The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method
RFC 4764
Document | Type |
RFC - Experimental
(January 2007; No errata)
Was draft-bersani-eap-psk (int)
|
|
---|---|---|---|
Authors | Florent Bersani , Hannes Tschofenig | ||
Last updated | 2015-10-14 | ||
Stream | Independent Submission | ||
Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
Stream | ISE state | (None) | |
Consensus Boilerplate | Unknown | ||
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4764 (Experimental) | |
Action Holders |
(None)
|
||
Telechat date | |||
Responsible AD | Jari Arkko | ||
Send notices to | eap-chairs@ietf.org |
Network Working Group F. Bersani Request for Comments: 4764 France Telecom R&D Category: Experimental H. Tschofenig Siemens Networks GmbH & Co KG January 2007 The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method Status of This Memo This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). IESG Note This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose and in particular notes that the decision to publish is not based on IETF review for such things as security, congestion control, or inappropriate interaction with deployed protocols. The RFC Editor has chosen to publish this document at its discretion. Readers of this document should exercise caution in evaluating its value for implementation and deployment. See RFC 3932 for more information. The IESG thinks that this work is related to IETF work done in WGs EMU and EAP, but this does not prevent publishing. Abstract This document specifies EAP-PSK, an Extensible Authentication Protocol (EAP) method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK provides a protected communication channel when mutual authentication is successful for both parties to communicate over. This document describes the use of this channel only for protected exchange of result indications, but future EAP-PSK extensions may use the channel for other purposes. EAP-PSK is designed for authentication over insecure networks such as IEEE 802.11. Bersani & Tschofenig Experimental [Page 1] RFC 4764 EAP-PSK January 2007 Table of Contents 1. Introduction ....................................................4 1.1. Design Goals for EAP-PSK ...................................4 1.1.1. Simplicity ..........................................4 1.1.2. Wide Applicability ..................................5 1.1.3. Security ............................................5 1.1.4. Extensibility .......................................5 1.2. Terminology ................................................5 1.3. Conventions ................................................8 1.4. Related Work ...............................................9 2. Protocol Overview ..............................................12 2.1. EAP-PSK Key Hierarchy .....................................13 2.1.1. The PSK ............................................13 2.1.2. AK .................................................14 2.1.3. KDK ................................................14 2.2. The TEK ...................................................15 2.3. The MSK ...................................................15 2.4. The EMSK ..................................................15 2.5. The IV ....................................................15 3. Cryptographic Design of EAP-PSK ................................15 3.1. The Key Setup .............................................16 3.2. The Authenticated Key Exchange ............................19 3.3. The Protected Channel .....................................23 4. EAP-PSK Message Flows ..........................................25 4.1. EAP-PSK Standard Authentication ...........................26 4.2. EAP-PSK Extended Authentication ...........................28 5. EAP-PSK Message Format .........................................31 5.1. EAP-PSK First Message .....................................32 5.2. EAP-PSK Second Message ....................................34 5.3. EAP-PSK Third Message .....................................36 5.4. EAP-PSK Fourth Message ....................................39 6. Rules of Operation for the EAP-PSK Protected Channel ...........41 6.1. Protected Result Indications ..............................41 6.1.1. CONT ...............................................42 6.1.2. DONE_SUCCESS .......................................43 6.1.3. DONE_FAILURE .......................................43 6.2. Extended Authentication ...................................43 7. IANA Considerations ............................................45 7.1. Allocation of an EAP-Request/Response Type for EAP-PSK ....45Show full document text