Internet DRAFT - draft-mattsson-emu-eap-tls-psk
draft-mattsson-emu-eap-tls-psk
Network Working Group J. Mattsson
Internet-Draft M. Sethi
Intended status: Standards Track Ericsson
Expires: September 10, 2020 T. Aura
Aalto University
O. Friel
Cisco
March 9, 2020
EAP-TLS with PSK Authentication (EAP-TLS-PSK)
draft-mattsson-emu-eap-tls-psk-00
Abstract
While TLS 1.3 supports authentication with Pre-Shared Key (PSK), EAP-
TLS with TLS 1.3 explicitly forbids PSK authentication except when
used for resumption. This document specifies a separate EAP method
(EAP-TLS-PSK) for use cases that require authentication based on
external PSKs.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Mattsson, et al. Expires September 10, 2020 [Page 1]
Internet-Draft EAP-TLS-PSK March 2020
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements and Terminology . . . . . . . . . . . . . . 3
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Overview of the EAP-TLS-PSK Conversation . . . . . . . . 3
2.1.1. Mutual Authentication . . . . . . . . . . . . . . . . 4
2.1.2. Termination . . . . . . . . . . . . . . . . . . . . . 4
2.1.3. Hello Retry Request . . . . . . . . . . . . . . . . . 4
2.1.4. Ticket Establishment . . . . . . . . . . . . . . . . 4
2.1.5. Resumption . . . . . . . . . . . . . . . . . . . . . 4
2.1.6. Privacy . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.7. Fragmentation . . . . . . . . . . . . . . . . . . . . 4
2.2. Identity Verification . . . . . . . . . . . . . . . . . . 4
2.3. Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . 4
2.4. Parameter Negotiation and Compliance Requirements . . . . 4
2.5. EAP State Machines . . . . . . . . . . . . . . . . . . . 4
3. IANA considerations . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
4.1. Security Claims . . . . . . . . . . . . . . . . . . . . . 5
4.2. Peer and Server Identities . . . . . . . . . . . . . . . 5
4.3. Authorization . . . . . . . . . . . . . . . . . . . . . . 5
4.4. Resumption . . . . . . . . . . . . . . . . . . . . . . . 5
4.5. Privacy Considerations . . . . . . . . . . . . . . . . . 5
4.6. Pervasive Monitoring . . . . . . . . . . . . . . . . . . 5
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Normative References . . . . . . . . . . . . . . . . . . 5
5.2. Informative references . . . . . . . . . . . . . . . . . 6
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The Extensible Authentication Protocol (EAP), defined in [RFC3748],
provides a standard mechanism for support of multiple authentication
methods. EAP-Transport Layer Security (EAP-TLS)
[RFC5216][I-D.ietf-emu-eap-tls13] defines an EAP authentication
method with certificate-based mutual authentication and key
derivation utilizing the TLS handshake protocol for cryptographic
algorithms and protocol version negotiation, mutual authentication,
and establishment of shared secret keying material.
Mattsson, et al. Expires September 10, 2020 [Page 2]
Internet-Draft EAP-TLS-PSK March 2020
While majority of TLS deployments use certificate-based
authentication, earlier version of TLS have supported Pre-Shared Keys
(PSK) authention as an optional feature. TLS 1.3 [RFC8446]
incorporporats PSK authentication into the main specification as a
main authentication method.
TLS version 1.3 [RFC8446] also uses PSKs for resuming previous TLS
sessions. The specification distinguishes resumption PSKs from
external PSKs that have been provisioned out of band. It also refers
to external PSKs as out-of-band PSKs.
EAP-TLS [RFC5216] does not discuss the use of PSKs and EAP-TLS with
TLS 1.3 [I-D.ietf-emu-eap-tls13] explicitly forbids the use of
external PSKs. Nonetheless, there are examples of EAP-TLS
deployments that rely on a PSK for authentication. For example, the
Zigbee IP specification discusses the use of EAP-TLS with PSKs.
Although EAP already has an authentication method that supports PSKs
(EAP-PSK [RFC4764]), it does not provide properties of forward
secrecy or identity protection. Similary, EAP also has EAP-Pwd
[RFC5931] for authentication based on user chosen passwords. It
however relies on a Password Authenticated Key Exchange (PAKE).
There are side-channel vulnerabilities in EAP-Pwd which are now being
addressed in [I-D.harkins-eap-pwd-prime]. Implementing all the
mitigations against side-channel attacks may not be possible in all
environments.
This document therefore specifies EAP-TLS-PSK to allow external PSKs
for mutual authentication of the peer and server.
1.1. Requirements and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Readers are expected to be familiar with the terms and concepts used
in EAP-TLS [RFC5216][I-D.ietf-emu-eap-tls13] and TLS 1.3 [RFC8446].
2. Protocol Overview
2.1. Overview of the EAP-TLS-PSK Conversation
This document only lists additional and different requirements,
restrictions, and processing compared to [RFC8446] and
[I-D.ietf-emu-eap-tls13].
Mattsson, et al. Expires September 10, 2020 [Page 3]
Internet-Draft EAP-TLS-PSK March 2020
Compared to EAP-TLS with certificate authentication, EAP-TLS-PSK uses
a new Type-Code (TBD).
What should the NAI be (e.g. can it be based on PSK id)? Does the
PSK id need to have any specific properties?
2.1.1. Mutual Authentication
The EAP server and EAP peer MUST authenticate with an external PSK.
In addition to the PSK, they can also authenticate with a certificate
as specified in [I-D.ietf-tls-tls13-cert-with-extern-psk].
2.1.2. Termination
2.1.3. Hello Retry Request
2.1.4. Ticket Establishment
2.1.5. Resumption
2.1.6. Privacy
Any additional privacy considerations based on PSK ID?
2.1.7. Fragmentation
2.2. Identity Verification
NAI, PSK Identity, Server Identity
2.3. Key Hierarchy
The key derivation is performed as defined Section 2.3 of
[I-D.ietf-emu-eap-tls13] with the only difference being the new Type-
Code.
2.4. Parameter Negotiation and Compliance Requirements
2.5. EAP State Machines
3. IANA considerations
This document registers the following item in the "Method Types"
registry under the "Extensible Authentication Protocol (EAP)
Registry" heading. The 'Reference' field points to this document.
Mattsson, et al. Expires September 10, 2020 [Page 4]
Internet-Draft EAP-TLS-PSK March 2020
+-----------+------------------------+
| Value | Description |
+-----------+------------------------+
| TBD | EAP-TLS-PSK |
+-----------+------------------------+
Figure 1: IANA Method Types
4. Security Considerations
4.1. Security Claims
4.2. Peer and Server Identities
4.3. Authorization
4.4. Resumption
4.5. Privacy Considerations
4.6. Pervasive Monitoring
5. References
5.1. Normative References
[I-D.ietf-emu-eap-tls13]
Mattsson, J. and M. Sethi, "Using EAP-TLS with TLS 1.3",
draft-ietf-emu-eap-tls13-08 (work in progress), December
2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>.
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, DOI 10.17487/RFC5216,
March 2008, <https://www.rfc-editor.org/info/rfc5216>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Mattsson, et al. Expires September 10, 2020 [Page 5]
Internet-Draft EAP-TLS-PSK March 2020
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
5.2. Informative references
[I-D.harkins-eap-pwd-prime]
Harkins, D., "Improved Extensible Authentication Protocol
Using Only a Password", draft-harkins-eap-pwd-prime-00
(work in progress), July 2019.
[I-D.ietf-tls-tls13-cert-with-extern-psk]
Housley, R., "TLS 1.3 Extension for Certificate-based
Authentication with an External Pre-Shared Key", draft-
ietf-tls-tls13-cert-with-extern-psk-07 (work in progress),
December 2019.
[RFC4764] Bersani, F. and H. Tschofenig, "The EAP-PSK Protocol: A
Pre-Shared Key Extensible Authentication Protocol (EAP)
Method", RFC 4764, DOI 10.17487/RFC4764, January 2007,
<https://www.rfc-editor.org/info/rfc4764>.
[RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication
Protocol (EAP) Authentication Using Only a Password",
RFC 5931, DOI 10.17487/RFC5931, August 2010,
<https://www.rfc-editor.org/info/rfc5931>.
Acknowledgments
The authors want to thank Elliot Lear, Alan Dekok, and Joe Salowey
for their feedback on this document.
Authors' Addresses
John Preuss Mattsson
Ericsson
Stockholm 164 40
Sweden
Email: john.mattsson@ericsson.com
Mohit Sethi
Ericsson
Jorvas 02420
Finland
Email: mohit@piuha.net
Mattsson, et al. Expires September 10, 2020 [Page 6]
Internet-Draft EAP-TLS-PSK March 2020
Tuomas Aura
Aalto University
Aalto 00076
Finland
Email: tuomas.aura@aalto.fi
Owen Friel
Cisco
Email: ofriel@cisco.com
Mattsson, et al. Expires September 10, 2020 [Page 7]