Flags 0 1 2 3 4 +-+-+-+-+-+ |L M S R R| +-+-+-+-+-+ L Length included; set to indicate the presence of the four- octet Message Length field M More fragments; set on all but the last fragment S EAP-FAST start; set in an EAP-FAST Start message R Reserved (must be zero) Ver This field contains the version of the protocol. This document describes version 1 (001 in binary) of EAP-FAST. Message Length The Message Length field is four octets, and is present only if the L bit is set. This field provides the total length of the message that may be fragmented over the data fields of multiple packets. Data In the case of an EAP-FAST Start request (i.e., when the S bit is set) the Data field consists of the A-ID described in Section 4.1.1. In other cases, when the Data field is present, it consists of an encapsulated TLS packet in TLS record format. An EAP-FAST packet with Flags and Version fields, but with zero length data field, is used to indicate EAP-FAST acknowledgement for either a fragmented message, a TLS Alert message or a TLS Finished message.
EAP implementations compliant with this specification MUST support TLV exchanges, as well as the processing of mandatory/optional settings on the TLV. Implementations conforming to this specification MUST support the following TLVs: Result TLV NAK TLV Error TLV EAP-Payload TLV Intermediate-Result TLV Crypto-Binding TLV Request-Action TLV
0 Reserved 1 Reserved 2 Reserved 3 Result TLV (Section 4.2.2) 4 NAK TLV (Section 4.2.3) 5 Error TLV (Section 4.2.4) 7 Vendor-Specific TLV (Section 4.2.5) 9 EAP-Payload TLV (Section 4.2.6) 10 Intermediate-Result TLV (Section 4.2.7) 11 PAC TLV [EAP-PROV] 12 Crypto-Binding TLV (Section 4.2.8) 18 Server-Trusted-Root TLV [EAP-PROV] 19 Request-Action TLV (Section 4.2.9) 20 PKCS#7 TLV [EAP-PROV] Length The length of the Value field in octets. Value The value of the TLV. Section 3.3.2 and Section 3.6.2. A Result TLV indicating failure MUST NOT be accompanied by the following TLVs: NAK, EAP-Payload TLV, or Crypto- Binding TLV. The Result TLV is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M|R| TLV Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ M Mandatory, set to one (1)
R Reserved, set to zero (0) TLV Type 3 for Result TLV Length 2 Status The Status field is two octets. Values include: 1 Success 2 Failure
TLV Type 4 for NAK TLV Length >=6 Vendor-Id The Vendor-Id field is four octets, and contains the Vendor-Id of the TLV that was not supported. The high-order octet is 0 and the low-order three octets are the Structure of Management Information (SMI) Network Management Private Enterprise Code of the Vendor in network byte order. The Vendor-Id field MUST be zero for TLVs that are not Vendor-Specific TLVs. NAK-Type The NAK-Type field is two octets. The field contains the Type of the TLV that was not supported. A TLV of this Type MUST have been included in the previous packet. TLVs This field contains a list of zero or more TLVs, each of which MUST NOT have the mandatory bit set. These optional TLVs are for future extensibility to communicate why the offending TLV was determined to be unsupported. Section 3.6.2. The Error TLV is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M|R| TLV Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error-Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M Mandatory, set to one (1) R Reserved, set to zero (0) TLV Type 5 for Error TLV Length 4 Error-Code The Error-Code field is four octets. Currently defined values for Error-Code include: 2001 Tunnel_Compromise_Error 2002 Unexpected_TLVs_Exchanged
The Vendor-Specific TLV is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M|R| TLV Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-Id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor TLVs... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ M 0 or 1 R Reserved, set to zero (0) TLV Type 7 for Vendor Specific TLV Length 4 + cumulative length of all included Vendor TLVs Vendor-Id The Vendor-Id field is four octets, and contains the Vendor-Id of the TLV. The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the Vendor in network byte order. Vendor TLVs This field is of indefinite length. It contains vendor- specific TLVs, in a format defined by the vendor.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M|R| TLV Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EAP packet... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLVs... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ M Mandatory, set to (1) R Reserved, set to zero (0) TLV Type 9 for EAP-Payload TLV Length length of embedded EAP packet + cumulative length of additional TLVs EAP packet This field contains a complete EAP packet, including the EAP header (Code, Identifier, Length, Type) fields. The length of this field is determined by the Length field of the encapsulated EAP packet. TLVs This field contains a list of zero or more TLVs associated with the EAP packet field. The TLVs MUST NOT have the mandatory bit set. The total length of this field is equal to the Length field of the EAP-Payload TLV, minus the Length field in the EAP header of the EAP packet field.
Section 3.1. The Crypto-Binding TLV MUST be included with the Intermediate-Result TLV to perform Cryptographic Binding after each successful EAP method in a sequence of EAP methods. The Crypto-Binding TLV can be issued at other times as well. The Crypto-Binding TLV is valid only if the following checks pass: o The Crypto-Binding TLV version is supported o The MAC verifies correctly o The received version in the Crypto-Binding TLV matches the version sent by the receiver during the EAP version negotiation o The subtype is set to the correct value If any of the above checks fail, then the TLV is invalid. An invalid Crypto-Binding TLV is a fatal error and is handled as described in Section 3.6.2. The Crypto-Binding TLV is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M|R| TLV Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Version | Received Ver. | Sub-Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Nonce ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Compound MAC ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ M Mandatory, set to (1)
R Reserved, set to zero (0) TLV Type 12 for Crypto-Binding TLV Length 56 Reserved Reserved, set to zero (0) Version The Version field is a single octet, which is set to the version of Crypto-Binding TLV the EAP method is using. For an implementation compliant with this version of EAP-FAST, the version number MUST be set to 1. Received Version The Received Version field is a single octet and MUST be set to the EAP version number received during version negotiation. Note that this field only provides protection against downgrade attacks, where a version of EAP requiring support for this TLV is required on both sides. Sub-Type The Sub-Type field is one octet. Defined values include: 0 Binding Request 1 Binding Response Nonce The Nonce field is 32 octets. It contains a 256-bit nonce that is temporally unique, used for compound MAC key derivation at each end. The nonce in a request MUST have its least significant bit set to 0 and the nonce in a response MUST have the same value as the request nonce except the least significant bit MUST be set to 1.
Compound MAC The Compound MAC field is 20 octets. This can be the Server MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the MAC is described in Section 5.3.
To generate the key material required for the EAP-FAST Authentication tunnel, the following construction from [RFC4346] is used: key_block = PRF(master_secret, "key expansion", server_random + client_random) where '+' denotes concatenation. The PRF function used to generate keying material is defined by [RFC4346]. For example, if the EAP-FAST Authentication employs 128-bit RC4 and SHA1, the key_block is 112 octets long and is partitioned as follows: client_write_MAC_secret server_write_MAC_secret client_write_key server_write_key client_write_IV server_write_IV session_key_seed The session_key_seed is used by the EAP-FAST Authentication Phase 2 conversation to both cryptographically bind the inner method(s) to the tunnel as well as generate the resulting EAP-FAST session keys. The other quantities are used as they are defined in [RFC4346]. The master_secret is generated as specified in TLS unless a PAC is used to establish the TLS tunnel. When a PAC is used to establish the TLS tunnel, the master_secret is calculated from the specified client_random, server_random, and PAC-Key as follows: master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", server_random + client_random, 48) where T-PRF is described in Section 5.5. RFC3748]. Note that the IMCK must be recalculated after each successful inner EAP method.
The first step in these calculations is the generation of the base compound key, IMCK[n] from the session_key_seed and any session keys derived from the successful execution of n inner EAP methods. The inner EAP method(s) may provide Master Session Keys, MSK1..MSKn, corresponding to inner methods 1 through n. The MSK is truncated at 32 octets if it is longer than 32 octets or padded to a length of 32 octets with zeros if it is less than 32 octets. If the ith inner method does not generate an MSK, then MSKi is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner method fails, then it is not included in this calculation. The derivations of S-IMCK is as follows: S-IMCK = session_key_seed For j = 1 to n-1 do IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", MSK[j], 60) S-IMCK[j] = first 40 octets of IMCK[j] CMK[j] = last 20 octets of IMCK[j] where T-PRF is described in Section 5.5. Section 4.2.8, which helps provide assurance that the same entities are involved in all communications in EAP-FAST. During the calculation of the Compound-MAC the MAC field is filled with zeros. The Compound MAC computation is as follows: CMK = CMK[j] Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) where j is the number of the last successfully executed inner EAP method.
Section 5.2 by combining the MSKs from inner EAP methods with key material from EAP-FAST Phase 1. The resulting MSK and EMSK are generated as part of the IMCKn key hierarchy as follows: MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64) EMSK = T-PRF(S-IMCK[j], "Extended Session Key Generating Function", 64) where j is the number of the last successfully executed inner EAP method. The EMSK is typically only known to the EAP-FAST peer and server and is not provided to a third party. The derivation of additional keys and transportation of these keys to a third party is outside the scope of this document. If no EAP methods have been negotiated inside the tunnel or no EAP methods have been successfully completed inside the tunnel, the MSK and EMSK will be generated directly from the session_key_seed meaning S-IMCK = session_key_seed. Section 5.4.
To generate the desired outputlength octets of key material, the T-PRF is calculated as follows: S = label + 0x00 + seed T-PRF output = T1 + T2 + T3 + ... + Tn T1 = HMAC-SHA1 (key, S + outputlength + 0x01) T2 = HMAC-SHA1 (key, T1 + S + outputlength + 0x02) T3 = HMAC-SHA1 (key, T2 + S + outputlength + 0x03) Tn = HMAC-SHA1 (key, Tn-1 + S + outputlength + 0xnn) where '+' indicates concatenation. Each Ti generates 20-octets of keying material. The last Tn may be truncated to accommodate the desired length specified by outputlength. BCP 26, [RFC2434]. EAP-FAST has already been assigned the EAP Method Type number 43. The document defines a registry for EAP-FAST TLV types, which may be assigned by Specification Required as defined in [RFC2434]. Section 4.2 defines the TLV types that initially populate the registry. A summary of the EAP-FAST TLV types is given below: 0 Reserved 1 Reserved 2 Reserved 3 Result TLV 4 NAK TLV 5 Error TLV 7 Vendor-Specific TLV 9 EAP-Payload TLV 10 Intermediate-Result TLV 11 PAC TLV [EAP-PROV] 12 Crypto-Binding TLV 18 Server-Trusted-Root TLV [EAP-PROV] 19 Request-Action TLV 20 PKCS#7 TLV [EAP-PROV] The Error-TLV defined in Section 4.2.4 requires an error-code. EAP- FAST Error-TLV error-codes are assigned based on specifications required as defined in [RFC2434]. The initial list of error codes is as follows:
2001 Tunnel_Compromise_Error 2002 Unexpected_TLVs_Exchanged The Request-Action TLV defined in Section 4.2.9 contains an action code which is assigned on a specification required basis as defined in [RFC2434]. The initial actions defined are: 1 Process-TLV 2 Negotiate-EAP The various values under Vendor-Specific TLV are assigned by Private Use and do not need to be assigned by IANA. RFC3748].
RFC4086] when generating random numbers. RFC4282] in the identity response is useful only for the realm information that is used to route the authentication requests to the right EAP server. This means that the identity response may contain an anonymous identity and just contain realm information. In other cases, the identity exchange may be eliminated altogether if there are other means for establishing the destination realm of the request. In no case should an intermediary place any trust in the identity information in the identity response since it
is unauthenticated an may not have any relevance to the authenticated identity. EAP-FAST implementations should not attempt to compare any identity disclosed in the initial cleartext EAP Identity response packet with those Identities authenticated in Phase 2 Identity request-response exchanges sent after the EAP-FAST tunnel is established are protected from modification and eavesdropping by attackers. Note that since TLS client certificates are sent in the clear, if identity protection is required, then it is possible for the TLS authentication to be re-negotiated after the first server authentication. To accomplish this, the server will typically not request a certificate in the server_hello, then after the server_finished message is sent, and before EAP-FAST Phase 2, the server MAY send a TLS hello_request. This allows the client to perform client authentication by sending a client_hello if it wants to, or send a no_renegotiation alert to the server indicating that it wants to continue with EAP-FAST Phase 2 instead. Assuming that the client permits renegotiation by sending a client_hello, then the server will respond with server_hello, a certificate and certificate_request messages. The client replies with certificate, client_key_exchange and certificate_verify messages. Since this re- negotiation occurs within the encrypted TLS channel, it does not reveal client certificate details. It is possible to perform certificate authentication using an EAP method (for example: EAP-TLS) within the TLS session in EAP-FAST Phase 2 instead of using TLS handshake renegotiation.
1. By using the PAC-Key to mutually authenticate the peer and server during EAP-FAST Authentication Phase 1 establishment of a secure tunnel. 2. By using the keys generated by the inner authentication method (if the inner methods are key generating) in the crypto-binding exchange and in the generation of the key material exported by the EAP method described in Section 5. Section 3.3.2. The success/failure decisions within the EAP-FAST tunnel indicate the final decision of the EAP-FAST authentication conversation. After a success/failure result has been indicated by a protected mechanism, the EAP-FAST peer can process unprotected EAP success and EAP failure messages; however the peer MUST ignore any unprotected EAP success or failure messages where the result does not match the result of the protected mechanism. To abide by [RFC3748], the server must send a clear text EAP Success or EAP Failure packet to terminate the EAP conversation. However, since EAP Success and EAP Failure packets are not retransmitted, the
final packet may be lost. While an EAP-FAST protected EAP Success or EAP Failure packet should not be a final packet in an EAP-FAST conversation, it may occur based on the conditions stated above, so an EAP peer should not rely upon the unprotected EAP success and failure messages. RFC4507]. Thus, the security considerations defined by [RFC4507] also apply to the PAC- Opaque. The PAC-Info may contain information about the Tunnel PAC such as the identity of the PAC issuer and the Tunnel PAC lifetime for use in the management of the Tunnel PAC. The PAC-Info should be securely stored by the peer to protect it from disclosure and modification.
RFC3748]. Auth. mechanism: Certificate based, shared secret based and various tunneled authentication mechanisms. Ciphersuite negotiation: Yes Mutual authentication: Yes Integrity protection: Yes, Any method executed within the EAP-FAST tunnel is integrity protected. The cleartext EAP headers outside the tunnel are not integrity protected. Replay protection: Yes Confidentiality: Yes Key derivation: Yes Key strength: See Note 1 below. Dictionary attack prot.: Yes Fast reconnect: Yes Cryptographic binding: Yes Session independence: Yes Fragmentation: Yes Key Hierarchy: Yes Channel binding: No, but TLVs could be defined for this. Notes 1. BCP 86 [RFC3766] offers advice on appropriate key sizes. The National Institute for Standards and Technology (NIST) also offers advice on appropriate key sizes in [NIST.SP800-57]. [RFC3766] Section 5 advises use of the following required RSA or DH module and DSA subgroup size in bits, for a given level of attack resistance in bits. Based on the table below, a 2048-bit RSA key is required to provide 128-bit equivalent key strength: Attack Resistance RSA or DH Modulus DSA subgroup (bits) size (bits) size (bits) ----------------- ----------------- ------------ 70 947 129 80 1228 148 90 1553 167 100 1926 186 150 4575 284 200 8719 383 250 14596 482