Hi,

I have reviewed the draft. It seems that asymmetric negotiation is used to
achieve PFS, but I didn't understand how it was realized.

       MK       = PRF'(IK'|CK',"EAP-AKA'"|Identity)
       MK_ECDHE = PRF'(IK'|CK'|SHARED_SECRET,"EAP-AKA' FS"|Identity)
       K_encr   = MK[0..127]
       K_aut    = MK[128..383]
       K_re     = MK_ECDHE[0..255]
       MSK      = MK_ECDHE[256..767]
       EMSK     = MK_ECDHE[768..1279]

1. ECDHE's private key is not reflected in K_encr; MSK uses SHARED_SECRET
(I understand it is the private key in a pair of keys). Is PFS ensured by
mixing in the private key? The names of SHARED SECRET and the long-term
shared secrets on the SIM card should be distinguished.

2. TLS 1.3 supports secp256r1, secp384r1, secp521r1, x25519, x448; why does
the draft use only x25519?

Best,
Meiling
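
The key schedule quoted in the message above, carried through in Python as an added example (not part of the original message or of the draft's own text). It uses the PRF' construction from RFC 5448 (iterated HMAC-SHA-256) and shows which derived keys change when only SHARED_SECRET changes. The function names and all input values are constructed for illustration, and SHARED_SECRET is modelled as 32 constructed bytes standing in for the ECDHE output.

```python
import hashlib
import hmac

def prf_prime(key: bytes, s: bytes, nbits: int) -> bytes:
    """PRF'(K,S) = T1|T2|..., T1 = HMAC-SHA-256(K, S|0x01),
    Tn = HMAC-SHA-256(K, T(n-1)|S|n), truncated to nbits."""
    out, t, i = b"", b"", 1
    while len(out) * 8 < nbits:
        t = hmac.new(key, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[: nbits // 8]

def bits(buf: bytes, first: int, last: int) -> bytes:
    """Inclusive bit range as written in the message, e.g. MK[128..383]."""
    return buf[first // 8 : (last + 1) // 8]

def derive(ik: bytes, ck: bytes, shared_secret: bytes, identity: bytes) -> dict:
    # MK depends only on the long-term-derived IK'|CK'.
    mk = prf_prime(ik + ck, b"EAP-AKA'" + identity, 384)
    # MK_ECDHE additionally mixes in the per-session SHARED_SECRET.
    mk_ecdhe = prf_prime(ik + ck + shared_secret,
                         b"EAP-AKA' FS" + identity, 1280)
    return {
        "K_encr": bits(mk, 0, 127),
        "K_aut": bits(mk, 128, 383),
        "K_re": bits(mk_ecdhe, 0, 255),
        "MSK": bits(mk_ecdhe, 256, 767),
        "EMSK": bits(mk_ecdhe, 768, 1279),
    }

def changed_keys(a: dict, b: dict) -> list:
    """Names of derived keys that differ between two runs."""
    return sorted(name for name in a if a[name] != b[name])

# Constructed sample inputs (not real credentials or test vectors).
IK = bytes(range(16))
CK = bytes(range(16, 32))
IDENTITY = b"0555444333222111@example.org"

# Same IK'|CK' and identity, two different per-session shared secrets.
run1 = derive(IK, CK, b"\x11" * 32, IDENTITY)
run2 = derive(IK, CK, b"\x22" * 32, IDENTITY)

if __name__ == "__main__":
    print("keys that depend on SHARED_SECRET:", changed_keys(run1, run2))
```
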
 
From: John Mattsson
Date: 2023-01-26 22:36
To: [email protected]
Subject: Re: [Emu] I-D Action: draft-ietf-emu-aka-pfs-10.txt
Hi,
 
The -10 version fixes various nits found by Peter Yee.

Cheers,
John
 
From: Emu <[email protected]> on behalf of [email protected] 
<[email protected]>
Date: Thursday, 26 January 2023 at 15:31
To: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [Emu] I-D Action: draft-ietf-emu-aka-pfs-10.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the EAP Method Update WG of the IETF.

        Title           : Forward Secrecy for the Extensible Authentication
                          Protocol Method for Authentication and Key
                          Agreement (EAP-AKA' FS)
        Authors         : Jari Arkko
                          Karl Norrman
                          Vesa Torvinen
                          John Preuß Mattsson
        Filename        : draft-ietf-emu-aka-pfs-10.txt
        Pages           : 32
        Date            : 2023-01-26

Abstract:
   Many different attacks have been reported as part of revelations
   associated with pervasive surveillance.  Some of the reported attacks
   involved compromising the smart card supply chain, such as attacking
   SIM card manufacturers and operators in an effort to compromise
   shared secrets stored on these cards.  Since the publication of those
   reports, manufacturing and provisioning processes have gained much
   scrutiny and have improved.  However, the danger of resourceful
   attackers for these systems is still a concern.  Always assuming
   breach such as key compromise and minimizing the impact of breach are
   essential zero-trust principles.

   This specification updates RFC 9048, the improved Extensible
   Authentication Protocol Method for 3GPP Mobile Network Authentication
   and Key Agreement (EAP-AKA'), with an optional extension.  Similarly,
   this specification also updates the earlier version of the EAP-AKA'
   specification in RFC 5448.  The extension, when negotiated, provides
   Forward Secrecy for the session key generated as a part of the
   authentication run in EAP-AKA'.  This prevents an attacker who has
   gained access to the long-term pre-shared secret in a Subscriber
   Identity Module (SIM) card from being able to decrypt any past
   communications.  In addition, if the attacker stays merely a passive
   eavesdropper, the extension prevents attacks against future sessions.
   This forces attackers to use active attacks instead.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-emu-aka-pfs-10

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-emu-aka-pfs-10


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu