Canonical URL: ; File formats: Plain Text PDF Discuss this RFC: Send questions or comments to [email protected] This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically. Network Working Group B. Aboba Request for Comments: Microsoft Obsoletes: L. Blunk Category: Standards Track Merit Network, Inc J. Vollbrecht.

Author: Gushicage Zulkitilar
Country: Jordan
Language: English (Spanish)
Genre: Career
Published (Last): 3 January 2008
Pages: 29
PDF File Size: 14.58 Mb
ePub File Size: 1.75 Mb
ISBN: 523-3-62168-940-7
Downloads: 53339
Price: Free* [*Free Regsitration Required]
Uploader: Duzshura

RFC – Extensible Authentication Protocol (EAP)

This includes impersonating another authenticator, or providing inconsistent information to the peer and EAP server. Depending on the lower layer, these attacks 3784 be carried out ieetf requiring physical proximity. Where EAP is used over the Internet, attacks may be carried out at an even greater distance. This is a statement iftf the authentication technology: This is a statement of the claimed security properties of ietr method, using terms defined in Section 7.

This can be accomplished by including a proof in an Appendix, or including a reference to a proof. If the method derives keys, then the effective key strength MUST be estimated. This estimate is ietv for potential users of the method to determine if the keys produced are strong enough for the intended application. This explanation SHOULD include the parameters required to achieve the stated key strength based on current knowledge of the algorithms.

Although it is difficult to define what “comparable effort” and “typical block cipher” exactly mean, reasonable approximations are sufficient here. The key strength depends on efc methods used to derive the keys. For instance, if keys are derived from a shared secret such as a password or a long-term secretand possibly some public information such as nonces, the effective key strength is limited by the strength of the long-term secret assuming that the derivation procedure is computationally simple.

To take another example, when using public key algorithms, the strength of the symmetric key depends 348 the strength of the public keys used. In addition to the security claims that are made, the specification MUST indicate which of the security claims detailed in Section 7. Protected ciphersuite negotiation This refers to the ability of an EAP method to negotiate the ciphersuite used to protect the EAP conversation, as well as to integrity protect the negotiation.

It does not refer to the ability to negotiate the ciphersuite used to protect data. Two independent one-way methods, running in opposite directions do not irtf mutual authentication as defined here. Integrity protection This refers to providing data origin authentication and protection against unauthorized modification of information for EAP packets including EAP Requests and Responses.

Replay protection This refers to protection against replay of an EAP method or its messages, including success and failure result indications. The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data.

Extensible Authentication Protocol

Use of the EMSK is reserved. Dictionary attack resistance Where password authentication is used, passwords are commonly selected from a small set as compared to a set of N-bit keyswhich raises a concern about dictionary attacks.

A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker’s dictionary.

If executed correctly, binding serves to mitigate man-in-the-middle vulnerabilities. Fragmentation This refers to whether an EAP method supports fragmentation and reassembly. As noted in Section 3. Channel binding The communication within an EAP method of integrity-protected channel properties such as endpoint identifiers which can be compared to values communicated via out of band mechanisms such as via a AAA or lower layer protocol.

This list of security claims is not exhaustive. Additional properties, such as additional denial-of-service protection, may be relevant as well. Therefore, it is possible to omit the Identity exchange entirely, or to use a method-specific identity exchange once a protected channel has been established.

However, where roaming is supported as described in [RFC], it may be necessary to locate the appropriate backend authentication server before the authentication conversation can proceed.

It is possible for the identity in the identity response to be different from the identity authenticated by the EAP method.


This may be intentional in the case of identity privacy. Man-in-the-Middle Attacks Where EAP is tunneled within another protocol that omits peer authentication, there exists a potential vulnerability to a man-in- the-middle attack. As noted in Section 2. Were a sequence of EAP authentication methods to be permitted, the peer might not have proof that a single entity has acted as the authenticator for all EAP methods within the sequence.

For example, an authenticator might terminate one EAP method, then forward the next method in the sequence to another party without the peer’s knowledge or consent. Similarly, the authenticator might not have proof that a single entity has acted as the peer for all EAP methods within the sequence. Where the tunneling protocol is used for key establishment but does not require peer authentication, an attacker convincing a legitimate peer to connect to it will be able to tunnel EAP packets to a legitimate server, successfully authenticating and obtaining the key.

This allows the attacker to successfully establish itself as a man-in- the-middle, gaining access to the network, as well as the ability to decrypt data traffic between the legitimate peer and server.

This attack may be mitigated by the following measures: Where cryptographic binding is supported, a mechanism is also needed to protect against downgrade attacks that would bypass it. Packet Modification Attacks While EAP methods may support per-packet data origin authentication, integrity, and replay protection, support is not provided within the EAP layer.

Since the Identifier is only a single octet, it is easy to guess, allowing an attacker to successfully inject or replay EAP packets. This could cause packets to be inappropriately discarded or misinterpreted. To protect EAP packets against modification, spoofing, or replay, methods supporting protected ciphersuite negotiation, mutual authentication, and key derivation, as well as integrity and replay protection, are recommended.

Method-specific MICs may be used to provide protection. However, as noted in Section 7. However, it is also possible to develop EAP methods that support per-packet MICs, and respond to verification failures by silently discarding the offending packet. In this document, descriptions of EAP message handling assume that per-packet MIC validation, where it occurs, is effectively performed as though it occurs before sending any responses or changing the state of the host which received the packet.

In order to protect against dictionary attacks, authentication methods resistant to dictionary attacks as defined in Section 7. If an authentication algorithm is used that is known to be vulnerable to dictionary attacks, then the conversation may be tunneled within a protected channel in order to provide additional protection. Connection to an Untrusted Network With EAP methods supporting one-way authentication, such as EAP-MD5, the peer does not authenticate the authenticator, making the peer vulnerable to attack by 37488 rogue authenticator.

Methods supporting mutual authentication as defined in Section 7. In EAP there is no requirement that authentication be full duplex or that the same protocol be used in both directions. It is perfectly Aboba, et al. This will, of course, depend on the specific protocols negotiated. However, in general, completing a single unitary mutual authentication is preferable to two one-way authentications, one in each direction. This is because separate authentications that are not bound cryptographically so as to demonstrate they are part of the same session are subject to man-in-the-middle attacks, as discussed in Section 7.

Negotiation Attacks In a negotiation attack, the attacker attempts to convince the peer and authenticator to negotiate a less secure EAP method. Within or associated with each authenticator, it is not anticipated that a particular named peer will gfc a choice of methods. This ffc make the peer vulnerable to attacks that negotiate the least iehf method from among a set.

Instead, for each named peer, there SHOULD be an indication of exactly one method used to authenticate that peer name. If a peer needs to make use of different authentication methods under different circumstances, then distinct identities SHOULD be employed, each of which identifies exactly iehf authentication method. For example, upon failure of authentication, some PPP implementations do not terminate the rfd, instead limiting traffic in Network-Layer Protocols to a filtered subset, which in turn allows the peer the opportunity to update secrets or send mail to the network administrator iehf a problem.

Similarly, while an authentication failure will result in tfc access to the controlled port in [IEEE In EAP rfv is no provision for retries of failed authentication. However, in PPP the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt. Similarly, in IEEE It is recommended that any counters used for authentication failure not be reset until after successful authentication, or subsequent termination of the failed link.


This derivation occurs on the AAA server. Depending on the lower layer, EAP methods may run before or after ciphersuite negotiation, so that the selected ciphersuite may not be known to the EAP method.

By providing keying material usable with any ciphersuite, EAP methods can used with a wide range of rcf and media.

This is distinct from the ciphersuite negotiated between the peer and authenticator, used to protect data. That is, knowledge of one substring MUST NOT help in recovering some other substring without breaking some hard cryptographic assumption.

This restriction will be relaxed in a future 3478 that specifies how the EMSK can be used. Since EAP does not provide for explicit key lifetime negotiation, EAP peers, authenticators, and authentication servers MUST be prepared for situations in which one of the parties discards the key state, which remains valid on another party. Weak Ciphersuites If after the initial EAP authentication, data packets are sent without per-packet authentication, integrity, and replay protection, an attacker with access to the media can inject packets, “flip bits” within existing packets, replay packets, or even hijack the session completely.

Without per-packet confidentiality, it is possible to snoop data packets.

To protect against data modification, spoofing, or snooping, it is recommended that EAP methods supporting mutual authentication and key derivation as defined by Section 7. Additionally, if the lower layer performs ciphersuite negotiation, it should be understood that EAP does not provide by itself integrity protection of that negotiation. Therefore, in order to avoid downgrading attacks which would lead to weaker ciphersuites iietf used, clients implementing lower layer ciphersuite negotiation SHOULD protect against negotiation downgrading.

This can be done by enabling users to configure which ciphersuites are acceptable as a matter of security policy, or the ciphersuite negotiation MAY be authenticated using keying material derived from the EAP authentication and a MIC algorithm agreed upon in advance by lower-layer peers. They can therefore be spoofed by an attacker with access to the link. These messages are not authenticated or integrity protected, and although they are not forwardable, they are spoofable by an attacker within range.

To avoid unnecessary resets, it is advisable to damp these indications, rather than passing them directly to the EAP. Since EAP supports retransmission, it is robust against transient connectivity losses. However, in the case where the authenticator and authentication server reside on different machines, there are several implications for security. This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, using EAP alone.

In practice, this implies that the AAA protocol spoken between the authenticator and authentication server MUST support per-packet authentication, integrity, and replay protection.

Therefore, a mechanism needs to be provided to transmit the AAA-Key from idtf authentication server to the authenticator that needs it. The specification of 3478 AAA-key derivation, transport, and wrapping mechanisms is outside the scope of this document. Cleartext Passwords This specification does not define a mechanism for cleartext password authentication. The omission is intentional. Use of cleartext passwords would allow the password to be captured by an attacker with access to a link over which EAP packets are transmitted.

As letf result, cleartext passwords cannot be securely used within EAP, except where encapsulated within a protected tunnel with server authentication. Some of the same risks apply to EAP methods without dictionary attack resistance, as defined in Section 7. For details, see Section 7. This may enable an authenticator to impersonate another authenticator or communicate incorrect information via out- of-band mechanisms such as via a AAA or lower layer protocol.