RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA), January.

Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in EAP Transport Layer Security (EAP-TLS), defined in RFC , is an IETF open standard that uses the . EAP-AKA is defined in RFC .
Targeting the weaknesses in static WEP. There are currently about 40 different methods defined.
Communicating the Peer Identity to the Server Used on full authentication only. It is possible to use a different authentication credential and thereby technique in each direction.
Because protected success indications are not used in this example, the EAP server sends the EAP-Success packet, indicating that the authentication was successful. GSM cellular networks use a subscriber identity module card to carry out user authentication.
Related Documentation
The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. There have also been proposals to use IEEE The protocol only specifies chaining multiple EAP mechanisms and not any specific method.
In the 3rd generation mobile networks, AKA is used for both radio network authentication and IP multimedia service authentication purposes. The encrypted data is not shown in the figures of this section.
In addition to the full authentication scenarios described above, EAP-AKA includes a fast re-authentication procedure, which is specified in Section 5. R-UIM is an application that is resident on devices such as smart cards, which may be fixed in the terminal or distributed by CDMA operators when removable.
Extensible Authentication Protocol
Sequence number used in the authentication process, 48 bits. Brute-Force and Dictionary Attacks The “home environment” refers to the home operator’s authentication network infrastructure. Protection, Replay Protection, and Confidentiality The EAP method protocol exchange is done in a minimum of four messages. Permanent Username The username portion of permanent identity, i.
This document frequently uses the following terms and abbreviations. In this document, the term nonce is only used to denote random nonces, and it is not used to denote counters. Nonce A value that is used at most once or that is never repeated within the same cryptographic context. Network authentication fails The AKA uses shared secrets between the Peer and the Peer's home operator, together with a sequence number, to actually perform an authentication.
EAP Types – Extensible Authentication Protocol Types
EAP-AKA includes optional identity privacy support, optional result indications, and an optional fast re-authentication procedure. Protected success indications are discussed in Section 6. It supports authentication techniques that are based on the following types of credentials: EAP is not a wire protocol; instead it only defines message formats. It does not specify an Internet standard of any kind.
This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase. This phase is independent of other phases; hence, any other scheme in-band or out-of-band can be used in the future.
In this case, the identity module calculates a sequence number synchronization parameter AUTS and sends it to the network. The highest security available is when the “private keys” of client-side certificate are housed in smart cards. The alternative is to use device passwords instead, but then the device is validated on the network not the user. The standard also describes the conditions under which the AAA key management requirements described in RFC can be satisfied. Network Working Group J.
Used on re-authentication only.
Distribution of this memo is unlimited. It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate and is designed for authentication over insecure networks such as IEEE The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker.
PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap through draft-josefsson-pppext-eap-tls-eap[36] and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap The 3rd Generation AKA is not used in the fast re-authentication procedure.
AKA authentication may then be retried with a new authentication vector generated using the synchronized sequence number. This is a requirement in RFC sec 7.
It is worth noting that the PAC file is issued on a per-user basis. Pseudonym Identity A pseudonym identity of the peer, including an NAI realm portion in environments where a realm is used. In addition, the private key on a smart card is typically encrypted using a PIN that only the owner of the smart card knows, minimizing its utility for a thief even after the card has been reported stolen and revoked.