Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-120 Title: Recommendation for EAP Methods Used in Wireless Network Access Authentication Publication Date(s): September 2009 Withdrawal Date: October 19, 2018 Withdrawal Note: This publication is out of date. Refer to relevant standards from the Internet Engineering Task Force (IETF), http://www.ietf.org/ . Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: Title: Author(s): Publication Date(s): URL/DOI: Additional Information (if applicable) Contact: Computer Security Division (Information Technology Laboratory) Latest revision of the attached publication: Related information: https://csrc.nist.gov https://csrc.nist.gov/publications/detail/sp/800-120/archive/2009-09-17 Withdrawal N/A announcement (link): Date updated: October 19, 2018 NIST Special Publication 800-120 Recommendation for EAP Methods Used in Wireless Network Access Authentication Katrin Hoeper and Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick Gallagher, Deputy Director Abstract This Recommendation specifies security requirements for authentication methods with key establishment supported by the Extensible Authentication Protocol (EAP) defined in IETF RFC 3748 for wireless access authentications to federal networks. KEY WORDS: EAP methods, authentication, key establishment. SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication Acknowledgments The authors, Katrin Hoeper and Lily Chen, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors gratefully acknowledge and appreciate contributions by Elaine Barker, William Burr, Sheila Frankel, Antonio Izquierdo, Ray Perlner, and Tim Polk of NIST. The authors also thank the many contributions by the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication. 3 SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication Authority This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This Recommendation has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. 4 SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication Table of Contents 1. Introduction ..............................................................................................................8 2. Scope and Purpose..................................................................................................9 3. Definitions, Symbols and Abbreviations ...............................................................9 3.1 Definitions...........................................................................................................................9 3.2 Symbols and Abbreviations ..............................................................................................15 4. EAP Overview......................................................................................................... 17 4.1 EAP Communication Links and Involved Parties..........................................................17 4.2 EAP Message Flows.......................................................................................................19 4.3 EAP Protocol Stacks ......................................................................................................20 4.4 Tunnel-based EAP Methods...........................................................................................21 4.5 EAP Key Derivation and Key Hierarchy .......................................................................22 4.6 EAP Ciphersuite Negotiation.........................................................................................23 5. Vulnerabilities of EAP in Wireless Applications.................................................. 24 5.1 Wireless Links................................................................................................................24 5.2 Negotiable Cryptographic Algorithms ...........................................................................25 5.3 Sensitive Information and Data Confidentiality.............................................................26 5.4 Tunnel-based EAP Methods...........................................................................................26 5.5 Vulnerability of the Points of Attachment .....................................................................26 6. EAP Objectives for Wireless Network Access Authentications ........................ 27 6.1 Objectives and Features .................................................................................................27 6.2. Procedures ......................................................................................................................28 7. Pre-conditions for EAP.......................................................................................... 28 7.1 Secure Set Up of Long-Term Credentials......................................................................28 7.2 Secure Connections in Accessed Backend Network......................................................29 7.3 Authorization and Authentication Information of Authenticators and other Entities in the Backend Network...........................................................................................................29 8. Security Requirements for Non-tunneled EAP Methods .................................... 29 8.1 Protected Ciphersuite Negotiation .................................................................................30 5 SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication 8.2 Mutual Authentication....................................................................................................31 8.3 Key Establishment..........................................................................................................32 8.3.1 Key Hierarchies and Key Derivation Functions ................................................33 8.4 Service Information Exchange.......................................................................................33 8.5 EAP Message Protections ..............................................................................................34 9. Requirements for Tunnel-based EAP Methods ................................................... 35 9.1 Tunnel-based EAP Methods...........................................................................................35 9.2 Tunnel Protocol..............................................................................................................39 9.2.1 TLS as a Tunnel Protocol...................................................................................40 9.3 Tunneled Authentication Method...................................................................................40 10. Summary................................................................................................................. 41 Annex A: Discussion of Selected EAP Methods ..................................................... 43 A.1 EAP-GPSK......................................................................................................................43 A.2 EAP-TLS.........................................................................................................................45 A.3 EAP-FAST ......................................................................................................................47 A.4 EAP-TTLSv0...................................................................................................................49 A.5 PEAP ...............................................................................................................................50 Annex B: References (Informative)............................................................................ 52 6 SP 800-120: Recommendation for EAP