Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

The EAP Protected One-Time Password Protocol (EAP-POTP)
RFC 4793

Document	Type	RFC - Informational (February 2007) Was draft-nystrom-eap-potp (individual in int area)
	Author	Magnus Nyström
	Last updated	2015-10-14
	RFC stream	Internet Engineering Task Force (IETF)
	Formats	txt html pdf htmlized bibtex
IESG	Responsible AD	Jari Arkko
	Send notices to	(None)

Email authors IPR References Referenced by Search Lists

RFC 4793

Network Working Group                                        M. Nystroem
Request for Comments: 4793                                  RSA Security
Category: Informational                                    February 2007

        The EAP Protected One-Time Password Protocol (EAP-POTP)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes a general Extensible Authentication Protocol
   (EAP) method suitable for use with One-Time Password (OTP) tokens,
   and offers particular advantages for tokens with direct electronic
   interfaces to their associated clients.  The method can be used to
   provide unilateral or mutual authentication, and key material, in
   protocols utilizing EAP, such as PPP, IEEE 802.1X, and Internet Key
   Exchange Protocol Version 2 (IKEv2).

Nystroem                     Informational                      [Page 1]
RFC 4793                        EAP-POTP                   February 2007

Table of Contents

   1. Introduction ....................................................4
      1.1. Scope ......................................................4
      1.2. Background .................................................4
      1.3. Rationale behind the Design ................................4
      1.4. Relationship with EAP Methods in RFC 3748 ..................5
   2. Conventions Used in This Document ...............................5
   3. Authentication Model ............................................5
   4. Description of the EAP-POTP Method ..............................6
      4.1. Overview ...................................................6
      4.2. Version Negotiation ........................................9
      4.3. Cryptographic Algorithm Negotiation .......................10
      4.4. Session Resumption ........................................11
      4.5. Key Derivation and Session Identifiers ....................13
      4.6. Error Handling and Result Indications .....................13
      4.7. Use of the EAP Notification Method ........................14
      4.8. Protection against Brute-Force Attacks ....................14
      4.9. MAC Calculations in EAP-POTP ..............................16
           4.9.1. Introduction .......................................16
           4.9.2. MAC Calculation ....................................16
           4.9.3. Message Hash Algorithm .............................16
           4.9.4. Design Rationale ...................................17
           4.9.5. Implementation Considerations ......................17
      4.10. EAP-POTP Packet Format ...................................17
      4.11. EAP-POTP TLV Objects .....................................20
           4.11.1. Version TLV .......................................20
           4.11.2. Server-Info TLV ...................................21
           4.11.3. OTP TLV ...........................................23
           4.11.4. NAK TLV ...........................................33
           4.11.5. New PIN TLV .......................................35
           4.11.6. Confirm TLV .......................................38
           4.11.7. Vendor-Specific TLV ...............................41
           4.11.8. Resume TLV ........................................43
           4.11.9. User Identifier TLV ...............................46
           4.11.10. Token Key Identifier TLV .........................47
           4.11.11. Time Stamp TLV ...................................48
           4.11.12. Counter TLV ......................................49
           4.11.13. Challenge TLV ....................................50
           4.11.14. Keep-Alive TLV ...................................51
           4.11.15. Protected TLV ....................................52
           4.11.16. Crypto Algorithm TLV .............................54
   5. EAP Key Management Framework Considerations ....................57
   6. Security Considerations ........................................57
      6.1. Security Claims ...........................................57
      6.2. Passive and Active Attacks ................................58
      6.3. Denial-of-Service Attacks .................................59
      6.4. The Use of Pepper .........................................59

Nystroem                     Informational                      [Page 2]
RFC 4793                        EAP-POTP                   February 2007

      6.5. The Race Attack ...........................................60
   7. IANA Considerations ............................................60
      7.1. General ...................................................60
      7.2. Cryptographic Algorithm Identifier Octets .................61

Show full document

The EAP Protected One-Time Password Protocol (EAP-POTP) RFC 4793

The EAP Protected One-Time Password Protocol (EAP-POTP)
RFC 4793