Extensible Authentication Protocol Mutual Cryptographic Binding
RFC 7029, “Extensible Authentication Protocol Mutual Cryptographic Binding”, is an Informational document published in October 2013 by S. Hartman, M. Wasserman, D. Zhang. The canonical text is published by the RFC Editor.
Abstract
As the Extensible Authentication Protocol (EAP) evolves, EAP peers rely increasingly on information received from the EAP server. EAP extensions such as channel binding or network posture information are often carried in tunnel methods; peers are likely to rely on this information. Cryptographic binding is a facility described in RFC 3748 that protects tunnel methods against man-in-the-middle attacks. However, cryptographic binding focuses on protecting the server rather than the peer. This memo explores attacks possible when the peer is not protected from man-in-the-middle attacks and recommends cryptographic binding based on an Extended Master Session Key, a new form of cryptographic binding that protects both peer and server along with other mitigations.
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 7029 is hosted at rfc-editor.org. Available in TXT,HTML.
- RFC 7028 Multicast Mobility Routing Optimizations for Proxy Mobile IPv6
- RFC 7030 Enrollment over Secure Transport
- RFC 7027 Elliptic Curve Cryptography Brainpool Curves for Transport Layer Security
- RFC 7031 DHCPv6 Failover Requirements
- RFC 7026 Retiring TLVs from the Associated Channel Header of the MPLS Generic Associated Channel
- RFC 7032 LDP Downstream-on-Demand in Seamless MPLS
- RFC 7025 Requirements for GMPLS Applications of PCE
- RFC 7033 WebFinger