................9
      2.4. Key Derivation ............................................10
      2.5. Verification Requirements .................................11
      2.6. PAX Key Derivation Function ...............................12
   3. Protocol Specification .........................................13
      3.1. Header Specification ......................................13
           3.1.1. Op-Code ............................................13
           3.1.2. Flags ..............................................14
           3.1.3. MAC ID .............................................14
           3.1.4. DH Group ID ........................................14
           3.1.5. Public Key ID ......................................15
           3.1.6. Mandatory to Implement .............................15
      3.2. Payload Formatting ........................................16
      3.3. Authenticated Data Exchange (ADE) .........................18
      3.4. Integrity Check Value (ICV) ...............................19
   4. Security Considerations ........................................19
      4.1. Server Certificates .......................................20
      4.2. Server Security ...........................................20
      4.3. EAP Security Claims .......................................21
           4.3.1. Protected Ciphersuite Negotiation ..................21
           4.3.2. Mutual Authentication ..............................21
           4.3.3. Integrity Protection ...............................21
           4.3.4. Replay Protection ..................................21
           4.3.5. Confidentiality ....................................21
           4.3.6. Key Derivation .....................................21
           4.3.7. Key Strength .......................................22
           4.3.8. Dictionary Attack Resistance .......................22
           4.3.9. Fast Reconnect .....................................22
           4.3.10. Session Independence ..............................22
           4.3.11. Fragmentation .....................................23
           4.3.12. Channel Binding ...................................23
           4.3.13. Cryptographic Binding .............................23
           4.3.14. Negotiation Attack Prevention .....................23
   5. IANA Considerations ............................................23
   6. Acknowledgments ................................................24
   7. References .....................................................24
      7.1. Normative References ......................................24
      7.2. Informative References ....................................25
   Appendix A. Key Generation from Passwords ........................27
   Appendix B. Implementation Suggestions ...........................27
      B.1. WiFi Enterprise Network ...................................27
      B.2. Mobile Phone Network ......................................28

1. Introduction

   EAP-PAX (Password Authenticated eXchange) is an Extensible
   Authentication Protocol (EAP) method [RFC3748] designed for
   authentication using a shared key. It makes use of two separate