rfc9048v1.txt   rfc9048.txt 
skipping to change at line 35 skipping to change at line 35
EAP-AKA' differs from EAP-AKA by providing a key derivation function EAP-AKA' differs from EAP-AKA by providing a key derivation function
that binds the keys derived within the method to the name of the that binds the keys derived within the method to the name of the
access network. The key derivation function has been defined in the access network. The key derivation function has been defined in the
3rd Generation Partnership Project (3GPP). EAP-AKA' allows its use 3rd Generation Partnership Project (3GPP). EAP-AKA' allows its use
in EAP in an interoperable manner. EAP-AKA' also updates the in EAP in an interoperable manner. EAP-AKA' also updates the
algorithm used in hash functions, as it employs SHA-256 / HMAC- algorithm used in hash functions, as it employs SHA-256 / HMAC-
SHA-256 instead of SHA-1 / HMAC-SHA-1, which is used in EAP-AKA. SHA-256 instead of SHA-1 / HMAC-SHA-1, which is used in EAP-AKA.
This version of the EAP-AKA' specification defines the protocol This version of the EAP-AKA' specification defines the protocol
behavior for both 4G and 5G deployments, whereas the previous version behavior for both 4G and 5G deployments, whereas the previous version
defined protocol behavior for 4G deployments only. defined protocol behavior for 4G deployments only. While EAP-AKA' as
defined in RFC 5448 is not obsolete, this document defines the most
recent and fully backwards-compatible specification of EAP-AKA'.
This document updates both RFCs 4187 and 5448.
Status of This Memo Status of This Memo
This document is not an Internet Standards Track specification; it is This document is not an Internet Standards Track specification; it is
published for informational purposes. published for informational purposes.
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents Internet Engineering Steering Group (IESG). Not all documents
skipping to change at line 165 skipping to change at line 168
secure against bidding down attacks that attempt to force the secure against bidding down attacks that attempt to force the
participants to use the least secure function. See Section 4 participants to use the least secure function. See Section 4
for further information. for further information.
This specification makes the following changes from RFC 5448: This specification makes the following changes from RFC 5448:
* Updates the reference that specifies how the Network Name field is * Updates the reference that specifies how the Network Name field is
constructed in the protocol. This update ensures that EAP-AKA' is constructed in the protocol. This update ensures that EAP-AKA' is
compatible with 5G deployments. RFC 5448 referred to the Release compatible with 5G deployments. RFC 5448 referred to the Release
8 version of [TS-3GPP.24.302]. This document points to the first 8 version of [TS-3GPP.24.302]. This document points to the first
5G version, Release 15. 5G version, Release 16.
* Specifies how EAP and EAP-AKA' use identifiers in 5G. Additional * Specifies how EAP and EAP-AKA' use identifiers in 5G. Additional
identifiers are introduced in 5G, and for interoperability, it is identifiers are introduced in 5G, and for interoperability, it is
necessary that the right identifiers are used as inputs in the key necessary that the right identifiers are used as inputs in the key
derivation. In addition, for identity privacy it is important derivation. In addition, for identity privacy it is important
that when privacy-friendly identifiers in 5G are used, no that when privacy-friendly identifiers in 5G are used, no
trackable, permanent identifiers are passed in EAP-AKA', either. trackable, permanent identifiers are passed in EAP-AKA', either.
* Specifies session identifiers and other exported parameters, as * Specifies session identifiers and other exported parameters, as
those were not specified in [RFC5448] despite requirements set those were not specified in [RFC5448] despite requirements set
skipping to change at line 195 skipping to change at line 198
* Describes the privacy and pervasive monitoring considerations * Describes the privacy and pervasive monitoring considerations
related to EAP-AKA'. related to EAP-AKA'.
* Adds summaries of the attributes. * Adds summaries of the attributes.
Some of the updates are small. For instance, the reference update to Some of the updates are small. For instance, the reference update to
[TS-3GPP.24.302] does not change the 3GPP specification number, only [TS-3GPP.24.302] does not change the 3GPP specification number, only
the version. But this reference is crucial for the correct the version. But this reference is crucial for the correct
calculation of the keys that result from running the EAP-AKA' method, calculation of the keys that result from running the EAP-AKA' method,
so an update of the RFC with the newest version pointer may be so an RFC update pointing to the newest version was warranted.
warranted.
Note: Any further updates in 3GPP specifications that affect, Note: Any further updates in 3GPP specifications that affect,
for instance, key derivation is something that EAP-AKA' for instance, key derivation is something that EAP-AKA'
implementations need to take into account. Upon such updates, implementations need to take into account. Upon such updates,
there will be a need to update both this specification and the there will be a need to update both this specification and the
implementations. implementations.
It is an explicit non-goal of this specification to include any other It is an explicit non-goal of this specification to include any other
technical modifications, addition of new features, or other changes. technical modifications, addition of new features, or other changes.
The EAP-AKA' base protocol is stable and needs to stay that way. If The EAP-AKA' base protocol is stable and needs to stay that way. If
skipping to change at line 520 skipping to change at line 522
processing the received EAP-Request/AKA'-Challenge as specified in processing the received EAP-Request/AKA'-Challenge as specified in
[RFC4187] and Section 3.1 of this document. If not, it behaves as if [RFC4187] and Section 3.1 of this document. If not, it behaves as if
AT_MAC had been incorrect and fails the authentication. If the peer AT_MAC had been incorrect and fails the authentication. If the peer
receives multiple EAP-Request/AKA'-Challenge messages with differing receives multiple EAP-Request/AKA'-Challenge messages with differing
AT_KDF attributes without having requested negotiation, the peer MUST AT_KDF attributes without having requested negotiation, the peer MUST
behave as if AT_MAC had been incorrect and fail the authentication. behave as if AT_MAC had been incorrect and fail the authentication.
Note that the peer may also request sequence number resynchronization Note that the peer may also request sequence number resynchronization
[RFC4187]. This happens after AT_KDF negotiation has already [RFC4187]. This happens after AT_KDF negotiation has already
completed. That is, the EAP-Request/AKA'-Challenge and, possibly, completed. That is, the EAP-Request/AKA'-Challenge and, possibly,
the EAP-Response/AKA'-Challenge message are exchanged first to the EAP-Response/AKA'-Challenge messages are exchanged first to
determine a mutually acceptable key derivation function, and only determine a mutually acceptable key derivation function, and only
then is the possible AKA'-Synchronization-Failure message sent. The then is the possible AKA'-Synchronization-Failure message sent. The
AKA'-Synchronization-Failure message is sent as a response to the AKA'-Synchronization-Failure message is sent as a response to the
newly received EAP-Request/AKA'-Challenge, which is the last message newly received EAP-Request/AKA'-Challenge, which is the last message
of the AT_KDF negotiation. Note that if the first proposed KDF is of the AT_KDF negotiation. Note that if the first proposed KDF is
acceptable, then last message is at the same time the first EAP- acceptable, then the first EAP-Request/AKA'-Challenge message is also
Request/AKA'-Challenge message. The AKA'-Synchronization-Failure the last message. The AKA'-Synchronization-Failure message MUST
message MUST contain the AUTS parameter as specified in [RFC4187] and contain the AUTS parameter as specified in [RFC4187] and a copy the
a copy the AT_KDF attributes as they appeared in the last message of AT_KDF attributes as they appeared in the last message of the AT_KDF
the AT_KDF negotiation. If the AT_KDF attributes are found to differ negotiation. If the AT_KDF attributes are found to differ from their
from their earlier values, the peer and server MUST behave as if earlier values, the peer and server MUST behave as if AT_MAC had been
AT_MAC had been incorrect and fail the authentication. incorrect and fail the authentication.
3.3. Key Derivation 3.3. Key Derivation
Both the peer and server MUST derive the keys as follows. Both the peer and server MUST derive the keys as follows.
AT_KDF parameter has the value 1 AT_KDF parameter has the value 1
In this case, MK is derived and used as follows: In this case, MK is derived and used as follows:
MK = PRF'(IK'|CK',"EAP-AKA'"|Identity) MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
K_encr = MK[0..127] K_encr = MK[0..127]
skipping to change at line 635 skipping to change at line 637
3.4. Hash Functions 3.4. Hash Functions
EAP-AKA' uses SHA-256 / HMAC-SHA-256, not SHA-1 / HMAC-SHA-1 (see EAP-AKA' uses SHA-256 / HMAC-SHA-256, not SHA-1 / HMAC-SHA-1 (see
[FIPS.180-4] and [RFC2104]) as in EAP-AKA. This requires a change to [FIPS.180-4] and [RFC2104]) as in EAP-AKA. This requires a change to
the pseudorandom function (PRF) as well as the AT_MAC and the pseudorandom function (PRF) as well as the AT_MAC and
AT_CHECKCODE attributes. AT_CHECKCODE attributes.
3.4.1. PRF' 3.4.1. PRF'
The PRF' construction is the same one IKEv2 uses (see Section 2.13 of The PRF' construction is the same one IKEv2 uses (see Section 2.13 of
[RFC7296]; this is the same function as was defined [RFC4306] that [RFC7296]; the definition of this function has not changed since
RFC 5448 referred to). The function takes two arguments. K is a [RFC4306], which was referenced by [RFC5448]). The function takes
256-bit value and S is a byte string of arbitrary length. PRF' is two arguments. K is a 256-bit value and S is a byte string of
defined as follows: arbitrary length. PRF' is defined as follows:
PRF'(K,S) = T1 | T2 | T3 | T4 | ... PRF'(K,S) = T1 | T2 | T3 | T4 | ...
where: where:
T1 = HMAC-SHA-256 (K, S | 0x01) T1 = HMAC-SHA-256 (K, S | 0x01)
T2 = HMAC-SHA-256 (K, T1 | S | 0x02) T2 = HMAC-SHA-256 (K, T1 | S | 0x02)
T3 = HMAC-SHA-256 (K, T2 | S | 0x03) T3 = HMAC-SHA-256 (K, T2 | S | 0x03)
T4 = HMAC-SHA-256 (K, T3 | S | 0x04) T4 = HMAC-SHA-256 (K, T3 | S | 0x04)
... ...
skipping to change at line 689 skipping to change at line 691
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Second, the checkcode is a hash value, calculated with SHA-256 Second, the checkcode is a hash value, calculated with SHA-256
[FIPS.180-4], over the data specified in Section 10.13 of [RFC4187]. [FIPS.180-4], over the data specified in Section 10.13 of [RFC4187].
3.5. Summary of Attributes for EAP-AKA' 3.5. Summary of Attributes for EAP-AKA'
Table 1 identifies which attributes may be found in which kinds of Table 1 identifies which attributes may be found in which kinds of
messages, and in what quantity. messages, and in what quantity.
Messages are denoted with numbers in parentheses as follows: Messages are denoted with numbers as follows:
(1) EAP-Request/AKA-Identity 1 EAP-Request/AKA-Identity
(2) EAP-Response/AKA-Identity 2 EAP-Response/AKA-Identity
(3) EAP-Request/AKA-Challenge 3 EAP-Request/AKA-Challenge
(4) EAP-Response/AKA-Challenge 4 EAP-Response/AKA-Challenge
(5) EAP-Request/AKA-Notification 5 EAP-Request/AKA-Notification
(6) EAP-Response/AKA-Notification 6 EAP-Response/AKA-Notification
(7) EAP-Response/AKA-Client-Error 7 EAP-Response/AKA-Client-Error
(8) EAP-Request/AKA-Reauthentication 8 EAP-Request/AKA-Reauthentication
(9) EAP-Response/AKA-Reauthentication 9 EAP-Response/AKA-Reauthentication
(10) EAP-Response/AKA-Authentication-Reject 10 EAP-Response/AKA-Authentication-Reject
(11) EAP-Response/AKA-Synchronization-Failure 11 EAP-Response/AKA-Synchronization-Failure
The column denoted with "E" indicates whether the attribute is a The column denoted with "E" indicates whether the attribute is a
nested attribute that MUST be included within AT_ENCR_DATA. nested attribute that MUST be included within AT_ENCR_DATA.
In addition, the numbered columns indicate the quantity of the In addition, the numbered columns indicate the quantity of the
attribute within the message as follows: attribute within the message as follows:
"0" Indicates that the attribute MUST NOT be included in the "0" Indicates that the attribute MUST NOT be included in the
message. message.
skipping to change at line 744 skipping to change at line 746
in cases specified in this document, but MAY be included in in cases specified in this document, but MAY be included in
the future versions of the protocol. the future versions of the protocol.
The attribute table is shown below. The table is largely the same as The attribute table is shown below. The table is largely the same as
in the EAP-AKA attribute table ([RFC4187], Section 10.1), but changes in the EAP-AKA attribute table ([RFC4187], Section 10.1), but changes
how many times AT_MAC may appear in an EAP-Response/AKA'-Challenge how many times AT_MAC may appear in an EAP-Response/AKA'-Challenge
message as it does not appear there when AT_KDF has to be sent from message as it does not appear there when AT_KDF has to be sent from
the peer to the server. The table also adds the AT_KDF and the peer to the server. The table also adds the AT_KDF and
AT_KDF_INPUT attributes. AT_KDF_INPUT attributes.
+====================+===+===+===+===+===+===+===+===+===+====+====+=+ +======================+===+===+===+===+===+===+=+====+=====+==+==+=+
|Attribute |(1)|(2)|(3)|(4)|(5)|(6)|(7)|(8)|(9)|(10)|(11)|E| | Attribute |1 |2 |3 |4 |5 |6 |7|8 | 9 |10|11|E|
+====================+===+===+===+===+===+===+===+===+===+====+====+=+ +======================+===+===+===+===+===+===+=+====+=====+==+==+=+
|AT_PERMANENT_ID_REQ |0-1|0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_PERMANENT_ID_REQ |0-1|0 |0 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_ANY_ID_REQ |0-1|0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_ANY_ID_REQ |0-1|0 |0 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_FULLAUTH_ID_REQ |0-1|0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_FULLAUTH_ID_REQ |0-1|0 |0 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_IDENTITY |0 |0-1|0 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_IDENTITY |0 |0-1|0 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_RAND |0 |0 |1 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_RAND |0 |0 |1 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_AUTN |0 |0 |1 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_AUTN |0 |0 |1 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_RES |0 |0 |0 |1 |0 |0 |0 |0 |0 |0 |0 |N| | AT_RES |0 |0 |0 |1 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_AUTS |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |1 |N| | AT_AUTS |0 |0 |0 |0 |0 |0 |0|0 | 0 |0 |1 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_NEXT_PSEUDONYM |0 |0 |0-1|0 |0 |0 |0 |0 |0 |0 |0 |Y| | AT_NEXT_PSEUDONYM |0 |0 |0-1|0 |0 |0 |0|0 | 0 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_NEXT_REAUTH_ID |0 |0 |0-1|0 |0 |0 |0 |0-1|0 |0 |0 |Y| | AT_NEXT_REAUTH_ID |0 |0 |0-1|0 |0 |0 |0|0-1 | 0 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_IV |0 |0 |0-1|0* |0-1|0-1|0 |1 |1 |0 |0 |N| | AT_IV |0 |0 |0-1|0* |0-1|0-1|0|1 | 1 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_ENCR_DATA |0 |0 |0-1|0* |0-1|0-1|0 |1 |1 |0 |0 |N| | AT_ENCR_DATA |0 |0 |0-1|0* |0-1|0-1|0|1 | 1 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_PADDING |0 |0 |0-1|0* |0-1|0-1|0 |0-1|0-1|0 |0 |Y| | AT_PADDING |0 |0 |0-1|0* |0-1|0-1|0|0-1 | 0-1 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_CHECKCODE |0 |0 |0-1|0-1|0 |0 |0 |0-1|0-1|0 |0 |N| | AT_CHECKCODE |0 |0 |0-1|0-1|0 |0 |0|0-1 | 0-1 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_RESULT_IND |0 |0 |0-1|0-1|0 |0 |0 |0-1|0-1|0 |0 |N| | AT_RESULT_IND |0 |0 |0-1|0-1|0 |0 |0|0-1 | 0-1 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_MAC |0 |0 |1 |0-1|0-1|0-1|0 |1 |1 |0 |0 |N| | AT_MAC |0 |0 |1 |0-1|0-1|0-1|0|1 | 1 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_COUNTER |0 |0 |0 |0 |0-1|0-1|0 |1 |1 |0 |0 |Y| | AT_COUNTER |0 |0 |0 |0 |0-1|0-1|0|1 | 1 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_COUNTER_TOO_SMALL|0 |0 |0 |0 |0 |0 |0 |0 |0-1|0 |0 |Y| | AT_COUNTER_TOO_SMALL |0 |0 |0 |0 |0 |0 |0|0 | 0-1 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_NONCE_S |0 |0 |0 |0 |0 |0 |0 |1 |0 |0 |0 |Y| | AT_NONCE_S |0 |0 |0 |0 |0 |0 |0|1 | 0 |0 |0 |Y|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_NOTIFICATION |0 |0 |0 |0 |1 |0 |0 |0 |0 |0 |0 |N| | AT_NOTIFICATION |0 |0 |0 |0 |1 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_CLIENT_ERROR_CODE|0 |0 |0 |0 |0 |0 |1 |0 |0 |0 |0 |N| | AT_CLIENT_ERROR_CODE |0 |0 |0 |0 |0 |0 |1|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_KDF |0 |0 |1+ |0+ |0 |0 |0 |0 |0 |0 |1+ |N| | AT_KDF |0 |0 |1+ |0+ |0 |0 |0|0 | 0 |0 |1+|N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
|AT_KDF_INPUT |0 |0 |1 |0 |0 |0 |0 |0 |0 |0 |0 |N| | AT_KDF_INPUT |0 |0 |1 |0 |0 |0 |0|0 | 0 |0 |0 |N|
+--------------------+---+---+---+---+---+---+---+---+---+----+----+-+ +----------------------+---+---+---+---+---+---+-+----+-----+--+--+-+
Table 1: The Attribute Table Table 1: The Attribute Table
4. Bidding Down Prevention for EAP-AKA 4. Bidding Down Prevention for EAP-AKA
As discussed in [RFC3748], negotiation of methods within EAP is As discussed in [RFC3748], negotiation of methods within EAP is
insecure. That is, a man-in-the-middle attacker may force the insecure. That is, a man-in-the-middle attacker may force the
endpoints to use a method that is not the strongest that they both endpoints to use a method that is not the strongest that they both
support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be support. This is a problem, as we expect EAP-AKA and EAP-AKA' to be
negotiated via EAP. negotiated via EAP.
In order to prevent such attacks, this RFC specifies a new mechanism In order to prevent such attacks, this RFC specifies a mechanism for
for EAP-AKA that allows the endpoints to securely discover the EAP-AKA that allows the endpoints to securely discover the
capabilities of each other. This mechanism comes in the form of the capabilities of each other. This mechanism comes in the form of the
AT_BIDDING attribute. This allows both endpoints to communicate AT_BIDDING attribute. This allows both endpoints to communicate
their desire and support for EAP-AKA' when exchanging EAP-AKA their desire and support for EAP-AKA' when exchanging EAP-AKA
messages. This attribute is not included in EAP-AKA' messages. It messages. This attribute is not included in EAP-AKA' messages. It
is only included in EAP-AKA messages, which are protected with the is only included in EAP-AKA messages, which are protected with the
AT_MAC attribute. This approach is based on the assumption that EAP- AT_MAC attribute. This approach is based on the assumption that EAP-
AKA' is always preferable (see Section 7). If during the EAP-AKA AKA' is always preferable (see Section 7). If during the EAP-AKA
authentication process it is discovered that both endpoints would authentication process it is discovered that both endpoints would
have been able to use EAP-AKA', the authentication process SHOULD be have been able to use EAP-AKA', the authentication process SHOULD be
aborted, as a bidding down attack may have happened. aborted, as a bidding down attack may have happened.
skipping to change at line 862 skipping to change at line 864
Note that we assume (Section 7) that EAP-AKA' is always stronger than Note that we assume (Section 7) that EAP-AKA' is always stronger than
EAP-AKA. As a result, this specification does not provide protection EAP-AKA. As a result, this specification does not provide protection
against bidding "down" attacks in the other direction, i.e., against bidding "down" attacks in the other direction, i.e.,
attackers forcing the endpoints to use EAP-AKA'. attackers forcing the endpoints to use EAP-AKA'.
4.1. Summary of Attributes for EAP-AKA 4.1. Summary of Attributes for EAP-AKA
The appearance of the AT_BIDDING attribute in EAP-AKA exchanges is The appearance of the AT_BIDDING attribute in EAP-AKA exchanges is
shown below, using the notation from Section 3.5: shown below, using the notation from Section 3.5:
+============+===+===+===+===+===+===+===+====+=====+======+======+=+ +============+===+===+===+===+===+===+===+===+===+====+====+===+
| Attribute |(1)|(2)|(3)|(4)|(5)|(6)|(7)|(8) | (9) | (10) | (11) |E| | Attribute | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | E |
+============+===+===+===+===+===+===+===+====+=====+======+======+=+ +============+===+===+===+===+===+===+===+===+===+====+====+===+
| AT_BIDDING |0 |0 |1 |0 |0 |0 |0 |0 | 0 | 0 | 0 |N| | AT_BIDDING | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N |
+------------+---+---+---+---+---+---+---+----+-----+------+------+-+ +------------+---+---+---+---+---+---+---+---+---+----+----+---+
Table 2: AT_BIDDING Attribute Appearance Table 2: AT_BIDDING Attribute Appearance
5. Peer Identities 5. Peer Identities
EAP-AKA' peer identities are as specified in [RFC4187], Section 4.1, EAP-AKA' peer identities are as specified in [RFC4187], Section 4.1,
with the addition of some requirements specified in this section. with the addition of some requirements specified in this section.
EAP-AKA' includes optional identity privacy support that can be used EAP-AKA' includes optional identity privacy support that can be used
to hide the cleartext permanent identity and thereby make the to hide the cleartext permanent identity and thereby make the
subscriber's EAP exchanges untraceable to eavesdroppers. EAP-AKA' subscriber's EAP exchanges untraceable to eavesdroppers. EAP-AKA'
can also use the privacy-friendly identifiers specified for 5G can also use the privacy-friendly identifiers specified for 5G
skipping to change at line 906 skipping to change at line 908
There are four types of usernames: There are four types of usernames:
(1) Regular usernames. These are external names given to EAP-AKA' (1) Regular usernames. These are external names given to EAP-AKA'
peers. The regular usernames are further subdivided into to peers. The regular usernames are further subdivided into to
categories: categories:
(a) Permanent usernames, for instance, IMSI-based usernames. (a) Permanent usernames, for instance, IMSI-based usernames.
(b) Privacy-friendly temporary usernames, for instance, 5G GUTI (b) Privacy-friendly temporary usernames, for instance, 5G GUTI
(5G Globally Unique Temporary Identifier) or 5G privacy (5G Globally Unique Temporary Identifier) or 5G privacy
identifiers (see Section 5.3.2), for instance, SUCI identifiers (see Section 5.3.2) such as SUCI (Subscription
(Subscription Concealed Identifier). Concealed Identifier).
(2) EAP-AKA' pseudonym usernames. For example, (2) EAP-AKA' pseudonym usernames. For example,
2s7ah6n9q@example.com might be a valid pseudonym identity. In 2s7ah6n9q@example.com might be a valid pseudonym identity. In
this example, 2s7ah6n9q is the pseudonym username. this example, 2s7ah6n9q is the pseudonym username.
(3) EAP-AKA' fast re-authentication usernames. For example, (3) EAP-AKA' fast re-authentication usernames. For example,
43953754@example.com might be a valid fast re-authentication 43953754@example.com might be a valid fast re-authentication
identity and 43953754 the fast re-authentication username. identity and 43953754 the fast re-authentication username.
The permanent, privacy-friendly temporary, and pseudonym usernames The permanent, privacy-friendly temporary, and pseudonym usernames
skipping to change at line 1006 skipping to change at line 1008
SUbscription Concealed Identifier (SUCI) [TS-3GPP.23.501] SUbscription Concealed Identifier (SUCI) [TS-3GPP.23.501]
[TS-3GPP.33.501] [TS-3GPP.23.003]. SUPI is globally unique and [TS-3GPP.33.501] [TS-3GPP.23.003]. SUPI is globally unique and
allocated to each subscriber. However, it is only used internally in allocated to each subscriber. However, it is only used internally in
the 5G network and is privacy sensitive. The SUCI is a privacy- the 5G network and is privacy sensitive. The SUCI is a privacy-
preserving identifier containing the concealed SUPI, using public key preserving identifier containing the concealed SUPI, using public key
cryptography to encrypt the SUPI. cryptography to encrypt the SUPI.
Given the choice between these two types of identifiers, EAP-AKA' Given the choice between these two types of identifiers, EAP-AKA'
ensures interoperability as follows: ensures interoperability as follows:
* Where identifiers are used within EAP-AKA' -- such as key * Where identifiers are used within EAP-AKA' (such as key
derivation -- specify what values exactly should be used, to avoid derivation) determine the exact values of the identity to be used,
ambiguity (see Section 5.3.1). to avoid ambiguity (see Section 5.3.1).
* Where identifiers are carried within EAP-AKA' packets -- such as * Where identifiers are carried within EAP-AKA' packets (such as in
in the AT_IDENTITY attribute -- specify which identifiers should the AT_IDENTITY attribute) determine which identifiers should be
be filled in (see Section 5.3.2). filled in (see Section 5.3.2).
In 5G, the normal mode of operation is that identifiers are only In 5G, the normal mode of operation is that identifiers are only
transmitted outside EAP. However, in a system involving terminals transmitted outside EAP. However, in a system involving terminals
from many generations and several connectivity options via 5G and from many generations and several connectivity options via 5G and
other mechanisms, implementations and the EAP-AKA' specification need other mechanisms, implementations and the EAP-AKA' specification need
to prepare for many different situations, including sometimes having to prepare for many different situations, including sometimes having
to communicate identities within EAP. to communicate identities within EAP.
The following sections clarify which identifiers are used and how. The following sections clarify which identifiers are used and how.
skipping to change at line 1091 skipping to change at line 1093
When used in EAP-AKA', the format of the SUCI MUST be as specified in When used in EAP-AKA', the format of the SUCI MUST be as specified in
[TS-3GPP.23.003], Section 28.7.3, with the semantics defined in [TS-3GPP.23.003], Section 28.7.3, with the semantics defined in
[TS-3GPP.23.003], Section 2.2B. Also, in contrast to [RFC5448], in [TS-3GPP.23.003], Section 2.2B. Also, in contrast to [RFC5448], in
5G EAP-AKA' does not use the "0" nor the "6" prefix in front of the 5G EAP-AKA' does not use the "0" nor the "6" prefix in front of the
identifier. identifier.
For an example of an IMSI in NAI format, see [TS-3GPP.23.003], For an example of an IMSI in NAI format, see [TS-3GPP.23.003],
Section 28.7.3. Section 28.7.3.
Otherwise, the peer SHOULD employ an IMSI, SUPI, or NAI as it is Otherwise, the peer SHOULD employ an IMSI, SUPI, or NAI [RFC7542] as
configured to use. it is configured to use.
6. Exported Parameters 6. Exported Parameters
When not using fast re-authentication, the EAP-AKA' Session-Id is the When not using fast re-authentication, the EAP-AKA' Session-Id is the
concatenation of the EAP Type value (0x32, one byte) with the concatenation of the EAP-AKA' Type value (0x32, one byte) with the
contents of the RAND field from the AT_RAND attribute followed by the contents of the RAND field from the AT_RAND attribute followed by the
contents of the AUTN field in the AT_AUTN attribute: contents of the AUTN field in the AT_AUTN attribute:
Session-Id = 0x32 || RAND || AUTN Session-Id = 0x32 || RAND || AUTN
When using fast re-authentication, the EAP-AKA' Session-Id is the When using fast re-authentication, the EAP-AKA' Session-Id is the
concatenation of the EAP Type value (0x32) with the contents of the concatenation of the EAP-AKA' Type value (0x32) with the contents of
NONCE_S field from the AT_NONCE_S attribute followed by the contents the NONCE_S field from the AT_NONCE_S attribute followed by the
of the MAC field from the AT_MAC attribute from the EAP-Request/AKA- contents of the MAC field from the AT_MAC attribute from the EAP-
Reauthentication: Request/AKA-Reauthentication:
Session-Id = 0x32 || NONCE_S || MAC Session-Id = 0x32 || NONCE_S || MAC
The Peer-Id is the contents of the Identity field from the The Peer-Id is the contents of the Identity field from the
AT_IDENTITY attribute, using only the Actual Identity Length bytes AT_IDENTITY attribute, using only the Actual Identity Length bytes
from the beginning. Note that the contents are used as they are from the beginning. Note that the contents are used as they are
transmitted, regardless of whether the transmitted identity was a transmitted, regardless of whether the transmitted identity was a
permanent, pseudonym, or fast EAP re-authentication identity. If no permanent, pseudonym, or fast EAP re-authentication identity. If no
AT_IDENTITY attribute was exchanged, the exported Peer-Id is the AT_IDENTITY attribute was exchanged, the exported Peer-Id is the
identity provided from the EAP Identity Response packet. If no EAP identity provided from the EAP Identity Response packet. If no EAP
skipping to change at line 1541 skipping to change at line 1543
domains or devices using the same technology. domains or devices using the same technology.
8. IANA Considerations 8. IANA Considerations
IANA has updated the "Extensible Authentication Protocol (EAP) IANA has updated the "Extensible Authentication Protocol (EAP)
Registry" and the "EAP-AKA and EAP-SIM Parameters" registry so that Registry" and the "EAP-AKA and EAP-SIM Parameters" registry so that
entries that pointed to RFC 5448 now point to this RFC instead. entries that pointed to RFC 5448 now point to this RFC instead.
8.1. Type Value 8.1. Type Value
EAP-AKA' has the EAP Type value 0x32 in the "Method Types" IANA has updated the reference for EAP-AKA' (0x32) in the "Method
subregistry withint the "Extensible Authentication Protocol (EAP) Types" subregistry under the "Extensible Authentication Protocol
Registry". Per Section 6.2 of [RFC3748], this allocation can be made (EAP) Registry" to point to this document. Per Section 6.2 of
with Designated Expert and Specification Required [RFC8126]. [RFC3748], this allocation can be made with Specification Required
[RFC8126].
8.2. Attribute Type Values 8.2. Attribute Type Values
EAP-AKA' shares its attribute space and subtypes with EAP-SIM EAP-AKA' shares its attribute space and subtypes with EAP-SIM
[RFC4186] and EAP-AKA [RFC4187]. No new registries are needed. [RFC4186] and EAP-AKA [RFC4187]. No new registries are needed.
However, the Attribute Type values 23 for AT_KDF_INPUT (Section 3.1) IANA has updated the reference for AT_KDF_INPUT (23) and AT_KDF (24)
and 24 for AT_KDF (Section 3.2) have been assigned in the "Attribute in the "Attribute Types (Non-Skippable Attributes 0-127)" subregistry
Types (Non-Skippable Attributes 0-127)" subregistry within the "EAP- under the "EAP-AKA and EAP-SIM Parameters" registry to point to this
AKA and EAP-SIM Parameters" registry. document. AT_KDF_INPUT and AT_KDF are defined in Sections 3.1 and
3.2, respectively, of this document.
Finally, the Attribute Type value 136 has been assigned for IANA has also updated the reference for AT_BIDDING (136) in the
AT_BIDDING (Section 4) in the "Attribute Types (Skippable Attributes "Attribute Types (Skippable Attributes 128-255)" subregistry of the
128-255)" subregistry. "EAP-AKA and EAP-SIM Parameters" registry to point to this document.
AT_BIDDING is defined in Section 4.
8.3. Key Derivation Function Namespace 8.3. Key Derivation Function Namespace
IANA has also created a new namespace for "EAP-AKA' AT_KDF Key IANA has updated the reference for the "EAP-AKA' AT_KDF Key
Derivation Function values". This namespace exists under the "EAP- Derivation Function Values" subregistry to point to this document.
AKA and EAP-SIM Parameters" registry. The initial contents of this This subregistry appears under the "EAP-AKA and EAP-SIM Parameters"
namespace are given below; new values can be created through the registry. The references for following entries have also been
Specification Required policy [RFC8126]. updated to point to this document. New values can be created through
the Specification Required policy [RFC8126].
+=========+=======================+===========+ +=======+=======================+===========+
| Value | Description | Reference | | Value | Description | Reference |
+=========+=======================+===========+ +=======+=======================+===========+
| 0 | Reserved | RFC 9048 | | 0 | Reserved | RFC 9048 |
+---------+-----------------------+-----------+ +-------+-----------------------+-----------+
| 1 | EAP-AKA' with CK'/IK' | RFC 9048 | | 1 | EAP-AKA' with CK'/IK' | RFC 9048 |
+---------+-----------------------+-----------+ +-------+-----------------------+-----------+
| 2-65535 | Unassigned | |
+---------+-----------------------+-----------+
Table 3: EAP-AKA' AT_KDF Key Derivation Table 3: EAP-AKA' AT_KDF Key Derivation
Function Values Function Values
9. References 9. References
9.1. Normative References 9.1. Normative References
[TS-3GPP.23.003] [TS-3GPP.23.003]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Numbering, Specification Group Core Network and Terminals; Numbering,
addressing and identification (Release 16)", Version addressing and identification (Release 16)", Version
16.5.0, 3GPP Technical Specification 23.003, December 16.7.0, 3GPP Technical Specification 23.003, June 2021.
2020.
[TS-3GPP.23.501] [TS-3GPP.23.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; System
Security; Security architecture and procedures for 5G architecture for the 5G System (5GS); (Release 16)",
System; (Release 16)", Version 16.7.0, 3GPP Technical Version 16.9.0, 3GPP Technical Specification 23.501, June
Specification 23.501, December 2020. 2021.
[TS-3GPP.24.302] [TS-3GPP.24.302]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Access to Specification Group Core Network and Terminals; Access to
the 3GPP Evolved Packet Core (EPC) via non-3GPP access the 3GPP Evolved Packet Core (EPC) via non-3GPP access
networks; Stage 3; (Release 16)", Version 16.4.0, 3GPP networks; Stage 3; (Release 16)", Version 16.4.0, 3GPP
Technical Specification 24.302, July 2020. Technical Specification 24.302, July 2020.
[TS-3GPP.24.501] [TS-3GPP.24.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Access to Specification Group Core Network and Terminals; Non-
the 3GPP Evolved Packet Core (EPC) via non-3GPP access Access-Stratum (NAS) protocol for 5G System (5GS); Stage
networks; Stage 3; (Release 16)", Version 16.7.0, 3GPP 3; (Release 16)", Version 16.9.0, 3GPP Draft Technical
Draft Technical Specification 24.501, December 2020. Specification 24.501, June 2021.
[TS-3GPP.33.102] [TS-3GPP.33.102]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture (Release 16)", Version Security; Security architecture (Release 16)", Version
16.0.0, 3GPP Technical Specification 33.102, July 2020. 16.0.0, 3GPP Technical Specification 33.102, July 2020.
[TS-3GPP.33.402] [TS-3GPP.33.402]
3GPP, "3GPP System Architecture Evolution (SAE); Security 3GPP, "3GPP System Architecture Evolution (SAE); Security
aspects of non-3GPP accesses (Release 16)", Version aspects of non-3GPP accesses (Release 16)", Version
16.0.0, 3GPP Technical Specification 33.402, July 2020. 16.0.0, 3GPP Technical Specification 33.402, July 2020.
[TS-3GPP.33.501] [TS-3GPP.33.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture and procedures for 5G Security; Security architecture and procedures for 5G
System (Release 16)", Version 16.5.0, 3GPP Technical System (Release 16)", Version 16.7.1, 3GPP Technical
Specification 33.501, December 2020. Specification 33.501, July 2021.
[FIPS.180-4] [FIPS.180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-4, Hash Standard", FIPS PUB 180-4,
DOI 10.6028/NIST.FIPS.180-4, August 2015, DOI 10.6028/NIST.FIPS.180-4, August 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/ <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>. NIST.FIPS.180-4.pdf>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
skipping to change at line 1680 skipping to change at line 1683
9.2. Informative References 9.2. Informative References
[TS-3GPP.35.208] [TS-3GPP.35.208]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Specification of the MILENAGE Algorithm Set: An Security; Specification of the MILENAGE Algorithm Set: An
example algorithm set for the 3GPP authentication and key example algorithm set for the 3GPP authentication and key
generation functions f1, f1*, f2, f3, f4, f5 and f5*; generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data (Release 14)", Document 4: Design Conformance Test Data (Release 14)",
Version 15.0.0, 3GPP Technical Specification 35.208, Version 16.0.0, 3GPP Technical Specification 35.208, July
October 2018. 2020.
[FIPS.180-1] [FIPS.180-1]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, Hash Standard", FIPS PUB 180-1,
DOI 10.6028/NIST.FIPS.180-1, April 1995, DOI 10.6028/NIST.FIPS.180-1, April 1995,
<https://csrc.nist.gov/publications/detail/fips/180/1/ <https://csrc.nist.gov/publications/detail/fips/180/1/
archive/1995-04-17>. archive/1995-04-17>.
[FIPS.180-2] [FIPS.180-2]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
skipping to change at line 1802 skipping to change at line 1805
and Architectures for Computer Network Security, Lecture and Architectures for Computer Network Security, Lecture
Notes in Computer Science, Vol. 7531, pp. 65-76, Notes in Computer Science, Vol. 7531, pp. 65-76,
DOI 10.1007/978-3-642-33704-8_6, October 2012, DOI 10.1007/978-3-642-33704-8_6, October 2012,
<https://doi.org/10.1007/978-3-642-33704-8_6>. <https://doi.org/10.1007/978-3-642-33704-8_6>.
[BT2013] Beekman, J. G. and C. Thompson, "Breaking Cell Phone [BT2013] Beekman, J. G. and C. Thompson, "Breaking Cell Phone
Authentication: Vulnerabilities in AKA, IMS and Android", Authentication: Vulnerabilities in AKA, IMS and Android",
in 7th USENIX Workshop on Offensive Technologies, WOOT in 7th USENIX Workshop on Offensive Technologies, WOOT
'13, August 2013. '13, August 2013.
[ZF2005] Zhang, M. and Y. Fang, "Breaking Cell Phone [ZF2005] Zhang, M. and Y. Fang, "Security analysis and enhancements
Authentication: Vulnerabilities in AKA, IMS and Android", of 3GPP authentication and key agreement protocol", IEEE
IEEE Transactions on Wireless Communications, Vol. 4, No. Transactions on Wireless Communications, Vol. 4, No. 2,
2, March 2005. DOI 10.1109/TWC.2004.842941, March 2005,
<https://doi.org/10.1109/TWC.2004.842941>.
[Basin2018] [Basin2018]
Basin, D., Dreier, J., Hirschi, L., Radomirović, S., Basin, D., Dreier, J., Hirschi, L., Radomirović, S.,
Sasse, R., and V. Stettler, "A Formal Analysis of 5G Sasse, R., and V. Stettler, "A Formal Analysis of 5G
Authentication", arXiv:1806.10360, Authentication", arXiv:1806.10360,
DOI 10.1145/3243734.3243846, August 2018, DOI 10.1145/3243734.3243846, August 2018,
<https://doi.org/10.1145/3243734.3243846>. <https://doi.org/10.1145/3243734.3243846>.
[Arapinis2012] [Arapinis2012]
Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde, Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde,
skipping to change at line 1849 skipping to change at line 1853
[Hussain2019] [Hussain2019]
Hussain, S., Echeverria, M., Chowdhury, O., Li, N., and E. Hussain, S., Echeverria, M., Chowdhury, O., Li, N., and E.
Bertino, "Privacy Attacks to the 4G and 5G Cellular Paging Bertino, "Privacy Attacks to the 4G and 5G Cellular Paging
Protocols Using Side Channel Information", in the Protocols Using Side Channel Information", in the
proceedings of NDSS '19, held 24-27 February, 2019, San proceedings of NDSS '19, held 24-27 February, 2019, San
Diego, California, 2019. Diego, California, 2019.
Appendix A. Changes from RFC 5448 Appendix A. Changes from RFC 5448
The first change from RFC 5448 was to refer to a newer version of The change from RFC 5448 was to refer to a newer version of
[TS-3GPP.24.302]. The new version includes an updated definition of [TS-3GPP.24.302]. This RFC includes an updated definition of the
the Network Name field to include 5G. Network Name field to include 5G.
Second, identifier usage for 5G has been specified in Section 5.3. Identifier usage for 5G has been specified in Section 5.3. Also, the
Also, the requirements for generating pseudonym usernames and fast requirements for generating pseudonym usernames and fast re-
re-authentication identities have been updated from the original authentication identities have been updated from the original
definition in RFC 5448, which referenced RFC 4187. See Section 5. definition in RFC 5448, which referenced RFC 4187. See Section 5.
Third, exported parameters for EAP-AKA' have been defined in Exported parameters for EAP-AKA' have been defined in Section 6, as
Section 6, as required by [RFC5247], including the definition of required by [RFC5247], including the definition of those parameters
those parameters for both full authentication and fast re- for both full authentication and fast re-authentication.
authentication.
The security, privacy, and pervasive monitoring considerations have The security, privacy, and pervasive monitoring considerations have
been updated or added. See Section 7. been updated or added. See Section 7.
The references to [RFC2119], [RFC7542], [RFC7296], [RFC8126], The references to [RFC2119], [RFC4306], [RFC7296], [FIPS.180-1] and
[FIPS.180-1] and [FIPS.180-2] have been updated to their most recent [FIPS.180-2] have been updated to their most recent versions, and
versions, and language in this document has been changed accordingly. language in this document has been changed accordingly. However,
However, this is merely an update to a newer RFC, but the actual these are merely reference updates to newer specifications; the
protocol functions are the same as defined in the earlier RFCs. actual protocol functions are the same as defined in the earlier
RFCs.
Similarly, references to all 3GPP technical specifications have been Similarly, references to all 3GPP technical specifications have been
updated to their 5G versions (Release 16) or otherwise most recent updated to their 5G versions (Release 16) or otherwise most recent
version when there has not been a 5G-related update. version when there has not been a 5G-related update.
Finally, a number of clarifications have been made, including a Finally, a number of clarifications have been made, including a
summary of where attributes may appear. summary of where attributes may appear.
Appendix B. Changes to RFC 4187 Appendix B. Changes to RFC 4187
In addition to specifying EAP-AKA', this document also mandates a In addition to specifying EAP-AKA', this document also mandates a
change to another EAP method -- EAP-AKA that was defined in RFC 4187. change to another EAP method -- EAP-AKA that was defined in RFC 4187.
This change was already mandated in RFC 5448 but repeated here to This change was already mandated in RFC 5448 but repeated here to
ensure that the latest EAP-AKA' specification contains the ensure that the latest EAP-AKA' specification contains the
instructions about the necessary bidding down feature in EAP-AKA as instructions about the necessary bidding down prevention feature in
well. EAP-AKA as well.
The changes to RFC 4187 relate only to the bidding down prevention The changes to RFC 4187 relate only to the bidding down prevention
support defined in Section 4. In particular, this document does not support defined in Section 4. In particular, this document does not
change how the Master Key (MK) is calculated or any other aspect of change how the Master Key (MK) is calculated or any other aspect of
EAP-AKA. The provisions in this specification for EAP-AKA' do not EAP-AKA. The provisions in this specification for EAP-AKA' do not
apply to EAP-AKA, outside of Section 4. apply to EAP-AKA, outside of Section 4.
Appendix C. Importance of Explicit Negotiation Appendix C. Importance of Explicit Negotiation
Choosing between the traditional and revised AKA key derivation Choosing between the traditional and revised AKA key derivation
 End of changes. 44 change blocks. 
160 lines changed or deleted 164 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/