The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)

The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) Cisco Systems

3625 Cisco Way San Jose US 95134 CA ncamwing@cisco.com

Cisco Systems

San Jose US 95134 CA mcgrew@cisco.com

Cisco Systems

2901 3rd Ave Seattle US 98121 WA jsalowey@cisco.com

Cisco Systems

4125 Highlander Parkway Richfield US 44286 OH hzhou@cisco.com

This document defines the Extensible Authentication Protocol (EAP) based Flexible Authentication via Secure Tunneling (EAP-FAST) protocol. EAP-FAST is an EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) to establish a mutually authenticated tunnel. Within the tunnel, Type-Length-Value (TLV) objects are used to convey authentication related data between the peer and the EAP server.

Network access solutions requiring user friendly and easily deployable secure authentication mechanisms highlight the need for strong mutual authentication protocols that enable the use of weaker user credentials. This document defines an Extensible Authentication Protocol (EAP), which consists of establishing a Transport Layer Security (TLS) tunnel using TLS 1.0 , TLS 1.1 , or a successor version of TLS, using the latest version supported by both parties. Once the tunnel is established, the protocol further exchanges data in the form of type, length, and value objects (TLV) to perform further authentication. EAP-FAST supports the TLS extension defined in to support fast re-establishment of the secure tunnel without having to maintain per-session state on the server. defines EAP-FAST-based mechanisms to provision the credential for this extension which is called a Protected Access Credential (PAC). EAP-FAST's design motivations included: Mutual authentication: an EAP server must be able to verify the identity and authenticity of the peer, and the peer must be able to verify the authenticity of the EAP server. Immunity to passive dictionary attacks: many authentication protocols require a password to be explicitly provided (either as cleartext or hashed) by the peer to the EAP server; at minimum, the communication of the weak credential (e.g., password) must be immune from eavesdropping. Immunity to man-in-the-middle (MitM) attacks: in establishing a mutually authenticated protected tunnel, the protocol must prevent adversaries from successfully interjecting information into the conversation between the peer and the EAP server. Flexibility to enable support for most password authentication interfaces: as many different password interfaces (e.g., Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Lightweight Directory Access Protocol (LDAP), One-Time Password (OTP), etc.) exist to authenticate a peer, the protocol must provide this support seamlessly. Efficiency: specifically when using wireless media, peers will be limited in computational and power resources. The protocol must enable the network access communication to be computationally lightweight. With these motivational goals defined, further secondary design criteria are imposed: Flexibility to extend the communications inside the tunnel: with the growing complexity in network infrastructures, the need to gain authentication, authorization, and accounting is also evolving. For instance, there may be instances in which multiple existing authentication protocols are required to achieve mutual authentication. Similarly, different protected conversations may be required to achieve the proper authorization once a peer has successfully authenticated. Minimize the authentication server's per user authentication state requirements: with large deployments, it is typical to have many servers acting as the authentication servers for many peers. It is also highly desirable for a peer to use the same shared secret to secure a tunnel much the same way it uses the username and password to gain access to the network. The protocol must facilitate the use of a single strong shared secret by the peer while enabling the servers to minimize the per user and device state it must cache and manage.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Much of the terminology in this document comes from . Additional terms are defined below: Credentials distributed to a peer for future optimized network authentication. The PAC consists of, at most, three components: a shared secret, an opaque element, and optionally other information. The shared secret component contains the pre-shared key between the peer and the authentication server. The opaque part is provided to the peer and is presented to the authentication server when the peer wishes to obtain access to network resources. Finally, a PAC may optionally include other information that may be useful to the peer. The opaque part of the PAC is the same type of data as the ticket in and the shared secret is used to derive the TLS master secret.

EAP-FAST is an authentication protocol similar to EAP-TLS that enables mutual authentication and cryptographic context establishment by using the TLS handshake protocol. EAP-FAST allows for the established TLS tunnel to be used for further authentication exchanges. EAP-FAST makes use of TLVs to carry out the inner authentication exchanges. The tunnel is then used to protect weaker inner authentication methods, which may be based on passwords, and to communicate the results of the authentication. EAP-FAST makes use of the TLS enhancements in to enable an optimized TLS tunnel session resume while minimizing server state. The secret key used in EAP-FAST is referred to as the Protected Access Credential key (or PAC-Key); the PAC-Key is used to mutually authenticate the peer and the server when securing a tunnel. The ticket is referred to as the Protected Access Credential opaque data (or PAC-Opaque). The secret key and ticket used to establish the tunnel may be provisioned through mechanisms that do not involve the TLS handshake. It is RECOMMENDED that implementations support the capability to distribute the ticket and secret key within the EAP-FAST tunnel as specified in . The EAP-FAST conversation is used to establish or resume an existing session to typically establish network connectivity between a peer and the network. Upon successful execution of EAP-FAST, both EAP peer and EAP server derive strong session key material that can then be communicated to the network access server (NAS) for use in establishing a link layer security association.

The network architectural model for EAP-FAST usage is shown below:

| Authen- |<---->| EAP-FAST |<---->| Method | | | | ticator | | server | | server | | | | | | | | | +----------+ +----------+ +----------+ +----------+ ]]> The entities depicted above are logical entities and may or may not correspond to separate network components. For example, the EAP-FAST server and inner method server might be a single entity; the authenticator and EAP-FAST server might be a single entity; or the functions of the authenticator, EAP-FAST server, and inner method server might be combined into a single physical device. For example, typical 802.11 deployments place the Authenticator in an access point (AP) while a Radius server may provide the EAP-FAST and inner method server components. The above diagram illustrates the division of labor among entities in a general manner and shows how a distributed system might be constructed; however, actual systems might be realized more simply. The security considerations provides an additional discussion of the implications of separating the EAP-FAST server from the inner method server.

EAP-FAST packets are encapsulated within EAP; EAP in turn requires a carrier protocol for transport. EAP-FAST packets encapsulate TLS, which is then used to encapsulate user authentication information. Thus, EAP-FAST messaging can be described using a layered model, where each layer encapsulates the layer above it. The following diagram clarifies the relationship between protocols:

The TLV layer is a payload with Type-Length-Value (TLV) Objects defined in . The TLV objects are used to carry arbitrary parameters between an EAP peer and an EAP server. All conversations in the EAP-FAST protected tunnel must be encapsulated in a TLV layer. Methods for encapsulating EAP within carrier protocols are already defined. For example, IEEE 802.1X may be used to transport EAP between the peer and the authenticator; RADIUS or Diameter may be used to transport EAP between the authenticator and the EAP-FAST server.

EAP-FAST authentication occurs in two phases. In the first phase, EAP-FAST employs the TLS handshake to provide an authenticated key exchange and to establish a protected tunnel. Once the tunnel is established the second phase begins with the peer and server engaging in further conversations to establish the required authentication and authorization policies. The operation of the protocol, including Phase 1 and Phase 2, are the topic of this section. The format of EAP-FAST messages is given in and the cryptographic calculations are given in .

EAP-FAST packets contain a 3-bit version field, following the TLS Flags field, which enables EAP-FAST implementations to be backward compatible with previous versions of the protocol. This specification documents the EAP-FAST version 1 protocol; implementations of this specification MUST use a version field set to 1. Version negotiation proceeds as follows: In the first EAP-Request sent with EAP type=EAP-FAST, the EAP server must set the version field to the highest supported version number. If the EAP peer supports this version of the protocol, it MUST respond with an EAP-Response of EAP type=EAP-FAST, and the version number proposed by the EAP-FAST server. If the EAP-FAST peer does not support this version, it responds with an EAP-Response of EAP type=EAP-FAST and the highest supported version number. If the EAP-FAST server does not support the version number proposed by the EAP-FAST peer, it terminates the conversation. Otherwise the EAP-FAST conversation continues. The version negotiation procedure guarantees that the EAP-FAST peer and server will agree to the latest version supported by both parties. If version negotiation fails, then use of EAP-FAST will not be possible, and another mutually acceptable EAP method will need to be negotiated if authentication is to proceed. The EAP-FAST version is not protected by TLS; and hence can be modified in transit. In order to detect a modification of the EAP-FAST version, the peers MUST exchange the EAP-FAST version number received during version negotiation using the Crypto-Binding TLV described in . The receiver of the Crypto-Binding TLV MUST verify that the version received in the Crypto-Binding TLV matches the version sent by the receiver in the EAP-FAST version negotiation.

EAP-FAST is based on the TLS handshake to establish an authenticated and protected tunnel. The TLS version offered by the peer and server MUST be TLS v1.0 or later. This version of the EAP-FAST implementation MUST support the following TLS ciphersuites: TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA Other ciphersuites MAY be supported. It is RECOMMENDED that anonymous ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA only be used in the context of the provisioning described in . Care must be taken to address potential man-in-the-middle attacks when ciphersuites that do not provide authenticated tunnel establishment are used. During the EAP-FAST Phase 1 conversation the EAP-FAST endpoints MAY negotiate TLS compression. The EAP server initiates the EAP-FAST conversation with an EAP request containing an EAP-FAST/Start packet. This packet includes a set Start (S) bit, the EAP-FAST version as specified in , and an authority identity. The TLS payload in the initial packet is empty. The authority identity (A-ID) is used to provide the peer a hint of the server's identity that may be useful in helping the peer select the appropriate credential to use. Assuming that the peer supports EAP-FAST the conversation continues with the peer sending an EAP-Response packet with EAP type of EAP-FAST with the Start (S) bit clear and the version as specified in . This message encapsulates one or more TLS records containing the TLS handshake messages. If the EAP-FAST version negotiation is successful then the EAP-FAST conversation continues until the EAP server and EAP peer are ready to enter Phase 2. When the full TLS handshake is performed, then the first payload of EAP-FAST Phase 2 MAY be sent along with server-finished handshake message to reduce the number of round trips. After the TLS session is established, another EAP exchange MAY occur within the tunnel to authenticate the EAP peer. EAP-FAST implementations MUST support client authentication during tunnel establishment using the TLS ciphersuites specified in . EAP-FAST implementations SHOULD also support the immediate renegotiation of a TLS session to initiate a new handshake message exchange under the protection of the current ciphersuite. This allows support for protection of the peer's identity. Note that the EAP peer does not need to authenticate as part of the TLS exchange, but can alternatively be authenticated through additional EAP exchanges carried out in Phase 2. The EAP-FAST tunnel protects peer identity information from disclosure outside the tunnel. Implementations that wish to provide identity privacy for the peer identity must carefully consider what information is disclosed outside the tunnel. The following sections describe resuming a TLS session based on server-side or client-side state.

EAP-FAST session resumption is achieved in the same manner TLS achieves session resume. To support session resumption, the server and peer must minimally cache the SessionID, master secret, and ciphersuite. The peer attempts to resume a session by including a valid SessionID from a previous handshake in its ClientHello message. If the server finds a match for the SessionID and is willing to establish a new connection using the specified session state, the server will respond with the same SessionID and proceed with the EAP-FAST Authentication Phase 1 tunnel establishment based on a TLS abbreviated handshake. After a successful conclusion of the EAP-FAST Authentication Phase 1 conversation, the conversation then continues on to Phase 2.

EAP-FAST supports the resumption of sessions based on client-side state using techniques described in . This version of EAP-FAST does not support the provisioning of a ticket through the use of the SessionTicket handshake message. Instead it supports the provisioning of a ticket called a Protected Access Credential (PAC) as described in . Implementations may provide additional ways to provision the PAC, such as manual configuration. Since the PAC mentioned here is used for establishing the TLS Tunnel, it is more specifically referred to as the Tunnel PAC. The Tunnel PAC is a security credential provided by the EAP server to a peer and comprised of: PAC-Key: this is a 32-octet key used by the peer to establish the EAP-FAST Phase 1 tunnel. This key is used to derive the TLS premaster secret as described in . The PAC-Key is randomly generated by the EAP server to produce a strong entropy 32-octet key. The PAC-Key is a secret and MUST be treated accordingly. For example, as the PAC-Key is a separate component provisioned by the server to establish a secure tunnel, the server may deliver this component protected by a secure channel, and it must be stored securely by the peer. PAC-Opaque: this is a variable length field that is sent to the EAP server during the EAP-FAST Phase 1 tunnel establishment. The PAC-Opaque can only be interpreted by the EAP server to recover the required information for the server to validate the peer's identity and authentication. For example, the PAC-Opaque includes the PAC-Key and may contain the PAC's peer identity. The PAC-Opaque format and contents are specific to the PAC issuing server. The PAC-Opaque may be presented in the clear, so an attacker MUST NOT be able to gain useful information from the PAC-Opaque itself. The server issuing the PAC-Opaque must ensure it is protected with strong cryptographic keys and algorithms. PAC-Info: this is a variable length field used to provide, at a minimum, the authority identity of the PAC issuer. Other useful but not mandatory information, such as the PAC-Key lifetime, may also be conveyed by the PAC issuing server to the peer during PAC provisioning or refreshment. The use of the PAC is based on the SessionTicket extension defined in . The EAP server initiates the EAP-FAST conversation as normal. Upon receiving the A-ID from the server, the peer checks to see if it has an existing valid PAC-Key and PAC-Opaque for the server. If it does, then it obtains the PAC-Opaque and puts it in the SessionTicket extension in the ClientHello. It is RECOMMENDED in EAP-FAST that the peer include an empty Session ID in a ClientHello containing a PAC-Opaque. EAP-FAST does not currently support the SessionTicket Handshake message so an empty SessionTicket extension MUST NOT be included in the ClientHello. If the PAC-Opaque included in the SessionTicket extension is valid and the EAP server permits the abbreviated TLS handshake, it will select the ciphersuite allowed to be used from information within the PAC and finish with the abbreviated TLS handshake. If the server receives a Session ID and a PAC-Opaque in the SessionTicket extension in a ClientHello, it should place the same Session ID in the ServerHello if it is resuming a session based on the PAC-Opaque. The conversation then proceeds as described in until the handshake completes or a fatal error occurs. After the abbreviated handshake completes, the peer and server are ready to commence Phase 2. Note that when a PAC is used, the TLS master secret is calculated from the PAC-Key, client random, and server random as described in . Specific details for the Tunnel PAC format, provisioning and security considerations are best described in

If session resumption based on server-side or client-side state fails, the server can gracefully fall back to a full TLS handshake. If the ServerHello received by the peer contains a empty Session ID or a Session ID that is different than in the ClientHello, the server may be falling back to a full handshake. The peer can distinguish the server's intent of negotiating full or abbreviated TLS handshake by checking the next TLS handshake messages in the server response to the ClientHello. If ChangeCipherSpec follows the ServerHello in response to the ClientHello, then the server has accepted the session resumption and intends to negotiate the abbreviated handshake. Otherwise, the server intends to negotiate the full TLS handshake. A peer can request for a new PAC to be provisioned after the full TLS handshake and mutual authentication of the peer and the server. In order to facilitate the fallback to a full handshake, the peer SHOULD include ciphersuites that allow for a full handshake and possibly PAC provisioning so the server can select one of these in case session resumption fails. An example of the transition is shown in .

The second portion of the EAP-FAST Authentication occurs immediately after successful completion of Phase 1. Phase 2 occurs even if both peer and authenticator are authenticated in the Phase 1 TLS negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake fails. Phase 2 consists of a series of requests and responses encapsulated in TLV objects defined in . Phase 2 MUST always end with a protected termination exchange described in . The TLV exchange may include the execution of zero or more EAP methods within the protected tunnel as described in . A server MAY proceed directly to the protected termination exchange if it does not wish to request further authentication from the peer. However, the peer and server must not assume that either will skip inner EAP methods or other TLV exchanges. The peer may have roamed to a network that requires conformance with a different authentication policy or the peer may request the server take additional action through the use of the Request-Action TLV.

EAP prohibits use of multiple authentication methods within a single EAP conversation in order to limit vulnerabilities to man-in-the-middle attacks. EAP-FAST addresses man-in-the-middle attacks through support for cryptographic protection of the inner EAP exchange and cryptographic binding of the inner authentication method(s) to the protected tunnel. EAP methods are executed serially in a sequence. This version of EAP-FAST does not support initiating multiple EAP methods simultaneously in parallel. The methods need not be distinct. For example, EAP-TLS could be run twice as an inner method, first using machine credentials followed by a second instance using user credentials. EAP method messages are carried within EAP-Payload TLVs defined in . If more than one method is going to be executed in the tunnel then, upon completion of a method, a server MUST send an Intermediate-Result TLV indicating the result. The peer MUST respond to the Intermediate-Result TLV indicating its result. If the result indicates success, the Intermediate-Result TLV MUST be accompanied by a Crypto-Binding TLV. The Crypto-Binding TLV is further discussed in and . The Intermediate-Result TLVs can be included with other TLVs such as EAP-Payload TLVs starting a new EAP conversation or with the Result TLV used in the protected termination exchange. In the case where only one EAP method is executed in the tunnel, the Intermediate-Result TLV MUST NOT be sent with the Result TLV. In this case, the status of the inner EAP method is represented by the final Result TLV, which also represents the result of the whole EAP-FAST conversation. This is to maintain backward compatibility with existing implementations. If both peer and server indicate success, then the method is considered complete. If either indicates failure. then the method is considered failed. The result of failure of an EAP method does not always imply a failure of the overall authentication. If one authentication method fails, the server may attempt to authenticate the peer with a different method.

A successful EAP-FAST Phase 2 conversation MUST always end in a successful Result TLV exchange. An EAP-FAST server may initiate the Result TLV exchange without initiating any EAP conversation in EAP-FAST Phase 2. After the final Result TLV exchange, the TLS tunnel is terminated and a clear text EAP-Success or EAP-Failure is sent by the server. The format of the Result TLV is described in . A server initiates a successful protected termination exchange by sending a Result TLV indicating success. The server may send the Result TLV along with an Intermediate-Result TLV and a Crypto-Binding TLV. If the peer requires nothing more from the server it will respond with a Result TLV indicating success accompanied by an Intermediate-Result TLV and Crypto-Binding TLV if necessary. The server then tears down the tunnel and sends a clear text EAP-Success. If the peer receives a Result TLV indicating success from the server, but its authentication policies are not satisfied (for example it requires a particular authentication mechanism be run or it wants to request a PAC), it may request further action from the server using the Request-Action TLV. The Request-Action TLV is sent along with the Result TLV indicating what EAP Success/Failure result the peer would expect if the requested action is not granted. The value of the Request-Action TLV indicates what the peer would like to do next. The format and values for the Request-Action TLV are defined in . Upon receiving the Request-Action TLV the server may process the request or ignore it, based on its policy. If the server ignores the request, it proceeds with termination of the tunnel and send the clear text EAP Success or Failure message based on the value of the peer's result TLV. If the server honors and processes the request, it continues with the requested action. The conversation completes with a Result TLV exchange. The Result TLV may be included with the TLV that completes the requested action. Error handling for Phase 2 is discussed in .

The Peer-Id and Server-Id may be determined based on the types of credentials used during either the EAP-FAST tunnel creation or authentication. When X.509 certificates are used for peer authentication, the Peer-Id is determined by the subject or subjectAltName fields in the peer certificate. As noted in (updated by ): The subject field identifies the entity associated with the public key stored in the subject public key field. The subject name MAY be carried in the subject field and/or the subjectAltName extension.... If subject naming information is present only in the subjectAltName extension (e.g., a key bound only to an email address or URI), then the subject name MUST be an empty sequence and the subjectAltName extension MUST be critical. Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN). If an inner EAP method is run, then the Peer-Id is obtained from the inner method. When the server uses an X.509 certificate to establish the TLS tunnel, the Server-Id is determined in a similar fashion as stated above for the Peer-Id; e.g., the subject or subjectAltName field in the server certificate defines the Server-Id.

The EAP session identifier is constructed using the random values provided by the peer and server during the TLS tunnel establishment. The Session-Id is defined as follows:

EAP-FAST uses the following error handling rules summarized below: Errors in the TLS layer are communicated via TLS alert messages in all phases of EAP-FAST. The Intermediate-Result TLVs carry success or failure indications of the individual EAP methods in EAP-FAST Phase 2. Errors within the EAP conversation in Phase 2 are expected to be handled by individual EAP methods. Violations of the TLV rules are handled using Result TLVs together with Error TLVs. Tunnel compromised errors (errors caused by Crypto-Binding failed or missing) are handled using Result TLVs and Error TLVs.

If the EAP-FAST server detects an error at any point in the TLS Handshake or the TLS layer, the server SHOULD send an EAP-FAST request encapsulating a TLS record containing the appropriate TLS alert message rather than immediately terminating the conversation so as to allow the peer to inform the user of the cause of the failure and possibly allow for a restart of the conversation. The peer MUST send an EAP-FAST response to an alert message. The EAP-Response packet sent by the peer may encapsulate a TLS ClientHello handshake message, in which case the EAP-FAST server MAY allow the EAP-FAST conversation to be restarted, or it MAY contain an EAP-FAST response with a zero-length message, in which case the server MUST terminate the conversation with an EAP-Failure packet. It is up to the EAP-FAST server whether to allow restarts, and if so, how many times the conversation can be restarted. An EAP-FAST Server implementing restart capability SHOULD impose a limit on the number of restarts, so as to protect against denial-of-service attacks. If the EAP-FAST peer detects an error at any point in the TLS layer, the EAP-FAST peer should send an EAP-FAST response encapsulating a TLS record containing the appropriate TLS alert message. The server may restart the conversation by sending an EAP-FAST request packet encapsulating the TLS HelloRequest handshake message. The peer may allow the EAP-FAST conversation to be restarted or it may terminate the conversation by sending an EAP-FAST response with an zero-length message.

Any time the peer or the server finds a fatal error outside of the TLS layer during Phase 2 TLV processing, it MUST send a Result TLV of failure and an Error TLV with the appropriate error code. For errors involving the processing of the sequence of exchanges, such as a violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error code is Unexpected_TLVs_Exchanged. For errors involving a tunnel compromise, the error-code is Tunnel_Compromise_Error. Upon sending a Result TLV with a fatal Error TLV the sender terminates the TLS tunnel. Note that a server will still wait for a message from the peer after it sends a failure, however the server does not need to process the contents of the response message. If a server receives a Result TLV of failure with a fatal Error TLV, it SHOULD send a clear text EAP-Failure. If a peer receives a Result TLV of failure, it MUST respond with a Result TLV indicating failure. If the server has sent a Result TLV of failure, it ignores the peer response, and it SHOULD send a clear text EAP-Failure.

A single TLS record may be up to 16384 octets in length, but a TLS message may span multiple TLS records, and a TLS certificate message may in principle be as long as 16 MB. This is larger than the maximum size for a message on most media types, therefore it is desirable to support fragmentation. Note that in order to protect against reassembly lockup and denial-of-service attacks, it may be desirable for an implementation to set a maximum size for one such group of TLS messages. Since a typical certificate chain is rarely longer than a few thousand octets, and no other field is likely to be anywhere near as long, a reasonable choice of maximum acceptable message length might be 64 KB. This is still a fairly large message packet size so an EAP-FAST implementation MUST provide its own support for fragmentation and reassembly. Since EAP is an lock-step protocol, fragmentation support can be added in a simple manner. In EAP, fragments that are lost or damaged in transit will be retransmitted, and since sequencing information is provided by the Identifier field in EAP, there is no need for a fragment offset field. EAP-FAST fragmentation support is provided through the addition of flag bits within the EAP-Response and EAP-Request packets, as well as a TLS Message Length field of four octets. Flags include the Length included (L), More fragments (M), and EAP-FAST Start (S) bits. The L flag is set to indicate the presence of the four-octet TLS Message Length field, and MUST be set for the first fragment of a fragmented TLS message or set of messages. The M flag is set on all but the last fragment. The S flag is set only within the EAP-FAST start message sent from the EAP server to the peer. The TLS Message Length field is four octets, and provides the total length of the TLS message or set of messages that is being fragmented; this simplifies buffer allocation. When an EAP-FAST peer receives an EAP-Request packet with the M bit set, it MUST respond with an EAP-Response with EAP-Type of EAP-FAST and no data. This serves as a fragment ACK. The EAP server must wait until it receives the EAP-Response before sending another fragment. In order to prevent errors in processing of fragments, the EAP server MUST increment the Identifier field for each fragment contained within an EAP-Request, and the peer must include this Identifier value in the fragment ACK contained within the EAP-Response. Retransmitted fragments will contain the same Identifier value. Similarly, when the EAP-FAST server receives an EAP-Response with the M bit set, it must respond with an EAP-Request with EAP-Type of EAP-FAST and no data. This serves as a fragment ACK. The EAP peer MUST wait until it receives the EAP-Request before sending another fragment. In order to prevent errors in the processing of fragments, the EAP server MUST increment the Identifier value for each fragment ACK contained within an EAP-Request, and the peer MUST include this Identifier value in the subsequent fragment contained within an EAP-Response.

The following sections describe the message formats used in EAP-FAST. The fields are transmitted from left to right in network byte order.

A summary of the EAP-FAST Request/Response packet format is shown below.

The code field is one octet in length defined as follows: Request Response The Identifier field is one octet and aids in matching responses with requests. The Identifier field MUST be changed on each Request packet. The Identifier field in the Response packet MUST match the Identifier field from the corresponding request. The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, Flags, Ver, Message Length, and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. 43 for EAP-FAST

Length included; set to indicate the presence of the four-octet Message Length field More fragments; set on all but the last fragment EAP-FAST start; set in an EAP-FAST Start message Reserved (must be zero) This field contains the version of the protocol. This document describes version 1 (001 in binary) of EAP-FAST. The Message Length field is four octets, and is present only if the L bit is set. This field provides the total length of the message that may be fragmented over the data fields of multiple packets. In the case of an EAP-FAST Start request (i.e., when the S bit is set) the Data field consists of the A-ID described in . In other cases, when the Data field is present, it consists of an encapsulated TLS packet in TLS record format. An EAP-FAST packet with Flags and Version fields, but with zero length data field, is used to indicate EAP-FAST acknowledgement for either a fragmented message, a TLS Alert message or a TLS Finished message.

The Type field is two octets. It is set to 0x0004 for Authority ID The Length filed is two octets, which contains the length of the ID field in octets. Hint of the identity of the server. It should be unique across the deployment.

The TLVs defined here are standard Type-Length-Value (TLV) objects. The TLV objects could be used to carry arbitrary parameters between EAP peer and EAP server within the protected TLS tunnel. The EAP peer may not necessarily implement all the TLVs supported by the EAP server. To allow for interoperability, TLVs are designed to allow an EAP server to discover if a TLV is supported by the EAP peer, using the NAK TLV. The mandatory bit in a TLV indicates whether support of the TLV is required. If the peer or server does not support a TLV marked mandatory, then it MUST send a NAK TLV in the response, and all the other TLVs in the message MUST be ignored. If an EAP peer or server finds an unsupported TLV that is marked as optional, it can ignore the unsupported TLV. It MUST NOT send an NAK TLV for a TLV that is not marked mandatory. Note that a peer or server may support a TLV with the mandatory bit set, but may not understand the contents. The appropriate response to a supported TLV with content that is not understood is defined by the individual TLV specification. EAP implementations compliant with this specification MUST support TLV exchanges, as well as the processing of mandatory/optional settings on the TLV. Implementations conforming to this specification MUST support the following TLVs: Result TLV NAK TLV Error TLV EAP-Payload TLV Intermediate-Result TLV Crypto-Binding TLV Request-Action TLV

TLVs are defined as described below. The fields are transmitted from left to right.

Optional TLV Mandatory TLV Reserved, set to zero (0) A 14-bit field, denoting the TLV type. Allocated Types include: 0 Reserved 1 Reserved 2 Reserved 3 Result TLV (Section 4.2.2) 4 NAK TLV (Section 4.2.3) 5 Error TLV (Section 4.2.4) 7 Vendor-Specific TLV (Section 4.2.5) 9 EAP-Payload TLV (Section 4.2.6) 10 Intermediate-Result TLV (Section 4.2.7) 11 PAC TLV [EAP-PROV] 12 Crypto-Binding TLV (Section 4.2.8) 18 Server-Trusted-Root TLV [EAP-PROV] 19 Request-Action TLV (Section 4.2.9) 20 PKCS#7 TLV [EAP-PROV] The length of the Value field in octets. The value of the TLV.

The Result TLV provides support for acknowledged success and failure messages for protected termination within EAP-FAST. If the Status field does not contain one of the known values, then the peer or EAP server MUST treat this as a fatal error of Unexpected_TLVs_Exchanged. The behavior of the Result TLV is further discussed in and . A Result TLV indicating failure MUST NOT be accompanied by the following TLVs: NAK, EAP-Payload TLV, or Crypto-Binding TLV. The Result TLV is defined as follows:

Mandatory, set to one (1) Reserved, set to zero (0) 3 for Result TLV 2 The Status field is two octets. Values include: Success Failure

The NAK TLV allows a peer to detect TLVs that are not supported by the other peer. An EAP-FAST packet can contain 0 or more NAK TLVs. A NAK TLV should not be accompanied by other TLVs. A NAK TLV MUST NOT be sent in response to a message containing a Result TLV, instead a Result TLV of failure should be sent indicating failure and an Error TLV of Unexpected_TLVs_Exchanged. The NAK TLV is defined as follows:

Mandatory, set to one (1) Reserved, set to zero (0) 4 for NAK TLV >=6 The Vendor-Id field is four octets, and contains the Vendor-Id of the TLV that was not supported. The high-order octet is 0 and the low-order three octets are the Structure of Management Information (SMI) Network Management Private Enterprise Code of the Vendor in network byte order. The Vendor-Id field MUST be zero for TLVs that are not Vendor-Specific TLVs. The NAK-Type field is two octets. The field contains the Type of the TLV that was not supported. A TLV of this Type MUST have been included in the previous packet. This field contains a list of zero or more TLVs, each of which MUST NOT have the mandatory bit set. These optional TLVs are for future extensibility to communicate why the offending TLV was determined to be unsupported.

The Error TLV allows an EAP peer or server to indicate errors to the other party. An EAP-FAST packet can contain 0 or more Error TLVs. The Error-Code field describes the type of error. Error Codes 1-999 represent successful outcomes (informative messages), 1000-1999 represent warnings, and codes 2000-2999 represent fatal errors. A fatal Error TLV MUST be accompanied by a Result TLV indicating failure and the conversation must be terminated as described in . The Error TLV is defined as follows:

Mandatory, set to one (1) Reserved, set to zero (0) 5 for Error TLV 4 The Error-Code field is four octets. Currently defined values for Error-Code include: 2001 Tunnel_Compromise_Error 2002 Unexpected_TLVs_Exchanged

The Vendor-Specific TLV is available to allow vendors to support their own extended attributes not suitable for general usage. A Vendor-Specific TLV attribute can contain one or more TLVs, referred to as Vendor TLVs. The TLV-type of a Vendor-TLV is defined by the vendor. All the Vendor TLVs inside a single Vendor-Specific TLV belong to the same vendor. There can be multiple Vendor-Specific TLVs from different vendors in the same message. Vendor TLVs may be optional or mandatory. Vendor TLVs sent with Result TLVs MUST be marked as optional. The Vendor-Specific TLV is defined as follows:

The Vendor-Specific TLV is defined as follows: 0 or 1 Reserved, set to zero (0) 7 for Vendor Specific TLV 4 + cumulative length of all included Vendor TLVs The Vendor-Id field is four octets, and contains the Vendor-Id of the TLV. The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the Vendor in network byte order. This field is of indefinite length. It contains vendor-specific TLVs, in a format defined by the vendor.

To allow piggybacking an EAP request or response with other TLVs, the EAP-Payload TLV is defined, which includes an encapsulated EAP packet and a list of optional TLVs. The optional TLVs are provided for future extensibility to provide hints about the current EAP authentication. Only one EAP-Payload TLV is allowed in a message. The EAP-Payload TLV is defined as follows:

Mandatory, set to (1) Reserved, set to zero (0) 9 for EAP-Payload TLV length of embedded EAP packet + cumulative length of additional TLVs This field contains a complete EAP packet, including the EAP header (Code, Identifier, Length, Type) fields. The length of this field is determined by the Length field of the encapsulated EAP packet. This field contains a list of zero or more TLVs associated with the EAP packet field. The TLVs MUST NOT have the mandatory bit set. The total length of this field is equal to the Length field of the EAP-Payload TLV, minus the Length field in the EAP header of the EAP packet field.

The Intermediate-Result TLV provides support for acknowledged intermediate Success and Failure messages between multiple inner EAP methods within EAP. An Intermediate-Result TLV indicating success MUST be accompanied by a Crypto-Binding TLV. The optional TLVs associated with this TLV are provided for future extensibility to provide hints about the current result. The Intermediate-Result TLV is defined as follows:

Mandatory, set to (1) Reserved, set to zero (0) 10 for Intermediate-Result TLV 2 + cumulative length of the embedded associated TLVs The Status field is two octets. Values include: Success Failure This field is of indeterminate length, and contains zero or more of the TLVs associated with the Intermediate Result TLV. The TLVs in this field MUST NOT have the mandatory bit set.

The Crypto-Binding TLV is used to prove that both the peer and server participated in the tunnel establishment and sequence of authentications. It also provides verification of the EAP-FAST version negotiated before TLS tunnel establishment, see . The Crypto-Binding TLV MUST be included with the Intermediate-Result TLV to perform Cryptographic Binding after each successful EAP method in a sequence of EAP methods. The Crypto-Binding TLV can be issued at other times as well. The Crypto-Binding TLV is valid only if the following checks pass: The Crypto-Binding TLV version is supported The MAC verifies correctly The received version in the Crypto-Binding TLV matches the version sent by the receiver during the EAP version negotiation The subtype is set to the correct value If any of the above checks fail, then the TLV is invalid. An invalid Crypto-Binding TLV is a fatal error and is handled as described in . The Crypto-Binding TLV is defined as follows:

Mandatory, set to (1) Reserved, set to zero (0) 12 for Crypto-Binding TLV 56 Reserved, set to zero (0) The Version field is a single octet, which is set to the version of Crypto-Binding TLV the EAP method is using. For an implementation compliant with this version of EAP-FAST, the version number MUST be set to 1. The Received Version field is a single octet and MUST be set to the EAP version number received during version negotiation. Note that this field only provides protection against downgrade attacks, where a version of EAP requiring support for this TLV is required on both sides. The Sub-Type field is one octet. Defined values include: Binding Request Binding Response The Nonce field is 32 octets. It contains a 256-bit nonce that is temporally unique, used for compound MAC key derivation at each end. The nonce in a request MUST have its least significant bit set to 0 and the nonce in a response MUST have the same value as the request nonce except the least significant bit MUST be set to 1. The Compound MAC field is 20 octets. This can be the Server MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the MAC is described in .

The Request-Action TLV MAY be sent by the peer along with a Result TLV in response to a server's successful Result TLV. It allows the peer to request the EAP server to negotiate additional EAP methods or process TLVs specified in the response packet. The server MAY ignore this TLV. The Request-Action TLV is defined as follows:

Mandatory set to one (1) Reserved, set to zero (0) 19 for Request-Action TLV 2 The Action field is two octets. Values include: Process-TLV Negotiate-EAP

The following table provides a guide to which TLVs may be found in which kinds of messages, and in what quantity. The messages are as follows: Request is an EAP-FAST Request, Response is an EAP-FAST Response, Success is a message containing a successful Result TLV, and Failure is a message containing a failed Result TLV.

[NOTE1] Vendor TLVs (included in Vendor-Specific TLVs) sent with a Result TLV MUST be marked as optional. The following table defines the meaning of the table entries in the sections below: 0 This TLV MUST NOT be present in the message. 0+ Zero or more instances of this TLV MAY be present in the message. 0-1 Zero or one instance of this TLV MAY be present in the message. 1 Exactly one instance of this TLV MUST be present in the message.

The EAP-FAST Authentication tunnel key is calculated similarly to the TLS key calculation with an additional 40 octets (referred to as the session_key_seed) generated. The additional session_key_seed is used in the Session Key calculation in the EAP-FAST Tunneled Authentication conversation.

To generate the key material required for the EAP-FAST Authentication tunnel, the following construction from is used: where '+' denotes concatenation. The PRF function used to generate keying material is defined by . For example, if the EAP-FAST Authentication employs 128-bit RC4 and SHA1, the key_block is 112 octets long and is partitioned as follows: client_write_MAC_secret[20] server_write_MAC_secret[20] client_write_key[16] server_write_key[16] client_write_IV[0] server_write_IV[0] session_key_seed[40] The session_key_seed is used by the EAP-FAST Authentication Phase 2 conversation to both cryptographically bind the inner method(s) to the tunnel as well as generate the resulting EAP-FAST session keys. The other quantities are used as they are defined in .

The master_secret is generated as specified in TLS unless a PAC is used to establish the TLS tunnel. When a PAC is used to establish the TLS tunnel, the master_secret is calculated from the specified client_random, server_random, and PAC-Key as follows: where T-PRF is described in .

The session_key_seed derived as part of EAP-FAST Phase 2 is used in EAP-FAST Phase 2 to generate an Intermediate Compound Key (IMCK) used to verify the integrity of the TLS tunnel after each successful inner authentication and in the generation of Master Session Key (MSK) and Extended Master Session Key (EMSK) defined in . Note that the IMCK must be recalculated after each successful inner EAP method.

The first step in these calculations is the generation of the base compound key, IMCK[n] from the session_key_seed and any session keys derived from the successful execution of n inner EAP methods. The inner EAP method(s) may provide Master Session Keys, MSK1..MSKn, corresponding to inner methods 1 through n. The MSK is truncated at 32 octets if it is longer than 32 octets or padded to a length of 32 octets with zeros if it is less than 32 octets. If the ith inner method does not generate an MSK, then MSKi is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner method fails, then it is not included in this calculation. The derivations of S-IMCK is as follows: where T-PRF is described in .

For authentication methods that generate keying material, further protection against man-in-the-middle attacks is provided through cryptographically binding keying material established by both EAP-FAST Phase 1 and EAP-FAST Phase 2 conversations. After each successful inner EAP authentication, EAP MSKs are cryptographically combined with key material from EAP-FAST Phase 1 to generate a compound session key, CMK. The CMK is used to calculate the Compound MAC as part of the Crypto-Binding TLV described in , which helps provide assurance that the same entities are involved in all communications in EAP-FAST. During the calculation of the Compound-MAC the MAC field is filled with zeros.

The Compound MAC computation is as follows: where j is the number of the last successfully executed inner EAP method.

EAP-FAST Authentication assures the master session key (MSK) and Extended Master Session Key (EMSK) output from the EAP method are the result of all authentication conversations by generating an Intermediate Compound Key (IMCK). The IMCK is mutually derived by the peer and the server as described in by combining the MSKs from inner EAP methods with key material from EAP-FAST Phase 1. The resulting MSK and EMSK are generated as part of the IMCKn key hierarchy as follows: where j is the number of the last successfully executed inner EAP method. The EMSK is typically only known to the EAP-FAST peer and server and is not provided to a third party. The derivation of additional keys and transportation of these keys to a third party is outside the scope of this document. If no EAP methods have been negotiated inside the tunnel or no EAP methods have been successfully completed inside the tunnel, the MSK and EMSK will be generated directly from the session_key_seed meaning S-IMCK = session_key_seed.

EAP-FAST employs the following PRF prototype and definition: Where label is intended to be a unique label for each different use of the T-PRF. The outputlength parameter is a two-octet value that is represented in big endian order. Also note that the seed value may be optional and may be omitted as in the case of the MSK derivation described in .

To generate the desired outputlength octets of key material, the T-PRF is calculated as follows: where '+' indicates concatenation. Each Ti generates 20-octets of keying material. The last Tn may be truncated to accommodate the desired length specified by outputlength.

This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of values related to the EAP-FAST protocol, in accordance with BCP 26, . EAP-FAST has already been assigned the EAP Method Type number 43. The document defines a registry for EAP-FAST TLV types, which may be assigned by Specification Required as defined in . defines the TLV types that initially populate the registry. A summary of the EAP-FAST TLV types is given below: Reserved Reserved Reserved Result TLV NAK TLV Error TLV Vendor-Specific TLV EAP-Payload TLV Intermediate-Result TLV PAC TLV Crypto-Binding TLV Server-Trusted-Root TLV Request-Action TLV PKCS#7 TLV The Error-TLV defined in requires an error-code. EAP-FAST Error-TLV error-codes are assigned based on specifications required as defined in . The initial list of error codes is as follows: 2001 Tunnel_Compromise_Error 2002 Unexpected_TLVs_Exchanged The Request-Action TLV defined in contains an action code which is assigned on a specification required basis as defined in . The initial actions defined are: Process-TLV Negotiate-EAP The various values under Vendor-Specific TLV are assigned by Private Use and do not need to be assigned by IANA.

EAP-FAST is designed with a focus on wireless media, where the medium itself is inherent to eavesdropping. Whereas in wired media, an attacker would have to gain physical access to the wired medium; wireless media enables anyone to capture information as it is transmitted over the air, enabling passive attacks. Thus, physical security can not be assumed and security vulnerabilities are far greater. The threat model used for the security evaluation of EAP-FAST is defined in the EAP .

EAP-FAST as a whole, provides message and integrity protection by establishing a secure tunnel for protecting the authentication method(s). The confidentiality and integrity protection is defined by TLS and provides the same security strengths afforded by TLS employing a strong entropy shared master secret. The integrity of the key generating authentication methods executed within the EAP-FAST tunnel is verified through the calculation of the Crypto-Binding TLV. This ensures that the tunnel endpoints are the same as the inner method endpoints. The Result TLV is protected and conveys the true Success or Failure of EAP-FAST, and should be used as the indicator of its success or failure respectively. However, as EAP must terminate with a clear text EAP Success or Failure, a peer will also receive a clear text EAP Success or Failure. The received clear text EAP success or failure must match that received in the Result TLV; the peer SHOULD silently discard those clear text EAP Success or Failure messages that do not coincide with the status sent in the protected Result TLV.

As is true for any negotiated EAP protocol, NAK packets used to suggest an alternate authentication method are sent unprotected and as such, are subject to spoofing. During unprotected EAP method negotiation, NAK packets may be interjected as active attacks to negotiate down to a weaker form of authentication, such as EAP-MD5 (which only provides one-way authentication and does not derive a key). Both the peer and server should have a method selection policy that prevents them from negotiating down to weaker methods. Inner method negotiation resists attacks because it is protected by the mutually authenticated TLS tunnel established. Selection of EAP-FAST as an authentication method does not limit the potential inner authentication methods, so EAP-FAST should be selected when available. An attacker cannot readily determine the inner EAP method used, except perhaps by traffic analysis. It is also important that peer implementations limit the use of credentials with an unauthenticated or unauthorized server.

Separation of the EAP-FAST Phase 1 from the Phase 2 conversation is not recommended. Allowing the Phase 1 conversation to be terminated at a different server than the Phase 2 conversation can introduce vulnerabilities if there is not a proper trust relationship and protection for the protocol between the two servers. Some vulnerabilities include: Loss of identity protection Offline dictionary attacks Lack of policy enforcement There may be cases where a trust relationship exists between the Phase 1 and Phase 2 servers, such as on a campus or between two offices within the same company, where there is no danger in revealing the inner identity and credentials of the peer to entities between the two servers. In these cases, using a proxy solution without end-to-end protection of EAP-FAST MAY be used. The EAP-FAST encrypting/decrypting gateway SHOULD, at a minimum, provide support for IPsec or similar protection in order to provide confidentiality for the portion of the conversation between the gateway and the EAP server.

EAP-FAST addresses the known deficiencies and weaknesses in the EAP method. By employing a shared secret between the peer and server to establish a secured tunnel, EAP-FAST enables: Per packet confidentiality and integrity protection User identity protection Better support for notification messages Protected EAP inner method negotiation Sequencing of EAP methods Strong mutually derived master session keys Acknowledged success/failure indication Faster re-authentications through session resumption Mitigation of dictionary attacks Mitigation of man-in-the-middle attacks Mitigation of some denial-of-service attacks It should be noted that with EAP-FAST, as in many other authentication protocols, a denial-of-service attack can be mounted by adversaries sending erroneous traffic to disrupt the protocol. This is a problem in many authentication or key agreement protocols and is therefore noted for EAP-FAST as well. EAP-FAST was designed with a focus on protected authentication methods that typically rely on weak credentials, such as password-based secrets. To that extent, the EAP-FAST Authentication mitigates several vulnerabilities, such as dictionary attacks, by protecting the weak credential-based authentication method. The protection is based on strong cryptographic algorithms in TLS to provide message confidentiality and integrity. The keys derived for the protection relies on strong random challenges provided by both peer and server as well as an established key with strong entropy. Implementations should follow the recommendation in when generating random numbers.

The initial identity request response exchange is sent in cleartext outside the protection of EAP-FAST. Typically the Network Access Identifier (NAI) in the identity response is useful only for the realm information that is used to route the authentication requests to the right EAP server. This means that the identity response may contain an anonymous identity and just contain realm information. In other cases, the identity exchange may be eliminated altogether if there are other means for establishing the destination realm of the request. In no case should an intermediary place any trust in the identity information in the identity response since it is unauthenticated an may not have any relevance to the authenticated identity. EAP-FAST implementations should not attempt to compare any identity disclosed in the initial cleartext EAP Identity response packet with those Identities authenticated in Phase 2 Identity request-response exchanges sent after the EAP-FAST tunnel is established are protected from modification and eavesdropping by attackers. Note that since TLS client certificates are sent in the clear, if identity protection is required, then it is possible for the TLS authentication to be re-negotiated after the first server authentication. To accomplish this, the server will typically not request a certificate in the server_hello, then after the server_finished message is sent, and before EAP-FAST Phase 2, the server MAY send a TLS hello_request. This allows the client to perform client authentication by sending a client_hello if it wants to, or send a no_renegotiation alert to the server indicating that it wants to continue with EAP-FAST Phase 2 instead. Assuming that the client permits renegotiation by sending a client_hello, then the server will respond with server_hello, a certificate and certificate_request messages. The client replies with certificate, client_key_exchange and certificate_verify messages. Since this re-negotiation occurs within the encrypted TLS channel, it does not reveal client certificate details. It is possible to perform certificate authentication using an EAP method (for example: EAP-TLS) within the TLS session in EAP-FAST Phase 2 instead of using TLS handshake renegotiation.

EAP-FAST was designed with a focus on protected authentication methods that typically rely on weak credentials, such as password-based secrets. EAP-FAST mitigates dictionary attacks by allowing the establishment of a mutually authenticated encrypted TLS tunnel providing confidentiality and integrity to protect the weak credential based authentication method.

Allowing methods to be executed both with and without the protection of a secure tunnel opens up a possibility of a man-in-the-middle attack. To avoid man-in-the-middle attacks it is recommended to always deploy authentication methods with protection of EAP-FAST. EAP-FAST provides protection from man-in-the-middle attacks even if a deployment chooses to execute inner EAP methods both with and without EAP-FAST protection, EAP-FAST prevents this attack in two ways: By using the PAC-Key to mutually authenticate the peer and server during EAP-FAST Authentication Phase 1 establishment of a secure tunnel. By using the keys generated by the inner authentication method (if the inner methods are key generating) in the crypto-binding exchange and in the generation of the key material exported by the EAP method described in .

A PAC may be bound to a user identity. A compliant implementation of EAP-FAST MUST validate that an identity obtained in the PAC-Opaque field matches at minimum one of the identities provided in the EAP-FAST Phase 2 authentication method. This validation provides another binding to ensure that the intended peer (based on identity) has successfully completed the EAP-FAST Phase 1 and proved identity in the Phase 2 conversations.

EAP Success and EAP Failure packets are, in general, sent in clear text and may be forged by an attacker without detection. Forged EAP Failure packets can be used to attempt to convince an EAP peer to disconnect. Forged EAP Success packets may be used to attempt to convince a peer that authentication has succeeded, even though the authenticator has not authenticated itself to the peer. By providing message confidentiality and integrity, EAP-FAST provides protection against these attacks. Once the peer and AS initiate the EAP-FAST Authentication Phase 2, compliant EAP-FAST implementations must silently discard all clear text EAP messages, unless both the EAP-FAST peer and server have indicated success or failure using a protected mechanism. Protected mechanisms include TLS alert mechanism and the protected termination mechanism described in . The success/failure decisions within the EAP-FAST tunnel indicate the final decision of the EAP-FAST authentication conversation. After a success/failure result has been indicated by a protected mechanism, the EAP-FAST peer can process unprotected EAP success and EAP failure messages; however the peer MUST ignore any unprotected EAP success or failure messages where the result does not match the result of the protected mechanism. To abide by , the server must send a clear text EAP Success or EAP Failure packet to terminate the EAP conversation. However, since EAP Success and EAP Failure packets are not retransmitted, the final packet may be lost. While an EAP-FAST protected EAP Success or EAP Failure packet should not be a final packet in an EAP-FAST conversation, it may occur based on the conditions stated above, so an EAP peer should not rely upon the unprotected EAP success and failure messages.

As part of the TLS negotiation, the server presents a certificate to the peer. The peer MUST verify the validity of the EAP server certificate, and SHOULD also examine the EAP server name presented in the certificate, in order to determine whether the EAP server can be trusted. Please note that in the case where the EAP authentication is remote, the EAP server will not reside on the same machine as the authenticator, and therefore the name in the EAP server's certificate cannot be expected to match that of the intended destination. In this case, a more appropriate test might be whether the EAP server's certificate is signed by a CA controlling the intended domain and whether the authenticator can be authorized by a server in that domain.

Since the Tunnel PAC is stored by the peer, special care should be given to the overall security of the peer. The Tunnel PAC must be securely stored by the peer to prevent theft or forgery of any of the Tunnel PAC components. In particular, the peer must securely store the PAC-Key and protect it from disclosure or modification. Disclosure of the PAC-Key enables an attacker to establish the EAP-FAST tunnel; however, disclosure of the PAC-Key does not reveal the peer or server identity or compromise any other peer's PAC credentials. Modification of the PAC-Key or PAC-Opaque components of the Tunnel PAC may also lead to denial of service as the tunnel establishment will fail. The PAC-Opaque component is the effective TLS ticket extension used to establish the tunnel using the techniques of [RFC4507]. Thus, the security considerations defined by [RFC4507] also apply to the PAC-Opaque. The PAC-Info may contain information about the Tunnel PAC such as the identity of the PAC issuer and the Tunnel PAC lifetime for use in the management of the Tunnel PAC. The PAC-Info should be securely stored by the peer to protect it from disclosure and modification.

This section provides the needed security claim requirement for EAP [RFC3748]. Certificate based, shared secret based and various tunneled authentication mechanisms. Yes Yes Yes, Any method executed within the EAP-FAST tunnel is integrity protected. The cleartext EAP headers outside the tunnel are not integrity protected. Yes Yes Yes See Note 1 below. Yes Yes Yes Yes Yes Yes No, but TLVs could be defined for this. Notes BCP 86 offers advice on appropriate key sizes. The National Institute for Standards and Technology (NIST) also offers advice on appropriate key sizes in . Section 5 advises use of the following required RSA or DH module and DSA subgroup size in bits, for a given level of attack resistance in bits. Based on the table below, a 2048-bit RSA key is required to provide 128-bit equivalent key strength:

The EAP-FAST design and protocol specification is based on the ideas and hard efforts of Pad Jakkahalli, Mark Krischer, Doug Smith, and Glen Zorn of Cisco Systems, Inc. The TLV processing was inspired from work on the Protected Extensible Authentication Protocol version 2 (PEAPv2) with Ashwin Palekar, Dan Smith, and Simon Josefsson. Helpful review comments were provided by Russ Housley, Jari Arkko, Bernard Aboba, Ilan Frenkel, and Jeremy Steiglitz.

&rfc2246; &rfc4346; &rfc2119; &rfc4507; &rfc3748; &rfc3268; &rfc2434; Dynamic Provisioning using EAP-FAST &rfc2716; &rfc4282; &rfc4072; &rfc4086; &rfc3579; &rfc3766; &rfc3280; &rfc4630; Local and Metropolitan Area Networks: Port-Based Network Access Control Recommendation for Key Management National Institute of Standards and Technology

In the following examples the version field in EAP Fast is always assumed to be 1. The S, M, and L bits are assumed to be 0 unless otherwise specified.

The following exchanges show a successful EAP-FAST authentication with optional PAC refreshment; the conversation will appear as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello with PAC-Opaque in SessionTicket extension)-> <- EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS finished) EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS finished) -> TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) <- EAP Payload TLV (EAP-Request/EAP-GTC(Challenge)) EAP Payload TLV (EAP-Response/ EAP-GTC(Response with both user name and password)) -> optional additional exchanges (new pin mode, password change etc.) ... <- Intermediate-Result TLV (Success) Crypto-Binding TLV (Request) Intermediate-Result TLV (Success) Crypto-Binding TLV(Response) -> <- Result TLV (Success) [Optional PAC TLV] Result TLV (Success) [PAC TLV Acknowledgment] -> TLS channel torn down (messages sent in clear text) <- EAP-Success ]]>

The following exchanges show a failed EAP-FAST authentication due to wrong user credentials; the conversation will appear as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello with PAC-Opaque in SessionTicket extension)-> <- EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS finished) EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS finished) -> TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) <- EAP Payload TLV (EAP-Request/ EAP-GTC (Challenge)) EAP Payload TLV (EAP-Response/ EAP-GTC (Response with both user name and password)) -> <- EAP Payload TLV (EAP-Request/ EAP-GTC (error message)) EAP Payload TLV (EAP-Response/ EAP-GTC (empty data packet to acknowledge unrecoverable error)) -> <- Result TLV (Failure) Result TLV (Failure) -> TLS channel torn down (messages sent in clear text) <- EAP-Failure ]]>

In the case where an abbreviated TLS handshake is tried and failed, and a fallback to certificate-based full TLS handshake occurs within EAP-FAST Phase 1, the conversation will appear as follows:

// Identity sent in the clear. May be a hint to help route the authentication request to EAP server, instead of the full user identity. <- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello with PAC-Opaque extension)-> // Peer sends PAC-Opaque of Tunnel PAC along with a list of ciphersuites supported. If the server rejects the PAC- Opaque, it falls through to the full TLS handshake <- EAP-Request/EAP-FAST (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done) EAP-Response/EAP-FAST ([TLS certificate,] TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) -> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished, EAP-Payload-TLV (EAP-Request/Identity)) // TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) // First EAP Payload TLV is piggybacked to the TLS Finished as Application Data and protected by the TLS tunnel EAP-Payload-TLV (EAP-Response/Identity (MyID2))-> // identity protected by TLS. <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/Method X) -> // Method X exchanges followed by Protected Termination <- Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result TLV (Success) Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result-TLV (Success) -> // TLS channel torn down (messages sent in clear text) <- EAP-Success]]>

In the case where a certificate based TLS handshake occurs within EAP-FAST Phase 1, and client certificate authentication and identity privacy is desired, the conversation will appear as follows:

// Identity sent in the clear. May be a hint to help route the authentication request to EAP server, instead of the full user identity. <- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello)-> <- EAP-Request/EAP-FAST (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done) EAP-Response/EAP-FAST (TLS client_key_exchange, TLS change_cipher_spec, TLS finished) -> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished,TLS Hello-Request) // TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) // TLS Hello-Request is piggybacked to the TLS Finished as Handshake Data and protected by the TLS tunnel // Subsequent messages are protected by the TLS Tunnel EAP-Response/EAP-FAST (TLS client_hello) -> <- EAP-Request/EAP-FAST (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done) EAP-Response/EAP-FAST ([TLS certificate,] TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) -> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished, Result TLV (Success)) EAP-Response/EAP-FAST (Result-TLV (Success)) -> //TLS channel torn down (messages sent in clear text) <- EAP-Success ]]>

In the case where EAP-FAST fragmentation is required, the conversation will appear as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello)-> <- EAP-Request/EAP-FAST (L=1,M=1, TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,]) EAP-Response/EAP-FAST -> <- EAP-Request/EAP-FAST (M=1, [TLS certificate_request(con't),]) EAP-Response/EAP-FAST -> <- EAP-Request/EAP-FAST ([TLS certificate_request(con't),] TLS server_hello_done) EAP-Response/EAP-FAST, (L=1,M=1,[TLS certificate,])-> <- EAP-Request/EAP-FAST EAP-Response/EAP-FAST ([TLS certificate(con't),] TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished))-> <- EAP-Request/EAP-FAST ( TLS change_cipher_spec, TLS finished, EAP-Payload-TLV (EAP-Request/Identity)) // TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) // First EAP Payload TLV is piggybacked to the TLS Finished as Application Data and protected by the TLS tunnel EAP-Payload-TLV (EAP-Response/Identity (MyID2))-> // identity protected by TLS. <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/Method X) -> // Method X exchanges followed by Protected Termination <- Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result TLV (Success) Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result-TLV (Success) -> // TLS channel torn down (messages sent in clear text) <- EAP-Success ]]>

Where EAP-FAST is negotiated, with a sequence of EAP method X followed by method Y, the conversation will occur as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello)-> <- EAP-Request/EAP-FAST (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done) EAP-Response/EAP-FAST ([TLS certificate,] TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) -> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished, EAP-Payload-TLV( EAP-Request/Identity)) // TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) // First EAP Payload TLV is piggybacked to the TLS Finished as Application Data and protected by the TLS tunnel EAP-Payload-TLV (EAP-Response/Identity) -> <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/Method X) -> // Optional additional X Method exchanges... <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/EAP-Type X)-> <- Intermediate Result TLV (Success), Crypto-Binding TLV (Version=1 EAP-FAST Version=1, Nonce, CompoundMAC), EAP Payload TLV (EAP-Request/Method Y) // Next EAP conversation started after successful completion of previous method X. The Intermediate-Result and Crypto- Binding TLVs are sent in this packet to minimize round- trips. In this example, identity request is not sent before negotiating EAP-Type=Y. // Compound MAC calculated using Keys generated from EAP methods X and the TLS tunnel. Intermediate Result TLV (Success), Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), EAP-Payload-TLV (EAP-Response/Method Y) -> // Optional additional Y Method exchanges... <- EAP Payload TLV (EAP-Request/Method Y) EAP Payload TLV (EAP-Response/Method Y) -> <- Intermediate-Result-TLV (Success), Crypto-Binding TLV (Version=1 EAP-FAST Version=1, Nonce, CompoundMAC), Result TLV (Success) Intermediate-Result-TLV (Success), Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result-TLV (Success) -> // Compound MAC calculated using Keys generated from EAP methods X and Y and the TLS tunnel. Compound Keys generated using Keys generated from EAP methods X and Y; and the TLS tunnel. // TLS channel torn down (messages sent in clear text) <- EAP-Success ]]>

The following exchanges show a failed crypto-binding validation. The conversation will appear as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello without PAC-Opaque extension)-> <- EAP-Request/EAP-FAST (TLS Server Key Exchange, TLS Server Hello Done) EAP-Response/EAP-FAST (TLS Client Key Exchange, TLS change_cipher_spec, TLS finished)-> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished) EAP-Payload-TLV( EAP-Request/Identity)) // TLS channel established (messages sent within the TLS channel) // First EAP Payload TLV is piggybacked to the TLS Finished as Application Data and protected by the TLS tunnel EAP-Payload TLV (EAP-Response/Identity) -> <- EAP Payload TLV (EAP-Request/ EAP-MSCHAPV2 (Challenge)) EAP Payload TLV (EAP-Response/ EAP-MSCHAPV2 (Response)) -> <- EAP Payload TLV (EAP-Request/ EAP-MSCHAPV2 (Success Request)) EAP Payload TLV (EAP-Response/ EAP-MSCHAPV2 (Success Response)) -> <- Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Result TLV (Success) Result TLV (Failure), Error TLV (Error Code = 2001) -> // TLS channel torn down (messages sent in clear text) <- EAP-Failure ]]>

Where EAP-FAST is negotiated, with a sequence of EAP method followed by Vendor-Specific TLV exchange, the conversation will occur as follows:

<- EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello)-> <- EAP-Request/EAP-FAST (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done) EAP-Response/EAP-FAST ([TLS certificate,] TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) -> <- EAP-Request/EAP-FAST (TLS change_cipher_spec, TLS finished, EAP-Payload-TLV (EAP-Request/Identity)) // TLS channel established (Subsequent messages sent within the TLS channel, encapsulated within EAP-FAST) // First EAP Payload TLV is piggybacked to the TLS Finished as Application Data and protected by the TLS tunnel EAP-Payload-TLV (EAP-Response/Identity) -> <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/Method X) -> <- EAP-Payload-TLV (EAP-Request/Method X) EAP-Payload-TLV (EAP-Response/Method X)-> <- Intermediate Result TLV (Success), Crypto-Binding TLV (Version=1 EAP-FAST Version=1, Nonce, CompoundMAC), Vendor-Specific TLV // Vendor Specific TLV exchange started after successful completion of previous method X. The Intermediate-Result and Crypto-Binding TLVs are sent with Vendor Specific TLV in this packet to minimize round-trips. // Compound MAC calculated using Keys generated from EAP methods X and the TLS tunnel. Intermediate Result TLV (Success), Crypto-Binding TLV (Version=1, EAP-FAST Version=1, Nonce, CompoundMAC), Vendor-Specific TLV -> // Optional additional Vendor-Specific TLV exchanges... <- Vendor-Specific TLV Vendor Specific TLV -> <- Result TLV (Success) Result-TLV (Success) -> // TLS channel torn down (messages sent in clear text) <- EAP-Success]]>