One question related to EAP-TLS is what do we do with other TLS-based EAP
methods?

i.e. EAP-TTLS, PEAP, and EAP-FAST all define key derivations based on the PRF
in TLS 1.2. Since that's no longer available with TLS 1.3, *all* of these
methods will not work with TLS 1.3.

The simplest way to fix this is to change the key derivation in
draft-mattsson-eap-tls13-03:

    Key_Material = TLS-Exporter("client EAP encryption KM", "", 128)
    IV = TLS-Exporter("client EAP encryption IV", "", 64)
    Session-Id = TLS-Exporter("client EAP encryption ID", "", 64)

The second argument to the TLS-Exporter function is the "context". In this
case, an empty string. That could be changed to a one-byte value containing
the EAP type. This changes nothing (effectively) for EAP-TLS. Plus, it allows
natural extensions to the other TLS-based EAP methods. They could just change
that one byte, and enable TLS 1.3.

Even if that isn't done, I think the proposal is the simplest way to fix the
other EAP methods. The EAP-TLS document could then just say "other EAP methods
based on TLS can change the byte to their EAP type".

I think a minor change to the draft && one sentence is preferable to writing
a new document to define this change.

Or, the charter already has a line item for:

  - Define session identifiers for fast re-authentication for
    EAP-SIM, EAP-AKA, and EAP-AKA’. The lack of this definition
    is a recently discovered bug in the original RFCs.

I owe the WG a document for that. If the above change isn't accepted, I can
add some text on TLS 1.3 key derivation, too. The document could then be a
generic "fix keys in EAP methods" document.

Alan DeKok.
_______________________________________________
Emu mailing list
https://www.ietf.org/mailman/listinfo/emu
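
Added example (not part of the original message or of draft-mattsson-eap-tls13-03): a Python implementation of the TLS 1.3 exporter from RFC 8446, section 7.5, applied to the three labels quoted above with the context set to a one-byte EAP type, so that one TLS session yields separate key material per method. The SHA-256 hash, the constructed exporter master secret and the function names are assumptions of the example.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256  # assumption: a SHA-256 cipher suite was negotiated
# EAP method type numbers as assigned in the IANA EAP registry.
EAP_TYPES = {"EAP-TLS": 13, "EAP-TTLS": 21, "PEAP": 25, "EAP-FAST": 43}

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(n) = HMAC(PRK, T(n-1) | info | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    info = (struct.pack("!H", length)
            + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def tls_exporter(exporter_master_secret, label, context, length):
    """TLS-Exporter (RFC 8446, section 7.5)."""
    empty_hash = HASH(b"").digest()
    derived = hkdf_expand_label(exporter_master_secret, label, empty_hash, len(empty_hash))
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)

def derive_eap_keys(exporter_master_secret, eap_type=None):
    """eap_type=None uses the draft's empty context; otherwise one byte of EAP type."""
    context = b"" if eap_type is None else bytes([eap_type])
    return {
        "Key_Material": tls_exporter(exporter_master_secret, b"client EAP encryption KM", context, 128),
        "IV": tls_exporter(exporter_master_secret, b"client EAP encryption IV", context, 64),
        "Session-Id": tls_exporter(exporter_master_secret, b"client EAP encryption ID", context, 64),
    }

if __name__ == "__main__":
    ems = HASH(b"constructed exporter master secret").digest()  # constructed sample
    for name, eap_type in EAP_TYPES.items():
        keys = derive_eap_keys(ems, eap_type)
        print(f"{name:8} type={eap_type:2} Session-Id={keys['Session-Id'].hex()[:32]}...")
```

Because the context is hashed into the exporter, an empty context and the one-byte value 13 produce different bytes, so both peers have to apply the same context convention.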