RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections. EAP Transport Layer Security (EAP-TLS), defined in its own RFC, is an IETF open standard that uses TLS. EAP-AKA is defined in this RFC.

Permanent Identity: The permanent identity of the peer, including an NAI realm portion in environments where a realm is used. The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. See Section 4. The vector may be obtained by contacting an Authentication Centre (AuC) on the mobile network; for example, per UMTS specifications, several vectors may be obtained at a time.

EAP is an authentication framework for providing the transport and usage of keying material and parameters generated by EAP methods. Because protected success indications are not used in this example, the EAP server sends the EAP-Success packet, indicating that the authentication was successful.

In this document, both modules are referred to as identity modules. If this process is successful (the AUTN is valid and the sequence number used to generate AUTN is within the correct range), the identity module produces an authentication result, RES, and sends it to the home environment.

If the RES is correct, IK and CK can be used to protect further communications between the identity module and the home environment. If the sequence numbers have fallen out of synchronization, the identity module reports this instead, and AKA authentication may then be retried with a new authentication vector generated using the synchronized sequence number.
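The exchange described above, as an added example that is not part of the RFC: a toy Python model of the identity module and the home environment, showing the AUTN check, the sequence-number range test, the RES comparison, and the synchronization-failure path followed by a retry with a fresh vector. The f1..f5 (and f1*, f5*) functions are HMAC-SHA256 stand-ins for the operator's real algorithms (MILENAGE in deployed networks), the acceptance window SQN_DELTA and the AMF value are assumed policy values, and the subscriber key K is constructed.

```python
# Added example (not from the RFC): toy model of the AKA challenge-response
# between the identity module (USIM) and the home environment, with the
# sequence-number check, RES comparison and resynchronisation-then-retry.
# ASSUMPTION: f1..f5, f1*, f5* are HMAC-SHA256 stand-ins for the operator's
# MILENAGE functions; SQN_DELTA and AMF are made-up policy values.
import hashlib
import hmac
import os

SQN_DELTA = 32           # assumed acceptance window for sequence numbers
AMF = b"\x80\x00"        # Authentication Management Field (arbitrary here)


def _f(k, tag, *parts):
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf):  return _f(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f1s(k, rand, sqn, amf): return _f(k, b"f1*", rand, sqn, amf)[:8]  # MAC-S
def f2(k, rand): return _f(k, b"f2", rand)[:8]    # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]   # CK
def f4(k, rand): return _f(k, b"f4", rand)[:16]   # IK
def f5(k, rand): return _f(k, b"f5", rand)[:6]    # AK (48 bits, conceals SQN)
def f5s(k, rand): return _f(k, b"f5*", rand)[:6]  # AK* for resynchronisation


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeEnvironment:
    """Holds the subscriber key K and the counter SQN_HE."""

    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def authentication_vector(self, rand=None):
        rand = rand if rand is not None else os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        # AUTN = (SQN xor AK) || AMF || MAC-A
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return {"RAND": rand, "XRES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand), "AUTN": autn}

    def resynchronise(self, rand, auts):
        """Adopt SQN_MS carried in AUTS after checking its MAC-S."""
        sqn_ms = xor(auts[:6], f5s(self.k, rand))
        if not hmac.compare_digest(auts[6:], f1s(self.k, rand, sqn_ms, b"\x00\x00")):
            raise ValueError("AUTS MAC-S check failed")
        self.sqn = int.from_bytes(sqn_ms, "big")


class IdentityModule:
    """Holds the same K and the highest accepted sequence number SQN_MS."""

    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def challenge(self, rand, autn):
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        # MAC first: a forged AUTN must never reach the sequence-number logic.
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: AUTN not produced by the home environment")
        n = int.from_bytes(sqn, "big")
        if not self.sqn < n <= self.sqn + SQN_DELTA:
            # Replayed or stale vector: report synchronisation failure and
            # carry SQN_MS back to the home environment inside AUTS.
            sqn_ms = self.sqn.to_bytes(6, "big")
            auts = xor(sqn_ms, f5s(self.k, rand)) + f1s(self.k, rand, sqn_ms, b"\x00\x00")
            return ("SYNC_FAILURE", auts)
        self.sqn = n
        return ("OK", f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))


def run_aka(home, usim):
    """One authentication as the server sees it; retries once after a resync.
    Returns (authenticated, attempts_used, keys_agree)."""
    for attempt in range(2):
        av = home.authentication_vector()
        result = usim.challenge(av["RAND"], av["AUTN"])
        if result[0] == "SYNC_FAILURE":
            home.resynchronise(av["RAND"], result[1])
            continue
        _, res, ck, ik = result
        ok = hmac.compare_digest(res, av["XRES"])
        return ok, attempt + 1, ok and (ck, ik) == (av["CK"], av["IK"])
    return False, 2, False
```

Two points the model makes explicit: the identity module verifies MAC-A before it looks at the sequence number, so an attacker cannot use a forged AUTN to drive resynchronisation; and a replayed AUTN fails the range check rather than the MAC, so the identity module reports it as a synchronisation failure exactly as it would a stale vector, and the home environment simply issues a fresh one.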


Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections. Used on full authentication only.

On full authentication, the peer's identity response includes either the user's International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym) if identity privacy is in effect, as specified in Section 4.

Protocol for Carrying Authentication for Network Access (PANA). The standard also describes the conditions under which the AAA key management requirements described in RFC can be satisfied. Permanent Username: The username portion of the permanent identity, i.e. the permanent identity without its realm portion.

Format, Generation, and Usage of Peer Identities

Additionally, a number of vendor-specific methods and new proposals exist. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase. The highest security available is when the private keys of the client-side certificate are housed in smart cards.

Related Documentation

The lack of mutual authentication in GSM has also been overcome.

Protection, Replay Protection, and Confidentiality

SQN: Sequence number used in the authentication process, 48 bits.

From the vector, the EAP server derives the keying material, as specified in Section 6. The 3rd Generation AKA is not used in the fast re-authentication procedure. In certain circumstances, shown in Figure 4, it is possible for the sequence numbers to get out of sequence.

It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate and is designed for authentication over insecure networks such as IEEE. This is a requirement in the cited RFC, Section 7.


Extensible Authentication Protocol

The encrypted data is not shown in the figures of this section. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.

Attacks against Identity Privacy

There are currently about 40 different methods defined.

AKA works in the manner described earlier: the identity module verifies AUTN, returns RES, and derives CK and IK. The protocol only specifies chaining of EAP mechanisms and not any specific method. EAP-GTC carries a text challenge from the authentication server, and a reply generated by a security token.


AKA is based on challenge-response mechanisms and symmetric cryptography. This document frequently uses the following terms and abbreviations. EAP is not a wire protocol; instead it only defines message formats.

The EAP server may also include derived keying material in the message it sends to the authenticator. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number (PIN) to perform authentication.

The permanent identity is usually based on the IMSI. Distribution of this memo is unlimited.
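The identity handling described above (Permanent Identity and Permanent Username definitions, the IMSI-or-pseudonym identity response, and the permanent identity being based on the IMSI), as an added example that is not the RFC's own text or code: a Python sketch of how an EAP server builds, classifies and resolves EAP-AKA peer identities. Assumptions not stated on this page: the realm is derived with the 3GPP TS 23.003 convention (wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org) with a two-digit MNC by default; the leading characters "0" (permanent), "2" (pseudonym) and "4" (fast re-authentication) follow the convention RFC 4187 recommends for identities the server itself issued; fast re-authentication identities are treated as single-use; the IMSI used in the usage note is a constructed test-PLMN value.

```python
# Added example (not from the RFC): building, classifying and resolving EAP-AKA
# peer identities as an EAP server would on receipt of an identity response.
# ASSUMPTIONS: realm derived per the 3GPP TS 23.003 convention (not stated on
# this page); leading characters '0'/'2'/'4' per the convention RFC 4187
# recommends for server-issued identities; re-auth ids are single-use.
import secrets

LEADING = {"0": "permanent", "2": "pseudonym", "4": "fast_reauth"}


def permanent_identity(imsi, mnc_len=2):
    """Username is '0' + IMSI; realm is derived from MCC/MNC (mnc_len assumed)."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 decimal digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return f"0{imsi}@wlan.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def classify_identity(identity):
    """Split an NAI into (kind, username, realm) using the leading character."""
    username, _, realm = identity.partition("@")
    return LEADING.get(username[:1], "unknown"), username, realm


class IdentityStore:
    """Server-side map from temporary identities back to the permanent username."""

    def __init__(self):
        self.pseudonyms = {}
        self.reauth_ids = {}

    def issue_pseudonym(self, permanent_username):
        # Random, so successive full authentications are not linkable on the air.
        p = "2" + secrets.token_hex(8)
        self.pseudonyms[p] = permanent_username
        return p

    def issue_reauth_id(self, permanent_username):
        r = "4" + secrets.token_hex(8)
        self.reauth_ids[r] = permanent_username
        return r

    def resolve(self, identity):
        """Return (permanent_username, next_step). A temporary identity the
        server cannot map falls back to asking for the permanent identity."""
        kind, username, _ = classify_identity(identity)
        if kind == "permanent":
            return username, "full"
        if kind == "pseudonym" and username in self.pseudonyms:
            return self.pseudonyms[username], "full"
        if kind == "fast_reauth" and username in self.reauth_ids:
            # Single use: the same re-authentication identity is never accepted twice.
            return self.reauth_ids.pop(username), "fast_reauth"
        return None, "request_permanent_identity"
```

With the constructed IMSI 001010123456789 (test PLMN 001/01), permanent_identity() yields 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org; a pseudonym or re-authentication identity the store does not recognise resolves to request_permanent_identity, which is the only safe fallback, since accepting an unknown temporary identity would let an attacker pick an identity of their choosing.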

PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent of the link layer mechanisms. Because some cryptographic properties may depend on the randomness of the nonce, attention should be paid to whether a nonce is required to be random or not.