EAP Working Group L. Blunk INTERNET-DRAFT Merit Networks, Inc. Category: Standards Track J. Vollbrecht Interlink Networks, Inc. 28 November 2002 Bernard Aboba Obsoletes: RFC 2284 Microsoft Extensible Authentication Protocol (EAP) This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This document defines the Extensible Authentication Protocol (EAP), an authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. While EAP was originally developed for use with PPP, it is also now in use with IEEE 802. This document obsoletes RFC 2284. Blunk, Vollbrecht & Aboba Standards Track [Page 1] INTERNET-DRAFT RFC2284bis 28 November 2002 Table of Contents 1. Introduction .......................................... 3 1.1 Specification of Requirements ................... 3 1.2 Terminology ..................................... 3 2. Extensible Authentication Protocol (EAP) .............. 4 2.1 Success and failure indications ................. 6 2.2 EAP multiplexing model .......................... 7 3. Media-specific issues ................................. 8 3.1 Lower layer assumptions ......................... 8 3.2 EAP usage within PPP ............................ 9 3.3 EAP usage within IEEE 802 ....................... 10 3.4 Link layer indications .......................... 11 4. EAP Packet Format ..................................... 11 4.1 Request and Response ............................ 12 4.2 Success and Failure ............................. 14 5. Initial EAP Request/Response Types .................... 15 5.1 Identity ........................................ 16 5.2 Notification .................................... 17 5.3 Nak ............................................. 18 5.4 MD5-Challenge ................................... 19 5.5 One-Time Password ............................... 20 5.6 Generic Token Card .............................. 21 5.7 Vendor-specific ................................. 22 6. IANA Considerations ................................... 24 6.1 Definition of Terms ............................. 24 6.2 Recommended Registration Policies ............... 24 7. Security considerations ............................... 25 7.1 Threat model .................................... 25 7.2 Security terms .................................. 26 7.3 Security claims ................................. 28 7.4 Identity protection ............................. 28 7.5 Man-in-the-middle attacks ....................... 29 7.6 Packet modification attacks ..................... 29 7.7 Dictionary attacks .............................. 30 7.8 Connection to an untrusted network .............. 30 7.9 Negotiation attacks ............................. 31 7.10 Implementation idiosyncrasies ................... 31 7.11 Key derivation .................................. 32 7.12 Weak ciphersuites ............................... 32 8. Normative references .................................. 33 9. Informative references ................................ 33 ACKNOWLEDGMENTS .............................................. 35 AUTHORS' ADDRESSES ........................................... 35 Full Copyright Statement ..................................... 36 Blunk, Vollbrecht & Aboba Standards Track [Page 2] INTERNET-DRAFT RFC2284bis 28 November 2002 1. Introduction This document defines the Extensible Authentication Protocol (EAP), an authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. While EAP was originally developed for use with PPP, it is also now in use with IEEE 802. 1.1. Specification of Requirements In this document, several words are used to signify the requirements of the specification. These words are often capitalized. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Terminology This document frequently uses the following terms: Authenticator The end of the link requiring the authentication. Peer The other end of the point-to-point link (PPP), point-to-point LAN segment (IEEE 802) or 802.11 wireless link, which being authenticated by the Authenticator. In [IEEE8021X], this end is known as the Supplicant. Authentication Server An Authentication Server is an entity that provides an Authentication Service to an Authenticator. This service verifies from the credentials provided by the Peer, the claim of identity made by the Peer. Silently Discard This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter. Displayable Message This is interpreted to be a human readable string of characters, and MUST NOT affect operation of the protocol. The message encoding MUST follow the UTF-8 transformation Blunk, Vollbrecht & Aboba Standards Track [Page 3] INTERNET-DRAFT RFC2284bis 28 November 2002 format [RFC2044]. 2. Extensible Authentication Protocol (EAP) The Extensible Authentication Protocol (EAP) is a general protocol for authentication which supports multiple authentication mechanisms. EAP may be used on dedicated links as well as switched circuits, and wired as well as wireless links. To date, EAP has been implemented with hosts and routers that connect via switched circuits or dial-up lines using PPP [RFC1661]. It has also been implemented with switches and access points using IEEE 802 [IEEE802]. EAP encapsulation on IEEE 802 wired media is described in [IEEE8021X]. One of the advantages of the EAP architecture is its flexibility. EAP is used to select a specific authentication mechanism, typically after the Authenticator requests more information in order to determine the specific authentication mechanism(s) to be used. Rather than requiring the Authenticator to be updated to support each new authentication method, EAP permits the use of a backend server which may implement some or all authentication methods, with the Authenticator acting as a pass- through for some or all methods and users. The authentication exchange proceeds as follows: [1] The Authenticator sends a Request to authenticate the Peer. The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-challenge, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol [RFC1994]. Typically, the Authenticator will send an initial Identity Request; however, an initial Identity Request is not required, and MAY be bypassed. For example, the identity may not be required where it is requested within the EAP method itself, which is pre-determined; where it is determined by the port to which the Peer has connected (leased lines, dedicated switch or dial-up ports); or where the identity is obtained in another fashion (via calling station identity or MAC address, in the Name field of the MD5-Challenge Response, etc.). [2] The Peer sends a Response packet in reply to the Request. As with the Request packet, the Response packet contains a type field which corresponds to the type field of the Request. [3] The Authenticator sends an additional Request packet, and the Peer replies with a Response. The sequence of Requests and Responses continues as long as needed. Blunk, Vollbrecht & Aboba Standards Track [Page 4] INTERNET-DRAFT RFC2284bis 28 November 2002 [4] If the initial authentication method completes unsuccessfully, then the Authenticator sends a Failure packet to the Peer. If it completes successfully, and the Authenticator does not require additional authentication methods, then the Authenticator sends a Success packet to the Peer. [5] An Authenticator MAY authenticate the Peer using a sequence of methods. A common example of this is an Identity request followed by an EAP authentication method such as an MD5-Challenge. If additional authentication methods are required, the Authenticator MAY send a Request packet for a subsequent authentication method, or it MAY send another Identity request. If the Peer does not support sequences, it SHOULD respond to the subsequent Request with a Nak, and no alternative method. However, Peer implementations MAY not respond at all, in which case a timeout will result and authentication will fail. Since the Authenticator presumably requires successful completion of the sequence in order to grant access, authentication failure is the correct result. Therefore, it is not necessary for the Authenticator to determine that the Peer supports sequences prior to sending a Request for a subsequent authentication method. [6] The sequence of authentication methods proceeds until either an authentication method fails (in which case the Authenticator sends an EAP Failure packet to the Peer) or the final authentication method completes successfully, in which case the Authenticator sends an EAP Success packet to the Peer. [7] Since EAP is a Peer-to-Peer protocol, after authentication in one direction is complete, the direction of authentication MAY reverse, with the endpoint previously serving as the Authenticator assuming the Peer role, and the former Peer now taking on the Authenticator role. As with the original conversation, the reversal is signalled by the (new) Authenticator sending a Request. Support for bi- directional authentication requires that each endpoint implement both the Peer and Authenticator roles. Where the Authenticator acts as a pass-through, it MUST determine the outcome of the authentication solely based on the Accept/Reject indication sent by the backend authentication server; the outcome MUST NOT be determined by the contents of an EAP packet sent along with the Accept/Reject indication, or the absence of such an encapsulated EAP packet. Advantages The EAP protocol can support multiple authentication mechanisms Blunk, Vollbrecht & Aboba Standards Track [Page 5] INTERNET-DRAFT RFC2284bis 28 November 2002 without having to pre-negotiate a particular one. Devices (e.g. a NAS, switch or access point) do not have to understand each authentication method and MAY act as a pass-through agent for a backend authentication server. Support for pass-through is optional. An Authenticator MAY authenticate local users while at the same time acting as a pass-through for non-local users and authentication methods it does not implement locally. Separation of the Authenticator from the backend authentication server simplifies credentials management and policy decision making. Disadvantages For use in PPP, EAP does require the addition of a new authentication type to PPP LCP and thus PPP implementations will need to be modified to use it. It also strays from the previous PPP authentication model of negotiating a specific authentication mechanism during LCP. Similarly, switch or access point implementations need to support [IEEE8021X] in order to use EAP. Where the Authenticator is separate from the backend Authenticator server, this complicates the security analysis and, if needed, key distribution. 2.1. Success and failure indications Within EAP, success and failure indications may be protected or unprotected. Unless protected by an underlying link layer ciphersuite, EAP Success and Failure messages are unprotected indications which may be spoofed, since they are sent in cleartext and contain no embedded message integrity check. However, individual EAP methods may include support for acknowledged and protected success and failure indications. Where a protected success/failure indication has been received at the EAP layer by an EAP Peer, it MUST accept and process the protected indication. Subsequent unprotected success or failure EAP layer indications MUST be silently discarded by the Peer if they contradict the protected indication. In the absence of a protected EAP layer indication, unprotected failure indications MAY be accepted and processed by the EAP implementation. This can result in a denial of service attack. Unprotected EAP layer success indications are only accepted and processed once methods have completed successfully. For example, if the Peer is configured to require an EAP method providing mutual authentication, then it MUST silently discard a Success packet sent by the Authenticator, prior to the conclusion of mutual authentication. Blunk, Vollbrecht & Aboba Standards Track [Page 6] INTERNET-DRAFT RFC2284bis 28 November 2002 Whether authentication is mandatory is determined by the Authenticator and Peer configurations. If authentication is not required by the Authenticator, or if the identity of the Peer is verified by another mechanism (e.g. Calling-Station-ID or MAC address), then the Authenticator MAY send a "canned" Success message. However, the Peer may be configured to require the Authenticator to authenticate itself prior to being willing to process a Success message. 2.2. EAP multiplexing model The EAP layer provides sequencing and duplicate elimination to EAP methods. During the period after an EAP Peer receives an EAP-Request, but has not yet sent an EAP-Response, the Peer EAP layer MUST silently discard additional EAP packets upon reception, rather than providing them to the EAP method. This occurs whether the received packet is a duplicate (same Identifier) or not (different Identifier). Similarly, during the period after an EAP Authenticator receives an EAP-Response, but has not yet sent an EAP-Request, the Authenticator EAP layer MUST silently discard additional EAP packets upon reception, rather than providing them to the EAP method. This provides an opportunity for a denial of service attack: an attacker can swamp a Peer with EAP Requests, preventing valid EAP Requests from being processed. Addressing this requires an EAP method to be able to indicate to the EAP layer that it wants to handle duplicate elimination and packet validation itself. This is not supported. Within EAP, the Type field functions much like a port number in UDP or TCP. With the exception of types handled by the EAP layer, it is assumed that EAP implementations multiplex incoming EAP packets according to their Type, and deliver them only to the EAP method corresponding to that Type code, with some exceptions. The Nak method is utilized for the purposes of method negotiation, and is implemented within the EAP layer. Peers MUST respond to an EAP Request for an unacceptable Type with a Nak Response. Authenticators receiving an EAP Response with a Type for which the Authenticator has no outstanding Request MUST silently discard the Response. The Notification method may be considered to reside within the EAP layer. While a Notification Request may be generated at the behest of an EAP method residing on the Authenticator, a Notification Response is typically generated automatically by the Peer EAP layer, so that it can only be used as confirmation that the Peer received the Notification Request, not that it has processed it, or displayed the message to the user. It cannot be assumed that the contents of the Notification Request is available to another method. Blunk, Vollbrecht & Aboba Standards Track [Page 7] INTERNET-DRAFT RFC2284bis 28 November 2002 The Identity Request may also be generated at the behest of an EAP method residing on the Authenticator. However, the Identity Response can be assumed to be stored within the EAP layer so as to be available to methods of types other than 1 (Identity). EAP packets with codes of Success or Failure do not include a Type, and therefore are not delivered to an EAP method. Given these considerations, the Success, Failure, Nak and Notification messages MUST NOT used to carry data destined for delivery to other EAP methods. The architecture is illustrated in figure 1 below. +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | | | EAP method| EAP method| | EAP method| EAP method| | Type = X | Type = Y | | Type = X | Type = Y | | ! | | | ^ | | +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ | ! | | ! | | ! EAP | | ! EAP | | (Nak, ! Success, | | (Nak, ! Success, | | ! Failure, | | ! Failure, | | ! Notification, | | ! Notification, | | ! Identity) | | ! Identity) | | ! | | ! | +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ | ! | | ! | | Link ! Layer | | Link ! Layer | | ! | | ! | +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ ! ! +------------>-------------+ Figure 1. EAP Multiplexing Model 3. Media-specific issues EAP has been run over a variety of lower layers including PPP; wired IEEE 802 LANs [IEEE8021X]; IEEE 802.11 wireless LANs [IEEE802.11]; UDP (L2TP [RFC2661] and ISAKMP [PIC]); and TCP [PIC]. This section discusses EAP dependencies on lower layers. 3.1. Lower layer assumptions EAP makes the following assumptions about lower layers: [1] Unreliable transmission. With the exception of Success and Failure, EAP packets are acknowledged, so that EAP does not assume that Blunk, Vollbrecht & Aboba Standards Track [Page 8] INTERNET-DRAFT RFC2284bis 28 November 2002 lower layers are reliable. However, if lower layers exhibit a high loss rate, then frequent timeouts are likely to result. Since EAP defines its own retransmission behavior, when run over a reliable lower layer, it is possible (though undesirable) for retransmission to occur both in the lower layer and the EAP layer. [2] Known MTU. EAP itself does not support fragmentation and reassembly. However, individual EAP methods SHOULD NOT make assumptions about the minimum MTU size and SHOULD be capable of handling fragmentation and reassembly. As a result, EAP is typically capable of functioning across a range of MTU sizes, as long as the MTU is known. [3] Possible duplication. While it is desirable that lower layers provide for non-duplication, this is not a requirement. The Identifier field provides both the Peer and Authenticator with the ability to detect duplicates. Where the lower layer is reliable, it will provide the EAP layer with a non-duplicated stream of packets. In EAP, the Authenticator is responsible for retransmission. Although EAP Peers do not retransmit Responses, they do respond to duplicate Requests. Since it is possible for the Authenticator to retransmit before receiving a Response from the Peer, Authenticators can receive duplicate Responses. [4] Possible reordering. EAP provides its own mechanisms to detect reordering and so does not assume that the lower layer provides ordering guarantees. EAP is a "lockstep" protocol, so that the Authenticator MUST NOT send a new Request until a Response is received to an outstanding Request. Since the Peer should not expect a new Request until it has sent a Response, if it receives a new Request with a different Identifier before sending a Response to the outstanding Request, the new Request MUST be silently discarded. Similarly, if the Authenticator receives a Response with an Identifier that does not match the Identifier in the outstanding Request, the Response MUST be silently discarded. 3.2. EAP usage within PPP In order to establish communications over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during Link Establishment phase. After the link has been established, PPP provides for an optional Authentication phase before proceeding to the Network-Layer Protocol phase. Blunk, Vollbrecht & Aboba Standards Track [Page 9] INTERNET-DRAFT RFC2284bis 28 November 2002 By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication- Protocol Configuration Option during Link Establishment phase. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations. When implemented within PPP, EAP does not select a specific authentication mechanism at PPP Link Control Phase, but rather postpones this until the Authentication Phase. This allows the Authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP Authenticator merely passes through the authentication exchange. The PPP Link Establishment and Authentication phases, and the Authentication-Protocol Configuration Option, are defined in The Point-to-Point Protocol (PPP) [RFC1661]. 3.2.1. PPP Configuration Option Format A summary of the PPP Authentication-Protocol Configuration Option format to negotiate the EAP Authentication Protocol is shown below. The fields are transmitted from left to right. Exactly one EAP packet is encapsulated in the Information field of a PPP Data Link Layer frame where the protocol field indicates type hex C227 (PPP EAP). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Authentication-Protocol | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 3 Length 4 Authentication-Protocol C227 (Hex) for PPP Extensible Authentication Protocol (EAP) Blunk, Vollbrecht & Aboba Standards Track [Page 10] INTERNET-DRAFT RFC2284bis 28 November 2002 3.3. EAP usage within IEEE 802 The encapsulation of EAP over IEEE 802 link layers is defined in [IEEE8021X]. The IEEE 802 encapsulation of EAP does not involve PPP, and IEEE 802.1X does not include support for link or network layer negotiations. As a result, within IEEE 802.1X it is not possible to negotiate non-EAP authentication mechanisms, such as PAP or CHAP [RFC1994]. 3.4. Link layer indications The reliability and security of link layer indications is dependent on the medium. Link layer failure indications accepted by the link layer and provided to EAP MUST be processed. However, as described in Section 2.1, only EAP layer success/failure indications (not link layer success indications) can cause an EAP implementation to conclude that authentication has succeeded. In PPP, link layer indications are not authenticated. They are therefore subject to spoofing. This includes LCP-Terminate (a link failure indication) and NCP (a link success indication). In PPP, a "link down" indication is considered a reliable indication of link failure. In 802.11, control and management frames are not authenticated and are therefore subject to spoofing. This includes Disassociate and Deauthenticate frames (link failure indications), and Association and Reassociation Response frames (link success indications). In IEEE 802 wired networks, the IEEE 802.1X EAPOL-Start and EAPOL-Logoff frames are not authenticated, whereas within 802.11, authentication is possible depending on when they are sent and the ciphersuite that has been negotiated. Therefore, depending on the circumstances, EAPOL-Start and EAPOL-Logoff frames may or may not be subject to spoofing. In 802.11 a "link down" signal is considered an unreliable indication of link failure, since wireless signal strength can come and go. 4. EAP Packet format A summary of the EAP packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+ Blunk, Vollbrecht & Aboba Standards Track [Page 11] INTERNET-DRAFT RFC2284bis 28 November 2002 Code The Code field is one octet and identifies the type of EAP packet. EAP Codes are assigned as follows: 1 Request 2 Response 3 Success 4 Failure Since EAP only defines Codes 1-4, EAP packets with other codes MUST be silently discarded by both Authenticators and Peers. Identifier The Identifier field is one octet and aids in matching Responses with Requests. Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. Data The Data field is zero or more octets. The format of the Data field is determined by the Code field. 4.1. Request and Response Description The Request packet is sent by the Authenticator to the Peer. Each Request has a type field which serves to indicate what is being requested. The Authenticator MUST transmit an EAP packet with the Code field set to 1 (Request). Additional Request packets MUST be sent until a valid Response packet is received, or an optional retry counter expires. In [IEEE8021X], the retry counter is effectively set to zero, so that retransmission never occurs, and instead the Peer times out and authentication is restarted. The contents of the data field is dependent on the Request type. The Peer MUST send a Response packet in reply to a Request packet. Responses MUST only be sent in reply to a received Request and never retransmitted on a timer. The Identifier field of the Response MUST match that of the Request. If a Peer receives a duplicate Request Blunk, Vollbrecht & Aboba Standards Track [Page 12] INTERNET-DRAFT RFC2284bis 28 November 2002 for which it has already sent a Response, it MUST resend its Response. If a Peer receives a duplicate Request before it has sent a Response to the initial Request (i.e. it's waiting for user input), it MUST silently discard the duplicate Request. Retransmitted Requests MUST be sent with the same Identifier value in order to distinguish them from new Requests. In order to avoid confusion between new Requests and retransmissions, the Identifier value chosen for each new Request MUST be unique within the EAP conversation. One way to achieve this is to start the Identifier at an initial value and increment it for each new Request. If the Authenticator receives a Response with an Identifier different from the Identifier within the last Request, then the message MUST be silently discarded. Since it is possible that the Authenticator may retransmit prior to receiving a Response from the Peer, the Authenticator can receive duplicate responses. Note that the Identifier field need only be unique on a per-port basis, so that Authenticators are not restricted to only 255 simultaneous authentication conversations. Implementation Note: Because the authentication process will often involve user input, some care must be taken when deciding upon retransmission strategies and authentication timeouts. By default, where EAP is run over an unreliable lower layer, the EAP retransmission timer (EAP_RTO) SHOULD be computed as described in [RFC2988]. A maximum of 3-5 retransmissions is suggested. When run over a reliable lower layer (e.g. EAP over ISAKMP/TCP, as within [PIC]), the EAP retransmission timer SHOULD be set to an infinite value, so that retransmissions do not occur at the EAP layer. Where the authentication process requires user input, the measured round trip times are largely be determined by user responsiveness rather than network characteristics, so that RTO estimation is not helpful. Instead, the retransmission timers SHOULD be set so as to provide sufficient time for the user to respond, with longer timeouts required in certain cases, such as where Token Cards are involved. In order to provide the EAP Authenticator with guidance as to the appropriate timeout value, a hint can be communicated to the Authenticator by the backend authentication server (such as via the RADIUS Session-Timeout attribute). Additionally, the Peer MUST be prepared to silently discard received retransmissions while waiting for user input, so as to mitigate the ill effects of a too small retransmission timer. Blunk, Vollbrecht & Aboba Standards Track [Page 13] INTERNET-DRAFT RFC2284bis 28 November 2002 A summary of the Request and Response packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Type-Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Code 1 for Request 2 for Response Identifier The Identifier field is one octet and aids in matching Responses with Requests. Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, and Type-Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. Type The Type field is one octet. This field indicates the Type of Request or Response. A single Type MUST be specified for each EAP Request or Response. Normally, the Type field of the Response will be the same as the Type of the Request. However, there is also a Nak Response Type for indicating that a Request type is unacceptable to the Peer. An initial specification of Types follows in a later section of this document. Type-Data The Type-Data field varies with the Type of Request and the associated Response. 4.2. Success and Failure The Success packet is sent by the Authenticator to the Peer to acknowledge successful completion of the authentication conversation. Blunk, Vollbrecht & Aboba Standards Track [Page 14] INTERNET-DRAFT RFC2284bis 28 November 2002 The Authenticator MUST transmit an EAP packet with the Code field set to 3 (Success). If the Authenticator cannot authenticate the Peer (unacceptable Responses to one or more Requests) then the implementation MUST transmit an EAP packet with the Code field set to 4 (Failure). An Authenticator MAY wish to issue multiple Requests before sending a Failure response in order to allow for human typing mistakes. Success and Failure packets MUST NOT contain additional data. Implementation Note: Because the Success and Failure packets are not acknowledged, the Authenticator cannot know whether they have been received. As a result, these packets are not retransmitted by the Authenticator, and if they are lost, the Peer will timeout. If acknowledged success and failure indications are desired, these MAY be implemented within individual EAP methods. A summary of the Success and Failure packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 3 for Success 4 for Failure Identifier The Identifier field is one octet, and aids in matching Responses with Requests. In order to avoid confusion between Success or Failure packets and retransmissions, the Identifier value chosen for a Success or Failure packet MUST be unique within the EAP conversation. Length 4 5. Initial EAP Request/Response Types This section defines the initial set of EAP Types used in Request/Response exchanges. More Types may be defined in follow-on documents. The Type field is one octet and identifies the structure of an EAP Request or Response packet. The first 3 Types are considered special case Types. Blunk, Vollbrecht & Aboba Standards Track [Page 15] INTERNET-DRAFT RFC2284bis 28 November 2002 The remaining Types define authentication exchanges. The Nak Type is valid only for Response packets, it MUST NOT be sent in a Request. The Nak Type MUST only be sent in response to a Request which uses an authentication Type code (i.e., Type > 3). All EAP implementations MUST support Types 1-4, which are defined in this document, and SHOULD support Type 255. Follow-on RFCs MAY define additional EAP Types. 1 Identity 2 Notification 3 Nak (Response only) 4 MD5-Challenge 5 One Time Password (OTP) 6 Generic Token Card (GTC) 255 Vendor-specific 5.1. Identity Description The Identity Type is used to query the identity of the Peer. The Authenticator will typically issue this as the initial Request; however, an Identity Request MAY also be sent multiple times within a sequence of methods. An Identity Request MUST NOT be sent in the middle of another method conversation. An optional displayable message MAY be included within an Identity Request, to prompt the Peer in the case where there is an expectation of interaction with a user. An Identity Response MUST be sent to an Identity Request. A Peer MUST NOT respond to an Identity Request with a NAK. Authentication methods executing on the Authenticator are assumed to have access to the Identity Response(s) returned by the Peer, even though those messages have Type = 1 (Identity). Since the Identity Request is often sent automatically by the Authenticator, the Identity method may be thought of as residing within the EAP layer and providing services to the method layer. Since Identity Requests and Responses are not protected, from a security perspective, it may be preferable for protected method- specific Identity exchanges to be used instead. Since sending of Identity Requests by Authenticators is optional, implementations SHOULD provide a way to configure the Authenticator so that Identity Requests are not sent. However, it is possible that a method residing on the Authenticator may depend on the Identity Response, and and so Authenticator implementations SHOULD provide a way for a method to Blunk, Vollbrecht & Aboba Standards Track [Page 16] INTERNET-DRAFT RFC2284bis 28 November 2002 invoke sending of the Identity Request, in case no method-specific identity exchange is supported, and a claim of identity is required. Implementation Note: The Peer MAY obtain the Identity via user input. It is suggested that the Authenticator retry the Identity Request in the case of an invalid Identity or authentication failure to allow for potential typos on the part of the user. It is suggested that the Identity Request be retried a minimum of 3 times before terminating the authentication phase with a Failure reply. The Notification Request MAY be used to indicate an invalid authentication attempt prior to transmitting a new Identity Request (optionally, the failure MAY be indicated within the message of the new Identity Request itself). Type 1 Type-Data This field MAY contain a displayable message in the Request, containing UTF-8 encoded 10646 characters [RFC2279]. The Response uses this field to return the Identity. If the Identity is unknown, this field should be zero bytes in length. The field MUST NOT be null terminated. The length of this field is derived from the Length field of the Request/Response packet and hence a null is not required. 5.2. Notification Description The Notification Type is optionally used to convey a displayable message from the Authenticator to the Peer. An Authenticator MAY send a Notification Request to the Peer at any time, including in the middle of an ongoing method conversation. The Peer MUST respond to a Notification Request with a Notification Response; a NAK Response MUST NOT be sent. A Notification Response is typically generated automatically by the EAP layer; therefore the contents of a Notification Request MUST NOT be delivered to a Peer method other than Notification. The Peer SHOULD display this message to the user or log it if it cannot be displayed. The Notification Type is intended to provide an acknowledged notification of some imperative nature, but it is not an error indication, and therefore does not change the state of the Peer. Examples include a password with an expiration time that is about to expire, an OTP sequence integer which is nearing 0, an Blunk, Vollbrecht & Aboba Standards Track [Page 17] INTERNET-DRAFT RFC2284bis 28 November 2002 authentication failure warning, etc. In most circumstances, notification should not be required. Type 2 Type-Data The Type-Data field in the Request contains a displayable message greater than zero octets in length, containing UTF-8 encoded 10646 characters [RFC2279]. The length of the message is determined by Length field of the Request packet. The message MUST NOT be null terminated. A Response MUST be sent in reply to the Request with a Type field of 2 (Notification). The Type-Data field of the Response is zero octets in length. The Response should be sent immediately (independent of how the message is displayed or logged). 5.3. Nak Description The Nak Type is valid only in Response messages. It is sent in reply to a method proposal (the initial EAP Request for a given Type) where the desired authentication Type is unacceptable. Authentication Types are numbered 4 and above. The Response contains zero or one authentication Type desired by the Peer. A Nak with no authentication Type indicates that the Peer does not wish to authenticate using the proposed method but is not proposing an alternative. Since the Nak Type is only valid in Responses and has very limited functionality, it MUST NOT be used as a general purpose error indication, such as for communication of error messages, or negotiation of parameters specific to a particular EAP method. As a result, a NAK is only sent in response to a method proposal and MUST NOT be sent in the middle of an EAP method conversation. Code 2 for Response. Identifier The Identifier field is one octet and aids in matching Responses with Requests. The Identifier field of a Nak Response MUST match the Identifier field of the Request packet that it is sent in response to. Blunk, Vollbrecht & Aboba Standards Track [Page 18] INTERNET-DRAFT RFC2284bis 28 November 2002 Length >=5 Type 3 Type-Data Where the desired authentication Type is within the original EAP Type space (1-254), the Type-Data field, when present, MUST contain a single octet indicating the desired authentication Type. Where the desired authentication Type is a method within the extended EAP Type space (Type=255), the Type-Data field is formatted as follows (see Section 5.7 for details): 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=255 | Vendor-Id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5.4. MD5-Challenge Description The MD5-Challenge Type is analogous to the PPP CHAP protocol [RFC1994] (with MD5 as the specified algorithm). The Request contains a "challenge" message to the Peer. A Response MUST be sent in reply to the Request. The Response MAY be either of Type 4 (MD5-Challenge) or Type 3 (Nak). The Nak reply indicates zero or more of the Peer's desired authentication Types. All EAP implementations MUST support the MD5-Challenge mechanism. Note that the use of the Identifier field in the MD5-Challenge Type is different from that described in [RFC1994]. EAP allows for retransmission of MD5-Challenge Request packets while [RFC1994] states that both the Identifier and Challenge fields MUST change each time a Challenge (the CHAP equivalent of the MD5-Challenge Request packet) is sent. Type 4 Blunk, Vollbrecht & Aboba Standards Track [Page 19] INTERNET-DRAFT RFC2284bis 28 November 2002 Type-Data The contents of the Type-Data field is summarized below. For reference on the use of this fields see the PPP Challenge Handshake Authentication Protocol [RFC1994]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value-Size | Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Name ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Security Claims (see Section 7.3) Intended use: Wired networks, including PPP, PPPOE, and IEEE 802. Use over the Internet or with wireless only when protected. Mechanism: Password or pre-shared key. Mutual authentication: No Integrity protection: No Replay protection: No Confidentiality: No Key Derivation: No Key strength: N/A Dictionary attack prot: No Key hierarchy: N/A Fast reconnect: No MiTM resistance: No Acknowledged S/F: No 5.5. One-Time Password (OTP) Description The One-Time Password system is defined in "A One-Time Password System" [RFC2289] and "OTP Extended Responses" [RFC 2243]. The Request contains a displayable message containing an OTP challenge. A Response MUST be sent in reply to the Request. The Response MUST be of Type 5 (OTP) or Type 3 (Nak). The Nak reply indicates the Peer's desired authentication mechanism Type(s). Type 5 Type-Data Blunk, Vollbrecht & Aboba Standards Track [Page 20] INTERNET-DRAFT RFC2284bis 28 November 2002 The Type-Data field contains the OTP "challenge" as a displayable message in the Request. In the Response, this field is used for the 6 words from the OTP dictionary [RFC2289]. The messages MUST NOT be null terminated. The length of the field is derived from the Length field of the Request/Reply packet. Security Claims (see Section 7.3) Intended use: Wired networks, including PPP, PPPOE, and IEEE 802. Use over the Internet or with wireless only when protected. Mechanism: One-Time Password Mutual authentication: No Integrity protection: No Replay protection: No Confidentiality: No Key Derivation: No Key strength: N/A Dictionary attack prot: No Key hierarchy: N/A Fast reconnect: No MiTM resistance: No Acknowledged S/F: No 5.6. Generic Token Card (GTC) Description The Generic Token Card Type is defined for use with various Token Card implementations which require user input. The Request contains a displayable message and the Reply contains the Token Card information necessary for authentication. Typically, this would be information read by a user from the Token card device and entered as ASCII text. Type 6 Type-Data The Type-Data field in the Request contains a displayable message greater than zero octets in length. The length of the message is determined by Length field of the Request packet. The message MUST NOT be null terminated. A Response MUST be sent in reply to the Request with a Type field of 6 (Generic Token Card). The Response contains data from the Token Card required for authentication. The length is of the data is determined by the Length field of the Blunk, Vollbrecht & Aboba Standards Track [Page 21] INTERNET-DRAFT RFC2284bis 28 November 2002 Response packet. Security Claims (See Section 7.3) Intended use: Wired networks, including PPP, PPPOE, and IEEE 802. Use over the Internet or with wireless only when protected. Mechanism: Hardware token. Mutual authentication: No Integrity protection: No Replay protection: No Confidentiality: No Key Derivation: No Key strength: N/A Dictionary attack prot: No Key hierarchy: N/A Fast reconnect: No MiTM resistance: No Acknowledged S/F: No 5.7. Vendor-specific Description Due to EAP's popularity, the original Method Type space, which only provides for 255 values, is being allocated at a pace, which if continued, would result in exhaustion within a few years. Since many of the existing uses of EAP are vendor-specific, the Vendor-Specific Method Type is available to allow vendors to support their own extended Types not suitable for general usage. The Vendor-specific Type may also be used to expand the global Type space beyond the original 255 values. Peers not equipped to interpret the Vendor-specific Type MUST send a Nak as described in Section 5.3, in order to negotiate a more suitable authentication method. A summary of the Vendor-specific Type format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Vendor-Id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Blunk, Vollbrecht & Aboba Standards Track [Page 22] INTERNET-DRAFT RFC2284bis 28 November 2002 Type 255 for Vendor-specific Vendor-Id The Vendor-Id is 3 octets and represents the SMI Network Management Private Enterprise Code of the Vendor in network byte order, as allocated by IANA. A Vendor-Id of zero is reserved for use by the IETF in providing an expanded global EAP Type space. String The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets. The codification of the range of allowed usage of this field is outside the scope of this specification. It SHOULD be encoded as follows. The Vendor-Specific field is dependent on the vendor's definition of that attribute. An example encoding of the Vendor-Specific attribute using this method follows. Example Implementation 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Vendor-Id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-Specific... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Vendor-Type The Vendor-Type field is four octets and represents the vendor- specific Method Type. Where a Vendor-Id of zero is present, the Vendor-Type field provides an expanded global EAP Type space, beginning with EAP Type values of 256. Vendor-Specific The Vendor-Specific field is dependent on the vendor's definition of that attribute. Where a Vendor-Id of zero is present, the Vendor- Blunk, Vollbrecht & Aboba Standards Track [Page 23] INTERNET-DRAFT RFC2284bis 28 November 2002 Specific field will be used for transporting the contents of EAP Methods of Types 256 or greater. 6. IANA Considerations This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of values related to the EAP protocol, in accordance with BCP 26, [RFC2434]. There are two name spaces in EAP that require registration: Packet Codes and Method Types. EAP is not intended as a general-purpose protocol, and allocations SHOULD NOT be made for purposes unrelated to authentication. 6.1. Definition of Terms The following terms are used here with the meanings defined in BCP 26: "name space", "assigned value", "registration". The following policies are used here with the meanings defined in BCP 26: "Private Use", "First Come First Served", "Expert Review", "Specification Required", "IETF Consensus", "Standards Action". 6.2. Recommended Registration Policies For registration requests where a Designated Expert should be consulted, the responsible IESG area director should appoint the Designated Expert. For Designated Expert with Specification Required, the request is posted to the EAP WG mailing list (or, if it has been disbanded, a successor designated by the Area Director) for comment and review, and MUST include a pointer to a public specification. Before a period of 30 days has passed, the Designated Expert will either approve or deny the registration request and publish a notice of the decision to the EAP WG mailing list or its successor. A denial notice must be justified by an explanation and, in the cases where it is possible, concrete suggestions on how the request can be modified so as to become acceptable. For registration requests requiring Expert Review, the EAP mailing list should be consulted. If the EAP mailing list is no longer operational, an alternative mailing list may be designated by the responsible IESG Area Director. Packet Codes have a range from 1 to 255, of which 1-4 have been allocated. Because a new Packet Code has considerable impact on interoperability, a new Packet Code requires Standards Action, and should be allocated starting at 5. Blunk, Vollbrecht & Aboba Standards Track [Page 24] INTERNET-DRAFT RFC2284bis 28 November 2002 The original EAP Method Type space has a range from 1 to 255, and is the scarcest resource in EAP, and thus must be allocated with care. Method Types 1-36 have been allocated, with 20 available for re-use. Method Types 37-191 may be allocated following Designated Expert, with Specification Required. Release of blocks of Method Types (more than one for a given purpose) should require IETF Consensus. EAP Type Values 192-254 are reserved and allocation requires Standards Action. Method Type 255 is allocated for Vendor-Specific extensions and the use of that should be encouraged instead of allocation from the original global Method Type space, for functions specific only to one vendor's implementation of EAP, where no interoperability is deemed useful. When used with a Vendor-Id of zero, Method Type 255 can also be used to provide for an expanded Method Type space. Expanded Method Type values 256-4294967295 may be allocated after Type values 1-191 have been allocated. 7. Security Considerations EAP was designed for use with dialup PPP [RFC1661] and wired [IEEE802] networks such as Ethernet [IEEE8023]. On these networks, an attacker would need to gain physical access to the telephone or switch infrastructure in order to mount an attack. While such attacks have been documented, such as in [DECEPTION], they are assumed to be rare. However, subsequently EAP has been proposed for use on wireless networks, and over the Internet, where physical security cannot be assumed. On such networks, the security vulnerabilities are greater, as are the requirements for EAP security. This section defines the threat model and security terms and describes the security claims section required in EAP method specifications. We then discuss threat mitigation. 7.1. Threat model On physically insecure networks, it is possible for an attacker to gain access to the physical medium. This enables a range of attacks, including the following: [1] An adversary may try to discover user identities by snooping authentication traffic. [2] An adversary may try to modify or spoof EAP packets. Blunk, Vollbrecht & Aboba Standards Track [Page 25] INTERNET-DRAFT RFC2284bis 28 November 2002 [3] An adversary may launch denial of service attacks by spoofing layer 2 indications or EAP layer success/failure indications, replaying EAP packets, or generating packets with overlapping Identifiers. [4] An adversary might attempt to recover the pass-phrase by mounting an offline dictionary attack. [5] An adversary may attempt to convince the Peer to connect to an untrusted network, by mounting a man-in-the-middle attack. [6] An adversary may attempt to disrupt the EAP negotiation in order to weaken the authentication. [7] An attacker may attempt to recover the key by taking advantage of weak key derivation techniques used within EAP methods. [8] An attacker may attempt to take advantage of weak ciphersuites subsequently used after the EAP conversation is complete. Where EAP is used over wireless networks, an attacker needs to be within the coverage area of the wireless medium in order to carry out these attacks. However, where EAP is used over the Internet, no such restrictions apply. 7.2. Security terms Mutual authentication This refers to a method in which, within a single conversation, the Authenticator authenticates the Peer and the Peer authenticates the Authenticator. Two one-way conversations, running in opposite directions do not provide mutual authentication as defined here. Integrity protection This refers to authentication and integrity protection of EAP messages, including EAP Requests and Responses of types Identity, Nak and Notification, as well as other EAP Requests and Responses, and success and failure indications. Replay protection This refers to replay protection of EAP messages, including EAP Requests and Responses of types Identity, Nak and Notification, as well as other EAP Requests and Responses, and success and failure indications. Blunk, Vollbrecht & Aboba Standards Track [Page 26] INTERNET-DRAFT RFC2284bis 28 November 2002 Confidentiality This refers to encryption of EAP messages, including EAP Requests and Responses of types Identity, Nak and Notification, as well as other EAP Requests and Responses, and success and failure indications. A method making this claim MUST therefore also include support for identity protection. Key derivation This refers to the ability of the EAP method to derive ciphersuite-independent master session keys, used only for further key derivation. Key strength This refers to the effective entropy of the derived master session keys, independent of their physical length. For example, a 128-bit key derived from a password might have an effective entropy much less than 128 bits. Dictionary attack resistance Where password authentication is used, users are notoriously prone to selection of poor passwords. A method may be said to be dictionary attack resistant if an attack would require, on average, sorting through 2^64 or more possibilities. This can be accomplished, for example, by avoiding the use of passwords altogether (e.g. certificates, token cards), or by using a shared secret with sufficiently high entropy. Fast reconnect The ability, in the case where a security association has been previously established, to create a new or refreshed security association in 2.5 round-trips or less (excluding an Identity exchange). Man-in-the-Middle resistance The ability for the Peer to demonstrate to the Authenticator that it has acted as the Peer for each method within a sequence of methods or tunnel. Similarly, the Authenticator demonstrates to the Peer that it has acted as the Authenticator for each method within the sequence or tunnel. If this is not possible, then the authentication sequence or tunnel may be vulnerable to a man-in-the-middle attack. Acknowledged Success/Failure indications The ability of the Peer to provide the Authenticator with a Success/Failure indication in response to such an indication sent from the Authenticator to the Peer. Since cleartext success/failure indications can be spoofed, Blunk, Vollbrecht & Aboba Standards Track [Page 27] INTERNET-DRAFT RFC2284bis 28 November 2002 making this claim requires that the acknowledged Success/Failure exchange be integrity protected. 7.3. Security claims In order to clearly articulate the security provided by an EAP method, EAP method specifications MUST include a Security Claims section including the following declarations: [a] Intended use. This includes a statement of whether the method is intended for use over a physically secure or insecure network, as well as a statement of the applicable media. [b] Mechanism. This is a statement of the authentication technology: certificates, pre-shared keys, passwords, token cards, etc. [c] Security claims. This is a statement of the claimed security properties of the method, using terms defined in Section 7.2. The Security Claims section SHOULD include references to proof, or the proof itself (preferably in an Appendix). [d] Key strength. If the method derives keys, then the effective key strength MUST be estimated. [e] Description of key hierarchy. EAP methods deriving keys MUST either provide a reference to a key hierarchy specification, or describe how keys for authentication/integrity, encryption and IVs are to be derived from the provided keying material, and how cryptographic separation is maintained between keying material used for different purposes. [f] Indication of vulnerabilities. In addition to the security claims that are made, the specification MUST indicate which of the security claims detailed in Section 7.1 are NOT being made, and discuss the security implications. 7.4. Identity protection An Identity exchange is an optional within the EAP conversation. Therefore, it is possible to omit the Identity exchange entirely, or to postpone it until later in the conversation once a protected channel has been negotiated. However, within networks where backend authentication proxies or relays are present, it may be necessary to locate the appropriate backend authentication server before the authentication conversation can proceed. The realm portion of the Network Access Identifier (NAI) [RFC2486] is typically included within the Response-Identity in order to Blunk, Vollbrecht & Aboba Standards Track [Page 28] INTERNET-DRAFT RFC2284bis 28 November 2002 enable the authentication exchange to be routed to the appropriate backend authentication server. Therefore while the user-name portion of the NAI may be omitted in the Identity-Response, where proxies or relays are present, the realm portion may be required. 7.5. Man-in-the-middle attacks Where a sequence of methods is utilized for authentication or is tunneled within another protocol that omits Peer authentication, there exists a potential vulnerability to man-in-the-middle attack. Where a sequence of EAP methods is utilized for authentication, the Peer might not have proof that a single entity has acted as the Authenticator for all EAP methods within the sequence. For example, an Authenticator might terminate one EAP method, then forward the next method in the sequence to another party without the Peer's knowledge or consent. Similarly, the Authenticator might not have proof that a single entity has acted as the Peer for all EAP methods within the sequence. This enables an attack by a rogue EAP Authenticator tunneling EAP to a legitimate server. Where the tunneling protocol is used for key establishment but does not require Peer authentication, an attacker convincing a legitimate Peer to connect to it will be able to tunnel EAP packets to a legitimate server, successfully authenticating and obtaining the key. This allows the attacker to successfully establish itself as a man-in-the-middle, gaining access to the network, as well as the ability to decrypt data traffic between the legitimate Peer and server. This attack may be mitigated by the following measures: [a] Requiring mutual authentication within EAP tunneling mechanisms. [b] Requiring cryptographic binding between EAP methods executed within a sequence or between the EAP tunneling protocol and the tunneled EAP methods. [c] Limiting the EAP methods authorized for use without protection based on Peer and Authenticator policy. [d] Avoiding the use of sequences or tunnels when a single, strong method is available. 7.6. Packet modification attacks While individual EAP methods such as EAP TLS [RFC2716] may provide for authentication, integrity and replay protection of data placed within the Type-Data portion of EAP Request and Response packets, EAP itself Blunk, Vollbrecht & Aboba Standards Track [Page 29] INTERNET-DRAFT RFC2284bis 28 November 2002 does not provide built-in support for per-packet data origin authentication, replay or integrity protection. Since the Identifier is only a single octet, it is very easy to guess, allowing an attacker to successfully inject or replay EAP packets, including EAP Requests and Responses of types Identity, Nak and Notification, as well as other EAP Requests and Responses, and success and failure indications. An attacker may also modify the EAP headers within EAP packets where only the Type-Data field is protected. In the case of PPP and IEEE 802 wired links, it is assumed that such attacks are restricted to attackers who can gain access to the physical link. However, where EAP is run over wireless media such as IEEE 802.11, or over IP, such as within protocols supporting PPP or Ethernet tunneling [RFC2661], this assumption is no longer valid and the vulnerability to attack is much greater. To provide protection for EAP messages sent over physically insecure media, it is necessary to protect the EAP conversation via per-packet data origin authentication, integrity and replay protection. A variety of techniques may be used, including encapsulation of EAP within ISAKMP [RFC2408], (PIC) or within TLS [RFC2246]. However, as noted in Section 7.5, EAP tunneling may result in a man-in-the-middle vulnerability. 7.7. Dictionary attacks Password authentication algorithms such as EAP-MD5, MS-CHAPv1 [RFC2433] and Kerberos V [RFC1510] are known to be vulnerable to dictionary attacks. MS-CHAPv1 vulnerabilities are documented in [PPTPv1]; Kerberos vulnerabilities are described in [KRBATTACK], [KRBLIM], and [KERB4WEAK]. In order to protect against dictionary attacks, an authentication algorithm resistant to dictionary attack (as defined in Section 7.2) may be used. If an authentication algorithm is used that is known to be vulnerable to dictionary attack, then the authentication may be encrypted to obtain additional protection. However, as noted in Section 7.5, EAP tunneling may result in a man-in-the-middle vulnerability. 7.8. Connection to an untrusted network If a one-way authentication method is negotiated, such as EAP-MD5, then the Authenticator's identity will not be verified. While this might be acceptable over a link that is believed to be physically secure, this level of security is not acceptable where EAP runs over wireless media or IP, since this leaves the Peer vulnerable to connection to an untrusted network. As a result, where EAP is used over a physically insecure network, it is highly desirable to use a method supporting mutual authentication. Blunk, Vollbrecht & Aboba Standards Track [Page 30] INTERNET-DRAFT RFC2284bis 28 November 2002 In EAP there is no requirement that authentication be full duplex or that the same protocol be used in both directions. It is perfectly acceptable for different protocols to be used in each direction. This will, of course, depend on the specific protocols negotiated. However, in general, completing a single, mutual authentication is preferable to two one-way authentications, one in each direction. 7.9. Negotiation attacks In a negotiation attack, the attacker attempts to convince the Peer and Authenticator to negotiate a less secure EAP method. To avoid downgrading from a mutually authenticating method to one that only authenticates the Peer, where EAP is used over a physically insecure network, it is desirable for the Peer to only accept negotiation of a mutually authenticating method with dictionary attack resistance. In practice it is anticipated that a particular named user will be authenticated by a predefined method or sequence of methods, without leaving the user any choice. Enabling negotiation would make the user vulnerable to attacks which negotiate the least secure method from among a set (such as EAP-MD5 instead of a mutually authenticating method with dictionary attack resistance). Instead, for each named user there SHOULD be an indication of exactly one method or sequence of methods used to authenticate that user name. If a user needs to make use of different authentication methods under different circumstances, then distinct identities SHOULD be employed, each of which identifies exactly one authentication method or sequence of methods. 7.10. Implementation idiosyncrasies The interaction of authentication protocols with link layer technologies such as PPP and IEEE 802 are highly implementation dependent. For example, upon failure of authentication, some PPP implementations do not terminate the link, instead limiting the kind of traffic in the Network-Layer Protocols to a filtered subset, which in turn allows the user opportunity to update secrets or send mail to the network administrator indicating a problem. Similarly, while in IEEE 802.1X an authentication failure will result denied access to the controlled port, limited traffic may be permitted on the uncontrolled port. In EAP there is no provision for retries of failed authentication. However, in PPP the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt. Similarly, in IEEE Blunk, Vollbrecht & Aboba Standards Track [Page 31] INTERNET-DRAFT RFC2284bis 28 November 2002 802.1X the Supplicant or Authenticator can re-authenticate at any time. It is recommended that any counters used for authentication failure not be reset until after successful authentication, or subsequent termination of the failed link. 7.11. Key derivation It is possible for the EAP endpoints to mutually authenticate, negotiate a ciphersuite, and derive session key(s) for subsequent use with per- packet authentication, integrity protection and encryption. Since the Peer and EAP client reside on the same machine, the EAP client module passes the derived session key to the link layer security module. In the case where the backend authentication server and Authenticator reside on different machines, there are several implications for security: [a] Mutual authentication will occur between the Peer and the backend authentication server, not between the Peer and the Authenticator. This means that it is not possible for the Peer to validate the identity of the Authenticator within EAP alone. [b] The session key negotiated between the Peer and backend authentication server will need to be transmitted to the Authenticator. Therefore a mechanism needs to be provided to transmit the session key from the backend authentication server to the Authenticator that needs to use the key. The specification of this transit mechanism is outside the scope of this document. This specification does not provide guidance on how EAP methods are to derive keys. Key derivation is an art that is best practiced by professionals; rather than inventing new key derivation algorithms, reuse of existing algorithms such as those specified in IKE [RFC2409], or TLS [RFC2246] is recommended. 7.12. Weak ciphersuites EAP authentication may be used in situations where after the initial authentication, data packets are sent without per-packet data origin authentication, integrity and replay protection or confidentiality. These scenarios are inherently insecure. Without per-packet authentication, integrity and replay protection, an attacker with access to the media can inject packets, "flip bits" within existing packets, or even hijack the session completely. Without per-packet confidentiality, it is possible to snoop data packets. On physically insecure media, EAP SHOULD be used in concert with credible ciphersuites in order to provide defensible security. In Blunk, Vollbrecht & Aboba Standards Track [Page 32] INTERNET-DRAFT RFC2284bis 28 November 2002 particular, EAP SHOULD NOT be used for authentication without subsequent invocation of per-packet integrity protection and authentication of data, since this would leave the session vulnerable to hijacking. Due to the many of known attacks to which it is vulnerable, Wired Equivalent Privacy (WEP) [IEEE80211] does not qualify as a credible ciphersuite. 8. Normative references [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994. [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996. [RFC2044] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO 10646", RFC 2044, October 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.] [RFC2243] Metz, C., "OTP Extended Responses", RFC 2243, November 1997. [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998. [RFC2289] Haller, N., Metz, C., Nesser, P., and Straw M., "A One- Time Password System", RFC 2289, February 1998. [RFC2434] Alvestrand, H. and Narten, T., "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC2988] Paxson, V., Allman, M., "Computing TCP's Retransmission Timer", RFC 2988, November 2000. [IEEE802] IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture, ANSI/IEEE Std 802, 1990. [IEEE8021X] IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Std 802.1X-2001, June 2001. 9. Informative references [DECEPTION] Slatalla, M., and Quittner, J., "Masters of Deception." HarperCollins, New York, 1995. Blunk, Vollbrecht & Aboba Standards Track [Page 33] INTERNET-DRAFT RFC2284bis 28 November 2002 [RFC1510] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993. [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, November 1998. [RFC2486] Beadles, M., Aboba, B., "The Network Access Identifier", RFC 2486, January 1999. [RFC2401] Atkinson, R., Kent, S., "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC2408] Maughan, D., Schertler, M., Schneider, M., Turner, J., "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC2433] Zorn, G., Cobb, S., "Microsoft PPP CHAP Extensions", RFC 2433, October 1998. [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G., and Palter, B., "Layer Two Tunneling Protocol L2TP", RFC 2661, August 1999. [RFC2716] Aboba, B., Simon, D.,"PPP EAP TLS Authentication Protocol", RFC 2716, October 1999. [KRBATTACK] Wu, T., "A Real-World Analysis of Kerberos Password Security", Stanford University Computer Science Department, http://theory.stanford.edu/~tjw/krbpass.html [KRBLIM] Bellovin, S.M., Merritt, M., "Limitations of the Kerberos authentication system", Proceedings of the 1991 Winter USENIX Conference, pp. 253-267, 1991. [KERB4WEAK] Dole, B., Lodin, S., and Spafford, E., "Misplaced trust: Kerberos 4 session keys", Proceedings of the Internet Society Network and Distributed System Security Symposium, pp. 60-70, March 1997. [PIC] Sheffer, Y., Krawczyk, H., Aboba, B., "PIC, A Pre-IKE Credential Provisioning Protocol", Internet draft (work in progress), draft-ietf-ipsra-pic-06.txt, October 2002. [PPTPv1] Schneier, B, Mudge, "Cryptanalysis of Microsoft's Point- to- Point Tunneling Protocol", Proceedings of the 5th ACM Conference on Communications and Computer Security, ACM Press, November 1998. Blunk, Vollbrecht & Aboba Standards Track [Page 34] INTERNET-DRAFT RFC2284bis 28 November 2002 [IEEE8023] ISO/IEC 8802-3 Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications, (also ANSI/IEEE Std 802.3- 1996), 1996. [IEEE80211] Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std. 802.11-1999, 1999. Acknowledgments This protocol derives much of its inspiration from Dave Carrel's AHA draft as well as the PPP CHAP protocol [RFC1994]. Bill Simpson provided much of the boilerplate used throughout this document. Al Rubens (Merit) also provided valuable feedback, as did Glen Zorn (Cisco) and Ashwin Palekar (Microsoft). Authors' Addresses Larry J. Blunk Merit Network, Inc. 4251 Plymouth Rd., Suite C Ann Arbor, MI 48105 EMail: ljb@merit.edu Phone: 734-763-6056 FAX: 734-647-3185 John R. Vollbrecht Interlink Networks, Inc. 775 Technology Drive, Suite 200 Ann Arbor, MI 48108 USA Phone: +1 734 821 1205 Fax: +1 734 821 1235 EMail: jrv@interlinknetworks.com Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 Blunk, Vollbrecht & Aboba Standards Track [Page 35] INTERNET-DRAFT RFC2284bis 28 November 2002 EMail: bernarda@microsoft.com Phone: +1 425 706 6605 Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Open issues Open issues relating to this specification are tracked on the following web site: http://www.drizzle.com/~aboba/EAP/eapissues.html Expiration Date This memo is filed as , and expires June 24, 2003. Blunk, Vollbrecht & Aboba Standards Track [Page 36]