tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 4851


The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)

Part 2 of 3, p. 18 to 43
Prev RFC Part       Next RFC Part


prevText      Top      Up      ToC       Page 18 
4.  Message Formats

   The following sections describe the message formats used in EAP-FAST.
   The fields are transmitted from left to right in network byte order.

4.1.  EAP-FAST Message Format

   A summary of the EAP-FAST Request/Response packet format is shown

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Code      |   Identifier  |            Length             |
   |     Type      |   Flags | Ver |        Message Length         :
   :         Message Length        |           Data...             +


         The code field is one octet in length defined as follows:

         1  Request

         2  Response


         The Identifier field is one octet and aids in matching
         responses with requests.  The Identifier field MUST be changed
         on each Request packet.  The Identifier field in the Response
         packet MUST match the Identifier field from the corresponding


         The Length field is two octets and indicates the length of the
         EAP packet including the Code, Identifier, Length, Type, Flags,
         Ver, Message Length, and Data fields.  Octets outside the range
         of the Length field should be treated as Data Link Layer
         padding and should be ignored on reception.


         43 for EAP-FAST

Top      Up      ToC       Page 19 

          0 1 2 3 4
         |L M S R R|

         L  Length included; set to indicate the presence of the four-
            octet Message Length field

         M  More fragments; set on all but the last fragment

         S  EAP-FAST start; set in an EAP-FAST Start message

         R  Reserved (must be zero)


         This field contains the version of the protocol.  This document
         describes version 1 (001 in binary) of EAP-FAST.

      Message Length

         The Message Length field is four octets, and is present only if
         the L bit is set.  This field provides the total length of the
         message that may be fragmented over the data fields of multiple


         In the case of an EAP-FAST Start request (i.e., when the S bit
         is set) the Data field consists of the A-ID described in
         Section 4.1.1.  In other cases, when the Data field is present,
         it consists of an encapsulated TLS packet in TLS record format.
         An EAP-FAST packet with Flags and Version fields, but with zero
         length data field, is used to indicate EAP-FAST acknowledgement
         for either a fragmented message, a TLS Alert message or a TLS
         Finished message.

Top      Up      ToC       Page 20 
4.1.1.  Authority ID Data

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |          Type (0x04)          |            Length             |
   |                              ID


         The Type field is two octets.  It is set to 0x0004 for
         Authority ID


         The Length filed is two octets, which contains the length of
         the ID field in octets.


         Hint of the identity of the server.  It should be unique across
         the deployment.

4.2.  EAP-FAST TLV Format and Support

   The TLVs defined here are standard Type-Length-Value (TLV) objects.
   The TLV objects could be used to carry arbitrary parameters between
   EAP peer and EAP server within the protected TLS tunnel.

   The EAP peer may not necessarily implement all the TLVs supported by
   the EAP server.  To allow for interoperability, TLVs are designed to
   allow an EAP server to discover if a TLV is supported by the EAP
   peer, using the NAK TLV.  The mandatory bit in a TLV indicates
   whether support of the TLV is required.  If the peer or server does
   not support a TLV marked mandatory, then it MUST send a NAK TLV in
   the response, and all the other TLVs in the message MUST be ignored.
   If an EAP peer or server finds an unsupported TLV that is marked as
   optional, it can ignore the unsupported TLV.  It MUST NOT send an NAK
   TLV for a TLV that is not marked mandatory.

   Note that a peer or server may support a TLV with the mandatory bit
   set, but may not understand the contents.  The appropriate response
   to a supported TLV with content that is not understood is defined by
   the individual TLV specification.

Top      Up      ToC       Page 21 
   EAP implementations compliant with this specification MUST support
   TLV exchanges, as well as the processing of mandatory/optional
   settings on the TLV.  Implementations conforming to this
   specification MUST support the following TLVs:

      Result TLV
      NAK TLV
      Error TLV
      EAP-Payload TLV
      Intermediate-Result TLV
      Crypto-Binding TLV
      Request-Action TLV

4.2.1.  General TLV Format

   TLVs are defined as described below.  The fields are transmitted from
   left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|            TLV Type       |            Length             |
   |                              Value...


         0  Optional TLV

         1  Mandatory TLV


         Reserved, set to zero (0)

      TLV Type

         A 14-bit field, denoting the TLV type.  Allocated Types

Top      Up      ToC       Page 22 
            0  Reserved
            1  Reserved
            2  Reserved
            3  Result TLV              (Section 4.2.2)
            4  NAK TLV                 (Section 4.2.3)
            5  Error TLV               (Section 4.2.4)
            7  Vendor-Specific TLV     (Section 4.2.5)
            9  EAP-Payload TLV         (Section 4.2.6)
            10 Intermediate-Result TLV (Section 4.2.7)
            11 PAC TLV                 [EAP-PROV]
            12 Crypto-Binding TLV      (Section 4.2.8)
            18 Server-Trusted-Root TLV [EAP-PROV]
            19 Request-Action TLV      (Section 4.2.9)
            20 PKCS#7 TLV              [EAP-PROV]


         The length of the Value field in octets.


         The value of the TLV.

4.2.2.  Result TLV

   The Result TLV provides support for acknowledged success and failure
   messages for protected termination within EAP-FAST.  If the Status
   field does not contain one of the known values, then the peer or EAP
   server MUST treat this as a fatal error of Unexpected_TLVs_Exchanged.
   The behavior of the Result TLV is further discussed in Section 3.3.2
   and Section 3.6.2.  A Result TLV indicating failure MUST NOT be
   accompanied by the following TLVs: NAK, EAP-Payload TLV, or Crypto-
   Binding TLV.  The Result TLV is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |             Status            |


         Mandatory, set to one (1)

Top      Up      ToC       Page 23 

         Reserved, set to zero (0)

      TLV Type

         3 for Result TLV




         The Status field is two octets.  Values include:

         1  Success

         2  Failure

4.2.3.  NAK TLV

   The NAK TLV allows a peer to detect TLVs that are not supported by
   the other peer.  An EAP-FAST packet can contain 0 or more NAK TLVs.
   A NAK TLV should not be accompanied by other TLVs.  A NAK TLV MUST
   NOT be sent in response to a message containing a Result TLV, instead
   a Result TLV of failure should be sent indicating failure and an
   Error TLV of Unexpected_TLVs_Exchanged.  The NAK TLV is defined as

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |                          Vendor-Id                            |
   |            NAK-Type           |           TLVs...


         Mandatory, set to one (1)


         Reserved, set to zero (0)

Top      Up      ToC       Page 24 
      TLV Type

         4 for NAK TLV




         The Vendor-Id field is four octets, and contains the Vendor-Id
         of the TLV that was not supported.  The high-order octet is 0
         and the low-order three octets are the Structure of Management
         Information (SMI) Network Management Private Enterprise Code of
         the Vendor in network byte order.  The Vendor-Id field MUST be
         zero for TLVs that are not Vendor-Specific TLVs.


         The NAK-Type field is two octets.  The field contains the Type
         of the TLV that was not supported.  A TLV of this Type MUST
         have been included in the previous packet.


         This field contains a list of zero or more TLVs, each of which
         MUST NOT have the mandatory bit set.  These optional TLVs are
         for future extensibility to communicate why the offending TLV
         was determined to be unsupported.

4.2.4.  Error TLV

   The Error TLV allows an EAP peer or server to indicate errors to the
   other party.  An EAP-FAST packet can contain 0 or more Error TLVs.
   The Error-Code field describes the type of error.  Error Codes 1-999
   represent successful outcomes (informative messages), 1000-1999
   represent warnings, and codes 2000-2999 represent fatal errors.  A
   fatal Error TLV MUST be accompanied by a Result TLV indicating
   failure and the conversation must be terminated as described in
   Section 3.6.2.  The Error TLV is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |                           Error-Code                          |

Top      Up      ToC       Page 25 

         Mandatory, set to one (1)


         Reserved, set to zero (0)

      TLV Type

         5 for Error TLV




         The Error-Code field is four octets.  Currently defined values
         for Error-Code include:

            2001 Tunnel_Compromise_Error

            2002 Unexpected_TLVs_Exchanged

4.2.5.  Vendor-Specific TLV

   The Vendor-Specific TLV is available to allow vendors to support
   their own extended attributes not suitable for general usage.  A
   Vendor-Specific TLV attribute can contain one or more TLVs, referred
   to as Vendor TLVs.  The TLV-type of a Vendor-TLV is defined by the
   vendor.  All the Vendor TLVs inside a single Vendor-Specific TLV
   belong to the same vendor.  There can be multiple Vendor-Specific
   TLVs from different vendors in the same message.

   Vendor TLVs may be optional or mandatory.  Vendor TLVs sent with
   Result TLVs MUST be marked as optional.

Top      Up      ToC       Page 26 
   The Vendor-Specific TLV is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |                          Vendor-Id                            |
   |                         Vendor TLVs...


         0 or 1


         Reserved, set to zero (0)

      TLV Type

         7 for Vendor Specific TLV


         4 + cumulative length of all included Vendor TLVs


         The Vendor-Id field is four octets, and contains the Vendor-Id
         of the TLV.  The high-order octet is 0 and the low-order 3
         octets are the SMI Network Management Private Enterprise Code
         of the Vendor in network byte order.

      Vendor TLVs

         This field is of indefinite length.  It contains vendor-
         specific TLVs, in a format defined by the vendor.

4.2.6.  EAP-Payload TLV

   To allow piggybacking an EAP request or response with other TLVs, the
   EAP-Payload TLV is defined, which includes an encapsulated EAP packet
   and a list of optional TLVs.  The optional TLVs are provided for
   future extensibility to provide hints about the current EAP
   authentication.  Only one EAP-Payload TLV is allowed in a message.
   The EAP-Payload TLV is defined as follows:

Top      Up      ToC       Page 27 
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |                          EAP packet...
   |                             TLVs...


         Mandatory, set to (1)


         Reserved, set to zero (0)

      TLV Type

         9 for EAP-Payload TLV


         length of embedded EAP packet + cumulative length of additional

      EAP packet

         This field contains a complete EAP packet, including the EAP
         header (Code, Identifier, Length, Type) fields.  The length of
         this field is determined by the Length field of the
         encapsulated EAP packet.


         This field contains a list of zero or more TLVs associated with
         the EAP packet field.  The TLVs MUST NOT have the mandatory bit
         set.  The total length of this field is equal to the Length
         field of the EAP-Payload TLV, minus the Length field in the EAP
         header of the EAP packet field.

Top      Up      ToC       Page 28 
4.2.7.  Intermediate-Result TLV

   The Intermediate-Result TLV provides support for acknowledged
   intermediate Success and Failure messages between multiple inner EAP
   methods within EAP.  An Intermediate-Result TLV indicating success
   MUST be accompanied by a Crypto-Binding TLV.  The optional TLVs
   associated with this TLV are provided for future extensibility to
   provide hints about the current result.  The Intermediate-Result TLV
   is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |             Status            |        TLVs...


         Mandatory, set to (1)


         Reserved, set to zero (0)

      TLV Type

         10 for Intermediate-Result TLV


         2 + cumulative length of the embedded associated TLVs


         The Status field is two octets.  Values include:

         1  Success

         2  Failure


         This field is of indeterminate length, and contains zero or
         more of the TLVs associated with the Intermediate Result TLV.
         The TLVs in this field MUST NOT have the mandatory bit set.

Top      Up      ToC       Page 29 
4.2.8.  Crypto-Binding TLV

   The Crypto-Binding TLV is used to prove that both the peer and server
   participated in the tunnel establishment and sequence of
   authentications.  It also provides verification of the EAP-FAST
   version negotiated before TLS tunnel establishment, see Section 3.1.

   The Crypto-Binding TLV MUST be included with the Intermediate-Result
   TLV to perform Cryptographic Binding after each successful EAP method
   in a sequence of EAP methods.  The Crypto-Binding TLV can be issued
   at other times as well.

   The Crypto-Binding TLV is valid only if the following checks pass:

   o  The Crypto-Binding TLV version is supported

   o  The MAC verifies correctly

   o  The received version in the Crypto-Binding TLV matches the version
      sent by the receiver during the EAP version negotiation

   o  The subtype is set to the correct value

   If any of the above checks fail, then the TLV is invalid.  An invalid
   Crypto-Binding TLV is a fatal error and is handled as described in
   Section 3.6.2.

   The Crypto-Binding TLV is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |    Reserved   |    Version    | Received Ver. |    Sub-Type   |
   |                                                               |
   ~                             Nonce                             ~
   |                                                               |
   |                                                               |
   ~                          Compound MAC                         ~
   |                                                               |


         Mandatory, set to (1)

Top      Up      ToC       Page 30 

         Reserved, set to zero (0)

      TLV Type

         12 for Crypto-Binding TLV




         Reserved, set to zero (0)


         The Version field is a single octet, which is set to the
         version of Crypto-Binding TLV the EAP method is using.  For an
         implementation compliant with this version of EAP-FAST, the
         version number MUST be set to 1.

      Received Version

         The Received Version field is a single octet and MUST be set to
         the EAP version number received during version negotiation.
         Note that this field only provides protection against downgrade
         attacks, where a version of EAP requiring support for this TLV
         is required on both sides.


         The Sub-Type field is one octet.  Defined values include:

         0  Binding Request

         1  Binding Response


         The Nonce field is 32 octets.  It contains a 256-bit nonce that
         is temporally unique, used for compound MAC key derivation at
         each end.  The nonce in a request MUST have its least
         significant bit set to 0 and the nonce in a response MUST have
         the same value as the request nonce except the least
         significant bit MUST be set to 1.

Top      Up      ToC       Page 31 
      Compound MAC

         The Compound MAC field is 20 octets.  This can be the Server
         MAC (B1_MAC) or the Client MAC (B2_MAC).  The computation of
         the MAC is described in Section 5.3.

4.2.9.  Request-Action TLV

   The Request-Action TLV MAY be sent by the peer along with a Result
   TLV in response to a server's successful Result TLV.  It allows the
   peer to request the EAP server to negotiate additional EAP methods or
   process TLVs specified in the response packet.  The server MAY ignore
   this TLV.

   The Request-Action TLV is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |M|R|         TLV Type          |            Length             |
   |             Action            |


         Mandatory set to one (1)


         Reserved, set to zero (0)

      TLV Type

         19 for Request-Action TLV




         The Action field is two octets.  Values include:



Top      Up      ToC       Page 32 
4.3.  Table of TLVs

   The following table provides a guide to which TLVs may be found in
   which kinds of messages, and in what quantity.  The messages are as
   follows: Request is an EAP-FAST Request, Response is an EAP-FAST
   Response, Success is a message containing a successful Result TLV,
   and Failure is a message containing a failed Result TLV.

   Request  Response    Success   Failure   TLVs
   0-1      0-1         0-1       0-1       Intermediate-Result
   0-1      0-1         0         0         EAP-Payload
   0-1      0-1         1         1         Result
   0-1      0-1         0-1       0-1       Crypto-Binding
   0+       0+          0+        0+        Error
   0+       0+          0         0         NAK
   0+       0+          0+        0+        Vendor-Specific [NOTE1]
   0        0-1         0-1       0-1       Request-Action

   [NOTE1] Vendor TLVs (included in Vendor-Specific TLVs) sent with a
   Result TLV MUST be marked as optional.

   The following table defines the meaning of the table entries in the
   sections below:

   0   This TLV MUST NOT be present in the message.

   0+  Zero or more instances of this TLV MAY be present in the message.

   0-1 Zero or one instance of this TLV MAY be present in the message.

   1   Exactly one instance of this TLV MUST be present in the message.

5.  Cryptographic Calculations

5.1.  EAP-FAST Authentication Phase 1: Key Derivations

   The EAP-FAST Authentication tunnel key is calculated similarly to the
   TLS key calculation with an additional 40 octets (referred to as the
   session_key_seed) generated.  The additional session_key_seed is used
   in the Session Key calculation in the EAP-FAST Tunneled
   Authentication conversation.

Top      Up      ToC       Page 33 
   To generate the key material required for the EAP-FAST Authentication
   tunnel, the following construction from [RFC4346] is used:

      key_block = PRF(master_secret, "key expansion",
           server_random + client_random)

   where '+' denotes concatenation.

   The PRF function used to generate keying material is defined by

   For example, if the EAP-FAST Authentication employs 128-bit RC4 and
   SHA1, the key_block is 112 octets long and is partitioned as follows:


   The session_key_seed is used by the EAP-FAST Authentication Phase 2
   conversation to both cryptographically bind the inner method(s) to
   the tunnel as well as generate the resulting EAP-FAST session keys.
   The other quantities are used as they are defined in [RFC4346].

   The master_secret is generated as specified in TLS unless a PAC is
   used to establish the TLS tunnel.  When a PAC is used to establish
   the TLS tunnel, the master_secret is calculated from the specified
   client_random, server_random, and PAC-Key as follows:

      master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
           server_random + client_random, 48)

   where T-PRF is described in Section 5.5.

5.2.  Intermediate Compound Key Derivations

   The session_key_seed derived as part of EAP-FAST Phase 2 is used in
   EAP-FAST Phase 2 to generate an Intermediate Compound Key (IMCK) used
   to verify the integrity of the TLS tunnel after each successful inner
   authentication and in the generation of Master Session Key (MSK) and
   Extended Master Session Key (EMSK) defined in [RFC3748].  Note that
   the IMCK must be recalculated after each successful inner EAP method.

Top      Up      ToC       Page 34 
   The first step in these calculations is the generation of the base
   compound key, IMCK[n] from the session_key_seed and any session keys
   derived from the successful execution of n inner EAP methods.  The
   inner EAP method(s) may provide Master Session Keys, MSK1..MSKn,
   corresponding to inner methods 1 through n.  The MSK is truncated at
   32 octets if it is longer than 32 octets or padded to a length of 32
   octets with zeros if it is less than 32 octets.  If the ith inner
   method does not generate an MSK, then MSKi is set to zero (e.g., MSKi
   = 32 octets of 0x00s).  If an inner method fails, then it is not
   included in this calculation.  The derivations of S-IMCK is as

      S-IMCK[0] = session_key_seed
      For j = 1 to n-1 do
           IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
                MSK[j], 60)
           S-IMCK[j] = first 40 octets of IMCK[j]
           CMK[j] = last 20 octets of IMCK[j]

   where T-PRF is described in Section 5.5.

5.3.  Computing the Compound MAC

   For authentication methods that generate keying material, further
   protection against man-in-the-middle attacks is provided through
   cryptographically binding keying material established by both EAP-
   FAST Phase 1 and EAP-FAST Phase 2 conversations.  After each
   successful inner EAP authentication, EAP MSKs are cryptographically
   combined with key material from EAP-FAST Phase 1 to generate a
   compound session key, CMK.  The CMK is used to calculate the Compound
   MAC as part of the Crypto-Binding TLV described in Section 4.2.8,
   which helps provide assurance that the same entities are involved in
   all communications in EAP-FAST.  During the calculation of the
   Compound-MAC the MAC field is filled with zeros.

   The Compound MAC computation is as follows:

      CMK = CMK[j]
      Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV )

   where j is the number of the last successfully executed inner EAP

Top      Up      ToC       Page 35 
5.4.  EAP Master Session Key Generation

   EAP-FAST Authentication assures the master session key (MSK) and
   Extended Master Session Key (EMSK) output from the EAP method are the
   result of all authentication conversations by generating an
   Intermediate Compound Key (IMCK).  The IMCK is mutually derived by
   the peer and the server as described in Section 5.2 by combining the
   MSKs from inner EAP methods with key material from EAP-FAST Phase 1.
   The resulting MSK and EMSK are generated as part of the IMCKn key
   hierarchy as follows:

      MSK  = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
      EMSK = T-PRF(S-IMCK[j],
             "Extended Session Key Generating Function", 64)

   where j is the number of the last successfully executed inner EAP

   The EMSK is typically only known to the EAP-FAST peer and server and
   is not provided to a third party.  The derivation of additional keys
   and transportation of these keys to a third party is outside the
   scope of this document.

   If no EAP methods have been negotiated inside the tunnel or no EAP
   methods have been successfully completed inside the tunnel, the MSK
   and EMSK will be generated directly from the session_key_seed meaning
   S-IMCK = session_key_seed.

5.5.  T-PRF

   EAP-FAST employs the following PRF prototype and definition:

      T-PRF = F(key, label, seed, outputlength)

   Where label is intended to be a unique label for each different use
   of the T-PRF.  The outputlength parameter is a two-octet value that
   is represented in big endian order.  Also note that the seed value
   may be optional and may be omitted as in the case of the MSK
   derivation described in Section 5.4.

Top      Up      ToC       Page 36 
   To generate the desired outputlength octets of key material, the
   T-PRF is calculated as follows:

      S = label + 0x00 + seed
      T-PRF output = T1 + T2 + T3  + ... + Tn
      T1 = HMAC-SHA1 (key, S + outputlength + 0x01)
      T2 = HMAC-SHA1 (key, T1 + S + outputlength + 0x02)
      T3 = HMAC-SHA1 (key, T2 + S + outputlength + 0x03)
      Tn = HMAC-SHA1 (key, Tn-1 + S + outputlength + 0xnn)

   where '+' indicates concatenation.  Each Ti generates 20-octets of
   keying material.  The last Tn may be truncated to accommodate the
   desired length specified by outputlength.

6.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the EAP-
   FAST protocol, in accordance with BCP 26, [RFC2434].

   EAP-FAST has already been assigned the EAP Method Type number 43.

   The document defines a registry for EAP-FAST TLV types, which may be
   assigned by Specification Required as defined in [RFC2434].
   Section 4.2 defines the TLV types that initially populate the
   registry.  A summary of the EAP-FAST TLV types is given below:

   0  Reserved
   1  Reserved
   2  Reserved
   3  Result TLV
   4  NAK TLV
   5  Error TLV
   7  Vendor-Specific TLV
   9  EAP-Payload TLV
   10 Intermediate-Result TLV
   12 Crypto-Binding TLV
   18 Server-Trusted-Root TLV [EAP-PROV]
   19 Request-Action TLV

   The Error-TLV defined in Section 4.2.4 requires an error-code.  EAP-
   FAST Error-TLV error-codes are assigned based on specifications
   required as defined in [RFC2434].  The initial list of error codes is
   as follows:

Top      Up      ToC       Page 37 
      2001 Tunnel_Compromise_Error

      2002 Unexpected_TLVs_Exchanged

   The Request-Action TLV defined in Section 4.2.9 contains an action
   code which is assigned on a specification required basis as defined
   in [RFC2434].  The initial actions defined are:

      1  Process-TLV

      2  Negotiate-EAP

   The various values under Vendor-Specific TLV are assigned by Private
   Use and do not need to be assigned by IANA.

7.  Security Considerations

   EAP-FAST is designed with a focus on wireless media, where the medium
   itself is inherent to eavesdropping.  Whereas in wired media, an
   attacker would have to gain physical access to the wired medium;
   wireless media enables anyone to capture information as it is
   transmitted over the air, enabling passive attacks.  Thus, physical
   security can not be assumed and security vulnerabilities are far
   greater.  The threat model used for the security evaluation of EAP-
   FAST is defined in the EAP [RFC3748].

7.1.  Mutual Authentication and Integrity Protection

   EAP-FAST as a whole, provides message and integrity protection by
   establishing a secure tunnel for protecting the authentication
   method(s).  The confidentiality and integrity protection is defined
   by TLS and provides the same security strengths afforded by TLS
   employing a strong entropy shared master secret.  The integrity of
   the key generating authentication methods executed within the EAP-
   FAST tunnel is verified through the calculation of the Crypto-Binding
   TLV.  This ensures that the tunnel endpoints are the same as the
   inner method endpoints.

   The Result TLV is protected and conveys the true Success or Failure
   of EAP-FAST, and should be used as the indicator of its success or
   failure respectively.  However, as EAP must terminate with a clear
   text EAP Success or Failure, a peer will also receive a clear text
   EAP Success or Failure.  The received clear text EAP success or
   failure must match that received in the Result TLV; the peer SHOULD
   silently discard those clear text EAP Success or Failure messages
   that do not coincide with the status sent in the protected Result

Top      Up      ToC       Page 38 
7.2.  Method Negotiation

   As is true for any negotiated EAP protocol, NAK packets used to
   suggest an alternate authentication method are sent unprotected and
   as such, are subject to spoofing.  During unprotected EAP method
   negotiation, NAK packets may be interjected as active attacks to
   negotiate down to a weaker form of authentication, such as EAP-MD5
   (which only provides one-way authentication and does not derive a
   key).  Both the peer and server should have a method selection policy
   that prevents them from negotiating down to weaker methods.  Inner
   method negotiation resists attacks because it is protected by the
   mutually authenticated TLS tunnel established.  Selection of EAP-FAST
   as an authentication method does not limit the potential inner
   authentication methods, so EAP-FAST should be selected when

   An attacker cannot readily determine the inner EAP method used,
   except perhaps by traffic analysis.  It is also important that peer
   implementations limit the use of credentials with an unauthenticated
   or unauthorized server.

7.3.  Separation of Phase 1 and Phase 2 Servers

   Separation of the EAP-FAST Phase 1 from the Phase 2 conversation is
   not recommended.  Allowing the Phase 1 conversation to be terminated
   at a different server than the Phase 2 conversation can introduce
   vulnerabilities if there is not a proper trust relationship and
   protection for the protocol between the two servers.  Some
   vulnerabilities include:

   o  Loss of identity protection
   o  Offline dictionary attacks
   o  Lack of policy enforcement

   There may be cases where a trust relationship exists between the
   Phase 1 and Phase 2 servers, such as on a campus or between two
   offices within the same company, where there is no danger in
   revealing the inner identity and credentials of the peer to entities
   between the two servers.  In these cases, using a proxy solution
   without end-to-end protection of EAP-FAST MAY be used.  The EAP-FAST
   encrypting/decrypting gateway SHOULD, at a minimum, provide support
   for IPsec or similar protection in order to provide confidentiality
   for the portion of the conversation between the gateway and the EAP

Top      Up      ToC       Page 39 
7.4.  Mitigation of Known Vulnerabilities and Protocol Deficiencies

   EAP-FAST addresses the known deficiencies and weaknesses in the EAP
   method.  By employing a shared secret between the peer and server to
   establish a secured tunnel, EAP-FAST enables:

   o  Per packet confidentiality and integrity protection
   o  User identity protection
   o  Better support for notification messages
   o  Protected EAP inner method negotiation
   o  Sequencing of EAP methods
   o  Strong mutually derived master session keys
   o  Acknowledged success/failure indication
   o  Faster re-authentications through session resumption
   o  Mitigation of dictionary attacks
   o  Mitigation of man-in-the-middle attacks
   o  Mitigation of some denial-of-service attacks

   It should be noted that with EAP-FAST, as in many other
   authentication protocols, a denial-of-service attack can be mounted
   by adversaries sending erroneous traffic to disrupt the protocol.
   This is a problem in many authentication or key agreement protocols
   and is therefore noted for EAP-FAST as well.

   EAP-FAST was designed with a focus on protected authentication
   methods that typically rely on weak credentials, such as password-
   based secrets.  To that extent, the EAP-FAST Authentication mitigates
   several vulnerabilities, such as dictionary attacks, by protecting
   the weak credential-based authentication method.  The protection is
   based on strong cryptographic algorithms in TLS to provide message
   confidentiality and integrity.  The keys derived for the protection
   relies on strong random challenges provided by both peer and server
   as well as an established key with strong entropy.  Implementations
   should follow the recommendation in [RFC4086] when generating random

7.4.1.  User Identity Protection and Verification

   The initial identity request response exchange is sent in cleartext
   outside the protection of EAP-FAST.  Typically the Network Access
   Identifier (NAI) [RFC4282] in the identity response is useful only
   for the realm information that is used to route the authentication
   requests to the right EAP server.  This means that the identity
   response may contain an anonymous identity and just contain realm
   information.  In other cases, the identity exchange may be eliminated
   altogether if there are other means for establishing the destination
   realm of the request.  In no case should an intermediary place any
   trust in the identity information in the identity response since it

Top      Up      ToC       Page 40 
   is unauthenticated an may not have any relevance to the authenticated
   identity.  EAP-FAST implementations should not attempt to compare any
   identity disclosed in the initial cleartext EAP Identity response
   packet with those Identities authenticated in Phase 2

   Identity request-response exchanges sent after the EAP-FAST tunnel is
   established are protected from modification and eavesdropping by

   Note that since TLS client certificates are sent in the clear, if
   identity protection is required, then it is possible for the TLS
   authentication to be re-negotiated after the first server
   authentication.  To accomplish this, the server will typically not
   request a certificate in the server_hello, then after the
   server_finished message is sent, and before EAP-FAST Phase 2, the
   server MAY send a TLS hello_request.  This allows the client to
   perform client authentication by sending a client_hello if it wants
   to, or send a no_renegotiation alert to the server indicating that it
   wants to continue with EAP-FAST Phase 2 instead.  Assuming that the
   client permits renegotiation by sending a client_hello, then the
   server will respond with server_hello, a certificate and
   certificate_request messages.  The client replies with certificate,
   client_key_exchange and certificate_verify messages.  Since this re-
   negotiation occurs within the encrypted TLS channel, it does not
   reveal client certificate details.  It is possible to perform
   certificate authentication using an EAP method (for example: EAP-TLS)
   within the TLS session in EAP-FAST Phase 2 instead of using TLS
   handshake renegotiation.

7.4.2.  Dictionary Attack Resistance

   EAP-FAST was designed with a focus on protected authentication
   methods that typically rely on weak credentials, such as password-
   based secrets.  EAP-FAST mitigates dictionary attacks by allowing the
   establishment of a mutually authenticated encrypted TLS tunnel
   providing confidentiality and integrity to protect the weak
   credential based authentication method.

7.4.3.  Protection against Man-in-the-Middle Attacks

   Allowing methods to be executed both with and without the protection
   of a secure tunnel opens up a possibility of a man-in-the-middle
   attack.  To avoid man-in-the-middle attacks it is recommended to
   always deploy authentication methods with protection of EAP-FAST.
   EAP-FAST provides protection from man-in-the-middle attacks even if a
   deployment chooses to execute inner EAP methods both with and without
   EAP-FAST protection, EAP-FAST prevents this attack in two ways:

Top      Up      ToC       Page 41 
   1.  By using the PAC-Key to mutually authenticate the peer and server
       during EAP-FAST Authentication Phase 1 establishment of a secure

   2.  By using the keys generated by the inner authentication method
       (if the inner methods are key generating) in the crypto-binding
       exchange and in the generation of the key material exported by
       the EAP method described in Section 5.

7.4.4.  PAC Binding to User Identity

   A PAC may be bound to a user identity.  A compliant implementation of
   EAP-FAST MUST validate that an identity obtained in the PAC-Opaque
   field matches at minimum one of the identities provided in the EAP-
   FAST Phase 2 authentication method.  This validation provides another
   binding to ensure that the intended peer (based on identity) has
   successfully completed the EAP-FAST Phase 1 and proved identity in
   the Phase 2 conversations.

7.5.  Protecting against Forged Clear Text EAP Packets

   EAP Success and EAP Failure packets are, in general, sent in clear
   text and may be forged by an attacker without detection.  Forged EAP
   Failure packets can be used to attempt to convince an EAP peer to
   disconnect.  Forged EAP Success packets may be used to attempt to
   convince a peer that authentication has succeeded, even though the
   authenticator has not authenticated itself to the peer.

   By providing message confidentiality and integrity, EAP-FAST provides
   protection against these attacks.  Once the peer and AS initiate the
   EAP-FAST Authentication Phase 2, compliant EAP-FAST implementations
   must silently discard all clear text EAP messages, unless both the
   EAP-FAST peer and server have indicated success or failure using a
   protected mechanism.  Protected mechanisms include TLS alert
   mechanism and the protected termination mechanism described in
   Section 3.3.2.

   The success/failure decisions within the EAP-FAST tunnel indicate the
   final decision of the EAP-FAST authentication conversation.  After a
   success/failure result has been indicated by a protected mechanism,
   the EAP-FAST peer can process unprotected EAP success and EAP failure
   messages; however the peer MUST ignore any unprotected EAP success or
   failure messages where the result does not match the result of the
   protected mechanism.

   To abide by [RFC3748], the server must send a clear text EAP Success
   or EAP Failure packet to terminate the EAP conversation.  However,
   since EAP Success and EAP Failure packets are not retransmitted, the

Top      Up      ToC       Page 42 
   final packet may be lost.  While an EAP-FAST protected EAP Success or
   EAP Failure packet should not be a final packet in an EAP-FAST
   conversation, it may occur based on the conditions stated above, so
   an EAP peer should not rely upon the unprotected EAP success and
   failure messages.

7.6.  Server Certificate Validation

   As part of the TLS negotiation, the server presents a certificate to
   the peer.  The peer MUST verify the validity of the EAP server
   certificate, and SHOULD also examine the EAP server name presented in
   the certificate, in order to determine whether the EAP server can be
   trusted.  Please note that in the case where the EAP authentication
   is remote, the EAP server will not reside on the same machine as the
   authenticator, and therefore the name in the EAP server's certificate
   cannot be expected to match that of the intended destination.  In
   this case, a more appropriate test might be whether the EAP server's
   certificate is signed by a CA controlling the intended domain and
   whether the authenticator can be authorized by a server in that

7.7.  Tunnel PAC Considerations

   Since the Tunnel PAC is stored by the peer, special care should be
   given to the overall security of the peer.  The Tunnel PAC must be
   securely stored by the peer to prevent theft or forgery of any of the
   Tunnel PAC components.

   In particular, the peer must securely store the PAC-Key and protect
   it from disclosure or modification.  Disclosure of the PAC-Key
   enables an attacker to establish the EAP-FAST tunnel; however,
   disclosure of the PAC-Key does not reveal the peer or server identity
   or compromise any other peer's PAC credentials.  Modification of the
   PAC-Key or PAC-Opaque components of the Tunnel PAC may also lead to
   denial of service as the tunnel establishment will fail.

   The PAC-Opaque component is the effective TLS ticket extension used
   to establish the tunnel using the techniques of [RFC4507].  Thus, the
   security considerations defined by [RFC4507] also apply to the PAC-

   The PAC-Info may contain information about the Tunnel PAC such as the
   identity of the PAC issuer and the Tunnel PAC lifetime for use in the
   management of the Tunnel PAC.  The PAC-Info should be securely stored
   by the peer to protect it from disclosure and modification.

Top      Up      ToC       Page 43 
7.8.  Security Claims

   This section provides the needed security claim requirement for EAP

   Auth. mechanism:         Certificate based, shared secret based and
                            various tunneled authentication mechanisms.
   Ciphersuite negotiation: Yes
   Mutual authentication:   Yes
   Integrity protection:    Yes, Any method executed within the EAP-FAST
                            tunnel is integrity protected.  The
                            cleartext EAP headers outside the tunnel are
                            not integrity protected.
   Replay protection:       Yes
   Confidentiality:         Yes
   Key derivation:          Yes
   Key strength:            See Note 1 below.
   Dictionary attack prot.: Yes
   Fast reconnect:          Yes
   Cryptographic binding:   Yes
   Session independence:    Yes
   Fragmentation:           Yes
   Key Hierarchy:           Yes
   Channel binding:         No, but TLVs could be defined for this.


   1.  BCP 86 [RFC3766] offers advice on appropriate key sizes.  The
       National Institute for Standards and Technology (NIST) also
       offers advice on appropriate key sizes in [NIST.SP800-57].
       [RFC3766] Section 5 advises use of the following required RSA or
       DH module and DSA subgroup size in bits, for a given level of
       attack resistance in bits.  Based on the table below, a 2048-bit
       RSA key is required to provide 128-bit equivalent key strength:

      Attack Resistance     RSA or DH Modulus            DSA subgroup
       (bits)                  size (bits)                size (bits)
      -----------------     -----------------            ------------
         70                        947                        129
         80                       1228                        148
         90                       1553                        167
        100                       1926                        186
        150                       4575                        284
        200                       8719                        383
        250                      14596                        482

Next RFC Part