wdiff rfc7170.original rfc7170.txt

EMU Working Group
Internet Engineering Task Force (IETF) H. Zhou
Internet-Draft
Request for Comments: 7170 N. Cam-Winget
Intended status:
Category: Standards Track J. Salowey
Expires: July 13, 2014
ISSN: 2070-1721 Cisco Systems
S. Hanna
Juniper Networks
January 9,
April 2014

Tunnel EAP Method Extensible Authentication Protocol (TEAP) Version 1
draft-ietf-emu-eap-tunnel-method-10.txt

Abstract

This document defines the Tunnel Extensible Authentication Protocol
(TEAP) version 1. TEAP is a tunnel based tunnel-based EAP method that enables
secure communication between a peer and a server by using the
Transport Layer Security (TLS) protocol to establish a mutually
authenticated tunnel. Within the tunnel, Type-Length-Value (TLV) TLV objects are used to
convey authentication related authentication-related data between the EAP peer and the EAP
server.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 13, 2014.
http://www.rfc-editor.org/info/rfc7170.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 4
1.1. Specification Requirements . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Architectural Model . . . . . . . . . . . . . . . . . . . 7 6
2.2. Protocol Layering Protocol-Layering Model . . . . . . . . . . . . . . . . . 7
3. TEAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Version Negotiation . . . . . . . . . . . . . . . . . . . 9 8
3.2. TEAP Authentication Phase 1: Tunnel Establishment . . . . 10 9
3.2.1. TLS Session Resume Using Server State . . . . . . . . 11
3.2.2. TLS Session Resume Using a PAC . . . . . . . . . . . 12 11
3.2.3. Transition between Abbreviated and Full TLS Handshake 13
3.3. TEAP Authentication Phase 2: Tunneled Authentication . . 14 13
3.3.1. EAP Sequences . . . . . . . . . . . . . . . . . . . . 14
3.3.2. Optional Password Authentication . . . . . . . . . . 15 14
3.3.3. Protected Termination and Acknowledged Result
Indication . . . . . . . . . . . . . . . . . . . . . 15
3.4. Determining Peer-Id and Server-Id . . . . . . . . . . . . 16
3.5. TEAP Session Identifier . . . . . . . . . . . . . . . . . 17 16
3.6. Error Handling . . . . . . . . . . . . . . . . . . . . . 17
3.6.1. Outer Layer Outer-Layer Errors . . . . . . . . . . . . . . . . . 18 17
3.6.2. TLS Layer Errors . . . . . . . . . . . . . . . . . . 18 17
3.6.3. Phase 2 Errors . . . . . . . . . . . . . . . . . . . 19 18
3.7. Fragmentation . . . . . . . . . . . . . . . . . . . . . . 19
3.8. Peer Services . . . . . . . . . . . . . . . . . . . . . . 20
3.8.1. PAC Provisioning . . . . . . . . . . . . . . . . . . 21
3.8.2. Certificate Provisioning Within within the Tunnel . . . . . 22 21
3.8.3. Server Unauthenticated Provisioning Mode . . . . . . 23 22
3.8.4. Channel Binding . . . . . . . . . . . . . . . . . . . 23
4. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24 23
4.1. TEAP Message Format . . . . . . . . . . . . . . . . . . . 24 23
4.2. TEAP TLV Format and Support . . . . . . . . . . . . . . . 26
4.2.1. General TLV Format . . . . . . . . . . . . . . . . . 27
4.2.2. Authority-ID TLV . . . . . . . . . . . . . . . . . . 29 28
4.2.3. Identity-Type TLV . . . . . . . . . . . . . . . . . . 30 29
4.2.4. Result TLV . . . . . . . . . . . . . . . . . . . . . 31 30
4.2.5. NAK TLV . . . . . . . . . . . . . . . . . . . . . . . 32 31
4.2.6. Error TLV . . . . . . . . . . . . . . . . . . . . . . 34 32
4.2.7. Channel-Binding TLV . . . . . . . . . . . . . . . . . 37 35
4.2.8. Vendor-Specific TLV . . . . . . . . . . . . . . . . . 38 36
4.2.9. Request-Action TLV . . . . . . . . . . . . . . . . . 39 37
4.2.10. EAP-Payload TLV . . . . . . . . . . . . . . . . . . . 41 39
4.2.11. Intermediate-Result TLV . . . . . . . . . . . . . . . 42 40
4.2.12. PAC TLV Format . . . . . . . . . . . . . . . . . . . 44 41
4.2.12.1. Formats for PAC Attributes . . . . . . . . . . . 44 42
4.2.12.2. PAC-Key . . . . . . . . . . . . . . . . . . . . 45 43
4.2.12.3. PAC-Opaque . . . . . . . . . . . . . . . . . . . 46 43
4.2.12.4. PAC-Info . . . . . . . . . . . . . . . . . . . . 47 44
4.2.12.5. PAC-Acknowledgement TLV . . . . . . . . . . . . 49 46
4.2.12.6. PAC-Type TLV . . . . . . . . . . . . . . . . . . 50 47
4.2.13. Crypto-Binding TLV . . . . . . . . . . . . . . . . . 50 47
4.2.14. Basic-Password-Auth-Req TLV . . . . . . . . . . . . . 53 50
4.2.15. Basic-Password-Auth-Resp TLV . . . . . . . . . . . . 54 51
4.2.16. PKCS#7 TLV . . . . . . . . . . . . . . . . . . . . . 56 52
4.2.17. PKCS#10 TLV . . . . . . . . . . . . . . . . . . . . . 57 53
4.2.18. Trusted-Server-Root TLV . . . . . . . . . . . . . . . 58 54
4.3. TLV Rules . . . . . . . . . . . . . . . . . . . . . . . . 59 55
4.3.1. Outer TLVs . . . . . . . . . . . . . . . . . . . . . 60 56
4.3.2. Inner TLVs . . . . . . . . . . . . . . . . . . . . . 60 56
5. Cryptographic Calculations . . . . . . . . . . . . . . . . . 61 57
5.1. TEAP Authentication Phase 1: Key Derivations . . . . . . 61 57
5.2. Intermediate Compound Key Derivations . . . . . . . . . . 62 58
5.3. Computing the Compound MAC . . . . . . . . . . . . . . . 64 60
5.4. EAP Master Session Key Generation . . . . . . . . . . . . 64 60
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 65 61
7. Security Considerations . . . . . . . . . . . . . . . . . . . 69 65
7.1. Mutual Authentication and Integrity Protection . . . . . 70 66
7.2. Method Negotiation . . . . . . . . . . . . . . . . . . . 70 66
7.3. Separation of Phase 1 and Phase 2 Servers . . . . . . . . 71 66
7.4. Mitigation of Known Vulnerabilities and Protocol
Deficiencies . . . . . . . . . . . . . . . . . . . . . . 71 67
7.4.1. User Identity Protection and Verification . . . . . . 72 68
7.4.2. Dictionary Attack Resistance . . . . . . . . . . . . 73 69
7.4.3. Protection against Man-in-the-Middle Attacks . . . . 73 69
7.4.4. PAC Binding to User Identity . . . . . . . . . . . . 74 70
7.5. Protecting against Forged Clear Text Cleartext EAP Packets . . . . 74 . 70
7.6. Server Certificate Validation . . . . . . . . . . . . . . 75 71
7.7. Tunnel PAC Considerations . . . . . . . . . . . . . . . . 75 71
7.8. Security Claims . . . . . . . . . . . . . . . . . . . . . 76 72
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 77 73
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 77 73
9.1. Normative References . . . . . . . . . . . . . . . . . . 77 73
9.2. Informative References . . . . . . . . . . . . . . . . . 78 74
Appendix A. Evaluation Against Tunnel Based against Tunnel-Based EAP Method
Requirements . . . . . . . . . . . . . . . . . . . . 81 78
A.1. Requirement 4.1.1 4.1.1: RFC Compliance . . . . . . . . . . . . 81 78
A.2. Requirement 4.2.1 4.2.1: TLS Requirements . . . . . . . . . . . 81 78
A.3. Requirement 4.2.1.1.1 Cipher Suite 4.2.1.1.1: Ciphersuite Negotiation . . . . . 81 78
A.4. Requirement 4.2.1.1.2 4.2.1.1.2: Tunnel Data Protection Algorithms . 81 78
A.5. Requirement 4.2.1.1.3 4.2.1.1.3: Tunnel Authentication and Key
Establishment . . . . . . . . . . . . . . . . . . . . . . 82 78
A.6. Requirement 4.2.1.2 4.2.1.2: Tunnel Replay Protection . . . . . . 82 78
A.7. Requirement 4.2.1.3 4.2.1.3: TLS Extensions . . . . . . . . . . . 82 79
A.8. Requirement 4.2.1.4 4.2.1.4: Peer Identity Privacy . . . . . . . . 82 79
A.9. Requirement 4.2.1.5 4.2.1.5: Session Resumption . . . . . . . . . 82 79
A.10. Requirement 4.2.2 4.2.2: Fragmentation . . . . . . . . . . . . . 82 79
A.11. Requirement 4.2.3 4.2.3: Protection of Data External to Tunnel . 82 79
A.12. Requirement 4.3.1 4.3.1: Extensible Attribute Types . . . . . . 83 79
A.13. Requirement 4.3.2 4.3.2: Request/Challenge Response Operation . 83 79
A.14. Requirement 4.3.3 4.3.3: Indicating Criticality of Attributes . 83 79
A.15. Requirement 4.3.4 Vendor Specific 4.3.4: Vendor-Specific Support . . . . . . . . 83 80
A.16. Requirement 4.3.5 4.3.5: Result Indication . . . . . . . . . . . 83 80
A.17. Requirement 4.3.6 4.3.6: Internationalization of Display
Strings 83 . . . . . . . . . . . . . . . . . . . . . . . . . 80
A.18. Requirement 4.4 4.4: EAP Channel Binding Channel-Binding Requirements . . . . 83 80
A.19. Requirement 4.5.1.1 4.5.1.1: Confidentiality and Integrity . . . . 83 80
A.20. Requirement 4.5.1.2 4.5.1.2: Authentication of Server . . . . . . 84 80
A.21. Requirement 4.5.1.3 4.5.1.3: Server Certificate Revocation
Checking . . . . . . . . . . . . . . . . . . . . . . . . 84 80
A.22. Requirement 4.5.2 4.5.2: Internationalization . . . . . . . . . 84 80
A.23. Requirement 4.5.3 Meta-data 4.5.3: Metadata . . . . . . . . . . . . . . . 84 81
A.24. Requirement 4.5.4 4.5.4: Password Change . . . . . . . . . . . . 84 81
A.25. Requirement 4.6.1 4.6.1: Method Negotiation . . . . . . . . . . 84 81
A.26. Requirement 4.6.2 4.6.2: Chained Methods . . . . . . . . . . . . 84 81
A.27. Requirement 4.6.3 4.6.3: Cryptographic Binding with the TLS
Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . 84 81
A.28. Requirement 4.6.4 Peer Initiated . . . . . . . . . . 4.6.4: Peer-Initiated EAP Authentication . . 85 81
A.29. Requirement 4.6.5 4.6.5: Method Meta-data Metadata . . . . . . . . . . . 85 81
Appendix B. Major Differences from EAP-FAST . . . . . . . . . . 85 81
Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 85 82
C.1. Successful Authentication . . . . . . . . . . . . . . . . 86 82
C.2. Failed Authentication . . . . . . . . . . . . . . . . . . 87 83
C.3. Full TLS Handshake using Certificate-based Cipher Suite Using Certificate-Based Ciphersuite . 89 85
C.4. Client authentication Authentication during Phase 1 with identity
privacy Identity
Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 90 86
C.5. Fragmentation and Reassembly . . . . . . . . . . . . . . 92 88
C.6. Sequence of EAP Methods . . . . . . . . . . . . . . . . . 94 90
C.7. Failed Crypto-binding Crypto-Binding . . . . . . . . . . . . . . . . . . 96 92
C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange 97 93
C.9. Peer Requests Inner Method After after Server Sends Result TLV 99 95
C.10. Channel Binding . . . . . . . . . . . . . . . . . . . . . 101
Appendix D. Major Differences from Previous Revisions . . . . . 102
D.1. Changes from -06 . . . . . . . . . . . . . . . . . . . . 102
D.2. Changes from -05 . . . . . . . . . . . . . . . . . . . . 103
D.3. Changes from -04 . . . . . . . . . . . . . . . . . . . . 103
D.4. Changes from -03 . . . . . . . . . . . . . . . . . . . . 104
D.5. Changes from -02 . . . . . . . . . . . . . . . . . . . . 104
D.6. Changes from -01 . . . . . . . . . . . . . . . . . . . . 105
D.7. Changes from -00 . . . . . . . . . . . . . . . . . . . . 105 97

1. Introduction

A tunnel-based Extensible Authentication Protocol (EAP) tunnel method is an
EAP method that establishes a secure tunnel and executes other EAP
methods under the protection of that secure tunnel. An A tunnel-based
EAP tunnel method can be used in any lower layer lower-layer protocol that supports EAP
authentication. There are several existing tunnel-based EAP tunnel methods
that use Transport Layer Security (TLS) [RFC5246] to establish the
secure tunnel. EAP methods supporting this include Protected EAP
(PEAP) [PEAP], EAP Tunneled Transport Layer Security EAP (TTLS) [RFC5281] (EAP-TTLS)
[RFC5281], and EAP Flexible Authentication via Secure Tunneling (EAP-FAST) (EAP-
FAST) [RFC4851]. However, they all are either vendor specific vendor-specific or
informational
informational, and the industry calls for a standard-track tunnel Standards Track tunnel-
based EAP method. [RFC6678] outlines the list of requirements for a
standard
tunnel based tunnel-based EAP method.

Since the introduction of its introduction, EAP-FAST [RFC4851] a few years ago, it has been widely adopted in
a variety of devices and platforms. It has been adopted by the EMU
working group as the basis for the standard tunnel
based tunnel-based EAP method.
This document describes the Tunnel Extensible Authentication Protocol
(TEAP) version 1, based on EAP-FAST [RFC4851] with some minor changes, changes
to meet the requirements outlined in [RFC6678] for a standard tunnel tunnel-
based EAP method.

1.1. Specification Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] .
[RFC2119].

1.2. Terminology

Much of the terminology in this document comes from [RFC3748].
Additional terms are defined below:

Protected Access Credential (PAC)

Credentials distributed to a peer for future optimized network
authentication. The PAC consists of a minimum of two components:
a shared secret and an opaque element. The shared secret
component contains the pre-shared key between the peer and the
authentication server. The opaque part is provided to the peer
and is presented to the authentication server when the peer wishes
to obtain access to network resources. The opaque element and
shared secret are used with TLS stateless session resumption
defined in [RFC5077] to establish a protected TLS session. The
secret key and opaque part may be distributed using RFC 5077 [RFC5077]
messages or using TLVs within the TEAP tunnel. Finally, a PAC may
optionally include other information that may be useful to the
peer.

Type-Length-Value (TLV)
The TEAP protocol utilizes objects in Type-Length-Value (TLV) TLV format. The TLV format
is defined in Section 4.2.

2. Protocol Overview

TEAP authentication occurs in two phases after the initial EAP
Identity request/response exchange. In the first phase, TEAP employs
the TLS [RFC5246] handshake to provide an authenticated key exchange
and to establish a protected tunnel. Once the tunnel is established,
the second phase begins with the peer and server engaging in further
conversations to establish the required authentication and
authorization policies. TEAP makes use of Type-Length-Value TLV objects
(TLVs) to carry out
the inner authentication, results results, and other information, such as channel binding
channel-binding information.

TEAP makes use of the TLS SessionTicket Extension [RFC5077] extension [RFC5077], which
supports TLS session resumption without requiring session-specific
state stored at the server. In this document, the SessionTicket is
referred to as the Protected Access Credential opaque data (or PAC-
Opaque). The PAC-Opaque may be distributed through the use of the
NewSessionTicket message or through a mechanism that uses TLVs within
phase
Phase 2 of TEAP. The secret key used to resume the session in TEAP
is referred to as the Protected Access Credential key (or PAC-Key).
When the NewSessionTicket message is used to distribute the PAC-
Opaque, the PAC-Key is the Master Secret master secret for the session. If TEAP
phase
Phase 2 is used to distribute the PAC-Opaque, then the PAC-Key is
distributed along with the PAC-Opaque. TEAP implementations MUST
support the RFC 5077 [RFC5077] mechanism for distributing a PAC-Opaque PAC-Opaque, and it
is RECOMMENDED that implementations support the capability to
distribute the ticket and secret key within the TEAP tunnel.

The TEAP conversation is used to establish or resume an existing
session to typically establish network connectivity between a peer
and the network. Upon successful execution of TEAP, both the EAP peer and
EAP server both derive strong session key material that can then be
communicated to the network access server (NAS) for use in
establishing a link layer link-layer security association.

2.1. Architectural Model

The network architectural model for TEAP usage is shown below:

TEAP Architectural Model

The entities depicted above are logical entities and may or may not
correspond to separate network components. For example, the TEAP
server and inner method server might be a single entity; or the
authenticator and TEAP server might be a single entity; or the
functions of the authenticator, TEAP server, and inner method server
might be combined into a single physical device. For example,
typical IEEE 802.11 deployments place the Authenticator authenticator in an access
point (AP) while a Radius RADIUS server may provide the TEAP and inner
method server components. The above diagram illustrates the division
of labor among entities in a general manner and shows how a
distributed system might be constructed; however, actual systems
might be realized more simply. The security considerations in
Section 7.3 provides provide an additional discussion of the implications of
separating the TEAP server from the inner method server.

2.2. Protocol Layering Protocol-Layering Model

TEAP packets are encapsulated within EAP; EAP in turn requires a
transport protocol. TEAP packets encapsulate TLS, which is then used
to encapsulate user authentication information. Thus, TEAP messaging
can be described using a layered model, where each layer encapsulates
the layer above it. The following diagram clarifies the relationship
between protocols:

+---------------------------------------------------------------+
| Inner EAP Method | Other TLV information |
|---------------------------------------------------------------|
| TLV Encapsulation (TLVs) |
|---------------------------------------------------------------|
| TLS | Optional Outer TLVs |
|---------------------------------------------------------------|
| TEAP |
|---------------------------------------------------------------|
| EAP |
|---------------------------------------------------------------|
| Carrier Protocol (EAP over LAN, RADIUS, Diameter, etc.) |
+---------------------------------------------------------------+

Protocol Layering

Protocol-Layering Model
The TLV layer is a payload with Type-Length-Value (TLV) Objects TLV objects as defined in
Section 4.2. The TLV objects are used to carry arbitrary parameters
between an EAP peer and an EAP server. All conversations in the TEAP
protected tunnel are encapsulated in a TLV layer.

TEAP packets may include TLVs both inside and outside the TLS tunnel.
The term "Outer TLVs" is used to refer to optional TLVs outside the
TLS tunnel, which are only allowed in the first two messages in the
TEAP protocol. That is the first EAP server to peer EAP-server-to-peer message and
first peer to EAP server peer-to-EAP-server message. If the message is fragmented, the
whole set of messages is counted as one message. The term "Inner
TLVs" is used to refer to TLVs sent within the TLS tunnel. In TEAP
Phase 1, Outer TLVs are used to help establishing establish the TLS tunnel, but no
Inner TLVs are used. In Phase 2 of the TEAP conversation, TLS
records may encapsulate zero or more Inner TLVs, but no Outer TLVs.

Methods for encapsulating EAP within carrier protocols are already
defined. For example, IEEE 802.1X [IEEE.802-1X.2004] [IEEE.802-1X.2013] may be used to
transport EAP between the peer and the authenticator; RADIUS
[RFC3579] or Diameter [RFC4072] may be used to transport EAP between
the authenticator and the EAP server.

3. TEAP Protocol

The operation of the protocol, including Phase 1 and Phase 2, is the
topic of this section. The format of TEAP messages is given in
Section 4 4, and the cryptographic calculations are given in Section 5.

3.1. Version Negotiation

TEAP packets contain a 3-bit version Version field, following the TLS Flags
field, which enables future TEAP implementations to be backward
compatible with previous versions of the protocol. This
specification documents the TEAP version 1 protocol; implementations
of this specification MUST use a version Version field set to 1.

Version negotiation proceeds as follows:

1. In the first EAP-Request sent with EAP type=TEAP, the EAP server
MUST set the version Version field to the highest version it supports.

2a. If the EAP peer supports this version of the protocol, it
responds with an EAP-Response of EAP type=TEAP, including the
version number proposed by the TEAP server.

2b. If the TEAP peer does not support the proposed version but
supports a lower version, it responds with an EAP-Response of
EAP type=TEAP and sets the version Version field to its highest
supported version.

2c. If the TEAP peer only supports versions higher than the version
proposed by the TEAP server, then use of TEAP will not be
possible. In this case, the TEAP peer sends back an EAP-Nak
either to negotiate a different EAP type or to indicate no other
EAP types are a available.

3a. If the TEAP server does not support the version number proposed
by the TEAP peer, it it MUST either terminate the conversation with
an EAP-Failure EAP Failure or negotiate a new EAP type.

3b. If the TEAP server does support the version proposed by the TEAP
peer, then the conversation continues using the version proposed
by the TEAP peer.

The version negotiation procedure guarantees that the TEAP peer and
server will agree to the latest version supported by both parties.
If version negotiation fails, then use of TEAP will not be possible,
and another mutually acceptable EAP method will need to be negotiated
if authentication is to proceed.

The TEAP version is not protected by TLS; TLS and hence can be modified in
transit. In order to detect a modification of the TEAP version, the
peers MUST exchange the TEAP version number received during version
negotiation using the Crypto-Binding TLV described in Section 4.2.13.
The receiver of the Crypto-Binding TLV MUST verify that the version
received in the Crypto-Binding TLV matches the version sent by the
receiver in the TEAP version negotiation. If the Crypto-Binding TLV
fails to be validated, then it is a fatal error and is handled as
described in Section 3.6.3.

3.2. TEAP Authentication Phase 1: Tunnel Establishment

TEAP relies on the TLS handshake [RFC5246] to establish an
authenticated and protected tunnel. The TLS version offered by the
peer and server MUST be TLS version 1.2 [RFC5246] or later. This
version of the TEAP implementation MUST support the following TLS
ciphersuites:

TLS_RSA_WITH_AES_128_CBC_SHA [RFC5246]

TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC5246]

This version of the TEAP implementation SHOULD support the following
TLS ciphersuite:

TLS_RSA_WITH_AES_256_CBC_SHA [RFC5246]

Other ciphersuites MAY be supported. It is REQUIRED that anonymous
ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC5246] only
be used in the case when the inner authentication method provides
mutual authentication, key generation, and resistance to man-in-the-
middle and dictionary attack. attacks. TLS ciphersuites that do not provide
confidentiality MUST NOT be used. During the TEAP Phase 1
conversation, the TEAP endpoints MAY negotiate TLS compression.
During TLS tunnel establishment, TLS extensions MAY be used. For
instance, the Certificate Status Request extension [RFC6066] and multiple
certificate status request the
Multiple Certificate Status Request extension [RFC6961] can be used
to leverage a certificate-status protocol such as OCSP Online Certificate
Status Protocol (OCSP) [RFC6960] to check the validity of server
certificates. TLS renegotiation indications defined in RFC 5746
[RFC5746] MUST be supported.

The EAP server initiates the TEAP conversation with an EAP request
containing a TEAP/Start packet. This packet includes a set Start (S)
bit, the TEAP version as specified in Section 3.1, and an authority
identity TLV. The TLS payload in the initial packet is empty. The
authority identity TLV (Authority-ID TLV) is used to provide the peer
a hint of the server's identity that may be useful in helping the
peer select the appropriate credential to use. Assuming that the
peer supports TEAP, the conversation continues with the peer sending
an EAP-Response packet with EAP type of TEAP with the Start (S) bit
clear and the version as specified in Section 3.1. This message
encapsulates one or more TLS handshake messages. If the TEAP version
negotiation is successful successful, then the TEAP conversation continues until
the EAP server and EAP peer are ready to enter Phase 2. When the
full TLS handshake is performed, then the first payload of TEAP Phase
2 MAY be sent along with a server-finished handshake message to
reduce the number of round trips.

TEAP implementations MUST support mutual peer authentication during
tunnel establishment using the TLS ciphersuites specified in this
section. The TEAP peer does not need to authenticate as part of the
TLS exchange, exchange but can alternatively be authenticated through
additional exchanges carried out in Phase 2.

The TEAP tunnel protects peer identity information exchanged during
phase
Phase 2 from disclosure outside the tunnel. Implementations that
wish to provide identity privacy for the peer identity need to
carefully consider what information is disclosed outside the tunnel
prior to phase Phase 2. TEAP implementations SHOULD support the immediate
renegotiation of a TLS session to initiate a new handshake message
exchange under the protection of the current cipher suite. ciphersuite. This
allows support for protection of the peer's identity when using TLS
client authentication. An example of the exchanges using TLS
renegotiation to protect privacy is shown in Appendix C.

The following sections describe resuming a TLS session based on
server-side or client-side state.

3.2.1. TLS Session Resume Using Server State

TEAP session resumption is achieved in the same manner TLS achieves
session resume. To support session resumption, the server and peer
minimally cache the Session ID, master secret, and ciphersuite. The
peer attempts to resume a session by including a valid Session ID
from a previous TLS handshake in its ClientHello message. If the
server finds a match for the Session ID and is willing to establish a
new connection using the specified session state, the server will
respond with the same Session ID and proceed with the TEAP Phase 1
tunnel establishment based on a TLS abbreviated handshake. After a
successful conclusion of the TEAP Phase 1 conversation, the
conversation then continues on to Phase 2.

3.2.2. TLS Session Resume Using a PAC

TEAP supports the resumption of sessions based on server state being
stored on the client side using the TLS SessionTicket extension
techniques described in [RFC5077]. This version of TEAP supports the
provisioning of a ticket called a Protected Access Credential (PAC)
through the use of the NewSessionTicket handshake described in
[RFC5077], as well as provisioning of a PAC inside the protected
tunnel. Implementations MUST support the TLS Ticket Extension extension
[RFC5077] mechanism for distributing a PAC and may provide additional
ways to provision the PAC, such as manual configuration. Since the
PAC mentioned here is used for establishing the TLS Tunnel, tunnel, it is
more specifically referred to as the Tunnel PAC. The Tunnel PAC is a
security credential provided by the EAP server to a peer and
comprised of:

1. PAC-Key: this is the key used by the peer as the TLS master
secret to establish the TEAP Phase 1 tunnel. The PAC-Key is a
strong high-entropy
strong, high-entropy, at minimum 48-octet key and is typically
the master secret from a previous TLS session. The PAC-Key is a
secret and MUST be treated accordingly. Otherwise, if leaked, it
could lead to user credentials being compromised if sent within
the tunnel established using the PAC-Key. In the case that a PAC-
Key
PAC-Key is provisioned to the peer through another means means, it MUST
have its confidentiality and integrity protected by a mechanism,
such as the TEAP phase Phase 2 tunnel. The PAC-Key MUST be stored
securely by the peer.

2. PAC-Opaque: this is a variable length variable-length field containing the ticket
that is sent to the EAP server during the TEAP Phase 1 tunnel
establishment based on RFC 5077. [RFC5077]. The PAC-Opaque can only be
interpreted by the EAP server to recover the required information
for the server to validate the peer's identity and
authentication. The PAC-Opaque includes the PAC-Key and other
TLS session parameters. It may contain the PAC's peer identity.
The PAC-Opaque format and contents are specific to the PAC
issuing server. The PAC-Opaque may be presented in the clear, so
an attacker MUST NOT be able to gain useful information from the
PAC-Opaque itself. The server issuing the PAC-Opaque needs to
ensure it is protected with strong cryptographic keys and
algorithms. The PAC-Opaque may be distributed using the
NewSessionTicket message defined in RFC 5077 [RFC5077], or it may be
distributed through another mechanism such as the phase Phase 2 TLVs
defined in this document.

3. PAC-Info: this is an optional variable length variable-length field used to
provide, at a minimum, the authority identity of the PAC issuer.
Other useful but not mandatory information, such as the PAC-Key
lifetime, may also be conveyed by the PAC issuing PAC-issuing server to the
peer during PAC provisioning or refreshment. PAC-Info is not
included if the NewSessionTicket message is used to provision the
PAC.

The use of the PAC is based on the SessionTicket extension defined in
[RFC5077]. The EAP server initiates the TEAP conversation as normal.
Upon receiving the Authority-ID TLV from the server, the peer checks
to see if it has an existing valid PAC-Key and PAC-Opaque for the
server. If it does, then it obtains the PAC-Opaque and puts it in
the SessionTicket extension in the ClientHello. It is RECOMMENDED in
TEAP that the peer include an empty Session ID in a ClientHello
containing a PAC-Opaque. This version of TEAP supports the
NewSessionTicket Handshake message as described in [RFC5077] for
distribution of a new PAC, as well as the provisioning of PAC inside
the protected tunnel. If the PAC-Opaque included in the
SessionTicket extension is valid and the EAP server permits the
abbreviated TLS handshake, it will select the cipher suite ciphersuite from
information within the PAC-Opaque and finish with the abbreviated TLS
handshake. If the server receives a Session ID and a PAC-Opaque in
the SessionTicket extension in a ClientHello, it should place the
same Session ID in the ServerHello if it is resuming a session based
on the PAC-Opaque. The conversation then proceeds as described in
[RFC5077] until the handshake completes or a fatal error occurs.
After the abbreviated handshake completes, the peer and the server
are ready to commence Phase 2.

3.2.3. Transition between Abbreviated and Full TLS Handshake

If session resumption based on server-side or client-side state
fails, the server can gracefully fall back to a full TLS handshake.
If the ServerHello received by the peer contains an empty Session ID
or a Session ID that is different than in the ClientHello, the server
may fall back to a full handshake. The peer can distinguish the
server's intent of negotiating to negotiate a full or abbreviated TLS handshake by
checking the next TLS handshake messages in the server response to
the ClientHello. If ChangeCipherSpec follows the ServerHello in
response to the ClientHello, then the server has accepted the session
resumption and intends to negotiate the abbreviated handshake.
Otherwise, the server intends to negotiate the full TLS handshake. A
peer can request that a new PAC to be provisioned after the full TLS
handshake and mutual authentication of the peer and the server. A
peer SHOULD NOT request that a new PAC to be provisioned after the
abbreviated handshake, as requesting a new session ticket based on
resumed session is not permitted. In order to facilitate the
fallback to a full handshake handshake, the peer SHOULD include cipher suites ciphersuites
that allow for a full handshake and possibly PAC provisioning so the
server can select one of these in case session resumption fails. An
example of the transition is shown in Appendix C.

3.3. TEAP Authentication Phase 2: Tunneled Authentication

The second portion of the TEAP Authentication authentication occurs immediately
after successful completion of Phase 1. Phase 2 occurs even if both
peer and authenticator are authenticated in the Phase 1 TLS
negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake
fails, as that will compromise the security as the tunnel has not
been established successfully. Phase 2 consists of a series of
requests and responses encapsulated in TLV objects defined in
Section 4.2. Phase 2 MUST always end with a Crypto-Binding TLV
exchange described in Section 4.2.13 and a protected termination
exchange described in Section 3.3.3. The TLV exchange may include
the execution of zero or more EAP methods within the protected tunnel
as described in Section 3.3.1. A server MAY proceed directly to the
protected termination exchange if it does not wish to request further
authentication from the peer. However, the peer and server MUST NOT
assume that either will skip inner EAP methods or other TLV
exchanges, as the other peer might have a different security policy.
The peer may have roamed to a network that requires conformance with
a different authentication policy, or the peer may request the server
take additional action (e.g., channel binding) through the use of the
Request-Action TLV as defined in Section 4.2.9.

3.3.1. EAP Sequences

EAP [RFC3748] prohibits use of multiple authentication methods within
a single EAP conversation in order to limit vulnerabilities to man-
in-the-middle attacks. TEAP addresses man-in-the-middle attacks
through support for cryptographic protection of the inner EAP
exchange and cryptographic binding of the inner authentication
method(s) to the protected tunnel. EAP methods are executed serially
in a sequence. This version of TEAP does not support initiating
multiple EAP methods simultaneously in parallel. The methods need
not be distinct. For example, EAP-TLS could be run twice as an inner
method, first using machine credentials followed by a second instance
using user credentials.

EAP method messages are carried within EAP-Payload TLVs defined in
Section 4.2.10. If more than one method is going to be executed in
the tunnel, then upon method completion, the server MUST send an
Intermediate-Result TLV indicating the result. The peer MUST respond
to the Intermediate-Result TLV indicating its result. If the result
indicates success, the Intermediate-Result TLV MUST be accompanied by
a Crypto-Binding TLV. The Crypto-Binding TLV is further discussed in
Section
Sections 4.2.13 and Section 5.3. The Intermediate-Result TLVs can be
included with other TLVs such as EAP-Payload TLVs starting a new EAP
conversation or with the Result TLV used in the protected termination
exchange.

If both peer and server indicate success, then the method is
considered complete. If either indicates failure, then the method is
considered failed. The result of failure of an EAP method does not
always imply a failure of the overall authentication. If one
authentication method fails, the server may attempt to authenticate
the peer with a different method.

3.3.2. Optional Password Authentication

The use of EAP-FAST-GTC as defined in RFC 5421 [RFC5421] is NOT
RECOMMENDED with TEAPv1 because EAP-FAST-GTC is not compliant with
EAP-GTC defined in [RFC3748]. Implementations should instead make
use of the password authentication TLVs defined in this
specification. The authentication server initiates password
authentication by sending a Basic-Password-Auth-Req TLV defined in
Section 4.2.14. If the peer wishes to participate in password
authentication
authentication, then it responds with a Basic-Password-Auth-Resp TLV
as defined in Section 4.2.15 that contains the username and password.
If it does not wish to perform password authentication authentication, then it
responds with a NAK TLV indicating the rejection of the Basic-
Password-Auth-Req TLV. Upon receiving the response, the server
indicates the success or failure of the exchange using an
Intermediate-Result TLV. Multiple roundtrips round trips of password
authentication requests and responses MAY be used to support some
"housecleaning" functions such as a password change, or pin change pin, etc. before a
user is authenticated.

3.3.3. Protected Termination and Acknowledged Result Indication

A successful TEAP Phase 2 conversation MUST always end in a
successful Crypto-Binding TLV and Result TLV exchange. A TEAP server
may initiate the Crypto-Binding TLV and Result TLV exchange without
initiating any EAP conversation in TEAP Phase 2. After the final
Result TLV exchange, the TLS tunnel is terminated terminated, and a clear text
EAP-Success cleartext
EAP Success or EAP-Failure EAP Failure is sent by the server. Peers implementing
TEAP MUST NOT accept a clear-text cleartext EAP success Success or failure packet prior
to the peer and server reaching synchronized protected result
indication.

The Crypto-Binding TLV exchange is used to prove that both the peer
and server participated in the tunnel establishment and sequence of
authentications. It also provides verification of the TEAP type,
version negotiated, outer and Outer TLVs exchanged before the TLS tunnel
establishment. The Crypto-Binding TLV MUST be exchanged and verified
before the final Result TLV exchange, regardless of whether or not
there is an inner EAP method authentication or not. authentication. The Crypto-Binding TLV
and Intermediate-Result TLV MUST be included to perform Cryptographic
Binding cryptographic
binding after each successful EAP method in a sequence of one or more
EAP methods. The server may send the final Result TLV along with an
Intermediate-Result TLV and a Crypto-Binding TLV to indicate its
intention to end the conversation. If the peer requires nothing more
from the server, it will respond with a Result TLV indicating success
accompanied by a Crypto-Binding TLV and Intermediate-Result TLV if
necessary. The server then tears down the tunnel and sends a clear
text EAP-Success
cleartext EAP Success or EAP-Failure. EAP Failure.

If the peer receives a Result TLV indicating success from the server,
but its authentication policies are not satisfied (for example example, it
requires a particular authentication mechanism be run or it wants to
request a PAC), it may request further action from the server using
the Request-Action TLV. The Request-Action TLV is sent with a Status
field indicating what EAP Success/Failure result the peer would
expect if the requested action is not granted. The value of the
Action field indicates what the peer would like to do next. The
format and values for the Request-Action TLV are defined in
Section 4.2.9.

Upon receiving the Request-Action TLV TLV, the server may process the
request or ignore it, based on its policy. If the server ignores the
request, it proceeds with termination of the tunnel and send sends the
clear text
cleartext EAP Success or Failure message based on the Status field of
the peer's Request-Action TLV. If the server honors and processes
the request, it continues with the requested action. The
conversation completes with a Result TLV exchange. The Result TLV
may be included with the TLV that completes the requested action.

Error handling for Phase 2 is discussed in Section 3.6.3.

3.4. Determining Peer-Id and Server-Id

The Peer-Id and Server-Id [RFC5247] may be determined based on the
types of credentials used during either the TEAP tunnel creation or
authentication. In the case of multiple peer authentications, all
authenticated peer identities and their corresponding identity types
(Section 4.2.3) need to be exported. In the case of multiple server
authentications, all authenticated server identities need to be
exported.

When X.509 certificates are used for peer authentication, the Peer-Id
is determined by the subject and subjectAltName fields in the peer
certificate. As noted in [RFC5280]:

The subject field identifies the entity associated with the public
key stored in the subject public key field. The subject name MAY
be carried in the subject field and/or the subjectAltName
extension. . . . If subject naming information is present only in
the subjectAltName extension (e.g., a key bound only to an email
address or URI), then the subject name MUST be an empty sequence
and the subjectAltName extension MUST be critical.

Where it is non-empty, the subject field MUST contain an X.500
distinguished name (DN).

If an inner EAP method is run, then the Peer-Id is obtained from the
inner method.

When the server uses an X.509 certificate to establish the TLS
tunnel, the Server-Id is determined in a similar fashion as stated
above for the Peer-Id; Peer-Id, e.g., the subject and subjectAltName fields in
the server certificate defines define the Server-Id.

3.5. TEAP Session Identifier

The EAP session identifier [RFC5247] is constructed using the tls-
unique from the phase Phase 1 outer tunnel at the beginning of phase Phase 2 as
defined by section Section 3.1 of [RFC5929]. The Session-Id is defined as
follows:

Session-Id = teap_type || tls-unique

where teap_type is the EAP method type Type assigned to TEAP

tls-unique = tls-unique from the phase Phase 1 outer tunnel at the
beginning of phase Phase 2 as defined by section Section 3.1 of [RFC5929]

|| means concatenation

3.6. Error Handling

TEAP uses the following error handling error-handling rules summarized below:

1. Errors in the outer EAP packet layer are handled as defined in
Section 3.6.1.

2. Errors in the TLS layer are communicated via TLS alert messages
in all phases of TEAP.

3. The Intermediate-Result TLVs carry success or failure indications
of the individual EAP methods in TEAP Phase 2. Errors within the
EAP conversation in Phase 2 are expected to be handled by
individual EAP methods.

4. Violations of the Inner TLV rules are handled using Result TLVs
together with Error TLVs.

5. Tunnel compromised Tunnel-compromised errors (errors caused by Crypto-Binding a failed or missing) missing
Crypto-Binding) are handled using Result TLVs and Error TLVs.

3.6.1. Outer Layer Outer-Layer Errors

Errors on the TEAP outer packet outer-packet layer are handled in the following
ways:

1. If Outer TLVs are invalid or contain unknown values, they will be
ignored.

2. The entire TEAP packet will be ignored if other fields (version,
length, flags, etc.) are inconsistent with this specification.

3.6.2. TLS Layer Errors

If the TEAP server detects an error at any point in the TLS Handshake handshake
or the TLS layer, the server SHOULD send a TEAP request encapsulating
a TLS record containing the appropriate TLS alert message rather than
immediately terminating the conversation so as to allow the peer to
inform the user of the cause of the failure and possibly allow for a
restart of the conversation. The peer MUST send a TEAP response to
an alert message. The EAP-Response packet sent by the peer may
encapsulate a TLS ClientHello handshake message, in which case the
TEAP server MAY allow the TEAP conversation to be restarted, or it
MAY contain a TEAP response with a zero-length message, in which case
the server MUST terminate the conversation with an EAP-Failure EAP Failure
packet. It is up to the TEAP server whether or not to allow
restarts, and and, if so, allowed, how many times the conversation can be
restarted. Per TLS
[RFC5226], [RFC5246], TLS restart is only allowed for non-fatal non-
fatal alerts. A TEAP server implementing restart capability SHOULD
impose a limit on the number of restarts, so as to protect against
denial-of-service attacks. If the TEAP server does not allow
restarts, it MUST terminate the conversation with an EAP-Failure EAP Failure
packet.

If the TEAP peer detects an error at any point in the TLS layer, the
TEAP peer SHOULD send a TEAP response encapsulating a TLS record
containing the appropriate TLS alert message. The server may restart
the conversation by sending an a TEAP request packet encapsulating the
TLS HelloRequest handshake message. The peer may allow the TEAP
conversation to be restarted restarted, or it may terminate the conversation by
sending an a TEAP response with an a zero-length message.

3.6.3. Phase 2 Errors

Any time the peer or the server finds a fatal error outside of the
TLS layer during Phase 2 TLV processing, it MUST send a Result TLV of
failure and an Error TLV with the appropriate error code. For errors
involving the processing of the sequence of exchanges, such as a
violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error
code is Unexpected TLVs Exchanged. For errors involving a tunnel
compromise, the error-code error code is Tunnel Compromise Error. Upon sending
a Result TLV with a fatal Error TLV TLV, the sender terminates the TLS
tunnel. Note that a server will still wait for a message from the
peer after it sends a failure, however failure; however, the server does not need to
process the contents of the response message.

For the inner method, retransmission is not needed and SHOULD NOT be
attempted, as the outer Outer TLS tunnel can be considered a reliable
transport. If there is a non-fatal error handling the inner method,
instead of silently dropping the inner method request or response and
not responding, the receiving side SHOULD use an Error TLV with error
code Inner Method Error to indicate an error processing the current
inner method. The side receiving the Error TLV MAY decide to start a
new inner method instead or send back a Result TLV to terminate the
TEAP authentication session.

If a server receives a Result TLV of failure with a fatal Error TLV,
it MUST send a clear text EAP-Failure. cleartext EAP Failure. If a peer receives a Result
TLV of failure, it MUST respond with a Result TLV indicating failure.
If the server has sent a Result TLV of failure, it ignores the peer
response, and it MUST send a clear text EAP-Failure. cleartext EAP Failure.

3.7. Fragmentation

A single TLS record may be up to 16384 octets in length, but a TLS
message may span multiple TLS records, and a TLS certificate message
may
may, in principle principle, be as long as 16 MB. This is larger than the
maximum size for a message on most media types, therefore types; therefore, it is
desirable to support fragmentation. Note that in order to protect
against reassembly lockup and denial-of-service attacks, it may be
desirable for an implementation to set a maximum size for one such
group of TLS messages. Since a typical certificate chain is rarely
longer than a few thousand octets, and no other field is likely to be
anywhere near as long, a reasonable choice of maximum acceptable
message length might be 64 KB. This is still a fairly large message
packet size so an a TEAP implementation MUST provide its own support for
fragmentation and reassembly. Section 3.1 of [RFC3748] discusses
determining the MTU usable by EAP EAP, and section Section 4.3 discusses
retransmissions in EAP.

Since EAP is a lock-step protocol, fragmentation support can be added
in a simple manner. In EAP, fragments that are lost or damaged in
transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a
fragment offset field.

TEAP fragmentation support is provided through the addition of flag
bits within the EAP-Response and EAP-Request packets, as well as a
TLS
Message Length field of four octets. Flags include the Length
included (L), More fragments (M), and TEAP Start (S) bits. The L
flag is set to indicate the presence of the four-octet TLS Message Length field,
field and MUST be set for the first fragment of a fragmented TLS
message or set of messages. It MUST NOT be present for any other
message. The M flag is set on all but the last fragment. The S flag
is set only within the TEAP start message sent from the EAP server to
the peer. The TLS Message Length field is four octets, octets and provides the
total length of the TLS message or set of messages that is being
fragmented; may be fragmented over the data
fields of multiple packets; this simplifies buffer allocation.

When a TEAP peer receives an EAP-Request packet with the M bit set,
it MUST respond with an EAP-Response with EAP-Type EAP Type of TEAP and no
data. This serves as a fragment ACK. The EAP server MUST wait until
it receives the EAP-Response before sending another fragment. In
order to prevent errors in processing of fragments, the EAP server
MUST increment the Identifier field for each fragment contained
within an EAP-Request, and the peer MUST include this Identifier
value in the fragment ACK contained within the EAP-Response.
Retransmitted fragments will contain the same Identifier value.

Similarly, when the TEAP server receives an EAP-Response with the M
bit set, it responds with an EAP-Request with EAP-Type EAP Type of TEAP and no
data. This serves as a fragment ACK. The EAP peer MUST wait until
it receives the EAP-Request before sending another fragment. In
order to prevent errors in the processing of fragments, the EAP
server MUST increment the Identifier value for each fragment ACK
contained within an EAP-Request, and the peer MUST include this
Identifier value in the subsequent fragment contained within an EAP-
Response.

3.8. Peer Services

Several TEAP services services, including server unauthenticated provisioning,
PAC provisioning, certificate provisioning provisioning, and channel binding binding,
depend on the peer trusting the TEAP server. Peers MUST authenticate
the server before these peer services are used. TEAP peer
implementations MUST have a configuration where authentication fails
if server authentication cannot be achieved. In many cases cases, the
server will want to authenticate the peer before providing these
services as well well.

TEAP peers MUST track whether or not server authentication has taken
place. Server authentication results if the peer trusts the provided
server certificate. Typically Typically, this involves both validating the
certificate to a trust anchor and confirming the entity named by the
certificate is the intended server. Server authentication also
results when the procedures of in Section 3.2 are used to resume a
session in which the
the peer and server was were previously mutually
authenticated. Alternatively, peer services can be used if an inner
EAP method providing mutual authentication and an Extended Master
Session Key (EMSK) is executed and cryptographic binding with the
EMSK compound
MAC Compound Message Authentication Code (MAC) is correctly
validated (Section 4.2.13). This is further described in
Section 3.8.3.

An additional complication arises when a tunnel method authenticates
multiple parties such as authenticating both the peer machine and the
peer user to the EAP server. Depending on how authentication is
achieved, only some of these parties may have confidence in it. For
example
example, if a strong shared secret is used to mutually authenticate
the user and the EAP server, the machine may not have confidence that
the EAP server is the authenticated party if the machine cannot trust
the user not to disclose the shared secret to an attacker. In these
cases, the parties who participate in the authentication need to be
considered when evaluating whether to use peer services.

3.8.1. PAC Provisioning

To request provisioning of a PAC, a peer sends a PAC TLV as defined
in Section 4.2.12 containing a PAC Attribute as defined in
Section 4.2.12.1 of PAC Type PAC-Type set to the appropriate value. The peer
MUST successfully authenticate the EAP server and validate the the
Crypto-Binding TLV as defined in Section 4.2.13 before issuing the
request. The peer MUST send separate PAC TLVs for each type of PAC
it wants to be provisioned. Multiple PAC TLVs can be sent in the
same packet or in different packets. The EAP server will send the
PACs after its internal policy has been satisfied, or it MAY ignore
the request or request additional authentications if its policy
dictates. The server MAY cache the request and provision the PACs
requested after all of its internal policies have been satisfied. If
a peer receives a PAC with an unknown type, it MUST ignore it.

A PAC-TLV PAC TLV containing a PAC-Acknowledge attribute MUST be sent by the
peer to acknowledge the receipt of the Tunnel PAC. A PAC-TLV PAC TLV
containing a PAC-Acknowledge attribute MUST NOT be used by the peer
to acknowledge the receipt of other types of PACs. If the peer
receives a PAC TLV with an unknown attribute, it SHOULD ignore the
unknown attribute.

3.8.2. Certificate Provisioning Within within the Tunnel

Provisioning of a peer's certificate is supported in TEAP by
performing the Simple PKI Request/Response from [RFC5272] using
PKCS#10 and PKCS#7 TLVs, respectively. A peer sends the Simple PKI
Request using a PKCS#10 CertificateRequest [RFC2986] encoded into the
body of a PKCS#10 TLV (see Section 4.2.17). The TEAP Server server issues a
Simple PKI Response using a PKCS#7 [RFC2315] degenerate "certs-only" "Certificates
Only" message encoded into the body of a PKCS#7 TLV (see
Section 4.2.16), only after an authentication method has run and
provided an identity proof on the peer prior to a certificate is
being issued.

In order to provide linking identity and proof-of-possession by
including information specific to the current authenticated TLS
session within the signed certification request, the peer generating
the request SHOULD obtain the tls-unique value from the TLS subsystem
as defined in Channel "Channel Bindings for TLS TLS" [RFC5929]. The TEAP peer
operations between obtaining the tls_unique value through generation
of the CSR Certification Signing Request (CSR) that contains the current
tls_unique value and the subsequent verification of this value by the
TEAP server are the "phases of the application protocol during which application- layer
application-layer authentication occurs" that are protected by the
synchronization interoperability mechanism described in the Channel
interoperability note in "Channel Bindings for TLS
[RFC5929] section 3.1 interoperability notes. TLS" ([RFC5929],
Section 3.1). When performing renegotiation, TLS
"secure_renegotiation" [RFC5746] MUST be used.

The tls-unique value is base 64-encoded base-64-encoded as specified in Section 4 of
[RFC4648]
[RFC4648], and the resulting string is placed in the certification
request challenge-password challengePassword field ( [RFC2985], ([RFC2985], Section 5.4.1). The
challenge-password
challengePassword field is limited to 255 bytes (section octets (Section 7.4.9 of
[RFC5246] indicates that no existing cipher suite ciphersuite would result in an
issue with this limitation). If tls-unique information is not
embedded within the certification request request, the challenge-password challengePassword
field MUST be empty to indicate that the peer did not include the
optional channel-binding information (any value submitted is verified
by the server as tls-unique information).

The server SHOULD verify the tls-unique information. This ensures
that the authenticated TEAP peer is in possession of the private key
used to sign the certification request.

The Simple PKI Request/Response generation and processing rules of
[RFC5272] SHALL apply to TEAP, with the exception of error
conditions. In the event of an error, the TEAP Server server SHOULD respond
with an Error TLV using the most descriptive error code possible; it
MAY ignore the PKCS#10 request which that generated the error.

3.8.3. Server Unauthenticated Provisioning Mode

In Server Unauthenticated Provisioning Mode, an unauthenticated
tunnel is established in phase 1 Phase 1, and the peer and server negotiate
an EAP method in phase Phase 2 that supports mutual authentication and key
derivation that is resistant to attacks such as Man-in-the-middle man-in-the-middle and
dictionary attacks. This provisioning mode enables the bootstrapping
of peers when the peer lacks a strong credential usable for mutual
authentication with the ability to authenticate the server
during phase Phase 1. This includes both cases of where in which the cipher suite ciphersuite
negotiated does not provide authentication or and in which the cipher suite
ciphersuite negotiated provides the authentication but the peer is
unable to validate the identity of the server for some reason.

Upon successful completion of the EAP method in phase Phase 2, the peer and
server exchange a Crypto-Binding TLV to bind the inner method with
the outer tunnel and ensure that a man-in-the-middle attack has not
been attempted.

Support for the Server Unauthenticated Provisioning Mode is optional.
The cipher suite ciphersuite TLS_DH_anon_WITH_AES_128_CBC_SHA is RECOMMENDED when
using server unauthenticated mode, Server Unauthenticated Provisioning Mode, but other anonymous
ciphersuites MAY be supported as long as the TLS pre-master secret is
generated from contribution from both peers. Phase 2 EAP methods
used in Server Unauthenticated Provisioning Mode MUST provide mutual
authentication, provide key generation, and be resistant to
dictionary attack. Example inner methods include EAP-pwd [RFC5931]
and EAP-EKE [RFC6124].

3.8.4. Channel Binding

[RFC6677] defines EAP channel bindings to solve the "lying NAS" and
the "lying provider" problems, using a process in which the EAP peer
gives information about the characteristics of the service provided
by the authenticator to the AAA Authentication, Authorization, and
Accounting (AAA) server protected within the EAP method. This allows
the server to verify the authenticator is providing information to
the peer that is consistent with the information received from this
authenticator as well as the information stored about this
authenticator.

TEAP supports EAP channel binding using the Channel-Binding TLV
defined in Section 4.2.7. If the TEAP server wants to request the
channel binding
channel-binding information from the peer, it sends an empty Channel-
Binding TLV to indicate the request. The peer responds to the
request by sending a Channel-Binding TLV containing channel binding a channel-binding
message as defined in [RFC6677]. The server validates the channel channel-
binding message and sends back a Channel-Binding TLV with a result
code. If the server didn't initiate the channel binding channel-binding request and
the peer still wants to send the channel binding channel-binding information to the
server, it can do that by using the Request-Action TLV along with the
Channel-Binding TLV.Peer TLV. The peer MUST only sends channel binding send channel-binding
information after it has successfully authenticated the server and
established the protected tunnel.

4. Message Formats

The following sections describe the message formats used in TEAP.
The fields are transmitted from left to right in network byte order.

4.1. TEAP Message Format

A summary of the TEAP Request/Response packet format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | Ver | Message Length :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Message Length | Outer TLV Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Outer TLV Length | TLS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Outer TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

The code Code field is one octet in length and is defined as follows:

1 Request

2 Response

Identifier

The Identifier field is one octet and aids in matching responses
with requests. The Identifier field MUST be changed on each
Request packet. The Identifier field in the Response packet MUST
match the Identifier field from the corresponding request.

Length

The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, Flags, Ver,
Message Length, TLS Data, and Outer TLVs fields. Octets outside
the range of the Length field should be treated as Data Link Layer
padding and should be ignored on reception.

Type

TBD

55 for TEAP

Flags

0 1 2 3 4
+-+-+-+-+-+
|L M S O R|
+-+-+-+-+-+
L Length included; set to indicate the presence of the four
octet four-octet
Message Length field. It MUST be present for the first
fragment of a fragmented message. It MUST NOT be present for
any other message message.

M More fragments; set on all but the last fragment fragment.

S TEAP start; set in a TEAP Start message sent from the server to
the peer peer.

O Outer TLV length included; set to indicate the presence of the
four-octet Outer TLV Length field. It MUST be present only in
the initial request and response messages. If the initial
message is fragmented, then it MUST be present only on the
first fragment fragment.

R Reserved (MUST be zero and ignored upon receipt)

Ver

This field contains the version of the protocol. This document
describes version 1 (001 in binary) of TEAP.

Message Length

The Message Length field is four octets, octets and is present only if the
L bit is set. This field provides the total length of the message
that may be fragmented over the data fields of multiple packets.

Outer TLV Length

The Outer TLV Length field is four octets, octets and is present only if
the O bit is set. This field provides the total length of the
Outer TLVs if present.

TLS Data

When the TLS Data field is present, it consists of an encapsulated
TLS packet in TLS record format. A TEAP packet with Flags and
Version fields, but with zero length TLS data Data field, is used to
indicate TEAP acknowledgement for either a fragmented message, a
TLS Alert message message, or a TLS Finished message.

Outer TLVs

The Outer TLVs consist of the optional data used to help
establishing establish
the TLS tunnel in TLV format. They are only allowed in the first
two messages in the TEAP protocol. That is the first EAP server to peer EAP-server-
to-peer message and first peer to EAP server peer-to-EAP-server message. The start
of the Outer TLVs can be derived from the EAP Length field and
Outer TLV Length field.

4.2. TEAP TLV Format and Support

The TLVs defined here are standard Type-Length-Value (TLV) TLV objects. The TLV objects could be used
to carry arbitrary parameters between an EAP peer and EAP server
within the protected TLS tunnel.

The EAP peer may not necessarily implement all the TLVs supported by
the EAP server. To allow for interoperability, TLVs are designed to
allow an EAP server to discover if a TLV is supported by the EAP
peer, peer
using the NAK TLV. The mandatory bit in a TLV indicates whether
support of the TLV is required. If the peer or server does not
support a TLV marked mandatory, then it MUST send a NAK TLV in the
response, and all the other TLVs in the message MUST be ignored. If
an EAP peer or server finds an unsupported TLV that is marked as
optional, it can ignore the unsupported TLV. It MUST NOT send an a NAK
TLV for a TLV that is not marked mandatory. If all TLVs in a message
are marked optional and none are understood by the peer, then a NAK
TLV or Result TLV could be sent to the other side in order to
continue the conversation.

Note that a peer or server may support a TLV with the mandatory bit
set,
set but may not understand the contents. The appropriate response to
a supported TLV with content that is not understood is defined by the
individual TLV specification.

EAP implementations compliant with this specification MUST support
TLV exchanges, exchanges as well as the processing of mandatory/optional
settings on the TLV. Implementations conforming to this
specification MUST support the following TLVs:

Authority-ID TLV

Identity-Type TLV

Result TLV

NAK TLV

Error TLV

Request-Action TLV

EAP-Payload TLV
Intermediate-Result TLV

Crypto-Binding TLV

Basic-Password-Auth-Req TLV

Basic-Password-Auth-Resp TLV

4.2.1. General TLV Format

TLVs are defined as described below. The fields are transmitted from
left to right.

0 Optional TLV

1 Mandatory TLV

Reserved, set to zero (0)

TLV Type

A 14-bit field, denoting the TLV type. Allocated Types types include:

0 Unassigned

1 Authority-ID TLV (Section 4.2.2)

2 Identity-Type TLV (Section 4.2.3)

3 Result TLV (Section 4.2.4)

4 NAK TLV (Section 4.2.5)

5 Error TLV (Section 4.2.6)

6 Channel-Binding TLV (Section 4.2.7)
7 Vendor-Specific TLV (Section 4.2.8)

8 Request-Action TLV (Section 4.2.9)

9 EAP-Payload TLV (Section 4.2.10)

10 Intermediate-Result TLV (Section 4.2.11)

11 PAC TLV (Section 4.2.12)

12 Crypto-Binding TLV (Section 4.2.13)

13 Basic-Password-Auth-Req TLV (Section 4.2.14)

14 Basic-Password-Auth-Resp TLV (Section 4.2.15)

15 PKCS#7 TLV (Section 4.2.16)

16 PKCS#10 TLV (Section 4.2.17)

17 Server-Trusted-Root Trusted-Server-Root TLV (Section 4.2.18)

Length

The length of the Value field in octets.

Value

The value of the TLV.

4.2.2. Authority-ID TLV

Mandatory, set to one (1)

Reserved, set to zero (0)
TLV Type

1 for - Authority-ID

Length

The Length filed field is two octets, which octets and contains the length of the ID
field in octets.

Hint of the identity of the server, server to help the peer to match the
credentials available for the server. It should be unique across
the deployment.

4.2.3. Identity-Type TLV

The Identity-Type TLV allows an EAP server to send a hint to help the
EAP peer select the right type of identity; identity, for example; example, user or
machine. TEAPv1 implementations MUST support this TLV. Only one
Identity-Type TLV SHOULD be present in the TEAP request or response
packet. The Identity-Type TLV request MUST come with an EAP-Payload
TLV or Basic-Password-Auth-Req TLV. If the EAP peer does have an
identity corresponding to the identity type requested, then the peer
SHOULD respond with an Identity-Type TLV with the requested type. If
the Identity-Type field does not contain one of the known values or
if the EAP peer does not have an identity corresponding to the
identity type requested, then the peer SHOULD respond with an
Identity-Type TLV with the one of available identity types. If the
server receives an identity type in the response that does not match
the requested type, then the peer does not possess the requested
credential type type, and the server SHOULD proceed with authentication
for the credential type proposed by the peer or peer, proceed with requesting
another credential type, or simply apply the network policy based on
the configured policy, e.g., sending Result TLV with Failure.

The Identity-Type TLV is defined as follows:

M
0 (Optional)

Reserved, set to zero (0)

TLV Type

2 for - Identity-Type TLV

Length

Identity-Type

The Identity-Type field is two octets. Values include:

1 User

2 Machine

4.2.4. Result TLV

The Result TLV provides support for acknowledged success and failure
messages for protected termination within TEAP. If the Status field
does not contain one of the known values, then the peer or EAP server
MUST treat this as a fatal error of Unexpected TLVs Exchanged. The
behavior of the Result TLV is further discussed in Section Sections 3.3.3 and
Section
3.6.3. A Result TLV indicating failure MUST NOT be accompanied by
the following TLVs: NAK, EAP-Payload TLV, or Crypto-
Binding Crypto-Binding TLV. The
Result TLV is defined as follows:

Mandatory, set to one (1)

Reserved, set to zero (0)
TLV Type

3 for - Result TLV

Length

Status

The Status field is two octets. Values include:

1 Success

2 Failure

4.2.5. NAK TLV

The NAK TLV allows a peer to detect TLVs that are not supported by
the other peer. A TEAP packet can contain 0 or more NAK TLVs. A NAK
TLV should not be accompanied by other TLVs. A NAK TLV MUST NOT be
sent in response to a message containing a Result TLV, instead a
Result TLV of failure should be sent indicating failure and an Error
TLV of Unexpected TLVs Exchanged. The NAK TLV is defined as follows:

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

4 for - NAK TLV

Length
>=6

Vendor-Id

The Vendor-Id field is four octets, octets and contains the Vendor-Id of
the TLV that was not supported. The high-order octet is 0 0, and
the low-order three octets are the Structure of Management
Information (SMI) Network Management Private Enterprise Code Number of
the Vendor in network byte order. The Vendor-Id field MUST be
zero for TLVs that are not Vendor-Specific TLVs.

NAK-Type

The NAK-Type field is two octets. The field contains the Type type of
the TLV that was not supported. A TLV of this Type type MUST have been
included in the previous packet.

TLVs

This field contains a list of zero or more TLVs, each of which
MUST NOT have the mandatory bit set. These optional TLVs are for
future extensibility to communicate why the offending TLV was
determined to be unsupported.

4.2.6. Error TLV

The Error TLV allows an EAP peer or server to indicate errors to the
other party. A TEAP packet can contain 0 or more Error TLVs. The
Error-Code field describes the type of error. Error Codes codes 1-999
represent successful outcomes (informative messages), 1000-1999
represent warnings, and codes 2000-2999 represent fatal errors. A fatal
Error TLV MUST be accompanied by a Result TLV indicating
failure failure, and
the conversation is terminated as described in Section 3.6.3.

Many of the error codes below refer to errors in inner method
processing that may be retrieved if made available by the inner
method. Implementations MUST take care that error messages do not
reveal too much information to an attacker. For example, the usage
of error message 1031 (User account credentials incorrect) is NOT
RECOMMENDED, because it allows an attacker to determine valid
usernames by differentiating this response from other responses. It
should only be used for troubleshooting purposes.

The Error TLV is defined as follows:

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

5 for - Error TLV

Length

Error-Code

The Error-Code field is four octets. Currently defined values for
Error-Code include:

1 User account expires soon

2 User account credential expires soon

3 User account authorisations authorizations change soon

4 Clock skew detected

5 Contact administrator

6 User account credentials change required

1001 Inner Method Error

1002 Unspecified authentication infrastructure problem

1003 Unspecified authentication failure

1004 Unspecified authorisation authorization failure
1005 User account credentials unavailable

1006 User account expired

1007 User account locked: try again later

1008 User account locked: admin intervention required

1009 Authentication infrastructure unavailable

1010 Authentication infrastructure not trusted

1011 Clock skew too great

1012 Invalid inner realm

1013 Token out of sync: administrator intervention required

1014 Token out of sync: PIN change required

1015 Token revoked

1016 Tokens exhausted

1017 Challenge expired

1018 Challenge algorithm mismatch

1019 Client certificate not supplied

1020 Client certificate rejected

1021 Realm mismatch between inner and outer identity

1022 Unsupported Algorithm In Certificate Signing Request

1023 Unsupported Extension In Certificate Signing Request

1024 Bad Identity In Certificate Signing Request

1025 Bad Certificate Signing Request

1026 Internal CA Error

1027 General PKI Error

1028 Inner method's channel binding channel-binding data required but not
supplied
1029 Inner method's channel binding channel-binding data did not include required
information

1030 Inner method's channel binding failed

1031 User account credentials incorrect [USAGE NOT RECOMMENDED]

2001 Tunnel Compromise Error

2002 Unexpected TLVs Exchanged

4.2.7. Channel-Binding TLV

The Channel-Binding TLV provides a mechanism for carrying channel channel-
binding data from the peer to the EAP server and a channel binding channel-binding
response from the EAP server to the peer as described in [RFC6677].
TEAPv1 implementations MAY support this TLV, which cannot be
responded to with a NAK TLV. If the Channel-Binding data field does
not contain one of the known values or if the EAP server does not
support this TLV, then the server MUST ignore the value. The
Channel-Binding TLV is defined as follows:

0 (Optional)

Reserved, set to zero (0)

TLV Type

6 for - Channel-Binding TLV

Length

variable

Data
The data field contains a channel-binding message as defined in
section
Section 5.3 of [RFC6677].

4.2.8. Vendor-Specific TLV

The Vendor-Specific TLV is available to allow vendors to support
their own extended attributes not suitable for general usage. A
Vendor-Specific TLV attribute can contain one or more TLVs, referred
to as Vendor TLVs. The TLV-type TLV type of a Vendor-TLV is defined by the
vendor. All the Vendor TLVs inside a single Vendor-Specific TLV
belong to the same vendor. There can be multiple Vendor-Specific
TLVs from different vendors in the same message. Error handling in
the Vendor TLV could use the vendor's own specific error handling error-handling
mechanism or use the standard TEAP error codes defined.

Vendor TLVs may be optional or mandatory. Vendor TLVs sent with
Result TLVs MUST be marked as optional. If the Vendor-Specific TLV
is marked as mandatory, then it is expected that the receiving side
needs to recognize the vendor ID, parse all Vendor TLVs within within, and
deal with error handling within the Vendor-Specific TLV as defined by
the vendor.

The Vendor-Specific TLV is defined as follows:

0 or 1

Reserved, set to zero (0)

TLV Type

7 for Vendor Specific - Vendor-Specific TLV

Length
4 + cumulative length of all included Vendor TLVs

Vendor-Id

The Vendor-Id field is four octets, octets and contains the Vendor-Id of
the TLV. The high-order octet is 0 0, and the low-order 3 octets
are the SMI Network Management Private Enterprise Code Number of the
Vendor in network byte order.

Vendor TLVs

This field is of indefinite length. It contains vendor-
specific Vendor-Specific
TLVs, in a format defined by the vendor.

4.2.9. Request-Action TLV

The Request-Action TLV MAY be sent by both the peer and the server in
response to a successful or failure failed Result TLV. It allows the peer or
server to request the other side to negotiate additional EAP methods
or process TLVs specified in the response packet. The receiving side
MUST process this TLV. The processing for the TLV is as follows:

The receiving entity MAY choose to process any of the TLVs that
are included in the message.

If the receiving entity chooses NOT to process any TLV in the
list, then it sends back a Result TLV with the same code in the
Status field of the Request-Action TLV.

If multiple Request-Action TLVs are in the request, the session
can continue if any of the TLVs in any Request-Action TLV is are
processed.

If multiple Request-Action TLVs are in the request and none of
them is processed, then the most fatal status should be used in
the Result TLV returned. If a status code in the Request-Action
TLV is not understood by the receiving entity, then it should be
treated as a fatal error.

After processing the TLVs or EAP method in the request, another
round of Result TLV exchange would occur to synchronize the final
status on both sides.

The peer or the server MAY send multiple Request-Action TLVs to the
other side. Two Request-Action TLVs MUST NOT occur in the same TEAP
packet if they have the same Status value. The order of processing
multiple Request-Action TLVs is implementation dependent. If the
receiving side process processes the optional (non-fatal) items first, it is
possible that the fatal items will disappear at a later time. If the
receiving side processes the fatal items first, the communication
time will be shorter.

The peer or the server MAY return a new set of Request-Action TLVs
after one or more of the requested items has been processed and the
other side has signaled it wants to end the EAP conversation.

The Request-Action TLV is defined as follows:

Mandatory

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

8 for - Request-Action TLV

Length

2 + cumulative length of all included TLVs

Status

The Status field is one octet. This indicates the result if the
server does not process the action requested by the peer. Values
include:

1 Success

2 Failure

Action

The Action field is one octet. Values include:

1 Process-TLV

2 Negotiate-EAP

TLVs

This field is of indefinite length. It contains TLVs that the
peer wants the server to process.

4.2.10. EAP-Payload TLV

To allow piggybacking an EAP request or response with other TLVs, the
EAP-Payload TLV is defined, which includes an encapsulated EAP packet
and a list of optional TLVs. The optional TLVs are provided for
future extensibility to provide hints about the current EAP
authentication. Only one EAP-Payload TLV is allowed in a message.
The EAP-Payload TLV is defined as follows:

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

9 for - EAP-Payload TLV

Length

length of embedded EAP packet + cumulative length of additional
TLVs

EAP packet
This field contains a complete EAP packet, including the EAP
header (Code, Identifier, Length, Type) fields. The length of
this field is determined by the Length field of the encapsulated
EAP packet.

TLVs

This (optional) field contains a list of TLVs associated with the
EAP packet field. The TLVs MUST NOT have the mandatory bit set.
The total length of this field is equal to the Length field of the
EAP-Payload TLV, minus the Length field in the EAP header of the
EAP packet field.

4.2.11. Intermediate-Result TLV

The Intermediate-Result TLV provides support for acknowledged
intermediate Success and Failure messages between multiple inner EAP
methods within EAP. An Intermediate-Result TLV indicating success
MUST be accompanied by a Crypto-Binding TLV. The optional TLVs
associated with this TLV are provided for future extensibility to
provide hints about the current result. The Intermediate-Result TLV
is defined as follows:

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

10 for - Intermediate-Result TLV

Length

2 + cumulative length of the embedded associated TLVs

Status
The Status field is two octets. Values include:

1 Success

2 Failure

TLVs

This field is of indeterminate length, length and contains zero or more of
the TLVs associated with the Intermediate Result TLV. The TLVs in
this field MUST NOT have the mandatory bit set.

4.2.12. PAC TLV Format

The PAC TLV provides support for provisioning the Protected Access
Credential (PAC). The PAC TLV carries the PAC and related
information within PAC attribute fields. Additionally, the PAC TLV
MAY be used by the peer to request provisioning of a PAC of the type
specified in the PAC Type PAC-Type PAC attribute. The PAC TLV MUST only be
used in a protected tunnel providing encryption and integrity
protection. A general PAC TLV format is defined as follows:

0 or 1

Reserved, set to zero (0)

TLV Type

11 - PAC TLV

Length

Two octets containing the length of the PAC attributes Attributes field in
octets.

PAC Attributes
A list of PAC attributes in the TLV format.

4.2.12.1. Formats for PAC Attributes

Each PAC attribute in a PAC TLV is formatted as a TLV defined as
follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

The Type field is two octets, denoting the attribute type.
Allocated Types types include:

1 - PAC-Key

2 - PAC-Opaque

3 - PAC-Lifetime

4 - A-ID

5 - I-ID

6 - Reserved

7 - A-ID-Info

8 - PAC-Acknowledgement

9 - PAC-Info

10 - PAC-Type

Length

Two octets containing the length of the Value field in octets.

Value

The value of the PAC attribute.

4.2.12.2. PAC-Key

The PAC-Key is a secret key distributed in a PAC attribute of type
PAC-Key. The PAC-Key attribute is included within the PAC TLV
whenever the server wishes to issue or renew a PAC that is bound to a
key such as a Tunnel PAC. The key is a randomly generated octet
string, which
string that is 48 octets in length. The generator of this key is the
issuer of the credential, which is identified by the Authority
Identifier (A-ID).

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Key ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

1 - PAC-Key

Length

2-octet length indicating the length of the key key.

Key

The value of the PAC-Key.

4.2.12.3. PAC-Opaque

The PAC-Opaque attribute is included within the PAC TLV whenever the
server wishes to issue or renew a PAC.

The PAC-Opaque is opaque to the peer peer, and thus the peer MUST NOT
attempt to interpret it. A peer that has been issued a PAC-Opaque by
a server stores that data and presents it back to the server
according to its PAC Type. PAC-Type. The Tunnel PAC is used in the ClientHello
SessionTicket extension field defined in [RFC5077]. If a peer has
opaque data issued to it by multiple servers, then it stores the data
issued by each server separately according to the A-ID. This
requirement allows the peer to maintain and use each opaque datum as
an independent PAC pairing, with a PAC-Key mapping to a PAC-Opaque
identified by the A-ID. As there is a one-to-one correspondence
between the PAC-Key and PAC-Opaque, the peer determines the PAC-Key
and corresponding PAC-Opaque based on the A-ID provided in the TEAP/
Start message and the A-ID provided in the PAC-Info when it was
provisioned with a PAC-Opaque.

The PAC-Opaque attribute format is summarized as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

2 - PAC-Opaque

Length

The Length filed field is two octets, which contains the length of the
Value field in octets.

Value

The Value field contains the actual data for the PAC-Opaque. It
is specific to the server implementation.

4.2.12.4. PAC-Info

The PAC-Info is comprised of a set of PAC attributes as defined in
Section 4.2.12.1. The PAC-Info attribute MUST contain the A-ID, A
-ID-Info, and PAC-Type attributes. Other attributes MAY be included
in the PAC-Info to provide more information to the peer. The PAC-
Info attribute MUST NOT contain the PAC-Key, PAC-Acknowledgement,
PAC-Info, or PAC-Opaque attributes. The PAC-Info attribute is
included within the PAC TLV whenever the server wishes to issue or
renew a PAC.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
9 - PAC-Info

Length

2-octet Length field containing the length of the attributes Attributes field in
octets.

Attributes

The attributes Attributes field contains a list of PAC attributes. Each
mandatory and optional field type is defined as follows:

3 - PAC-LIFETIME PAC-Lifetime

This is a 4-octet quantity representing the expiration time of
the credential expressed as the number of seconds, excluding
leap seconds, after midnight UTC, January 1, 1970. This
attribute MAY be provided to the peer as part of the PAC-Info.

4 - A-ID

The A-ID is the identity of the authority that issued the PAC.
The A-ID is intended to be unique across all issuing servers to
avoid namespace collisions. The A-ID is used by the peer to
determine which PAC to employ. The A-ID is treated as an
opaque octet string. This attribute MUST be included in the
PAC-Info attribute. The A-ID MUST match the Authority-ID the
server used to establish the tunnel. One method for generating
the A-ID is to use a high-quality random number generator to
generate a random number. An alternate method would be to take
the hash of the public key or public key certificate belonging
to a server represented by the A-ID.

5 - I-ID

Initiator identifier Identifier (I-ID) is the peer identity associated
with the credential. This identity is derived from the inner
authentication or from the client-side authentication during
tunnel establishment if inner authentication is not used. The
server employs the I-ID in the TEAP phase Phase 2 conversation to
validate that the same peer identity used to execute TEAP phase Phase
1 is also used in at minimum one inner authentication in TEAP phase
Phase 2. If the server is enforcing the I-ID validation on the
inner authentication, then the I-ID MUST be included in the
PAC-Info, to enable the peer to also enforce a unique PAC for
each unique user. If the I-ID is missing from the PAC-Info, it
is assumed that the Tunnel PAC can be used for multiple users
and the peer will not enforce the unique-Tunnel-PAC-per-user
policy.

7 - A-ID-Info

Authority Identifier Information is intended to provide a
user-friendly user-
friendly name for the A-ID. It may contain the enterprise name
and server name in a human-readable format. This TLV serves as
an aid to the peer to better inform the
end-user end user about the
A-ID. The name is encoded in UTF-8 [RFC3629] format. This
attribute MUST be included in the PAC-Info.

10 - PAC-type PAC-Type

The PAC-Type is intended to provide the type of PAC. This
attribute SHOULD be included in the PAC-Info. If the PAC-
Type PAC-Type
is not present, then it defaults to a Tunnel PAC (Type 1).

4.2.12.5. PAC-Acknowledgement TLV

The PAC-Acknowledgement is used to acknowledge the receipt of the
Tunnel PAC by the peer. The peer includes the PAC-Acknowledgement
TLV in a PAC-TLV PAC TLV sent to the server to indicate the result of the
processing and storing of a newly provisioned Tunnel PAC. This TLV
is only used when Tunnel PAC is provisioned.

Type

8 - PAC-Acknowledgement

Length

The length of this field is two octets containing a value of 2.

Result

The resulting value MUST be one of the following:

1 - Success
2 - Failure

4.2.12.6. PAC-Type TLV

The PAC-Type TLV is a TLV intended to specify the PAC type. PAC-Type. It is
included in a PAC-TLV PAC TLV sent by the peer to request PAC provisioning
from the server. Its format is described below:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAC Type PAC-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

10 - PAC-Type

Length

2-octet Length field with a value of 2

PAC Type 2.

PAC-Type

This 2-octet field defines the type of PAC being requested or
provisioned. The following values are defined:

1 - Tunnel PAC

4.2.13. Crypto-Binding TLV

The Crypto-Binding TLV is used to prove that both the peer and server
participated in the tunnel establishment and sequence of
authentications. It also provides verification of the TEAP type,
version negotiated, outer and Outer TLVs exchanged before the TLS tunnel
establishment.

The Crypto-Binding TLV MUST be exchanged and verified before the
final Result TLV exchange, regardless of whether there is an inner
EAP method authentication or not. It MUST be included with the
Intermediate-Result TLV to perform Cryptographic Binding cryptographic binding after each
successful EAP method in a sequence of EAP methods, before proceeding
with another inner EAP method.

The Crypto-Binding TLV is valid only if the following checks pass:

o The Crypto-Binding TLV version is supported supported.

o The MAC verifies correctly correctly.

o The received version in the Crypto-Binding TLV matches the version
sent by the receiver during the EAP version negotiation negotiation.

o The subtype is set to the correct value value.

If any of the above checks fails, then the TLV is invalid. An
invalid Crypto-Binding TLV is a fatal error and is handled as
described in Section 3.6.3

The Crypto-Binding TLV is defined as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Version | Received Ver.| Flags|Sub-Type|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Nonce ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ EMSK Compound MAC ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ MSK Compound MAC ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Mandatory, set to one (1)

Reserved, set to zero (0)

TLV Type

12 for - Crypto-Binding TLV
Length

Reserved

Reserved, set to zero (0)

Version

The Version field is a single octet, which is set to the version
of Crypto-Binding TLV the TEAP method is using. For an
implementation compliant with this version of TEAP, the version
number MUST be set to one (1).

Received Version Ver

The Received Version Ver field is a single octet and MUST be set to the
TEAP version number received during version negotiation. Note
that this field only provides protection against downgrade
attacks, where a version of EAP requiring support for this TLV is
required on both sides.

Flags

The Flags field is four bits. Defined values include

1 EMSK Compound MAC is present

2 MSK Compound MAC is present

3 Both EMSK and MSK Compound MAC are present

Sub-Type

The Sub-Type field is four bits. Defined values include

0 Binding Request

1 Binding Response

Nonce

The Nonce field is 32 octets. It contains a 256-bit nonce that is
temporally unique, used for compound Compound MAC key derivation at each
end. The nonce in a request MUST have its least significant bit
set to zero (0) (0), and the nonce in a response MUST have the same
value as the request nonce except the least significant bit MUST
be set to one (1).

EMSK Compound MAC

The EMSK Compound MAC field is 20 octets. This can be the Server
MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the
MAC is described in Section 5.3.

MSK Compound MAC

The MSK Compound MAC field is 20 octets. This can be the Server
MAC (B1_MAC) or the Client MAC (B2_MAC). The computation of the
MAC is described in Section 5.3.

4.2.14. Basic-Password-Auth-Req TLV

The Basic-Password-Auth-Req TLV is used by the authentication server
to request a username and password from the peer. It contains an
optional user prompt message for the request. The peer is expected
to obtain the username and password and send them in a Basic-
Password-Auth-Resp TLV.

The Basic-Password-Auth-Req TLV is defined as follows:

0 (Optional)

Reserved, set to zero (0)

TLV Type

13 for - Basic-Password-Auth-Req TLV

Length

variable
Prompt

optional user prompt message in UTF-8 [RFC3629] format

4.2.15. Basic-Password-Auth-Resp TLV

The Basic-Password-Auth-Resp TLV is used by the peer to respond to a
Basic-Password-Auth-Req TLV with a username and password. The TLV
contains a username and password. The username and password are in
UTF-8 [RFC3629] format.

The Basic-Password-Auth-Resp TLV is defined as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Userlen | Username
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Username ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Passlen | Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Password ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0 (Optional)

Reserved, set to zero (0)

TLV Type

14 for - Basic-Password-Auth-Resp TLV

Length

variable

Userlen

Length of Username field in octets

Username
Username in UTF-8 [RFC3629] format

Passlen

Length of Password field in octets

Password

Password in UTF-8 [RFC3629] format

4.2.16. PKCS#7 TLV

The PKCS#7 TLV is used by the EAP server to deliver (a) certificate(s) to
the peer. The format consists of a certificate or certificate chain
in binary DER encoding [X.690] in a degenerate
certificates-only Certificates Only
PKCS#7 SignedData Content as defined in [RFC5652].

When used in response to a Trusted-Server-Root TLV request from the
peer, the EAP server MUST send the PKCS#7 TLV inside a Trusted-
Server-Root TLV. When used in response to a PKCS#10 certificate
enrollment request from the peer, the EAP server MUST send the PKCS#7
TLV without a Trusted-Server-Root TLV. The PKCS#7 TLV is always
marked as optional, which cannot be responded to with a NAK TLV.
TEAP implementations that support the Trusted-Server-Root TLV or the
PKCS#10 TLV MUST support this TLV. Peers MUST NOT assume that the
certificates in a PKCS#7 TLV are in any order.

TEAP Servers servers MAY return self-signed certificates. Peers that handle
self-signed certificates or trust anchors MUST NOT implicitly trust
these certificates merely due to their presence in the certificate
bag. Note: Peers are advised to take great care in deciding whether
to use a received certificate as a trust anchor. The authenticated
nature of the tunnel in which a PKCS#7 bag is received can provide a
level of authenticity to the certificates contained therein. Peers
are advised to take into account the implied authority of the EAP
server and to constrain the trust it can achieve through the trust
anchor received in a PKCS#7 TLV.

The PKCS#7 TLV is defined as follows:

0 - Optional TLV

Reserved, set to zero (0)

TLV Type

15 - PKCS#7 TLV

Length

The length of the PKCS #7 PKCS#7 Data field.

PKCS #7

PKCS#7 Data

This field contains the DER-encoded X.509 certificate or
certificate chain in a Certificates-Only PKCS#7 SignedData
message.

4.2.17. PKCS#10 TLV

The PKCS#10 TLV is used by the peer to initiate the "simple PKI"
Request/Response from [RFC5272]. The format of the request is as
specified in Section 6.4 of [RFC4945]. The PKCS#10 TLV is always
marked as optional, which cannot be responded to with a NAK TLV.

The PKCS#10 TLV is defined as follows:

0 - Optional TLV

Reserved, set to zero (0)

TLV Type
16 - PKCS#10 TLV

Length

The length of the PKCS #10 PKCS#10 Data field.

PKCS #10

PKCS#10 Data

This field contains the DER-encoded PKCS#10 certificate request.

4.2.18. Trusted-Server-Root TLV

Trusted-Server-Root TLV facilitates the request and delivery of a
trusted server root certificate. The Trusted-Server-Root TLV can be
exchanged in regular TEAP authentication mode or provisioning mode.
The Trusted-Server-Root TLV is always marked as optional, optional and cannot
be responded to with a Negative Acknowledgement (NAK) TLV. The
Trusted-Server-Root TLV MUST only be sent as an inner Inner TLV (inside the
protection of the tunnel).

After the peer has determined that it has successfully authenticated
the EAP server and validated the Crypto-Binding TLV, it MAY send one
or more Trusted-Server-Root TLVs (marked as optional) to request the
trusted server root certificates from the EAP server. The EAP server
MAY send one or more root certificates with a Public Key
Cryptographic System #7 (PKCS#7) TLV inside Server-Trusted-Root the Trusted-Server-Root
TLV. The EAP server MAY also choose not to honor the request.

The Trusted-Server-Root TLV allows the peer to send a request to the
EAP server for a list of trusted roots. The server may respond with
one or more root certificates in PKCS#7 [RFC2315] format.

If the EAP server sets the credential format to PKCS#7-Server-
Certificate-Root, then the Trusted-Server-Root TLV should contain the
root of the certificate chain of the certificate issued to the EAP
server packaged in a PKCS#7 TLV. If the Server server certificate is a
self-signed certificate, then the root is the self-signed
certificate.

If the Trusted-Server-Root TLV credential format contains a value
unknown to the peer, then the EAP peer should ignore the TLV.

The Trusted-Server-Root TLV is defined as follows:

0 - Optional TLV

Reserved, set to zero (0)

TLV Type

17 - Trusted-Server-Root TLV

Length

>=2 octets

Credential-Format

The Credential-Format field is two octets. Values include:

1 - PKCS#7-Server-Certificate-Root

Cred TLVs

This field is of indefinite length. It contains TLVs associated
with the credential format. The peer may leave this field empty
when using this TLV to request server trust roots.

4.3. TLV Rules

To save round trips, multiple TLVs can be sent in the a single TEAP
packet. However, multiple EAP Payload TLVs, or multiple Basic Password
Authentication TLVs, or an EAP Payload TLV with a Basic Password
Authentication TLV within one single TEAP packet, packet is not supported in
this version and MUST NOT be sent. If the peer or EAP server
receives multiple EAP Payload TLVs, then it MUST terminate the
connection with the Result TLV. The order of TLVs in TEAP does not
matter, except one should always process the Identity-Type TLV before
processing the EAP TLV or Basic Password Authentication TLV as the
Identity-Type TLV is a hint to the type of identity that is to be
authenticated.

The following table defines define the meaning of the table entries in the sections
below:

0 This TLV MUST NOT be present in the message.

0+ Zero or more instances of this TLV MAY be present in the
message.

0-1 Zero or one instance of this TLV MAY be present in the message.

1 Exactly one instance of this TLV MUST be present in the
message.

4.3.1. Outer TLVs

The following table provides a guide to which TLVs may be included in
the TEAP packet outside the TLS channel, which kind of packets, and
in what quantity:

Request Response Success Failure TLVs
0-1 0 0 0 Authority-ID
0-1 0-1 0 0 Identity-Type
0+ 0+ 0 0 Vendor-Specific

Outer-TLVs

Outer TLVs MUST be marked as optional. Vendor-TLVs inside Vendor-
Specific TLV MUST be marked as optional when included in Outer TLVs.
Outer-TLVs
Outer TLVs MUST NOT be included in messages after the first two TEAP
messages sent by peer and EAP-server respectively. That is the first
EAP server to peer
EAP-server-to-peer message and first peer to EAP server peer-to-EAP-server message. If
the message is fragmented, the whole set of messages is counted as
one message. If Outer-TLVs Outer TLVs are included in messages after the first
two TEAP messages, they MUST be ignored.

4.3.2. Inner TLVs

The following table provides a guide to which inner Inner TLVs may be
encapsulated in TLS in TEAP Phase 2, in which kind of packets, and in
what quantity. The messages are as follows: Request is a TEAP
Request, Response is a TEAP Response, Success is a message containing
a successful Result TLV, and Failure is a message containing a failed
Result TLV.

Request Response Success Failure TLVs
0-1 0-1 0 0 Identity-Type
0-1 0-1 1 1 Result
0+ 0+ 0 0 NAK
0+ 0+ 0+ 0+ Error
0-1 0-1 0 0 Channel-Binding
0+ 0+ 0+ 0+ Vendor-Specific [NOTE1]
0+ 0+ 0+ 0+ Request-Action
0-1 0-1 0 0 EAP-Payload
0-1 0-1 0-1 0-1 Intermediate-Result
0+ 0+ 0+ 0 PAC-TLV PAC TLV
0-1 0-1 0-1 0-1 Crypto-Binding
0-1 0 0 0 Basic-Password-Auth-Req
0 0-1 0 0 Basic-Password-Auth-Resp
0-1 0 0-1 0 PKCS#7
0 0-1 0 0 PKCS#10
0-1 0-1 0-1 0 Server-Trusted-Root

[NOTE1] Trusted-Server-Root

NOTE: Vendor TLVs (included in Vendor-Specific TLVs) sent with a
Result TLV MUST be marked as optional.

5. Cryptographic Calculations

For key derivation and crypto-binding, TEAP uses the PRF Pseudorandom
Function (PRF) and MAC algorithms negotiated in the underlying TLS
session. Since these algorithms depend on the TLS version and cipher suite,
ciphersuite, TEAP implementations need a mechanism to determine the
version and cipher
suite ciphersuite in use for a particular session. The
implementation can then use this information to determine which PRF
and MAC algorithm to use.

5.1. TEAP Authentication Phase 1: Key Derivations

With TEAPv1, the TLS master secret is generated as specified in TLS.
If a PAC is used used, then the master secret is obtained as described in
[RFC5077].

TEAPv1 makes use of the TLS Keying Material Exporters defined in
[RFC5705] to derive the session_key_seed. The Label label used in the
derivation is "EXPORTER: teap session key seed". The length of the
session key seed material is 40 octets. No context data is used in
the export process.

The session_key_seed is used by the TEAP Authentication authentication Phase 2
conversation to both cryptographically bind the inner method(s) to
the tunnel as well as generate the resulting TEAP session keys. The
other quantities TLS keying materials are used derived and used as they are defined in
[RFC5246].

5.2. Intermediate Compound Key Derivations

The session_key_seed derived as part of TEAP Phase 2 is used in TEAP
Phase 2 to generate an Intermediate Compound Key (IMCK) used to
verify the integrity of the TLS tunnel after each successful inner
authentication and in the generation of Master Session Key (MSK) and
Extended Master Session Key (EMSK) defined in [RFC3748]. Note that
the IMCK MUST be recalculated after each successful inner EAP method.

The first step in these calculations is the generation of the base
compound key, IMCK[n] from the session_key_seed session_key_seed, and any session keys
derived from the successful execution of nth inner EAP methods. The
inner EAP method(s) may provide Inner Method Session Keys (IMSK), (IMSKs),
IMSK1..IMSKn, corresponding to inner method 1 through n.

If an inner method supports export of an Extended Master Session Key
(EMSK), then the IMSK SHOULD be derived from the EMSK as defined in
[RFC5295]. The usage label used is "TEAPbindkey@ietf.org" "TEAPbindkey@ietf.org", and the
length is 64 octets. Optional data parameter is not used in the
derivation.

IMSK = First 32 octets of KDF(EMSK, TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
"\0" | 64)

where "|" denotes concatenation, "EMSK" EMSK is the EMSK from the inner
method, "TEAPbindkey@ietf.org" consists of the 4 ASCII
values value for the letters,
label "TEAPbindkey@ietf.org" (without quotes), "\0" = is a NULL
octet (0x00 in hex), length is the 2-octet unsigned integer in
network byte order, KDF and TLS-PRF is defined in [RFC5295]. the PRF negotiated as part of
TLS handshake [RFC5246].

If an inner method does not support export of an Extended Master
Session Key (EMSK), then IMSK is the MSK of the inner method. The
MSK is truncated at 32 octets if it is longer than 32 octets or
padded to a length of 32 octets with zeros if it is less than 32
octets.

However, it's possible that the peer and server sides might not have
the same capability to export EMSK. In order to maintain maximum
flexibility while prevent downgrading attack, the following mechanism
is in place: place.

On the sender of the Crypto-Binding TLV side:

If the EMSK is not available, then the sender computes the Compound
MAC using the MSK of the inner method.

If the EMSK is available, available and the sender's policy accepts MSK based MSK-based
MAC, then it the sender computes two Compound MAC values. The first
is computed with the EMSK. The second one is computed using the
MSK. Both MACs are then sent to the other side.

If the EMSK is available, available but the sender's policy does not allow
downgrade
downgrading to MSK generated MSK-generated MAC, then it the sender SHOULD only send EMSK based
EMSK-based MAC.

On the receiver of the Crypto-Binding TLV side:

If the EMSK is not available and a MSK based an MSK-based Compound MAC was
sent, then the receiver validates the Compound MAC and sends back a MSK based
an MSK-based Compound MAC response.

If the EMSK is not available and no MSK based MSK-based Compound MAC was
sent, then the receiver handles like an invalid Crypto-Binding TLV
with a fatal error.

If the EMSK is available and an EMSK based EMSK-based Compound MAC was sent,
then the receiver validates it and creates a response Compound MAC
using the EMSK.

If the EMSK is available, available but no EMSK based EMSK-based Compound MAC was sent, sent
and its policy accepts MSK based MSK-based MAC, then the receiver validates
it using the MSK and and, if successful, generates and returns a MSK an MSK-
based Compound MAC.

If the EMSK is available, available but no EMSK Compound MAC was sent, sent and its
policy does not accept MSK based MSK-based MAC, then it the receiver handles
like an invalid Crypto-Binding TLV with a fatal error.

If the ith inner method does not generate an EMSK or MSK, then IMSKi
is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner method
fails, then it is not included in this calculation. The derivations derivation
of S-IMCK is as follows:

S-IMCK[0] = session_key_seed
For j = 1 to n-1 do
IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
IMSK[j], 60)
S-IMCK[j] = first 40 octets of IMCK[j]
CMK[j] = last 20 octets of IMCK[j]

where TLS-PRF is the PRF negotiated as part of TLS handshake
[RFC5246].

5.3. Computing the Compound MAC

For authentication methods that generate keying material, further
protection against man-in-the-middle attacks is provided through
cryptographically binding keying material established by both TEAP
Phase 1 and TEAP Phase 2 conversations. After each successful inner
EAP authentication, EAP EMSK and/or MSKs are cryptographically
combined with key material from TEAP Phase 1 to generate a compound
session key, CMK. Compound
Session Key (CMK). The CMK is used to calculate the Compound MAC as
part of the Crypto-Binding TLV described in Section 4.2.13, which
helps provide assurance that the same entities are involved in all
communications in TEAP. During the calculation of the Compound-MAC Compound MAC,
the MAC field is filled with zeros.

The Compound MAC computation is as follows:

CMK = CMK[j]
Compound-MAC = MAC( CMK, BUFFER )

where j is the number of the last successfully executed inner EAP
method, MAC is the MAC function negotiated in TLS 1.2 [RFC5246], and
BUFFER is created after concatenating these fields in the following
order:

1 The entire Crypto-Binding TLV attribute with both the EMSK and MSK
Compound MAC fields zeroed out.

2 The EAP Type sent by the other party in the first TEAP message.

3 All the Outer-TLVs Outer TLVs from the first TEAP message sent by EAP server
to peer. If a single TEAP message is fragmented into multiple
TEAP packets; packets, then the Outer-TLVs Outer TLVs in all the fragments of that
message MUST be included.

4 All the Outer-TLVs Outer TLVs from the first TEAP message sent by the peer to
the EAP server. If a single TEAP message is fragmented into
multiple TEAP packets, then the Outer-TLVs Outer TLVs in all the fragments of
that message MUST be included.

5.4. EAP Master Session Key Generation
TEAP Authentication authentication assures the master session key Master Session Key (MSK) and Extended
Master Session Key (EMSK) output from the EAP method are the result
of all authentication conversations by generating an Intermediate
Compound Key (IMCK). The IMCK is mutually derived by the peer and
the server as described in Section 5.2 by combining the MSKs from
inner EAP methods with key material from TEAP Phase 1. The resulting
MSK and EMSK are generated as part of the IMCKn key hierarchy as
follows:

MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
EMSK = TLS-PRF(S-IMCK[j],
"Extended Session Key Generating Function", 64)

where j is the number of the last successfully executed inner EAP
method.

The EMSK is typically only known to the TEAP peer and server and is
not provided to a third party. The derivation of additional keys and
transportation of these keys to a third party is are outside the scope
of this document.

If no EAP methods have been negotiated inside the tunnel or no EAP
methods have been successfully completed inside the tunnel, the MSK
and EMSK will be generated directly from the session_key_seed meaning
S-IMCK = session_key_seed.

6. IANA Considerations

This section provides guidance to the Internet Assigned Numbers
Authority (IANA) regarding registration of values related to the TEAP
protocol, in accordance with BCP 26, 26 [RFC5226].

The EAP Method Type number 55 has been assigned for TEAP needs to be assigned. TEAP.

The document defines a registry for TEAP TLV types, which may be
assigned by Specification Required as defined in [RFC5226].
Section 4.2 defines the TLV types that initially populate the
registry. A summary of the TEAP TLV types is given below:

0 Unassigned

1 Authority-ID TLV

2 Identity-Type TLV

3 Result TLV

4 NAK TLV
5 Error TLV

6 Channel-Binding TLV

7 Vendor-Specific TLV

8 Request-Action TLV

9 EAP-Payload TLV

10 Intermediate-Result TLV

11 PAC TLV

12 Crypto-Binding TLV

13 Basic-Password-Auth-Req TLV

14 Basic-Password-Auth-Resp TLV

15 PKCS#7 TLV

16 PKCS#10 TLV

17 Trusted-Server-Root TLV

The Identity-Type defined in Section 4.2.3 contains an Identity Type identity type
code which that is assigned on a Specification Required basis as defined in
[RFC5226]. The initial types defined are:

1 User

2 Machine

The Result TLV defined in Section 4.2.4, Request-Action TLV defined
in Section 4.2.9, and Intermediate-Result TLV defined in
Section 4.2.11 contain a Status code which that is assigned on a
Specification Required basis as defined in [RFC5226]. The initial
types defined are:

1 Success

2 Failure

The Error-TLV defined in Section 4.2.6 requires an error-code. error code. TEAP
Error-TLV error-codes error codes are assigned based on a Specification Required
basis as defined in [RFC5226]. The initial list of error codes is as
follows:

1 User account expires soon

2 User account credential expires soon

3 User account authorisations authorizations change soon

4 Clock skew detected

5 Contact administrator

6 User account credentials change required

1001 Inner Method Error

1002 Unspecified authentication infrastructure problem

1003 Unspecified authentication failure

1004 Unspecified authorisation authorization failure

1005 User account credentials unavailable

1006 User account expired

1007 User account locked: try again later

1008 User account locked: admin intervention required

1009 Authentication infrastructure unavailable

1010 Authentication infrastructure not trusted

1011 Clock skew too great

1012 Invalid inner realm

1013 Token out of sync: administrator intervention required

1014 Token out of sync: PIN change required

1015 Token revoked

1016 Tokens exhausted

1017 Challenge expired

1018 Challenge algorithm mismatch
1019 Client certificate not supplied

1020 Client certificate rejected

1021 Realm mismatch between inner and outer identity

1022 Unsupported Algorithm In Certificate Signing Request

1023 Unsupported Extension In Certificate Signing Request

1024 Bad Identity In Certificate Signing Request

1025 Bad Certificate Signing Request

1026 Internal CA Error

1027 General PKI Error

1028 Inner method's channel binding channel-binding data required but not supplied

1029 Inner method's channel binding channel-binding data did not include required
information

1030 Inner method's channel binding failed

1031 User account credentials incorrect [USAGE NOT RECOMMENDED]

2001 Tunnel Compromise Error

2002 Unexpected TLVs Exchanged

The Request-Action TLV defined in Section 4.2.9 contains an action
code which that is assigned on a Specification Required basis as defined in
[RFC5226]. The initial actions defined are:

1 Process-TLV

2 Negotiate-EAP

The PAC Attribute defined in Section 4.2.12.1 contains a Type code
which
that is assigned on a Specification Required basis as defined in
[RFC5226]. The initial types defined are:

1 PAC-key PAC-Key

2 PAC-Opaque

3 PAC-Lifetime
4 A-ID

5 I-ID

6 Reserved

7 A-ID-Info

8 PAC-Acknowledgement

9 PAC-Info

10 PAC-Type

The PAC-Type defined in Section 4.2.12.6 contains a Type type code which that is
assigned on a Specification Required basis as defined in [RFC5226].
The initial types type defined are: is:

1 Tunnel PAC

The Trusted-Server-Root TLV defined in Section 4.2.18 contains a
Credential-Format code which that is assigned on a Specification Required
basis as defined in [RFC5226]. The initial types type defined are: is:

1 PKCS#7-Server-Certificate-Root

The various values under the Vendor-Specific TLV are assigned by
Private Use and do not need to be assigned by IANA.

TEAP registers the label "EXPORTER: teap session key seed" in the TLS
Exporter Label Registry [RFC5705]. This label is used in derivation
as defined in Section 5.1.

TEAP registers a TEAP binding usage label from the "USRK "User Specific
Root Keys (USRK) Key Labels" name space defined in [RFC5295] with a
value "TEAPbindkey@ietf.org".

7. Security Considerations

TEAP is designed with a focus on wireless media, where the medium
itself is inherent to eavesdropping. Whereas in wired media, media an
attacker would have to gain physical access to the wired medium; medium,
wireless media enables anyone to capture information as it is
transmitted over the air, enabling passive attacks. Thus, physical
security can not be assumed assumed, and security vulnerabilities are far
greater. The threat model used for the security evaluation of TEAP
is defined in EAP [RFC3748].

7.1. Mutual Authentication and Integrity Protection

TEAP as

As a whole, TEAP provides message and integrity protection by
establishing a secure tunnel for protecting the authentication
method(s). The confidentiality and integrity protection is defined
by TLS and provides the same security strengths afforded by TLS
employing a strong entropy shared master secret. The integrity of
the key generating authentication methods executed within the TEAP
tunnel is verified through the calculation of the Crypto-Binding TLV.
This ensures that the tunnel endpoints are the same as the inner
method endpoints.

The Result TLV is protected and conveys the true Success or Failure
of TEAP, and it should be used as the indicator of its success or
failure respectively. However, as EAP terminates with either a clear
text
cleartext EAP Success or Failure, a peer will also receive a clear text
cleartext EAP Success or Failure. The received clear text cleartext EAP Success
or Failure MUST match that received in the Result TLV; the peer
SHOULD silently discard those clear text cleartext EAP success Success or failure Failure
messages that do not coincide with the status sent in the protected
Result TLV.

7.2. Method Negotiation

As is true for any negotiated EAP protocol, NAK packets used to
suggest an alternate authentication method are sent unprotected and and,
as such, are subject to spoofing. During unprotected EAP method
negotiation, NAK packets may be interjected as active attacks to
negotiate down to a weaker form of authentication, such as EAP-MD5
(which only provides one-way authentication and does not derive a
key). Both the peer and server should have a method selection policy
that prevents them from negotiating down to weaker methods. Inner
method negotiation resists attacks because it is protected by the
mutually authenticated TLS tunnel established. Selection of TEAP as
an authentication method does not limit the potential inner
authentication methods, so TEAP should be selected when available.

An attacker cannot readily determine the inner EAP method used,
except perhaps by traffic analysis. It is also important that peer
implementations limit the use of credentials with an unauthenticated
or unauthorized server.

7.3. Separation of Phase 1 and Phase 2 Servers

Separation of the TEAP Phase 1 from the Phase 2 conversation is NOT
RECOMMENDED. Allowing the Phase 1 conversation to be terminated at a
different server than the Phase 2 conversation can introduce
vulnerabilities if there is not a proper trust relationship and
protection for the protocol between the two servers. Some
vulnerabilities include:

o Loss of identity protection

o Offline dictionary attacks

o Lack of policy enforcement

o Man-in-the-middle attacks (as described in [RFC7029])

There may be cases where a trust relationship exists between the
Phase 1 and Phase 2 servers, such as on a campus or between two
offices within the same company, where there is no danger in
revealing the inner identity and credentials of the peer to entities
between the two servers. In these cases, using a proxy solution
without end-to-end protection of TEAP MAY be used. The TEAP
encrypting/decrypting gateway MUST, at a minimum, provide support for
IPsec, TLS TLS, or similar protection in order to provide confidentiality
for the portion of the conversation between the gateway and the EAP
server. In addition, separation of the inner and outer method
servers allows for crypto-binding based on the inner method MSK to be
thwarted as described in [RFC7029]. Implementation and deployment
SHOULD adopt various mitigation strategies described in [RFC7029].
If the inner method is deriving EMSK, then this threat is mitigated
as TEAP utilizes the mutual crypto-binding based on EMSK as described
in [RFC7029].

7.4. Mitigation of Known Vulnerabilities and Protocol Deficiencies

TEAP addresses the known deficiencies and weaknesses in the EAP
method. By employing a shared secret between the peer and server to
establish a secured tunnel, TEAP enables:

o Per packet Per-packet confidentiality and integrity protection

o User identity protection

o Better support for notification messages

o Protected EAP inner method negotiation

o Sequencing of EAP methods

o Strong mutually derived master session keys MSKs

o Acknowledged success/failure indication
o Faster re-authentications through session resumption

o Mitigation of dictionary attacks

o Mitigation of man-in-the-middle attacks

o Mitigation of some denial-of-service attacks

It should be noted that in TEAP, as in many other authentication
protocols, a denial-of-service attack can be mounted by adversaries
sending erroneous traffic to disrupt the protocol. This is a problem
in many authentication or key agreement protocols and is therefore
noted for TEAP as well.

TEAP was designed with a focus on protected authentication methods
that typically rely on weak credentials, such as password-based
secrets. To that extent, the TEAP Authentication authentication mitigates several
vulnerabilities, such as dictionary attacks, by protecting the weak
credential-based authentication method. The protection is based on
strong cryptographic algorithms in TLS to provide message
confidentiality and integrity. The keys derived for the protection
relies on strong random challenges provided by both peer and server
as well as an established key with strong entropy. Implementations
should follow the recommendation in [RFC4086] when generating random
numbers.

7.4.1. User Identity Protection and Verification

The initial identity request response exchange is sent in cleartext
outside the protection of TEAP. Typically Typically, the Network Access
Identifier (NAI) [RFC4282] in the identity response is useful only
for the realm of information that is used to route the authentication
requests to the right EAP server. This means that the identity
response may contain an anonymous identity and just contain realm
information. In other cases, the identity exchange may be eliminated
altogether if there are other means for establishing the destination
realm of the request. In no case should an intermediary place any
trust in the identity information in the identity response since it
is unauthenticated and may not have any relevance to the
authenticated identity. TEAP implementations should not attempt to
compare any identity disclosed in the initial cleartext EAP Identity
response packet with those Identities authenticated in Phase 2.

Identity request-response request/response exchanges sent after the TEAP tunnel is
established are protected from modification and eavesdropping by
attackers.

Note that since TLS client certificates are sent in the clear, if
identity protection is required, then it is possible for the TLS
authentication to be re-negotiated renegotiated after the first server
authentication. To accomplish this, the server will typically not
request a certificate in the server_hello, then server_hello; then, after the
server_finished message is sent, sent and before TEAP Phase 2, the server
MAY send a TLS hello_request. This allows the peer to perform client
authentication by sending a client_hello if it wants to, to or send a
no_renegotiation alert to the server indicating that it wants to
continue with TEAP Phase 2 instead. Assuming that the peer permits
renegotiation by sending a client_hello, then the server will respond
with server_hello, a certificate certificate, and certificate_request messages.
The peer replies with certificate, client_key_exchange client_key_exchange, and
certificate_verify messages. Since this re-negotiation renegotiation occurs within
the encrypted TLS channel, it does not reveal client certificate
details. It is possible to perform certificate authentication using
an EAP method (for example: example, EAP-TLS) within the TLS session in TEAP
Phase 2 instead of using TLS handshake renegotiation.

7.4.2. Dictionary Attack Resistance

TEAP was designed with a focus on protected authentication methods
that typically rely on weak credentials, such as password-based
secrets. TEAP mitigates dictionary attacks by allowing the
establishment of a mutually authenticated encrypted TLS tunnel
providing confidentiality and integrity to protect the weak
credential based
credential-based authentication method.

7.4.3. Protection against Man-in-the-Middle Attacks

Allowing methods to be executed both with and without the protection
of a secure tunnel opens up a possibility of a man-in-the-middle
attack. To avoid man-in-the-middle attacks it is recommended to
always deploy authentication methods with the protection of TEAP.
TEAP provides protection from man-in-the-middle attacks even if a
deployment chooses to execute inner EAP methods both with and without
TEAP protection, protection. TEAP prevents this attack in two ways:

1. By using the PAC-Key to mutually authenticate the peer and server
during TEAP Authentication authentication Phase 1 establishment of a secure
tunnel.

2. By using the keys generated by the inner authentication method
(if the inner methods are key generating) in the crypto-binding
exchange and in the generation of the key material exported by
the EAP method described in Section 5.

TEAP crypto binding does not guarantee man-in-the-middle protection
if the client allows a connection to an untrusted server, such as in
the case where the client does not properly validate the server's
certificate. If the TLS
cipher suite ciphersuite derives the master secret solely
from the contribution of secret data from one side of the
conversation (such as ciphersuites based on RSA key
transport based ciphersuites) transport), then
an attacker who can insert themselves
in convince the conversation if client to connect and engage in
authentication can impersonate the client to another server certificate is not verified even if a
strong inner method is executed within the tunnel. If the TLS
ciphersuite derives the master secret from the contribution of
secrets from both sides of the conversation (such as in Diffie-
Hellman ciphersuites
based cipher suites) on Diffie-Hellman), then crypto binding can detect an attacker
in the conversation if a strong inner method is used.

7.4.4. PAC Binding to User Identity

A PAC may be bound to a user identity. A compliant implementation of
TEAP MUST validate that an identity obtained in the PAC-Opaque field
matches at minimum one of the identities provided in the TEAP Phase 2
authentication method. This validation provides another binding to
ensure that the intended peer (based on identity) has successfully
completed the TEAP Phase 1 and proved identity in the Phase 2
conversations.

7.5. Protecting against Forged Clear Text Cleartext EAP Packets

EAP Success and EAP Failure packets are, in general, sent in clear
text
cleartext and may be forged by an attacker without detection. Forged
EAP Failure packets can be used to attempt to convince an EAP peer to
disconnect. Forged EAP Success packets may be used to attempt to
convince a peer that authentication has succeeded, even though the
authenticator has not authenticated itself to the peer.

By providing message confidentiality and integrity, TEAP provides
protection against these attacks. Once the peer and AS authentication
server (AS) initiate the TEAP Authentication authentication Phase 2, compliant TEAP
implementations MUST silently discard all clear text cleartext EAP messages,
unless both the TEAP peer and server have indicated success or
failure using a protected mechanism. Protected mechanisms include
the TLS alert mechanism and the protected termination mechanism
described in Section 3.3.3.

The success/failure decisions within the TEAP tunnel indicate the
final decision of the TEAP authentication conversation. After a
success/failure result has been indicated by a protected mechanism,
the TEAP peer can process unprotected EAP Success and EAP Failure
messages; however however, the peer MUST ignore any unprotected EAP success Success
or
failure Failure messages where the result does not match the result of the
protected mechanism.

To abide by [RFC3748], the server sends a clear text cleartext EAP Success or
EAP Failure packet to terminate the EAP conversation. However, since
EAP Success and EAP Failure packets are not retransmitted, the final
packet may be lost. While a TEAP protected TEAP-protected EAP Success or EAP
Failure packet should not be a final packet in a TEAP conversation,
it may occur based on the conditions stated above, so an EAP peer
should not rely upon the unprotected EAP success Success and failure Failure
messages.

7.6. Server Certificate Validation

As part of the TLS negotiation, the server presents a certificate to
the peer. The peer SHOULD verify the validity of the EAP server
certificate,
certificate and SHOULD also examine the EAP server name presented in
the certificate, certificate in order to determine whether the EAP server can be
trusted. When performing server certificate validation validation,
implementations MUST provide support for the rules in [RFC5280] for
validating certificates against a known trust anchor. In addition,
implementations MUST support matching the realm portion of the peer's
NAI against a SubjectAltName of type dNSName within the server
certificate. However, in certain deployments, this might not be
turned on. Please note that in the case where the EAP authentication
is remote, the EAP server will not reside on the same machine as the
authenticator, and therefore therefore, the name in the EAP server's
certificate cannot be expected to match that of the intended
destination. In this case, a more appropriate test might be whether
the EAP server's certificate is signed by a CA certification authority
(CA) controlling the intended domain and whether the authenticator
can be authorized by a server in that domain.

7.7. Tunnel PAC Considerations

Since the Tunnel PAC is stored by the peer, special care should be
given to the overall security of the peer. The Tunnel PAC MUST be
securely stored by the peer to prevent theft or forgery of any of the
Tunnel PAC components. In particular, the peer MUST securely store
the PAC-Key and protect it from disclosure or modification.
Disclosure of the PAC-Key enables an attacker to establish the TEAP
tunnel; however, disclosure of the PAC-Key does not reveal the peer
or server identity or compromise any other peer's PAC credentials.
Modification of the PAC-Key or PAC-Opaque components of the Tunnel
PAC may also lead to denial of service as the tunnel establishment
will fail. The PAC-Opaque component is the effective TLS ticket
extension used to establish the tunnel using the techniques of
[RFC5077]. Thus, the security considerations defined by [RFC5077]
also apply to the PAC- Opaque. PAC-Opaque. The PAC-Info may contain information
about the Tunnel PAC such as the identity of the PAC issuer and the
Tunnel PAC lifetime for use in the management of the Tunnel PAC. The
PAC-Info should be securely stored by the peer to protect it from
disclosure and modification.

7.8. Security Claims

This section provides the needed security claim requirement for EAP
[RFC3748].

Auth. mechanism: Certificate based, shared secret based Certificate-based, shared-secret-based, and
various tunneled authentication mechanisms.

Ciphersuite negotiation: Yes

Mutual authentication: Yes

Integrity protection: Yes, Yes. Any method executed within the TEAP
tunnel is integrity protected. The
cleartext EAP headers outside the tunnel are
not integrity protected.

Replay protection: Yes

Confidentiality: Yes

Key derivation: Yes

Key strength: See Note 1 below.

Dictionary attack prot.: Yes

Fast reconnect: Yes

Cryptographic binding: Yes

Session independence: Yes

Fragmentation: Yes

Key Hierarchy: Yes

Channel binding: Yes

Notes
1. BCP 86 [RFC3766] offers advice on appropriate key sizes. The
National Institute for Standards and Technology (NIST) also
offers advice on appropriate key sizes in [NIST-SP-800-57].
[RFC3766]
[RFC3766], Section 5 advises use of the following required RSA or
DH (Diffie-Hellman) module and DSA (Digital Signature Algorithm)
subgroup size in bits, bits for a given level of attack resistance in
bits. Based on the table below, a 2048-bit RSA key is required
to provide 128-bit 112-bit equivalent key strength:

Attack Resistance RSA or DH Modulus DSA subgroup
(bits) size (bits) size (bits)
----------------- ----------------- ------------
70 947 129
80 1228 148
90 1553 167
100 1926 186
150 4575 284
200 8719 383
250 14596 482

8. Acknowledgements

The TEAP v1 design and protocol

This specification is based on EAP-FAST [RFC4851], which included the
ideas and hard efforts of Nancy Cam-
Winget, Cam-Winget, David McGrew, Joe Salowey, Hao
Zhou, Pad Jakkahalli, Mark Krischer, Doug Smith, and Glen Zorn of
Cisco Systems, Inc.

The TLV processing was inspired from work on the Protected Extensible
Authentication Protocol version 2 (PEAPv2) with Ashwin Palekar, Dan
Smith, Sean Turner Turner, and Simon Josefsson.

The method for linking identity and proof-of-possession by placing
the tls-unique value in the challengePassword field of the CSR as
described in Section 3.8.2 was inspired by the technique described in
"Enrollment over Secure Transport" [RFC7030].

Helpful review comments were provided by Russ Housley, Jari Arkko,
Ilan Frenkel, Jeremy Steiglitz, Dan Harkins, Sam Hartman, Jim Schaad,
Barry Leiba, Stephen Farrell, Chris Lonvick Lonvick, and Josh Howlett.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.

[RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
"Transport Layer Security (TLS) Session Resumption without
Server-Side State", RFC 5077, January 2008.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
"Specification for the Derivation of Root Keys from an
Extended Master Session Key (EMSK)", RFC 5295, August
2008.

[RFC5705] Rescorla, E., "Keying Material Exporters for Transport
Layer Security (TLS)", RFC 5705, March 2010.

[RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
"Transport Layer Security (TLS) Renegotiation Indication
Extension", RFC 5746, February 2010.

[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", RFC 5929, July 2010.

[RFC6677] Hartman, S., Clancy, T., and K. Hoeper, "Channel-Binding
Support for Extensible Authentication Protocol (EAP)
Methods", RFC 6677, July 2012.

9.2. Informative References

[IEEE.802-1X.2004]

[IEEE.802-1X.2013]
IEEE, "Local and Metropolitan Area Networks: Port-Based
Network Access Control", IEEE Standard 802.1X, December 2004.
2013.

[NIST-SP-800-57]
National Institute of Standards and Technology,
"Recommendation for Key Management", NIST Special
Publication 800-57, May 2006. July 2012.

[PEAP] Microsoft Corporation, "[MS-PEAP]: Protected Extensible
Authentication Protocol (PEAP) Specification", August
2009. (PEAP)", February 2014.

[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", RFC 2315, March 1998.

[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
November 2000.

[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
November 2000.

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.

[RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
Public Keys Used For Exchanging Symmetric Keys", BCP 86,
RFC 3766, April 2004.

[RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
Authentication Protocol (EAP) Method Requirements for
Wireless LANs", RFC 4017, March 2005.

[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072,
August 2005.

[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", RFC 4282, December 2005.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.

[RFC4851] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The
Flexible Authentication via Secure Tunneling Extensible
Authentication Protocol Method (EAP-FAST)", RFC 4851, May
2007.

[RFC4945] Korver, B., "The Internet IP Security PKI Profile of IKEv1
/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007.

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication,
Authorization, and Accounting (AAA) Key Management", BCP
132, RFC 4962, July 2007.

[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
Authentication Protocol (EAP) Key Management Framework",
RFC 5247, August 2008.

[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, June 2008.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.

[RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication
Protocol Tunneled Transport Layer Security Authenticated
Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.

[RFC5421] Cam-Winget, N. and H. Zhou, "Basic Password Exchange
within the Flexible Authentication via Secure Tunneling
Extensible Authentication Protocol (EAP-FAST)", RFC 5421,
March 2009.

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, September 2009.

[RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication
Protocol (EAP) Authentication Using Only a Password", RFC
5931, August 2010.

[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
Extension Definitions", RFC 6066, January 2011.

[RFC6124] Sheffer, Y., Zorn, G., Tschofenig, H., and S. Fluhrer, "An
EAP Authentication Method Based on the Encrypted Key
Exchange (EKE) Protocol", RFC 6124, February 2011.

[RFC6678] Hoeper, K., Hanna, S., Zhou, H., and J. Salowey,
"Requirements for a Tunnel-Based Extensible Authentication
Protocol (EAP) Method", RFC 6678, July 2012.

[RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
Galperin, S., and C. Adams, "X.509 Internet Public Key
Infrastructure Online Certificate Status Protocol - OCSP",
RFC 6960, June 2013.

[RFC6961] Pettersen, Y., "The Transport Layer Security (TLS)
Multiple Certificate Status Request Extension", RFC 6961,
June 2013.

[RFC7029] Hartman, S., Wasserman, M., and D. Zhang, "Extensible
Authentication Protocol (EAP) Mutual Cryptographic
Binding", RFC 7029, October 2013.

[RFC7030] Pritikin, M., Yee, P., and D. Harkins, "Enrollment over
Secure Transport", RFC 7030, October 2013.

[X.690] ITU-T, "ITU-T Recommendation X.690 ASN.1 "ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, November 2008.

Appendix A. Evaluation Against Tunnel Based against Tunnel-Based EAP Method Requirements

This section evaluates all tunnel based tunnel-based EAP method requirements
described in [RFC6678] against TEAP version 1.

A.1. Requirement 4.1.1 4.1.1: RFC Compliance

TEAP v1

TEAPv1 meets this requirement by being compliant to with RFC 3748, 3748
[RFC3748], RFC
4017, 4017 [RFC4017], RFC 5247, 5247 [RFC5247], and RFC 4962. 4962
[RFC4962]. It is also compliant with the "cryptographic algorithm
agility" requirement by leveraging TLS 1.2 for all cryptographic
algorithm negotiation.

A.2. Requirement 4.2.1 4.2.1: TLS Requirements

Requirement 4.2.1 states:

The tunnel based method MUST support TLS version 1.2 [RFC5246] and
may support earlier versions greater than SSL 2.0 to enable the
possibility of backwards compatibility.

TEAP v1

TEAPv1 meets this requirement by mandating TLS version 1.2 support as
defined in Section 3.2.

A.3. Requirement 4.2.1.1.1 Cipher Suite 4.2.1.1.1: Ciphersuite Negotiation

Requirement 4.2.1.1.1 states:

Hence, the tunnel method MUST provide integrity protected cipher
suite negotiation with secure integrity algorithms and integrity
keys.

TEAP v1

TEAPv1 meets this requirement by using TLS to provide protected
cipher suite
ciphersuite negotiation.

A.4. Requirement 4.2.1.1.2 4.2.1.1.2: Tunnel Data Protection Algorithms

Requirement 4.2.1.1.2 states:

The tunnel method MUST provide at least one mandatory to implement
cipher suite that provides the equivalent security of 128-bit AES for
encryption and message authentication.

TEAP v1

TEAPv1 meets this requirement by mandating
TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory to implement cipher suite mandatory-to-implement ciphersuite
as defined in Section 3.2.

A.5. Requirement 4.2.1.1.3 4.2.1.1.3: Tunnel Authentication and Key Establishment

TEAP v1

TEAPv1 meets this requirement by mandating
TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory to implement cipher suite
which mandatory-to-implement ciphersuite
that provides certificate-based authentication of the server and is
approved by NIST. The mandatory to implement cipher suites mandatory-to-implement ciphersuites only
include cipher suites ciphersuites that use strong cryptographic algorithms. They
do not include cipher suites ciphersuites providing mutually anonymous
authentication or static Diffie-Hellman cipher suites ciphersuites as defined in
Section 3.2.

A.6. Requirement 4.2.1.2 4.2.1.2: Tunnel Replay Protection

TEAP v1

TEAPv1 meets this requirement by using TLS to provide sufficient
replay protection.

A.7. Requirement 4.2.1.3 4.2.1.3: TLS Extensions

TEAP v1

TEAPv1 meets this requirement by allowing TLS extensions, such as TLS
Certificate Status Request extension [RFC6066] and SessionTicket
extension [RFC5077] [RFC5077], to be used during TLS tunnel establishment.

A.8. Requirement 4.2.1.4 4.2.1.4: Peer Identity Privacy

TEAP v1

TEAPv1 meets this requirement by establishment of the TLS tunnel and
protection of inner method identities specific identities. to the inner method. In addition, the
peer certificate can be sent confidentially (i.e. (i.e., encrypted).

A.9. Requirement 4.2.1.5 4.2.1.5: Session Resumption

TEAP v1

TEAPv1 meets this requirement by mandating support of TLS session
resumption as defined in Section 3.2.1 and TLS Session Resume Using session resume using a
PAC as defined in Section 3.2.2 .

A.10. Requirement 4.2.2 4.2.2: Fragmentation

TEAP v1

TEAPv1 meets this requirement by leveraging fragmentation support
provided by TLS as defined in Section 3.7.

A.11. Requirement 4.2.3 4.2.3: Protection of Data External to Tunnel

TEAP v1

TEAPv1 meets this requirement by including the TEAP version number
received in the computation of crypto-binding the Crypto-Binding TLV as defined in
Section 4.2.13.

A.12. Requirement 4.3.1 4.3.1: Extensible Attribute Types

TEAP v1

TEAPv1 meets this requirement by using an extensible TLV data layer
inside the tunnel as defined in Section 4.2.

A.13. Requirement 4.3.2 4.3.2: Request/Challenge Response Operation

TEAP v1

TEAPv1 meets this requirement by allowing multiple TLVs to be sent in
a single EAP request or response packet, while maintaining the
half-duplex half-
duplex operation typical of EAP.

A.14. Requirement 4.3.3 4.3.3: Indicating Criticality of Attributes

TEAP v1

TEAPv1 meets this requirement by having a mandatory bit in each TLV
to indicate whether it is mandatory to support or not as defined in
Section 4.2.

A.15. Requirement 4.3.4 Vendor Specific 4.3.4: Vendor-Specific Support

TEAP v1

TEAPv1 meets this requirement by having a Vendor-Specific TLV to
allow vendors to define their own attributes as defined in
Section 4.2.8.

A.16. Requirement 4.3.5 4.3.5: Result Indication

TEAP v1

TEAPv1 meets this requirement by having a Result TLV to exchange the
final result of the EAP authentication so both the peer and server
have a synchronized state as defined in Section 4.2.4.

A.17. Requirement 4.3.6 4.3.6: Internationalization of Display Strings

TEAP v1

TEAPv1 meets this requirement by supporting UTF-8 format in Basic-
Password-Auth-Req the
Basic-Password-Auth-Req TLV as defined in Section 4.2.14 and Basic-
Password-Auth-Resp the
Basic-Password-Auth-Resp TLV as defined in Section 4.2.15.

A.18. Requirement 4.4 4.4: EAP Channel Binding Channel-Binding Requirements

TEAP v1

TEAPv1 meets this requirement by having a Channel-Binding TLV to
exchange the EAP channel binding channel-binding data as defined in Section 4.2.7.

A.19. Requirement 4.5.1.1 4.5.1.1: Confidentiality and Integrity

TEAP v1

TEAPv1 meets this requirement by running the password authentication
inside a protected TLS tunnel.

A.20. Requirement 4.5.1.2 4.5.1.2: Authentication of Server

TEAP v1

TEAPv1 meets this requirement by mandating authentication of the
server before establishment of the protected TLS and then running
inner password authentication as defined in Section 3.2.

A.21. Requirement 4.5.1.3 4.5.1.3: Server Certificate Revocation Checking

TEAP v1

TEAPv1 meets this requirement by supporting TLS Certificate Status
Request extension [RFC6066] during tunnel establishment.

A.22. Requirement 4.5.2 4.5.2: Internationalization

TEAP v1

TEAPv1 meets this requirement by supporting UTF-8 format in Basic-
Password-Auth-Req TLV as defined in Section 4.2.14 and Basic-
Password-Auth-Resp TLV as defined in Section 4.2.15.

A.23. Requirement 4.5.3 Meta-data

TEAP v1 4.5.3: Metadata

TEAPv1 meets this requirement by supporting Identity-Type TLV as
defined in Section 4.2.3 to indicate whether the authentication is
for a user or a machine.

A.24. Requirement 4.5.4 4.5.4: Password Change

TEAP v1

TEAPv1 meets this requirement by supporting multiple Basic-Password-
Auth-Req TLV and Basic-Password-Auth-Resp TLV exchanges within a
single EAP authentication, which allows "housekeeping"" functions
such as password change.

A.25. Requirement 4.6.1 4.6.1: Method Negotiation

TEAP v1

TEAPv1 meets this requirement by supporting inner EAP method
negotiation within the protected TLS tunnel.

A.26. Requirement 4.6.2 4.6.2: Chained Methods

TEAP v1

TEAPv1 meets this requirement by supporting inner EAP method chaining
within protected TLS tunnel tunnels as defined in Section 3.3.1.

A.27. Requirement 4.6.3 4.6.3: Cryptographic Binding with the TLS Tunnel

TEAP v1

TEAPv1 meets this requirement by supporting cryptographic binding of
the inner EAP method keys with the keys derived from the TLS tunnel
as defined in Section 4.2.13.

A.28. Requirement 4.6.4 Peer Initiated

TEAP v1 4.6.4: Peer-Initiated EAP Authentication

TEAPv1 meets this requirement by supporting the Request-Action TLV as
defined in Section 4.2.9 to allow a peer to initiate another inner
EAP method.

A.29. Requirement 4.6.5 4.6.5: Method Meta-data

TEAP v1 Metadata

TEAPv1 meets this requirement by supporting the Identity-Type TLV as
defined in Section 4.2.3 to indicate whether the authentication is
for a user or a machine.

Appendix B. Major Differences from EAP-FAST

This document is a new standard tunnel EAP method based on revision
of the EAP-FAST version 1 [RFC4851] which that contains improved flexibility,
particularly for negotiation of cryptographic algorithms. The major
changes are:

1. The EAP method name have has been changed from EAP-FAST to TEAP,
hence it would require TEAP; this
change thus requires that a new EAP method type to Type be assigned.

2. This version of TEAP MUST support TLS 1.2 [RFC5246].

3. The key derivation now makes use of TLS keying material exporters
[RFC5705] and the PRF and hash function negotiated in TLS. This
is to simplify implementation and better support cryptographic
algorithm agility.

4. TEAP is in full conformance with TLS Ticket ticket extension [RFC5077]
as described in Section 3.2.2.

5. Support of is provided for passing optional outer Outer TLVs in the first
two message exchanges, in addition to the Authority-ID TLV data
in EAP-FAST.

6. Basic password authentication on the TLV level has been added in
addition to the existing inner EAP method.

7. Additional TLV types have been defined to support EAP channel
binding and meta-data. metadata. They are the Identity-Type TLV and Channel-
Binding
Channel-Binding TLVs, defined in Section 4.2.

Appendix C. Examples

C.1. Successful Authentication

The following exchanges show a successful TEAP authentication with
basic password authentication and optional PAC refreshment, the refreshment. The
conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
PAC-Opaque in SessionTicket extension)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
user name
username and password) ->

optional additional exchanges (new pin mode,
password change change, etc.) ...

<- Crypto-Binding TLV (Request),
Result TLV (Success),
(Optional PAC TLV)

Crypto-Binding TLV(Response),
Result TLV (Success),
(PAC TLV Acknowledgment)
(PAC-Acknowledgement TLV) ->

TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

C.2. Failed Authentication

The following exchanges show a failed TEAP authentication due to
wrong user credentials, the credentials. The conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity

EAP-Response/
Identity (MyID1) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
PAC-Opaque in SessionTicket extension)->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
user name
username and password) ->

<- Result TLV (Failure)

Result TLV (Failure) ->

TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Failure

C.3. Full TLS Handshake using Certificate-based Cipher Suite Using Certificate-Based Ciphersuite

In the case within TEAP Phase 1 where an abbreviated TLS handshake is tried and failed
tried, fails, and falls back to certificate based the certificate-based full TLS handshake occurs within
TEAP Phase 1,
handshake, the conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello
[PAC-Opaque extension])-> with
PAC-Opaque in SessionTicket extension)->

// Peer sends PAC-Opaque of Tunnel PAC along with a list of
ciphersuites supported. If the server rejects the PAC-
Opaque, if it falls through to the full TLS handshake handshake.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[EAP-Request/
Identity])
// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel tunnel.

EAP-Payload-TLV
[EAP-Response/Identity (MyID2)]->

// identity protected by TLS.

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->

// Method X exchanges followed by Protected Termination

<- Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Response),
Result-TLV (Success) ->

// TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

C.4. Client authentication Authentication during Phase 1 with identity privacy Identity Privacy

In the case where a certificate based certificate-based TLS handshake occurs within
TEAP Phase 1, 1 and client certificate authentication and identity
privacy is desired, desired (and therefore TLS renegotiation is being used to
transmit the peer credentials in the protected TLS tunnel, tunnel), the
conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_key_exchange,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[EAP-Request/
Identity])

// TLS channel established
(EAP Payload messages sent within the TLS channel)

// peer sends TLS client_hello to request TLS renegotiation

TLS client_hello ->

<- TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->

<- TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success)

Crypto-Binding TLV (Response),
Result-TLV (Success)) ->

//TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

C.5. Fragmentation and Reassembly

In the case where TEAP fragmentation is required, the conversation
will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1 ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 2: M bit set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 3)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished)
(Fragment 1: L, M bits set)->

<- EAP-Request/
EAP-Type=TEAP, V=1
EAP-Response/
EAP-Type=TEAP, V=1
(Fragment 2)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
[EAP-Payload-TLV[
EAP-Request/Identity]])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel tunnel.

EAP-Payload-TLV
[EAP-Response/Identity (MyID2)]->

// identity protected by TLS.

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->

// Method X exchanges followed by Protected Termination

<- Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Response),
Result-TLV (Success) ->

// TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

C.6. Sequence of EAP Methods

When TEAP is negotiated, negotiated with a sequence of EAP method X followed by
method Y, the conversation will occur as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Identity-Type TLV,
EAP-Payload-TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel

Identity_Type TLV
EAP-Payload-TLV
[EAP-Response/Identity] ->

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->

// Optional additional X Method exchanges...

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Identity-Type TLV,
EAP Payload TLV [EAP-Type=Y],

// Next EAP conversation started after successful completion
of previous method X. The Intermediate-Result and Crypto-
Binding TLVs are sent in next packet to minimize round- round
trips. In this example, an identity request is not sent
before negotiating EAP-Type=Y.

// Compound MAC calculated using Keys keys generated from
EAP methods method X and the TLS tunnel.

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
EAP-Payload-TLV [EAP-Type=Y] ->

// Optional additional Y Method exchanges...

<- EAP Payload TLV [
EAP-Type=Y]

EAP Payload TLV
[EAP-Type=Y] ->

<- Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Response),
Result-TLV (Success) ->

// Compound MAC calculated using Keys keys generated from EAP
methods X and Y and the TLS tunnel. Compound Keys keys are
generated using Keys keys generated from EAP methods X and Y; Y
and the TLS tunnel.

// TLS channel torn down (messages sent in clear text) cleartext)

<- EAP-Success

C.7. Failed Crypto-binding Crypto-Binding

The following exchanges show a failed crypto-binding validation. The
conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello without
PAC-Opaque in SessionTicket extension)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS Server Key Exchange
TLS Server Hello Done)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS Client Key Exchange
TLS change_cipher_spec,
TLS finished)
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec
TLS finished)
EAP-Payload-TLV[
EAP-Request/Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel tunnel.

EAP-Payload TLV/
EAP Identity Response ->

<- EAP Payload TLV, EAP-Request,
(EAP-MSCHAPV2, Challenge)

EAP Payload TLV, EAP-Response,
(EAP-MSCHAPV2, Response) ->

<- EAP Payload TLV, EAP-Request,
(EAP-MSCHAPV2, Success Request)

EAP Payload TLV, EAP-Response,
(EAP-MSCHAPV2, Success Response) ->

<- Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result-TLV (Success),
Result TLV (Failure)
Error TLV with
(Error Code = 2001) ->

// TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Failure

C.8. Sequence of EAP Method with Vendor-Specific TLV Exchange

When TEAP is negotiated, negotiated with a sequence of EAP method methods followed by a
Vendor-Specific TLV exchange, the conversation will occur as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[
EAP-Request/Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel tunnel.

EAP-Payload-TLV
[EAP-Response/Identity] ->

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Vendor-Specific TLV,

// Vendor Specific Vendor-Specific TLV exchange started after successful
completion of previous method X. The Intermediate-Result
and Crypto-Binding TLVs are sent with Vendor Specific Vendor-Specific TLV
in next packet to minimize round-trips. round trips.

// Compound MAC calculated using Keys keys generated from
EAP methods method X and the TLS tunnel.

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Vendor-Specific TLV ->

// Optional additional Vendor-Specific TLV exchanges...

<- Vendor-Specific TLV

Vendor Specific

Vendor-Specific TLV ->
<- Result TLV (Success)

Result-TLV (Success) ->

// TLS channel torn down (messages sent in clear text) cleartext)

<- EAP-Success

C.9. Peer Requests Inner Method After after Server Sends Result TLV

In the case where the peer is authenticated during Phase 1 and the
server sends back result TLV, a Result TLV but the peers peer wants to request another
inner method, the conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success))

// TLS channel established
(TLV Payload messages sent within the TLS channel)

Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Negotiate-EAP)->

<- EAP-Payload-TLV
[EAP-Request/Identity]

EAP-Payload-TLV
[EAP-Response/Identity] ->

<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]

EAP-Payload-TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Result-TLV (Success)) ->

//TLS

// TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

C.10. Channel Binding

The following exchanges show a successful TEAP authentication with
basic password authentication and channel binding using a Request-
Action TLV, the TLV. The conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
PAC-Opaque in SessionTicket extension)->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
user name
username and password) ->

optional additional exchanges (new pin mode,
password change change, etc.) ...

<- Crypto-Binding TLV (Request),
Result TLV (Success),

Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Process-TLV,
TLV=Channel-Binding TLV)->

<- Channel-Binding TLV (Response),
Result TLV (Success),

Result-TLV (Success) ->

TLS channel torn down
(messages sent in clear text) cleartext)

<- EAP-Success

Appendix D. Major Differences from Previous Revisions

D.1. Changes from -06

1 Removed Design Goals

2 Added restriction on ciphersuites that do not provide
confidentiality in section 3.2

3 Added clarification of TLS unique used during certificate
provisioning in section 3.8.2

4 Specified DER encoding for PKCS#7 and PKCS#10 TLVs

5 Removed details of PKCS#7 package to RFC5652
6 Moved RFC 4851 to informative reference

7 Additional editorial changes to address Security AD review
comments.

D.2. Changes from -05

1 Section 3.3.3, clarified that Intermediate Result TLV and Crypto-
Binding TLV MUST be exchanged after each EAP method, even with a
single inner EAP method.

2 Section 3.5, clarified that tls-unique is from Phase outer TLS
tunnel before beginning of the Phase 2.

3 Section 3.6.3, added text to handle processing inner method error.

4 Section 3.8, added a section titled Peer Services, stressing
mutual authentication before rest of peer services.

5 Section 3.8,4, added a section describing channel binding flows.

6 Section 7.6, changed SHOULD to MUST for matching server
certificate realm portion.

7 Update references from I-Ds to RFCs.

D.3. Changes from -04

1 Section 3.2, clarified that requesting new PAC in abbreviated
handshake is not permitted.

2 Section 3.6.2, clarified that TLS restart is not allowed for fatal
Alerts.

3 Section 3.6.3, added text to handle processing inner method error.

4 Section 4.1, clarified Flags bit usage.

5 Section 4.2.3, clarified Identity-Type TLV usage.

6 Section 4.2.8, clarified mandatory bit in Vendor-Specific TLV.

7 Section 4.2.13, added Compound MAC presence indicator in Crypto-
Binding TLV.

D.4. Changes from -03

1 Section 4.1, added optional Outer TLV Length field and flag in
TEAP packet format.

2 Section 4.3, added TLV processing rules and rules for outer TLVs.

3 Section 5.2, changed IMCK generation from MSK based to either EMSK
or MSK with corresponding rules.

4 Section 4.2.13, introduced two Compound MAC fields for Crypto-
Binding TLV.

5 Section 3.4, clarified that all authenticated Peer-Ids, Server-Ids
and their identity types need to be exported.

6 Section 5.1, changed TLS Keying Material Exporter label to
"EXPORTER: teap session key seed".

7 Section 4.2.9, clarified Request-Action TLV processing.

D.5. Changes from -02

1 Section 3.3.3, clarified protected termination and use of crypto-
binding TLV.

2 Section 3.5, changed Session ID to use tls-unique and added
reference to RFC5247.

3 Section 3.9, added the use of tls-unique to the certificate
enrollment request.

4 Section 4.2.9, modified Request-Action TLV to include Status code
and optional TLVs.

5 Section 3.4, clarified that all authenticated Peer-Ids need to be
exported.

6 Section 5.1, changed TLS Keying Material Exporter label to "teap
session key seed".

7 Section 5.2, changed Intermediate Compound Key Derivation from MSK
to EMSK generated by inner method.

8 Section 6, added missing IANA considerations.

9 Section 7.3, added more security considerations for separation of
Phase 1 and Phase 2 servers.

10 Appendix C, updated examples with Request-Action TLV, channel
binding, and sending certificate after TLS renegotiation.

D.6. Changes from -01

1 In Version Negotiation section, clarified what the peer needs to
do if the supported version is higher than what the server
proposed.

2 Section 3.2, clarified the requirement for using anonymous cipher
suites.

3 Clarified that Crypto-binding TLV is always exchanged and
validated, even without inner methods.

4 Section 3.4, clarified that all authenticated Peer-Ids need to be
exported.

5 Clarified that channel-binding TLV can be used to transmit data
bidirectionally.

6 Updated obsolete RFC references

7 Renumbered TLVs to eliminate gaps

8 Updated examples with basic password authentication TLVs.

9 Added Certificate Provisioning Within the Tunnel.

10 Added Server Unauthenticated Provisioning Mode.

D.7. Changes from -00

1 Changed protocol name to TEAP: Tunnel EAP Method

2 Changed version of protocol to version 1

3 Revised introduction

4 Moved differences section to appendix

5 Revised design goals section

6 Revised PAC definition

7 Revised protocol description to be in line with RFC 5077 PAC
distribution
8 Revised EAP Sequences Section

9 Added section on PAC provisioning within tunnel

10 Added outer TLVs to the message format

11 Renumbered TLVs

12 Included PAC TLVs

13 Added Authority ID TLV

14 Added PKCS#7 and server trust root TLV definitions

15 Added PKCS#10 TLV

16 PKCS#10 TLV

17 Added EAP-Type and outer TLVs to crypto binding compound MAC

Authors' Addresses

Hao Zhou
Cisco Systems
4125 Highlander Parkway
Richfield, OH 44286
US

EMail: hzhou@cisco.com
Nancy Cam-Winget
Cisco Systems
3625 Cisco Way
San Jose, CA 95134
US

EMail: ncamwing@cisco.com

Joseph Salowey
Cisco Systems
2901 3rd Ave
Seattle, WA 98121
US

EMail: jsalowey@cisco.com

Stephen Hanna
Juniper Networks
79 Parsons Street
Brighton, MA 02135
US

EMail: shanna@juniper.net