Internet DRAFT - draft-clancy-hokey-plan
draft-clancy-hokey-plan
HOKEY Working Group T. Clancy
Internet-Draft LTS
Intended status: Informational April 29, 2007
Expires: October 31, 2007
HOKEY Re-authentication Protocol Plan
draft-clancy-hokey-plan-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 31, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes a plan forward for incorporating the work of
a variety of individual submissions to satisfy the HOKEY working
group re-authentication problem statement into a single set of
working-group documents.
Clancy Expires October 31, 2007 [Page 1]
�
Internet-Draft HOKEY Plan April 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. EAP Key Delivery Protocol Document . . . . . . . . . . . . . . 3
4. HOKEY Re-Auth Protocol Document . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Clancy Expires October 31, 2007 [Page 2]
�
Internet-Draft HOKEY Plan April 2007
1. Introduction
Over the past several months, there have been three documents, each
with different qualities and different levels of completeness,
submitted as solutions documents for HOKEY re-authentication.
EAP-ER [I-D.vidya-eap-er] describes a protocol for doing re-
authentication in EAP by extending EAP with additional Packet Codes.
These codes would allow a peer-initiated re-authentication request to
be communicated to the HOKEY server, and a response returned. It
also defines the necessary keying hierarchy to support re-
authentication.
The 3-party keying protocol document
[I-D.ohba-hokey-3party-keydist-ps] describes both additional protocol
requirements to movitave the use of a 3-party key distribution
protocol, and a rough strawman for what such a protocol could look
like.
EAP-HR [I-D.nakhjiri-hokey-hierarchy] describes a protocol motivated
by the 3-party keying document that uses method-based transport with
a modified EAP-Success packet. Additionally, a keying hierarchy for
re-authentication is presented.
Each document has its strengths, and this document describes a plan
for merging them into two working-group documents. The first
document will describe EMSK service key delivery, and the second will
describe the HOKEY re-authentication protocol. The plan expressed in
this document represents a variety of compromises making up the
consensus of the working group, as perceived by the chairs.
2. Terminology
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in [RFC2119].
3. EAP Key Delivery Protocol Document
Any service that needs to obtain a USRK, DSRK, or DSUSRK
[I-D.ietf-hokey-emsk-hierarchy] needs to execute some sort of
protocol exchange with the EAP server to obtain that key. This
exchange may be executed in conjunction with some other protocol
action, or performed independently, depending on how the service
Clancy Expires October 31, 2007 [Page 3]
�
Internet-Draft HOKEY Plan April 2007
operates.
The goal of this document is to describe a generic protocol that
other protocols can use to obtain these root keys. This document
will not, however, specify an actual transport, as each service may
needs its own specialized transport. A generic AAA keyreq-based
approach COULD be defined in this document.
The fundamentals of the keying hierarchy necessary to support channel
bindings, along with the protocol exchanges, will be based on EAP-HR
3-party key delivery protocol [I-D.nakhjiri-hokey-hierarchy], and the
EAP-ER-Bootstrap protocol [I-D.vidya-eap-er].
EMSK
**************|*************
* +----------+----------+ *
* | | | *
* USRK DSRK IK * EMSK Hierarchy &
* | <-- Key Delivery
* +----------+----------+ * Documents
* | ***|*** | *
* DSUSRK * HRK * DSIK *
********** | *********
* +----------+----------+ *
* | | | *
* rMSK rMSK rIK *
* <-- HOKEY Re-Auth
**************************** Protocol Document
Figure 1: EAP EMSK Keying Hierarchy Division
The purpose of this document is to define the necessary USRKs and
DSUSRKs for channel binding at each layer of the keying hierarchy
(i.e. the IK and DSIK). Additionally, it shall define payloads, in
the form of opaque blobs, that a transport protocol SHOULD carry if
it requires strong security on key distribution.
For example, if KH-X represents the identity of the key holder for
key X, a 3-party protocol for a service that simply uses a USRK,
inspired by [I-D.ohba-hokey-3party-keydist-ps], might look something
like the following.
First let's define a few functions:
o SEC(K, M) = M || MIC_K(M)
Clancy Expires October 31, 2007 [Page 4]
�
Internet-Draft HOKEY Plan April 2007
o IDbind(id1, id2, id3, N, K) = SEC(K, id1 || id2 || id3 || N)
o KeyTransport(K) = K or ENC(K), depending on service
The IDbind(.) blob is a basic channel binding blob that binds three
identities together with a nonce using a secret key. Using this
building block, the protocol would look like:
1. peer -> KH-USRK: IDbind(peer, EAP Server, KH-USRK, NonceA, IK)
2. KH-USRK -> EAP Server: IDbind(peer, EAP Server, KH-USRK, NonceA,
IK)
3. EAP Server -> KH-USRK: IDbind(peer, EAP Server, KH-USRK,
NonceA+1, IK), KeyTransport(USRK)
4. KH-USRK -> peer: IDbind(peer, EAP Server, KH-USRK, NonceA+1, IK)
This protocol binds the three identities with a fresh nonce, and
returns the USRK to the service. For a service that utilizes a DSRK,
the above exchange would be similar, but include additional payloads.
1. peer -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK),
IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK)
2. KH-DSUSRK -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA,
IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK)
3. KH-DSRK -> EAP Server: IDbind(peer, EAP Server, KH-DSRK, NonceA,
IK)
4. EAP Server -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK,
NonceA+1, IK), KeyTransport(DSRK)
5. KH-DSRK -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA+1,
IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK),
KeyTransport(DSUSRK)
6. KH-DSUSRK -> peer: IDbind(peer, EAP Server, KH-DSRK, NonceA+1,
IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1, DSIK)
This is still a single round trip, just relayed through a variety of
intermediate nodes. Note that if KH-DSRK already held the DSRK, the
protocol would simplify to:
1. peer -> KH-DSUSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA, IK),
IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK)
2. KH-DSUSRK -> KH-DSRK: IDbind(peer, EAP Server, KH-DSRK, NonceA,
IK), IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA, DSIK)
3. KH-DSRK -> KH-DSUSRK: IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1,
DSIK), KeyTransport(DSUSRK)
4. KH-DSUSRK -> peer: IDbind(peer, KH-DSRK, KH-DSUSRK, NonceA+1,
DSIK)
Note that the peer doesn't need to know if the KH-DSRK already holds
the DSRK. The initial message is the same.
Clancy Expires October 31, 2007 [Page 5]
�
Internet-Draft HOKEY Plan April 2007
If a particular service does not need the strong security properties
of a 3-party key distribution protocol, the key holder identities in
the request can be NULL, provided they are correct in the response
packets. This provides basic channel binding properties, but not
peer consent. Also a service may also elect to not use this protocol
at all. It's provided as a set of building blocks whereby different
services can use a common protocol to securely interact with EMSKs
and DSRKs.
The point of the above protocol example was not to provide a complete
description, but illustrate what needs to be defined. In particular,
formally defining something like the IDbind(.) and KeyTransport(.)
primitives is necessary. These blobs can then be carried by any
underlying protocol, including HOKEY.
Currently only EAP-ER formally specifies a protocol for delivering
the HRK to the HOKEY server. Consequently section 6.2 of the EAP-ER
document [I-D.vidya-eap-er] will serve as a starting point for
development of this protocol. It shall be generalized to work for an
arbitrary USRK or DSUSRK, and also define the IK and DSIK in terms of
the KDF specified by [I-D.ietf-hokey-emsk-hierarchy].
4. HOKEY Re-Auth Protocol Document
EAP-ER shall be adopted as a working group document to satisfy the
HOKEY Re-Auth Protocol requirement, subject to a variety of caveats:
o Its name shall be changed to the HOKEY protocol.
o It shall include support for channel bindings by including the NAS
ID of the authenticator and ID of the EAP server in the integrity
protected portions of the EAP-ER response from the EAP server to
the authenticator and peer. Reusing the IDbind(.) primitive in
the previous protocol would be desirable.
o A new, optional message shall be added to support authenticator-
initiated re-authentication. This message shall be generalized
such that it is a "new" version of the EAP-Request/Identity.
o The EAP-Initiate/Reauth packet shall be converted into a "new"
version of the EAP-Response/Identity.
o The EAP-Finish/Reauth packet shall be converted into a "new"
version of the EAP-Success.
These "new" packet codes shall be designed in a generic fashion, such
that they could be used by future EAP extensions. For example, the
Identity codes could natively include network selection information,
rather than embedding them into the prompt and client NAI fields.
The "new" EAP-Success could include native support for protected
results indication.
Clancy Expires October 31, 2007 [Page 6]
�
Internet-Draft HOKEY Plan April 2007
5. Security Considerations
TBD.
6. IANA Considerations
This document does not introduce any new IANA considerations.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2. Informative References
[I-D.ietf-hokey-emsk-hierarchy]
Salowey, J., "Specification for the Derivation of Usage
Specific Root Keys (USRK) from an Extended Master Session
Key (EMSK)", draft-ietf-hokey-emsk-hierarchy-00 (work in
progress), January 2007.
[I-D.nakhjiri-hokey-hierarchy]
Nakhjiri, M., "Keying and signaling for wireless access
and handover using EAP (EAP-HR)",
draft-nakhjiri-hokey-hierarchy-04 (work in progress),
April 2007.
[I-D.ohba-hokey-3party-keydist-ps]
Ohba, Y., "Problem Statement and Requirements on a 3-Party
Key Distribution Protocol for Handover Keying",
draft-ohba-hokey-3party-keydist-ps-01 (work in progress),
March 2007.
[I-D.vidya-eap-er]
Narayanan, V. and L. Dondeti, "EAP Extensions for
Efficient Re-authentication", draft-vidya-eap-er-02 (work
in progress), January 2007.
Clancy Expires October 31, 2007 [Page 7]
�
Internet-Draft HOKEY Plan April 2007
Author's Address
T. Charles Clancy
DoD Laboratory for Telecommunication Sciences
8080 Greenmead Drive
College Park, MD
USA
Email: clancy@LTSnet.net
Clancy Expires October 31, 2007 [Page 8]
�
Internet-Draft HOKEY Plan April 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Clancy Expires October 31, 2007 [Page 9]
�
