RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). RFC Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA), January. Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in EAP Transport Layer Security (EAP-TLS), defined in RFC , is an IETF open standard that uses the . EAP-AKA is defined in RFC .

Author: Nikozilkree Vum
Country: Tanzania
Language: English (Spanish)
Genre: Photos
Published (Last): 24 June 2011

The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number PIN to perform authentication. Permanent Identity The permanent identity of the peer, including an NAI realm portion in environments where a realm is used.

The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. Vectors may be stored in the EAP server for use at a later time, but they may not be reused. GSM cellular networks use a subscriber identity module card to carry out user authentication.

With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems, because the intruder still needs to have the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage.

WPA2 and potentially authenticate the wireless hotspot. These include the following: Network Working Group J. It supports authentication techniques that are based on the following types of credentials. Network authentication fails. The AKA uses shared secrets between the Peer and the Peer’s home operator, together with a sequence number, to actually perform an authentication.


The EAP method protocol exchange is done in a minimum of four messages. The “home environment” refers to the home operator’s authentication network infrastructure. The 3rd Generation AKA is not used in the fast re-authentication procedure.

AKA is based on challenge-response mechanisms and symmetric cryptography. This page was last edited on 21 December at. After the server is securely authenticated to the client via its CA certificate, and optionally the client to the server, the server can then use the established secure connection (“tunnel”) to authenticate the client.

The protocol only specifies chaining multiple EAP mechanisms and not any specific method. Key establishment to provide confidentiality and integrity during the authentication process in phase 2.

Protocol for Carrying Authentication for Network Access. Pseudonym Identity: A pseudonym identity of the peer, including an NAI realm portion in environments where a realm is used.

The peer has derived the same keying material, so the authenticator does not forward the keying material to the peer along with EAP-Success.

EAP-TLS is still considered one of the most secure EAP standards available, although TLS provides strong security only as long as the user understands potential warnings about false credentials, and it is universally supported by all manufacturers of wireless LAN hardware and software. The lack of mutual authentication in GSM has also been overcome. Attacks against Identity Privacy. This greatly simplifies the setup procedure, since a certificate is not needed on every client.

The highest security available is when the “private keys” of client-side certificate are housed in smart cards. It is possible to use a different authentication credential and thereby technique in each direction.


The RFC also describes the conditions under which the AAA key management requirements described in RFC can be satisfied. EAP-AKA includes optional identity privacy support, optional result indications, and an optional fast re-authentication procedure.


The mobile network element that can authenticate subscribers in the mobile networks.

It is worth noting that the PAC file is issued on a per-user basis. Requesting the Permanent Identity. For example, in IEEE


Brute-Force and Dictionary Attacks. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.

A value generated by the peer upon experiencing a synchronization failure, bits.

Format, Generation, and Usage of Peer Identities. Figure 2 shows how the EAP server rejects the Peer due to a failed authentication.

PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms. Fast re-authentication is based on keys derived during full authentication.

This would allow for situations much like HTTPS, where a wireless hotspot allows free access and does not authenticate station clients, but station clients wish to use encryption (IEEE