-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdraft-aboba-emu-rfc5216bis-00.txt
1683 lines (1214 loc) · 66 KB
/
draft-aboba-emu-rfc5216bis-00.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
EMU Working Group Bernard Aboba
Internet-Draft Microsoft Corporation
Obsoletes: 5216 Ryan Hurst
Category: Full Standard Google
Expires: July 1, 2018 Alan DeKok
FreeRADIUS Project
The EAP TLS Authentication Protocol
draft-aboba-emu-rfc5216bis-01.txt
Abstract
The Extensible Authentication Protocol (EAP), defined in RFC 3748,
provides support for multiple authentication methods. Transport
Level Security (TLS) provides for mutual authentication, integrity-
protected ciphersuite negotiation and key exchange between two
endpoints. This document defines EAP-TLS, which includes support for
certificate-based mutual authentication and key derivation.
This document obsoletes RFC 5216. A summary of the changes between
this document and RFC 5216 is available in Appendix A.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 1, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Aboba, Hurst & DeKok Full Standard [Page 1]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction.............................................. 3
1.1 Requirements Language ........................... 3
1.2 Terminology ..................................... 3
2. Protocol Overview ........................................ 4
2.1 Overview of the EAP-TLS Conversation ............ 4
2.2 Identity Verification ........................... 15
2.3 Key Hierarchy ................................... 16
2.4 Ciphersuite and Compression Negotiation ......... 18
3. Detailed Description of the EAP-TLS Protocol ............. 19
3.1 EAP TLS Request Packet ......................... 19
3.2 EAP TLS Response Packet ........................ 21
4. IANA Considerations ...................................... 22
5. Security Considerations .................................. 22
5.1 Security Claims ................................ 22
5.2 Peer and Server Identities ..................... 23
5.3 Certificate Validation ......................... 24
5.4 Certificate Revocation ......................... 25
5.5 Packet Modification Attacks .................... 26
6. References ............................................... 27
6.1 Normative references ....... .................... 27
6.2 Informative references .......................... 28
Acknowledgments .............................................. 29
Authors' Addresses ........................................... 30
Appendix A - Changes from RFC 2716 ........................... 31
Full Copyright Statement ..................................... 32
Intellectual Property ........................................ 32
Aboba, Hurst & DeKok Full Standard [Page 2]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
1. Introduction
The Extensible Authentication Protocol (EAP), described in [RFC3748],
provides a standard mechanism for support of multiple authentication
methods. Through the use of EAP, support for a number of
authentication schemes may be added, including smart cards, Kerberos,
Public Key, One Time Passwords, and others. EAP has been defined for
use with a variety of lower layers, including Point-to-Point Protocol
(PPP) [RFC1661], Layer 2 tunneling protocols such as PPTP [RFC2637]
or L2TP [RFC2661], IEEE 802 wired networks [IEEE-802.1X] and wireless
technologies such as IEEE 802.11 [IEEE-802.11] and IEEE 802.16
[IEEE-802.16e].
While the EAP methods defined in [RFC3748] did not support mutual
authentication, the use of EAP with wireless technologies such as
[IEEE-802.11] has resulted in development of a new set of
requirements. As described in "EAP Method Requirements for Wireless
LANs" [RFC4017], it is desirable for EAP methods used for wireless
LAN authentication to support mutual authentication and key
derivation. Other link layers can also make use of EAP to enable
mutual authentication and key derivation.
This document defines EAP-Transport Layer Security (EAP-TLS), which
includes support for certificate-based mutual authentication and key
derivation, utilizing the version negotiation, protected ciphersuite
negotiation, mutual authentication and key management capabilities of
the TLS protocol. While this document obsoletes RFC 5216 [RFC5216],
it remains backward compatible with it. A summary of the changes
between this document and RFC 5216 is available in Appendix A.
1.1. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.2. Terminology
This document frequently uses the following terms:
authenticator
The entity initiating EAP authentication.
peer The entity that responds to the authenticator. In [IEEE-802.1X],
this entity is known as the Supplicant.
backend authentication server
A backend authentication server is an entity that provides an
Aboba, Hurst & DeKok Full Standard [Page 3]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
authentication service to an authenticator. When used, this server
typically executes EAP methods for the authenticator. This
terminology is also used in [IEEE-802.1X].
EAP server
The entity that terminates the EAP authentication method with the
peer. In the case where no backend authentication server is used,
the EAP server is part of the authenticator. In the case where the
authenticator operates in pass-through mode, the EAP server is
located on the backend authentication server.
Master Session Key (MSK)
Keying material that is derived between the EAP peer and server and
exported by the EAP method.
Extended Master Session Key (EMSK)
Additional keying material derived between the EAP peer and server
that is exported by the EAP method.
2. Protocol Overview
2.1. Overview of the EAP-TLS Conversation
As described in [RFC3748], the EAP-TLS conversation will typically
begin with the authenticator and the peer negotiating EAP. The
authenticator will then typically send an EAP-Request/Identity packet
to the peer, and the peer will respond with an EAP-Response/Identity
packet to the authenticator, containing the peer's user-Id.
From this point forward, while nominally the EAP conversation occurs
between the EAP authenticator and the peer, the authenticator can act
as a pass-through device, with the EAP packets received from the peer
being encapsulated for transmission to a backend authentication
server. In the discussion that follows, we will use the term "EAP
server" to denote the ultimate endpoint conversing with the peer.
2.1.1. Base Case
Once having received the peer's Identity, the EAP server MUST respond
with an EAP-TLS/Start packet, which is an EAP-Request packet with
EAP-Type=EAP-TLS, the Start (S) bit set, and no data. The EAP-TLS
conversation will then begin, with the peer sending an EAP-Response
packet with EAP-Type=EAP-TLS. The data field of that packet will
encapsulate one or more TLS records in TLS record layer format,
containing a TLS client_hello handshake message. The current cipher
spec for the TLS records will be TLS_NULL_WITH_NULL_NULL and null
compression. This current cipher spec remains the same until the
change_cipher_spec message signals that subsequent records will have
the negotiated attributes for the remainder of the handshake.
Aboba, Hurst & DeKok Full Standard [Page 4]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
The client_hello message contains the peer's TLS version number, a
sessionId, a random number, and a set of ciphersuites supported by
the peer. The version offered by the peer MUST correspond to TLS
v1.0 or later.
The EAP server will then respond with an EAP-Request packet with EAP-
Type=EAP-TLS. The data field of this packet will encapsulate one or
more TLS records. These will contain a TLS server_hello handshake
message, possibly followed by TLS certificate, server_key_exchange,
certificate_request, server_hello_done and/or finished handshake
messages, and/or a TLS change_cipher_spec message. The server_hello
handshake message contains a TLS version number, another random
number, a sessionId, and a ciphersuite. The version offered by the
server MUST correspond to TLS v1.0 or later.
If the peer's sessionId is null or unrecognized by the server, the
server MUST choose the sessionId to establish a new session.
Otherwise, the sessionId will match that offered by the peer,
indicating a resumption of the previously established session with
that sessionId. The server will also choose a ciphersuite from those
offered by the peer. If the session matches the peer's, then the
ciphersuite MUST match the one negotiated during the handshake
protocol execution that established the session.
If the EAP server is not resuming a previously established session,
then it MUST include a TLS server_certificate handshake message, and
a server_hello_done handshake message MUST be the last handshake
message encapsulated in this EAP-Request packet.
The certificate message contains a public key certificate chain for
either a key exchange public key (such as an RSA or Diffie-Hellman
key exchange public key) or a signature public key (such as an RSA or
Digital Signature Standard (DSS) signature public key). In the
latter case, a TLS server_key_exchange handshake message MUST also be
included to allow the key exchange to take place.
The certificate_request message is included when the server desires
the peer to authenticate itself via public key. While the EAP server
SHOULD require peer authentication, this is not mandatory, since
there are circumstances in which peer authentication will not be
needed (e.g., emergency services, as described in [UNAUTH]), or where
the peer will authenticate via some other means.
If the peer supports EAP-TLS and is configured to use it, it MUST
respond to the EAP-Request with an EAP-Response packet of EAP-
Type=EAP-TLS. If the preceding server_hello message sent by the EAP
server in the preceding EAP-Request packet did not indicate the
resumption of a previous session, the data field of this packet MUST
Aboba, Hurst & DeKok Full Standard [Page 5]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
encapsulate one or more TLS records containing a TLS
client_key_exchange, change_cipher_spec, and finished messages. If
the EAP server sent a certificate_request message in the preceding
EAP-Request packet, then unless the peer is configured for privacy
(see Section 2.1.4) the peer MUST send, in addition, certificate and
certificate_verify messages. The former contains a certificate for
the peer's signature public key, while the latter contains the peer's
signed authentication response to the EAP server. After receiving
this packet, the EAP server will verify the peer's certificate and
digital signature, if requested.
If the preceding server_hello message sent by the EAP server in the
preceding EAP-Request packet indicated the resumption of a previous
session, then the peer MUST send only the change_cipher_spec and
finished handshake messages. The finished message contains the
peer's authentication response to the EAP server.
In the case where the EAP-TLS mutual authentication is successful,
the conversation will appear as follows:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=EAP-TLS
Aboba, Hurst & DeKok Full Standard [Page 6]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Success
2.1.2. Session Resumption
The purpose of the sessionId within the TLS protocol is to allow for
improved efficiency in the case where a peer repeatedly attempts to
authenticate to an EAP server within a short period of time. While
this model was developed for use with HTTP authentication, it also
can be used to provide "fast reconnect" functionality as defined in
[RFC3748] Section 7.2.1.
It is left up to the peer whether to attempt to continue a previous
session, thus shortening the TLS conversation. Typically the peer's
decision will be made based on the time elapsed since the previous
authentication attempt to that EAP server. Based on the sessionId
chosen by the peer, and the time elapsed since the previous
authentication, the EAP server will decide whether to allow the
continuation, or whether to choose a new session.
In the case where the EAP server and authenticator reside on the same
device, the peer will only be able to continue sessions when
connecting to the same authenticator. Should the authenticators be
set up in a rotary or round-robin then it may not be possible for the
peer to know in advance the authenticator it will be connecting to,
and therefore which sessionId to attempt to reuse. As a result, it
is likely that the continuation attempt will fail. In the case where
the EAP authentication is remoted then continuation is much more
likely to be successful, since multiple authenticators will utilize
the same backend authentication server.
If the EAP server is resuming a previously established session, then
it MUST include only a TLS change_cipher_spec message and a TLS
finished handshake message after the server_hello message. The
finished message contains the EAP server's authentication response to
the peer.
In the case where a previously established session is being resumed,
and both sides authenticate successfully, the conversation will
appear as follows:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
Aboba, Hurst & DeKok Full Standard [Page 7]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS change_cipher_spec
TLS finished)
EAP-Response/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS finished) ->
<- EAP-Success
2.1.3. Termination
To ensure that the peer receives the TLS alert message, the EAP
server MUST wait for the peer to reply with an EAP-Response packet.
The EAP-Response packet sent by the peer MAY encapsulate a TLS
client_hello handshake message, in which case the EAP server MAY
allow the EAP-TLS conversation to be restarted, or it MAY contain an
EAP-Response packet with EAP-Type=EAP-TLS and no data, in which case
the EAP-Server MUST send an EAP-Failure packet, and terminate the
conversation. It is up to the EAP server whether to allow restarts,
and if so, how many times the conversation can be restarted. An EAP
Server implementing restart capability SHOULD impose a per-peer limit
on the number of restarts, so as to protect against denial of service
attacks.
If the peer authenticates successfully, the EAP server MUST respond
with an EAP-Request packet with EAP-Type=EAP-TLS, which includes, in
the case of a new TLS session, one or more TLS records containing TLS
change_cipher_spec and finished handshake messages. The latter
contains the EAP server's authentication response to the peer. The
peer will then verify the finished message in order to authenticate
the EAP server.
If EAP server authentication is unsuccessful, the peer SHOULD delete
the session from its cache, preventing reuse of the sessionId. The
peer MAY send an EAP-Response packet of EAP-Type=EAP-TLS containing a
TLS Alert message identifying the reason for the failed
authentication. The peer MAY send a TLS alert message rather than
Aboba, Hurst & DeKok Full Standard [Page 8]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
immediately terminating the conversation so as to allow the EAP
server to log the cause of the error for examination by the system
administrator.
To ensure that the EAP Server receives the TLS alert message, the
peer MUST wait for the EAP-Server to reply before terminating the
conversation. The EAP Server MUST reply with an EAP-Failure packet
since server authentication failure is a terminal condition.
If the EAP server authenticates successfully, the peer MUST send an
EAP-Response packet of EAP-Type=EAP-TLS, and no data. The EAP-Server
then MUST respond with an EAP-Success message.
In the case where the server authenticates to the peer successfully,
but the peer fails to authenticate to the server, the conversation
will appear as follows:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
Aboba, Hurst & DeKok Full Standard [Page 9]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
EAP-Type=EAP-TLS ->
<- EAP-Request
EAP-Type=EAP-TLS
(TLS Alert message)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Failure
(User Disconnected)
In the case where server authentication is unsuccessful, the
conversation will appear as follows:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS Alert message) ->
<- EAP-Failure
(User Disconnected)
2.1.4. Privacy
EAP-TLS peer and server implementations MAY support privacy.
Disclosure of the username is avoided by utilizing a privacy Network
Access Identifier (NAI) [RFC7542] in the EAP-Response/Identity, and
transmitting the peer certificate within a TLS session providing
confidentiality.
In order to avoid disclosing the peer username, an EAP-TLS peer
configured for privacy MUST negotiate a TLS ciphersuite supporting
confidentiality and MUST provide a client certificate list containing
Aboba, Hurst & DeKok Full Standard [Page 10]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
no entries in response to the initial certificate_request from the
EAP-TLS server.
An EAP-TLS server supporting privacy MUST NOT treat a certificate
list containing no entries as a terminal condition; instead it MUST
bring up the TLS session and then send a hello_request. The
handshake then proceeds normally; the peer sends a client_hello and
the server replies with a server_hello, certificate,
server_key_exchange, certificate_request, server_hello_done, etc.
For the calculation of exported keying material (see Section 2.3),
the master_secret derived within the second handshake is used.
An EAP-TLS peer supporting privacy MUST provide a certificate list
containing at least one entry in response to the subsequent
certificate_request sent by the server. If the EAP-TLS server
supporting privacy does not receive a client certificate in response
to the subsequent certificate_request, then it MUST abort the
session.
EAP-TLS privacy support is designed to allow EAP-TLS peers that do
not support privacy to interoperate with EAP-TLS servers supporting
privacy. EAP-TLS servers supporting privacy MUST request a client
certificate, and MUST be able to accept a client certificate offered
by the EAP-TLS peer, in order to preserve interoperability with EAP-
TLS peers that do not support privacy.
However, an EAP-TLS peer configured for privacy typically will not be
able to successfully authenticate with an EAP-TLS server that does
not support privacy, since such a server will typically treat the
refusal to provide a client certificate as a terminal error. As a
result, unless authentication failure is considered preferable to
disclosure of the username, EAP-TLS peers SHOULD only be configured
for privacy on networks known to support it.
This is most easily achieved with EAP lower layers that support
network advertisement, so that the network and appropriate privacy
configuration can be determined. In order to determine the privacy
configuration on link layers (such as IEEE 802 wired networks) which
do not support network advertisement, it may be desirable to utilize
information provided in the server certificate (such as the subject
and subjectAltName fields) or within identity selection hints
[RFC4284] to determine the appropriate configuration.
In the case where the peer and server support privacy and mutual
authentication, the conversation will appear as follows:
Authenticating Peer Authenticator
------------------- -------------
Aboba, Hurst & DeKok Full Standard [Page 11]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
<- EAP-Request/
Identity
EAP-Response/
Identity (Anonymous NAI) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate (no cert),
TLS client_key_exchange,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
finished,
hello_request)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
TLS server_key_exchange,
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
Aboba, Hurst & DeKok Full Standard [Page 12]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
TLS finished)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Success
2.1.5. Fragmentation
A single TLS record may be up to 16384 octets in length, but a TLS
message may span multiple TLS records, and a TLS certificate message
may in principle be as long as 16MB. The group of EAP-TLS messages
sent in a single round may thus be larger than the MTU size or the
maximum RADIUS packet size of 4096 octets. As a result, an EAP-TLS
implementation MUST provide its own support for fragmentation and
reassembly. However, in order to ensure interoperability with
existing implementations, TLS handshake messages SHOULD NOT be
fragmented into multiple TLS records if they fit within a single TLS
record.
In order to protect against reassembly lockup and denial of service
attacks, it may be desirable for an implementation to set a maximum
size for one such group of TLS messages. Since a single certificate
is rarely longer than a few thousand octets, and no other field is
likely to be anywhere near as long, a reasonable choice of maximum
acceptable message length might be 64 KB.
Since EAP is a simple ACK-NAK protocol, fragmentation support can be
added in a simple manner. In EAP, fragments that are lost or damaged
in transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a
fragment offset field as is provided in IPv4.
EAP-TLS fragmentation support is provided through addition of a flags
octet within the EAP-Response and EAP-Request packets, as well as a
TLS Message Length field of four octets. Flags include the Length
included (L), More fragments (M), and EAP-TLS Start (S) bits. The L
flag is set to indicate the presence of the four octet TLS Message
Length field, and MUST be set for the first fragment of a fragmented
TLS message or set of messages. The M flag is set on all but the last
fragment. The S flag is set only within the EAP-TLS start message
sent from the EAP server to the peer. The TLS Message Length field is
four octets, and provides the total length of the TLS message or set
of messages that is being fragmented; this simplifies buffer
allocation.
When an EAP-TLS peer receives an EAP-Request packet with the M bit
set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and
no data. This serves as a fragment ACK. The EAP server MUST wait
until it receives the EAP-Response before sending another fragment.
Aboba, Hurst & DeKok Full Standard [Page 13]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
In order to prevent errors in processing of fragments, the EAP server
MUST increment the Identifier field for each fragment contained
within an EAP-Request, and the peer MUST include this Identifier
value in the fragment ACK contained within the EAP-Response.
Retransmitted fragments will contain the same Identifier value.
Similarly, when the EAP server receives an EAP-Response with the M
bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-TLS
and no data. This serves as a fragment ACK. The EAP peer MUST wait
until it receives the EAP-Request before sending another fragment.
In order to prevent errors in the processing of fragments, the EAP
server MUST increment the Identifier value for each fragment ACK
contained within an EAP-Request, and the peer MUST include this
Identifier value in the subsequent fragment contained within an EAP-
Response.
In the case where the EAP-TLS mutual authentication is successful,
and fragmentation is required, the conversation will appear as
follows:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start, S bit set)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
(Fragment 1: L, M bits set)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Request/
EAP-Type=EAP-TLS
(Fragment 2: M bit set)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Request/
Aboba, Hurst & DeKok Full Standard [Page 14]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
EAP-Type=EAP-TLS
(Fragment 3)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished)(Fragment 1:
L, M bits set)->
<- EAP-Request/
EAP-Type=EAP-TLS
EAP-Response/
EAP-Type=EAP-TLS
(Fragment 2)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Success
2.2. Identity Verification
As noted in [RFC3748] Section 5.1:
It is RECOMMENDED that the Identity Response be used primarily for
routing purposes and selecting which EAP method to use. EAP
Methods SHOULD include a method-specific mechanism for obtaining
the identity, so that they do not have to rely on the Identity
Response.
As part of the TLS negotiation, the server presents a certificate to
the peer, and if mutual authentication is requested, the peer
presents a certificate to the server. EAP-TLS therefore provides a
mechanism for determining both the peer identity (Peer-Id in
[RFC5247]) and server identity (Server-Id in [RFC5247]). For
details, see Section 5.2.
Since the identity presented in the EAP-Response/Identity need not be
related to the identity presented in the peer certificate, EAP-TLS
implementations SHOULD NOT require that they be identical. However,
if they are not identical, the identity presented in the EAP-
Response/Identity is unauthenticated information, and SHOULD NOT be
used for access control or accounting purposes.
Aboba, Hurst & DeKok Full Standard [Page 15]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
2.3. Key Hierarchy
Figure 1 illustrates the TLS Key Hierarchy, described in [RFC4346]
Section 6.3. The derivation proceeds as follows:
master_secret = TLS-PRF-48(pre_master_secret, "master secret",
client.random || server.random)
key_block = TLS-PRF-X(master_secret, "key expansion",
server.random || client.random)
Where:
TLS-PRF-X = TLS pseudo-random function defined in [RFC4346],
computed to X octets.
In EAP-TLS, the MSK, EMSK and IV are derived from the TLS master
secret via a one-way function. This ensures that the TLS master
secret cannot be derived from the MSK, EMSK or IV unless the one-way
function (TLS PRF) is broken. Since the MSK and EMSK are derived
from the TLS master secret, if the TLS master secret is compromised
then the MSK and EMSK are also compromised.
The MSK is divided into two halves, corresponding to the "Peer to
Authenticator Encryption Key" (Enc-RECV-Key, 32 octets) and
"Authenticator to Peer Encryption Key" (Enc-SEND-Key, 32 octets).
The IV is a 64 octet quantity that is a known value; octets 0-31 are
known as the "Peer to Authenticator IV" or RECV-IV, and Octets 32-63
are known as the "Authenticator to Peer IV", or SEND-IV.
Aboba, Hurst & DeKok Full Standard [Page 16]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
| | pre_master_secret |
server| | | client
Random| V | Random
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | | |
+---->| master_secret |<----+
| | | |
| | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | |
V V V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| key_block |
| label == "key expansion" |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | | | |
| client | server | client | server | client | server
| MAC | MAC | write | write | IV | IV
| | | | | |
V V V V V V
Figure 1 - TLS [RFC4346] Key Hierarchy
EAP-TLS derives exported keying material and parameters as follows:
Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
client.random || server.random)
MSK = Key_Material(0,63)
EMSK = Key_Material(64,127)
IV = TLS-PRF-64("", "client EAP encryption",
client.random || server.random)
Enc-RECV-Key = MSK(0,31) = Peer to Authenticator Encryption Key
(MS-MPPE-Recv-Key in [RFC2548]). Also known as the
PMK in [IEEE-802.11].
Enc-SEND-Key = MSK(32,63) = Authenticator to Peer Encryption Key
(MS-MPPE-Send-Key in [RFC2548])
RECV-IV = IV(0,31) = Peer to Authenticator Initialization Vector
SEND-IV = IV(32,63) = Authenticator to Peer Initialization
Vector
Session-Id = 0x0D || client.random || server.random
Where:
Key_Material(W,Z) = Octets W through Z inclusive of the key material.
IV(W,Z) = Octets W through Z inclusive of the IV.
MSK(W,Z) = Octets W through Z inclusive of the MSK.
Aboba, Hurst & DeKok Full Standard [Page 17]
INTERNET-DRAFT EAP TLS Authentication Protocol 26 November 2017
EMSK(W,Z) = Octets W through Z inclusive of the EMSK.
TMS = TLS master_secret
TLS-PRF-X = TLS PRF function computed to X octets
client.random = Nonce generated by the TLS client.
server.random = Nonce generated by the TLS server.
| | pre_master_secret |
server| | | client
Random| V | Random
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | | |
+---->| master_secret |<----+
| | | |
| | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | |
V V V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MSK, EMSK |
| label == "client EAP encryption" |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
| MSK(0,31) | MSK(32,63) | EMSK(0,63)
| | |
| | |
V V V
Figure 2 - EAP-TLS Key Hierarchy
The use of these keys is specific to the lower layer, as described in
[RFC5247] Section 2.1.
2.4. Version, Ciphersuite and Compression Negotiation
Since EAP-TLS represents the encapsulation of TLS within EAP,
implementations utilize TLS to negotiate protocol versions and
ciphersuites.
To ensure backward compatibility, EAP-TLS implementations MUST
support TLS 1.0. To ensure forward compatibility, EAP-TLS
implementations MUST support TLS version negotiation.