Internet Engineering Task Force P. Urien M. Badra ENST Paris Expires: December 2006 June, 2006 Identity Protection within EAP-TLS Status By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on December 1, 2006. Copyright Notice Copyright (C) The Internet Society (2006). All Rights Reserved. Urien & Badra Expires December 2006 [Page 1] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 Abstract This document defines a mechanism providing EAP-TLS identity protection. It defines new TLS extension, in order to negotiate the symmetric encryption algorithm that is used to encrypt or decrypt the client's certificate. Table of Contents Abstract...........................................................2 1 Introduction.....................................................3 1.2 Requirements language..........................................3 2 EAP-TLS Identity Protection overview.............................4 3 Certificate Encryption...........................................5 4 Identity protection extension....................................5 5 Security Considerations..........................................6 6 References.......................................................6 7 Author's Addresses...............................................6 Urien & Badra Expires December 2006 [Page 2] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 1 Introduction According to [EAP], "EAP Methods deriving keys MUST provide for mutual authentication between the EAP peer and the EAP Server". Consequently, in [EAP-TLS], which is a quite transparent transport of TLS [TLS] over EAP, "the mutual authentication will occur between the peer and the EAP server". For that, when the EAP server sent a certificate_request message, then the peer MUST reply with certificate and certificate_verify handshake messages. peer EAP server ClientHello --------> ServerHello Certificate ServerKeyExchange CertificateRequest <-------- ServerHelloDone Certificate // peer identity is sent in clear text ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Figure 1. Mutual authentication exchanges within TLS The peer always sends its certificate in clear text, and therefore exposes its identity (e.g. an X509 certificate) to eavesdropping. Thus, an intruder can easily get the certificate and then derive the certificate owner's real identity. This document describes how identity protection may be integrated as an optional service in EAP-TLS. It is based on TLS and TLS extensions standards and then it does not require significant changes to the actual specifications. 1.2 Requirements language The key words "MUST", "SHALL", "SHOULD", and "MAY", in this document are to be interpreted as described in RFC-2119. Urien & Badra Expires December 2006 [Page 3] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 2 EAP-TLS Identity Protection overview In order to allow an EAP-TLS peer to request identity protection exchange, a new extension type is added to the Extended Client and Server Hello messages. TLS clients and servers include an extension of type 'identity- protection (TBD)' in the Extended Client and Server Hello messages. The 'extension_data' field of this extension contains a list of encryption algorithms supported by the client, ordered by preference. If the server is willing to accept using the extension, the client and the server negotiate the symmetric algorithm that will be used to encrypt/decrypt the client certificate. At the end of the hello phase, the client generates the pre_master_secret, encrypts it under the server's public key, and sends the result to the server. According to [TLS] a shared secret, called master_secret is computed from, among others, the pre_master_secret. Hence, the client and the server have all the security parameters to generate the session keys. Before sending its certificate message, the client encrypts its certificate using the negotiated symmetric algorithm through the anonymity extension and a key derived as follows. enc_key = PRF(SecurityParameters.master_secret, "client_certificate", SecurityParameters.client_random + SecurityParameters.server_random); The server repeats the same operation by decrypting the certificate message using the negotiated symmetric algorithm through the anonymity extension and a key derived in the same manner. Urien & Badra Expires December 2006 [Page 4] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 Client Server ExtendedClientHello --------> ExtendedServerHello Certificate ServerKeyExchange CertificateRequest <-------- ServerHelloDone Certificate // peer identity is sent encrypted ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Figure 2. Mutual authentication exchanges with identity protection 3 Certificate Encryption If a stream cipher is chosen, then the peer's certificate is encrypted with the enc_key, without any padding byte. If a block cipher is selected, then padding bytes are added to force the length of the certificate message to be an integral multiple of the bloc cipher's length. 4 Identity protection extension The TLS extension is sent by the client to indicate to the server that the client certificate will be sent encrypted using a symmetric algorithm negotiated through that extension. The symmetric algorithm uses a key derived from the random values and from the master_secret. struct { SymmetricAlgorithm symmetric_alg_list<0..2^16-1>; } IdentityProtection; enum { rc4_128(0), (255) } SymmetricAlgorithm; The "extension_data" field of this extension shall contain the symmetric algorithms (and their key length) supported by the client. Encryption algorithms are sent in order of the client's preference (favorite choice first). Urien & Badra Expires December 2006 [Page 5] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 5 Security Considerations Security issues are discussed throughout this memo and in [EAP-TLS], [EAP-TLS] and [TLS-EXT] 6 References [EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. [EAP-TLS] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", RFC 2716, October 1999. [TLS] Dierks, T., et. al, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [TLS-EXT] Blake-Wilson, S., et. al, "Transport Layer Security (TLS) Extensions", RFC 3546, June 2003. 7 Author's Addresses Pascal Urien ENST Paris France Email: Pascal.Urien@enst.fr Mohamad Badra ENST Paris France Email: Mohamad.Badra@enst.fr Urien & Badra Expires December 2006 [Page 6] INTERNET-DRAFT EAP-TLS Identity Protection June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Urien & Badra Expires December 2006 [Page 7]