Description of issue: In his review of the EAP Keying Framework for SecDir, Charlie Kaufman asked when an EAP method supporting mutual authentication and key generation would provide a null Server-Id. In looking through Appendix A (see below), I have struggled to come up with a good answer to his question.
Certainly, if the EAP method does not identify the server at all, then it will have a null Server-Id. If the method utilizes server certificates, then the Server-Id can be obtained from the certificate, as described in RFC 2716bis. But what if the method utilizes pre-shared key or password-only authentication?
In this case, the server can assert an identity, and prove possession of the pre-shared key or password, but it cannot "prove" its identity in the same sense that a method supporting server certificates can. So should such a method export a Server-Id? Currently Appendix A states that EAP-PSK and EAP-SAKE do export a Server-Id, whereas EAP-AKA and EAP-SIM do not.
While the server cannot "prove" its identity, for the purpose of EAP key management, I think it is still useful to export the Server-Id as long as some level of server authentication has been successfully completed. While the EAP server could conceivably lie about its identity and get away with it, it is still useful for the peer (or perhaps even the authenticator) to have a claim of which EAP server negotiated the EAP keying material with the peer.
Assuming that the WG agrees with this perspective, I would propose to add some text along these lines to Section 2.3.
Appendix A - Exported Parameters in Existing Methods
This Appendix specifies Session-Id, Peer-Id, Server-Id and Key-Lifetime for EAP methods that have been published prior to this specification. Future EAP method specifications MUST include a definition of the Session-Id, Peer-Id and Server-Id (could be the empty string).
EAP-Identity
The EAP-Identity method is defined in [RFC3748]. It does not derive keys, and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-Notification
The EAP-Notification method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-MD5-Challenge
The EAP-MD5-Challenge method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-GTC
The EAP-GTC method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-OTP
The EAP-OTP method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-AKA
EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the concatenation of the EAP Type Code (0x17) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the AUTN field in the AT_AUTN attribute.
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the Actual Identity Length octets from the beginning, however. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the empty string (zero length).
EAP-SIM
EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the concatenation of the EAP Type Code (0x12) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the NONCE_MT field in the AT_NONCE_MT attribute.
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the Actual Identity Length octets from the beginning, however. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the empty string (zero length).
EAP-PSK
EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and server (RAND_S) nonces. The Peer-Id is the contents of the ID_P field and the Server-Id is the contents of the ID_S field.
EAP-SAKE
EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the concatenation of the EAP Type Code (0x30) with the contents of the RAND_S field from the AT_RAND_S attribute, followed by the contents of the RAND_P field in the AT_RAND_P attribute. Note that the EAP-SAKE Session-Id is not the same as the "Session ID" parameter chosen by the Server, which is sent in the first message, and replicated in subsequent messages. The Peer-Id is contained within the value field of the AT_PEERID attribute and the Server-Id, if available, is contained in the value field of the AT_SERVERID attribute.
EAP-TLS
For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in [I-D.simon-emu-rfc2716bis].
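As an added illustration (not text from the draft or from the issue), the following Python builds the exported Session-Id, Peer-Id and Server-Id for the four key-deriving methods in Appendix A from constructed attribute values. It assumes the AT_IDENTITY value layout of RFC 4186/4187 (2-octet Actual Identity Length, identity, zero padding to a 4-octet boundary) with the attribute type/length header omitted, and uses 16-octet constructed nonces.

```python
# Added example, not code from the EAP Keying Framework draft or any EAP method.
# Builds the Appendix A exported parameters from (constructed) attribute contents.
EAP_TYPE_AKA, EAP_TYPE_SIM, EAP_TYPE_PSK, EAP_TYPE_SAKE = 0x17, 0x12, 0x2F, 0x30


def at_identity_value(identity: bytes) -> bytes:
    """Encode the AT_IDENTITY value as transmitted: 2-octet Actual Identity
    Length, the identity, then zero padding to a multiple of 4 octets.
    The attribute Type/Length header is omitted (assumption for this example)."""
    pad = (-len(identity)) % 4
    return len(identity).to_bytes(2, "big") + identity + b"\x00" * pad


def peer_id_from_at_identity(value: bytes) -> bytes:
    """Peer-Id: only the Actual Identity Length octets, padding dropped,
    used exactly as transmitted (permanent, pseudonym or re-auth identity)."""
    n = int.from_bytes(value[:2], "big")
    return value[2:2 + n]


def eap_aka_ids(rand: bytes, autn: bytes, at_identity: bytes) -> dict:
    # Session-Id = Type Code (0x17) || RAND || AUTN; EAP-AKA exports no Server-Id.
    return {"Session-Id": bytes([EAP_TYPE_AKA]) + rand + autn,
            "Peer-Id": peer_id_from_at_identity(at_identity),
            "Server-Id": b""}


def eap_sim_ids(rand: bytes, nonce_mt: bytes, at_identity: bytes) -> dict:
    # Session-Id = Type Code (0x12) || RAND || NONCE_MT; EAP-SIM exports no Server-Id.
    return {"Session-Id": bytes([EAP_TYPE_SIM]) + rand + nonce_mt,
            "Peer-Id": peer_id_from_at_identity(at_identity),
            "Server-Id": b""}


def eap_psk_ids(rand_p: bytes, rand_s: bytes, id_p: bytes, id_s: bytes) -> dict:
    # Session-Id = Type Code (0x2F) || RAND_P || RAND_S; ID_P and ID_S are exported.
    return {"Session-Id": bytes([EAP_TYPE_PSK]) + rand_p + rand_s,
            "Peer-Id": id_p, "Server-Id": id_s}


def eap_sake_ids(rand_s: bytes, rand_p: bytes, peerid: bytes,
                 serverid: bytes = b"") -> dict:
    # Session-Id = Type Code (0x30) || RAND_S || RAND_P. This is distinct from
    # EAP-SAKE's own "Session ID" parameter. AT_SERVERID may be absent, in
    # which case the exported Server-Id is the empty string.
    return {"Session-Id": bytes([EAP_TYPE_SAKE]) + rand_s + rand_p,
            "Peer-Id": peerid, "Server-Id": serverid}
```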