One document matched: draft-wu-dime-local-keytran-01.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc5296 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml'>
<!ENTITY rfc5295 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml'>
<!ENTITY rfc4072 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml'>
<!ENTITY rfc3588 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml'>
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3748 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml'>
<!ENTITY rfc5216 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5216.xml'>
<!ENTITY rfc5226 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml'>
<!ENTITY rfc2989 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2989.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="compact" ?>
<rfc category="std" docName="draft-wu-dime-local-keytran-01" ipr="trust200902" updates="4072">
<front>
<title abbrev="Diameter Key Transport AVPs">Diameter Attribute-Value Pairs for Cryptographic Key Transport</title>
<author fullname="Qin Wu" initials="Q." role="editor" surname="Wu">
<organization>Huawei Technologies Co., Ltd.</organization>
<address>
<postal>
<street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia Rd.</street>
<city>Nanjing</city>
<region>Jiangsu</region>
<code>21001</code>
<country>China</country>
</postal>
<phone>+86-25-84565892</phone>
<email>sunseawq@huawei.com</email>
</address>
</author>
<author fullname="Glen Zorn" initials="G.Z." surname="Zorn" role="editor">
<organization>Network Zen</organization>
<address>
<postal>
<street>1310 East Thomas Street</street>
<street>#306</street>
<city>Seattle</city>
<region>Washington</region>
<code>98102</code>
<country>USA</country>
</postal>
<phone>+1 (206) 377-9035</phone>
<email>gwz@net-zen.net</email>
</address>
</author>
<date year="2009"/>
<abstract>
<t>
Some AAA applications require the transport of cryptographic keying material;
this document specifies a set of Attribute-Value Pairs (AVPs) providing native Diameter support of cryptographic key delivery.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
<xref target="RFC4072">The Diameter EAP application</xref> defines the EAP-Master-Session-Key and EAP-Key-Name AVPs
for the purpose of transporting cryptographic keying material derived during
the execution of certain <xref target="RFC3748">EAP</xref>
methods (for example, <xref target="RFC5216">EAP-TLS</xref>).
At most one instance of either of these AVPs is allowed in any Diameter message.
<vspace blankLines="1"/>
However, <xref target="RFC5295">recent work</xref> has specified methods to derive other keys from the keying material created during EAP method execution
that may require transport in addition to the MSK. In addition, <xref target="RFC5296">ERP</xref> specifies new keys that may need to be transported between
Diameter nodes.
<vspace blankLines="1"/>
This note specifies a set of AVPs allowing the transport of multiple cryptographic keys in a single Diameter message.
</t>
</section>
<section title="Terminology">
<t>
The following terms are used in this note.
</t>
<section title="Standards Language">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section>
<section title="Technical Terms and Acronyms">
<t>
<list style="hanging">
<t hangText="AAA">
<vspace blankLines="0"/>
Authentication, Authorization, and Accounting (see below).
</t>
<t hangText="Accounting">
<vspace blankLines="0"/>
The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation <xref target="RFC2989"/>.
</t>
<t hangText="Authentication">
<vspace blankLines="0"/>
The act of verifying a claimed identity,
in the form of a pre-existing label from a mutually known name space,
as the originator of a message (message authentication)
or as the end-point of a channel (entity authentication) <xref target="RFC2989"/>.
</t>
<t hangText="Authorization">
<vspace blankLines="0"/>
The act of determining if a particular right,
such as access to some resource,
can be granted to the presenter of a particular credential <xref target="RFC2989"/>.
</t>
<t hangText="DER">
<vspace blankLines="0"/>
<xref target="RFC4072">Diameter EAP request.</xref>
</t>
<t hangText="DEA">
<vspace blankLines="0"/>
<xref target="RFC4072">Diameter EAP Answer.</xref>
</t>
<t hangText="DSRK">
<vspace blankLines="0"/>
<xref target="RFC5295">Domain Specific Root Key</xref>.
</t>
<t hangText="EAP">
<vspace blankLines="0"/>
Extensible Authentication Protocol <xref target="RFC3748"/>.
</t>
<t hangText="EMSK">
<vspace blankLines="0"/>
<xref target="RFC3748">Extended Master Session Key</xref>.
</t>
<t hangText="ERP">
<vspace blankLines="0"/>
<xref target="RFC5296">EAP Re-authentication Protocol</xref>.
</t>
<t hangText="MSK">
<vspace blankLines="0"/>
<xref target="RFC3748">Master Session Key</xref>.
</t>
<t hangText="rMSK">
<vspace blankLines="0"/>
<xref target="RFC5296">re-authentication MSK</xref>.
This is a per-authenticator key, derived from the rRK.
</t>
<t hangText="rRK">
<vspace blankLines="0"/>
<xref target="RFC5296">re-authentication Root Key, derived from the EMSK or DSRK</xref>.
</t>
<t hangText="USRK">
<vspace blankLines="0"/>
<xref target="RFC5295">Usage Specific Root Key</xref>.
</t>
</list>
</t>
</section>
</section>
<section title="Attribute-Value Pair Definitions">
<t>
This section defines new AVPs for the transport of cryptographic keys in the
<xref target="RFC4072">Diameter EAP application</xref>,
as well as other Diameter applications.
</t>
<section title="EAP-Key AVP" anchor="K">
<t>
The EAP-Key AVP (AVP Code <AC1>) is of type <xref target="RFC3588">Grouped</xref>.
It contains the name, type and optionally, the usable lifetime of the key, as well as the keying material itself.
<figure>
<artwork>
EAP-Key ::= < AVP Header: AC1 >
{ EAP-Key-Type }
{ EAP-Keying-Material }
[ EAP-Key-Lifetime ]
[ EAP-Key-Name ]
* [ AVP ]
</artwork>
</figure>
</t>
<section title="EAP-Key-Type AVP" anchor="KT">
<t>
The EAP-Key-Type AVP (AVP Code <AC2>) is of type Enumerated and signifies the type of the key being sent.
The EAP-Key-Type MAY be included in a DER command as a signal that a certain type of key is required in the response (e.g., to support ERP).
The following values are defined in this document:
<list style="hanging">
<t hangText="MSK (0)">
<vspace blankLines="0"/>
<xref target="RFC3748"> The EAP Master Session Key.</xref>
</t>
<t hangText="DSRK (1)">
<vspace blankLines="0"/>
<xref target="RFC5295">A Domain Specific Root Key.</xref>
</t>
<t hangText="USRK (2)">
<vspace blankLines="0"/>
<xref target="RFC5295">A Usage Specific Root Key.</xref>
</t>
<t hangText="rRK (4)">
<vspace blankLines="0"/>
<xref target="RFC5296">A reauthentication Root Key.</xref>
</t>
<t hangText="rMSK (5)">
<vspace blankLines="0"/>
<xref target="RFC5296">A reauthentication Master Session Key.</xref>
</t>
</list>
If additional values are needed, they are to be assigned by IANA according to the policy stated in <xref target="IANA-KT"/>.
</t>
</section>
<section title="EAP-Key-Name AVP" anchor="KN">
<t>
The syntax and semantics of the EAP-Key-Name AVP are specified in Section 4.1.4 of RFC 4072.
</t>
</section>
<section title="EAP-Keying-Material AVP" anchor="KM">
<t>
The EAP-Keying-Material AVP (AVP Code <AC3>) is of type OctetString.
The exact usage of this keying material depends upon several factors, including the link layer in use and the type of the key;
it is beyond the scope of this document.
</t>
</section>
<section title="EAP-Key-Lifetime AVP" anchor="KL">
<t>
The EAP-Key-Lifetime AVP (AVP Code <AC4>) is of type Integer64 <xref target="RFC3588"/> representing
the period of time (in seconds) for which the keying material is valid.
<vspace blankLines="1"/>
Note: Applications using this value SHOULD consider the beginning of
the lifetime to be
the point in time when the keying material is first used.
</t>
</section>
</section>
</section>
<section title="AVP Occurrence Table">
<t>
The following table lists the AVPs that MAY be present in the DER and DEA commands <xref target="RFC4072"></xref>.
</t>
<figure align="center">
<artwork>
+---------------+
| Command-Code |
+-+-----+-----+-+
AVP Name | DER | DEA |
-------------------------------|-----+-----+
EAP-Key | 0 | 0+ |
EAP-Key-Type | 0+ | 0 |
EAP-Key-Name | 0-1 | 0-1 |
+-----+-----+
DER and DEA Commands AVP Table
</artwork>
</figure>
</section>
<section anchor="Security" title="Security Considerations">
<t>
The security considerations discussed in <xref target="RFC3588"></xref> are applicable to this document.
</t>
</section>
<section title="IANA Considerations">
<t>
Upon publication of this memo as an RFC, IANA is requested to assign values as described in the following sections.
</t>
<section title="AVP Codes" anchor="IANA-AVP">
<t>
Codes must be assigned for the following AVPs using the policy specified in RFC 3588, Section 11.1.1:
<list style="symbols">
<t>EAP-Key (<AC1>, <xref target="K"/>) </t>
<t>EAP-Key-Type (<AC2>, <xref target="KT"/>)</t>
<t>EAP-Keying-Material (<AC3>, <xref target="KM"/>)</t>
<t>EAP-Key-Lifetime (<AC4>, <xref target="KL"/>)</t>
</list>
</t>
</section>
<section title="AVP Values" anchor="IANA-KT">
<t>
New values may be assigned for the EAP-Key-Type AVP (<xref target="KT"/>)
using the "First Come, First Served" policy <xref target="RFC5226"/>.
</t>
</section>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc5226;
&rfc3588;
&rfc4072;
&rfc3748;
</references>
<references title="Informative References">
&rfc5295;
&rfc5296;
&rfc2989;
&rfc5216;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 20:42:49 |