| rfc9930v2.txt | rfc9930.txt | |||
|---|---|---|---|---|
| skipping to change at line 3071 ¶ | skipping to change at line 3071 ¶ | |||
| session_key_seed = TLS-Exporter( | session_key_seed = TLS-Exporter( | |||
| "EXPORTER: teap session key seed",, 40) | "EXPORTER: teap session key seed",, 40) | |||
| No context data is used in the export process. | No context data is used in the export process. | |||
| The session_key_seed is used by the TEAP authentication Phase 2 | The session_key_seed is used by the TEAP authentication Phase 2 | |||
| conversation to both cryptographically bind the Inner Method(s) to | conversation to both cryptographically bind the Inner Method(s) to | |||
| the tunnel as well as generate the resulting TEAP session keys. The | the tunnel as well as generate the resulting TEAP session keys. The | |||
| other TLS keying materials are derived and used as defined in | other TLS keying materials are derived and used as defined in | |||
| [RFC5246]. | [RFC8446]. | |||
| 6.2. Intermediate Compound Key Derivations | 6.2. Intermediate Compound Key Derivations | |||
| As TEAP can run multiple Inner Methods, there needs to be a way to | As TEAP can run multiple Inner Methods, there needs to be a way to | |||
| cryptographically bind each Inner Method to the TLS tunnel and to | cryptographically bind each Inner Method to the TLS tunnel and to | |||
| cryptographically bind each method to the previous one. This binding | cryptographically bind each method to the previous one. This binding | |||
| is done by deriving a number of intermediate keys and exchanging that | is done by deriving a number of intermediate keys and exchanging that | |||
| information in the Crypto-Binding TLV. | information in the Crypto-Binding TLV. | |||
| The key derivation is complicated by a number of factors. An inner | The key derivation is complicated by a number of factors. An inner | |||
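Review bot: the citation swap from [RFC5246] to [RFC8446] in the sentence "The other TLS keying materials are derived and used as defined in ..." changes the normative reference from TLS 1.2 to TLS 1.3 without any accompanying text change, while the session_key_seed derivation immediately above it is written as a bare TLS-Exporter call with an empty context ("No context data is used in the export process"). Since the exporter interface differs between the two TLS versions, the text should say explicitly which specification governs the exporter and the remaining keying material for each TLS version an implementation may negotiate, or cite both documents, rather than silently replacing one reference with the other.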
| skipping to change at line 4627 ¶ | skipping to change at line 4627 ¶ | |||
| change thus requires that a new EAP Type be assigned. | change thus requires that a new EAP Type be assigned. | |||
| 2. This version of TEAP MUST support TLS 1.2 [RFC5246]. TLS 1.1 and | 2. This version of TEAP MUST support TLS 1.2 [RFC5246]. TLS 1.1 and | |||
| earlier MUST NOT be used with TEAP. | earlier MUST NOT be used with TEAP. | |||
| 3. The key derivation now makes use of TLS keying material exporters | 3. The key derivation now makes use of TLS keying material exporters | |||
| [RFC5705] and the PRF and hash function negotiated in TLS. This | [RFC5705] and the PRF and hash function negotiated in TLS. This | |||
| is to simplify implementation and better support cryptographic | is to simplify implementation and better support cryptographic | |||
| algorithm agility. | algorithm agility. | |||
| 4. TEAP is in full conformance with TLS ticket extension [RFC5077]. | 4. TEAP is in full conformance with the SessionTicket extension | |||
| [RFC5077]. | ||||
| 5. Support is provided for passing optional Outer TLVs in the first | 5. Support is provided for passing optional Outer TLVs in the first | |||
| two message exchanges, in addition to the Authority-ID TLV data | two message exchanges, in addition to the Authority-ID TLV data | |||
| in EAP-FAST. | in EAP-FAST. | |||
| 6. Basic password authentication on the TLV level has been added in | 6. Basic password authentication on the TLV level has been added in | |||
| addition to the existing inner EAP method. | addition to the existing inner EAP method. | |||
| 7. Additional TLV types have been defined to support EAP channel | 7. Additional TLV types have been defined to support EAP channel | |||
| binding and metadata. They are the Identity-Type TLV and | binding and metadata. They are the Identity-Type TLV and | |||
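Review bot: the rewording of item 4 to "the SessionTicket extension [RFC5077]" is a clean editorial fix, but the surrounding list is now internally inconsistent with the earlier change block: item 2 still reads "This version of TEAP MUST support TLS 1.2 [RFC5246]. TLS 1.1 and earlier MUST NOT be used with TEAP" and item 3 still points key derivation at the exporters of [RFC5705], while the keying-material sentence earlier in the document was changed to cite [RFC8446]. Either items 2 and 3 should be updated in the same pass to reflect the TLS version(s) the updated derivation text actually targets, or the [RFC8446] reference should be reconsidered so the "changes" list and the derivation section agree.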
| End of changes. 2 change blocks. | ||||
| 2 lines changed or deleted | 3 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||