RFC 7029

Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding, October 2013

File formats:
icon for text file icon for PDF icon for HTML
Status:
INFORMATIONAL
Authors:
S. Hartman
M. Wasserman
D. Zhang
Stream:
IETF
Source:
emu (sec)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC7029

Discuss this RFC: Send questions or comments to the mailing list emu@ietf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 7029


Abstract

As the Extensible Authentication Protocol (EAP) evolves, EAP peers rely increasingly on information received from the EAP server. EAP extensions such as channel binding or network posture information are often carried in tunnel methods; peers are likely to rely on this information. Cryptographic binding is a facility described in RFC 3748 that protects tunnel methods against man-in-the-middle attacks. However, cryptographic binding focuses on protecting the server rather than the peer. This memo explores attacks possible when the peer is not protected from man-in-the-middle attacks and recommends cryptographic binding based on an Extended Master Session Key, a new form of cryptographic binding that protects both peer and server along with other mitigations.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.




Advanced Search