rfc9048v6.txt   rfc9048.txt 
Internet Engineering Task Force (IETF) J. Arkko Internet Engineering Task Force (IETF) J. Arkko
Request for Comments: 9048 V. Lehtovirta Request for Comments: 9048 V. Lehtovirta
Updates: 4187, 5448 V. Torvinen Updates: 4187, 5448 V. Torvinen
Category: Informational Ericsson Category: Informational Ericsson
ISSN: 2070-1721 P. Eronen ISSN: 2070-1721 P. Eronen
Independent Independent
July 2021 October 2021
Improved Extensible Authentication Protocol Method for 3GPP Mobile Improved Extensible Authentication Protocol Method for 3GPP Mobile
Network Authentication and Key Agreement (EAP-AKA') Network Authentication and Key Agreement (EAP-AKA')
Abstract Abstract
The 3GPP mobile network Authentication and Key Agreement (AKA) is an The 3GPP mobile network Authentication and Key Agreement (AKA) is an
authentication mechanism for devices wishing to access mobile authentication mechanism for devices wishing to access mobile
networks. RFC 4187 (EAP-AKA) made the use of this mechanism possible networks. RFC 4187 (EAP-AKA) made the use of this mechanism possible
within the Extensible Authentication Protocol (EAP) framework. RFC within the Extensible Authentication Protocol (EAP) framework. RFC
skipping to change at line 229 skipping to change at line 229
Section 8 describes the IANA considerations, and Appendix A and Section 8 describes the IANA considerations, and Appendix A and
Appendix B explain the updates to RFC 5448 (EAP-AKA') and RFC 4187 Appendix B explain the updates to RFC 5448 (EAP-AKA') and RFC 4187
(EAP-AKA) that have been made in this specification. Appendix C (EAP-AKA) that have been made in this specification. Appendix C
explains some of the design rationale for creating EAP-AKA'. explains some of the design rationale for creating EAP-AKA'.
Finally, Appendix D provides test vectors. Finally, Appendix D provides test vectors.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. EAP-AKA' 3. EAP-AKA'
EAP-AKA' is an EAP method that follows the EAP-AKA specification EAP-AKA' is an EAP method that follows the EAP-AKA specification
[RFC4187] in all respects except the following: [RFC4187] in all respects except the following:
* It uses the Type code 0x32, not 0x17 (which is used by EAP-AKA). * It uses the Type code 0x32, not 0x17 (which is used by EAP-AKA).
* It carries the AT_KDF_INPUT attribute, as defined in Section 3.1, * It carries the AT_KDF_INPUT attribute, as defined in Section 3.1,
skipping to change at line 1589 skipping to change at line 1589
| 1 | EAP-AKA' with CK'/IK' | RFC 9048 | | 1 | EAP-AKA' with CK'/IK' | RFC 9048 |
+-------+-----------------------+-----------+ +-------+-----------------------+-----------+
Table 3: EAP-AKA' AT_KDF Key Derivation Table 3: EAP-AKA' AT_KDF Key Derivation
Function Values Function Values
9. References 9. References
9.1. Normative References 9.1. Normative References
[FIPS.180-4]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-4,
DOI 10.6028/NIST.FIPS.180-4, August 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>.
[RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
Protocol Method for 3rd Generation Authentication and Key
Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187,
January 2006, <https://www.rfc-editor.org/info/rfc4187>.
[RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542,
DOI 10.17487/RFC7542, May 2015,
<https://www.rfc-editor.org/info/rfc7542>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[TS-3GPP.23.003] [TS-3GPP.23.003]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Numbering, Specification Group Core Network and Terminals; Numbering,
addressing and identification (Release 16)", Version addressing and identification (Release 16)", Version
16.7.0, 3GPP Technical Specification 23.003, June 2021. 16.7.0, 3GPP Technical Specification 23.003, June 2021.
[TS-3GPP.23.501] [TS-3GPP.23.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; System Specification Group Services and System Aspects; System
architecture for the 5G System (5GS); (Release 16)", architecture for the 5G System (5GS); (Release 16)",
skipping to change at line 1634 skipping to change at line 1674
aspects of non-3GPP accesses (Release 16)", Version aspects of non-3GPP accesses (Release 16)", Version
16.0.0, 3GPP Technical Specification 33.402, July 2020. 16.0.0, 3GPP Technical Specification 33.402, July 2020.
[TS-3GPP.33.501] [TS-3GPP.33.501]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Specification Group Services and System Aspects; 3G
Security; Security architecture and procedures for 5G Security; Security architecture and procedures for 5G
System (Release 16)", Version 16.7.1, 3GPP Technical System (Release 16)", Version 16.7.1, 3GPP Technical
Specification 33.501, July 2021. Specification 33.501, July 2021.
[FIPS.180-4] 9.2. Informative References
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-4,
DOI 10.6028/NIST.FIPS.180-4, August 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>.
[RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
Protocol Method for 3rd Generation Authentication and Key
Agreement (EAP-AKA)", RFC 4187, DOI 10.17487/RFC4187,
January 2006, <https://www.rfc-editor.org/info/rfc4187>.
[RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542, [Arapinis2012]
DOI 10.17487/RFC7542, May 2015, Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde,
<https://www.rfc-editor.org/info/rfc7542>. N., Redon, R., and R. Borgaonkar, "New Privacy Issues in
Mobile Telephony: Fix and Verification", in CCS '12:
Proceedings of the 2012 ACM Conference on Computer and
Communications Security, Raleigh, North Carolina, USA,
DOI 10.1145/2382196.2382221, October 2012,
<https://doi.org/10.1145/2382196.2382221>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [Basin2018]
Writing an IANA Considerations Section in RFCs", BCP 26, Basin, D., Dreier, J., Hirschi, L., Radomirović, S.,
RFC 8126, DOI 10.17487/RFC8126, June 2017, Sasse, R., and V. Stettler, "A Formal Analysis of 5G
<https://www.rfc-editor.org/info/rfc8126>. Authentication", arXiv:1806.10360,
DOI 10.1145/3243734.3243846, August 2018,
<https://doi.org/10.1145/3243734.3243846>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [Borgaonkar2018]
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, Borgaonkar, R., Hirschi, L., Park, S., and A. Shaik, "New
May 2017, <https://www.rfc-editor.org/info/rfc8174>. Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols",
in IACR Cryptology ePrint Archive, 2018.
9.2. Informative References [BT2013] Beekman, J. G. and C. Thompson, "Breaking Cell Phone
Authentication: Vulnerabilities in AKA, IMS and Android",
in 7th USENIX Workshop on Offensive Technologies, WOOT
'13, August 2013.
[TS-3GPP.35.208] [EMU-AKA-PFS]
3GPP, "3rd Generation Partnership Project; Technical Arkko, J., Norrman, K., and V. Torvinen, "Perfect-Forward
Specification Group Services and System Aspects; 3G Secrecy for the Extensible Authentication Protocol Method
Security; Specification of the MILENAGE Algorithm Set: An for Authentication and Key Agreement (EAP-AKA' PFS)", Work
example algorithm set for the 3GPP authentication and key in Progress, Internet-Draft, draft-ietf-emu-aka-pfs-05, 30
generation functions f1, f1*, f2, f3, f4, f5 and f5*; October 2020, <https://datatracker.ietf.org/doc/html/
Document 4: Design Conformance Test Data (Release 14)", draft-ietf-emu-aka-pfs-05>.
Version 16.0.0, 3GPP Technical Specification 35.208, July
2020.
[FIPS.180-1] [FIPS.180-1]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, Hash Standard", FIPS PUB 180-1,
DOI 10.6028/NIST.FIPS.180-1, April 1995, DOI 10.6028/NIST.FIPS.180-1, April 1995,
<https://csrc.nist.gov/publications/detail/fips/180/1/ <https://csrc.nist.gov/publications/detail/fips/180/1/
archive/1995-04-17>. archive/1995-04-17>.
[FIPS.180-2] [FIPS.180-2]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, Hash Standard", FIPS PUB 180-2, August 2002,
<https://csrc.nist.gov/publications/detail/fips/180/2/ <https://csrc.nist.gov/publications/detail/fips/180/2/
archive/2002-08-01>. archive/2002-08-01>.
[Heist2015]
Scahill, J. and J. Begley, "How Spies Stole the Keys to
the Encryption Castle", February 2015,
<https://firstlook.org/theintercept/2015/02/19/great-sim-
heist/>.
[Hussain2019]
Hussain, S., Echeverria, M., Chowdhury, O., Li, N., and E.
Bertino, "Privacy Attacks to the 4G and 5G Cellular Paging
Protocols Using Side Channel Information", in the
proceedings of NDSS '19, held 24-27 February, 2019, San
Diego, California, 2019.
[Kune2012] Kune, D., Koelndorfer, J., Hopper, N., and Y. Kim,
"Location Leaks on the GSM Air Interface", in the
proceedings of NDSS '12, held 5-8 February, 2012, San
Diego, California, 2012.
[MT2012] Mjølsnes, S. F. and J-K. Tsay, "A Vulnerability in the
UMTS and LTE Authentication and Key Agreement Protocols",
in Computer Network Security, Proceedings of the 6th
International Conference on Mathematical Methods, Models
and Architectures for Computer Network Security, Lecture
Notes in Computer Science, Vol. 7531, pp. 65-76,
DOI 10.1007/978-3-642-33704-8_6, October 2012,
<https://doi.org/10.1007/978-3-642-33704-8_6>.
[RFC3310] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer [RFC3310] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
Protocol (HTTP) Digest Authentication Using Authentication Protocol (HTTP) Digest Authentication Using Authentication
and Key Agreement (AKA)", RFC 3310, DOI 10.17487/RFC3310, and Key Agreement (AKA)", RFC 3310, DOI 10.17487/RFC3310,
September 2002, <https://www.rfc-editor.org/info/rfc3310>. September 2002, <https://www.rfc-editor.org/info/rfc3310>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>. <https://www.rfc-editor.org/info/rfc4086>.
skipping to change at line 1777 skipping to change at line 1828
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <https://www.rfc-editor.org/info/rfc7258>. 2014, <https://www.rfc-editor.org/info/rfc7258>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[EMU-AKA-PFS]
Arkko, J., Norrman, K., and V. Torvinen, "Perfect-Forward
Secrecy for the Extensible Authentication Protocol Method
for Authentication and Key Agreement (EAP-AKA' PFS)", Work
in Progress, Internet-Draft, draft-ietf-emu-aka-pfs-05, 30
October 2020, <https://datatracker.ietf.org/doc/html/
draft-ietf-emu-aka-pfs-05>.
[Heist2015]
Scahill, J. and J. Begley, "How Spies Stole the Keys to
the Encryption Castle", February 2015,
<https://firstlook.org/theintercept/2015/02/19/great-sim-
heist/>.
[MT2012] Mjølsnes, S. F. and J-K. Tsay, "A Vulnerability in the
UMTS and LTE Authentication and Key Agreement Protocols",
in Computer Network Security, Proceedings of the 6th
International Conference on Mathematical Methods, Models
and Architectures for Computer Network Security, Lecture
Notes in Computer Science, Vol. 7531, pp. 65-76,
DOI 10.1007/978-3-642-33704-8_6, October 2012,
<https://doi.org/10.1007/978-3-642-33704-8_6>.
[BT2013] Beekman, J. G. and C. Thompson, "Breaking Cell Phone
Authentication: Vulnerabilities in AKA, IMS and Android",
in 7th USENIX Workshop on Offensive Technologies, WOOT
'13, August 2013.
[ZF2005] Zhang, M. and Y. Fang, "Security analysis and enhancements
of 3GPP authentication and key agreement protocol", IEEE
Transactions on Wireless Communications, Vol. 4, No. 2,
DOI 10.1109/TWC.2004.842941, March 2005,
<https://doi.org/10.1109/TWC.2004.842941>.
[Basin2018]
Basin, D., Dreier, J., Hirschi, L., Radomirović, S.,
Sasse, R., and V. Stettler, "A Formal Analysis of 5G
Authentication", arXiv:1806.10360,
DOI 10.1145/3243734.3243846, August 2018,
<https://doi.org/10.1145/3243734.3243846>.
[Arapinis2012]
Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde,
N., Redon, R., and R. Borgaonkar, "New Privacy Issues in
Mobile Telephony: Fix and Verification", in CCS '12:
Proceedings of the 2012 ACM Conference on Computer and
Communications Security, Raleigh, North Carolina, USA,
DOI 10.1145/2382196.2382221, October 2012,
<https://doi.org/10.1145/2382196.2382221>.
[Borgaonkar2018]
Borgaonkar, R., Hirschi, L., Park, S., and A. Shaik, "New
Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols",
in IACR Cryptology ePrint Archive, 2018.
[Kune2012] Kune, D., Koelndorfer, J., Hopper, N., and Y. Kim,
"Location Leaks on the GSM Air Interface", in the
proceedings of NDSS '12, held 5-8 February, 2012, San
Diego, California, 2012.
[Shaik2016] [Shaik2016]
Shaik, A., Seifert, J., Borgaonkar, R., Asokan, N., and V. Shaik, A., Seifert, J., Borgaonkar, R., Asokan, N., and V.
Niemi, "Practical attacks against Privacy and Availability Niemi, "Practical attacks against Privacy and Availability
in 4G/LTE Mobile Communication Systems", in the in 4G/LTE Mobile Communication Systems", in the
proceedings of NDSS '16 held 21-24 February, 2016, San proceedings of NDSS '16 held 21-24 February, 2016, San
Diego, California, 2012. Diego, California, 2012.
[Hussain2019] [TS-3GPP.35.208]
Hussain, S., Echeverria, M., Chowdhury, O., Li, N., and E. 3GPP, "3rd Generation Partnership Project; Technical
Bertino, "Privacy Attacks to the 4G and 5G Cellular Paging Specification Group Services and System Aspects; 3G
Protocols Using Side Channel Information", in the Security; Specification of the MILENAGE Algorithm Set: An
proceedings of NDSS '19, held 24-27 February, 2019, San example algorithm set for the 3GPP authentication and key
Diego, California, 2019. generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data (Release 14)",
Version 16.0.0, 3GPP Technical Specification 35.208, July
2020.
[ZF2005] Zhang, M. and Y. Fang, "Security analysis and enhancements
of 3GPP authentication and key agreement protocol", IEEE
Transactions on Wireless Communications, Vol. 4, No. 2,
DOI 10.1109/TWC.2004.842941, March 2005,
<https://doi.org/10.1109/TWC.2004.842941>.
Appendix A. Changes from RFC 5448 Appendix A. Changes from RFC 5448
The change from RFC 5448 was to refer to a newer version of The change from RFC 5448 was to refer to a newer version of
[TS-3GPP.24.302]. This RFC includes an updated definition of the [TS-3GPP.24.302]. This RFC includes an updated definition of the
Network Name field to include 5G. Network Name field to include 5G.
Identifier usage for 5G has been specified in Section 5.3. Also, the Identifier usage for 5G has been specified in Section 5.3. Also, the
requirements for generating pseudonym usernames and fast re- requirements for generating pseudonym usernames and fast re-
authentication identities have been updated from the original authentication identities have been updated from the original
 End of changes. 12 change blocks. 
115 lines changed or deleted 115 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/