3.1.5.5 Cryptobinding

By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.

To facilitate this, a two-way handshake between the PEAP peer and the PEAP server is initiated with two messages: the cryptobinding request (sent from the PEAP server to PEAP peer) and the cryptobinding response (sent from the PEAP peer to PEAP server); both messages use the same format (see Cryptobinding TLV (section 2.2.8.1.1)).

Implementations MAY<8> choose to support the cryptobinding feature of PEAP.

The Compound_MAC field in the cryptobinding packet MUST be the output of an HMAC-SHA1-160 operation, as specified in [RFC2104] and [RFC3174]. The HMAC-SHA1-160 operation requires the data and the key as inputs, both of which are derived from the PEAP phase 1 and the inner method. For more details on how an implementation generates the data used in the HMAC-SHA1-160 operation for the cryptobinding packet, see section 3.1.5.5.1. For more details on how an implementation generates the key used in the HMAC-SHA1-160 operation for the cryptobinding packet, see section 3.1.5.5.2.