ER

EAP Re-authentication

Security
Introduced in Rel-7
ER is a security protocol extension that enables efficient re-authentication of a user or device without requiring a full EAP authentication exchange. It reduces signaling overhead and latency, particularly beneficial for fast handovers and frequent reconnections in mobile networks. This enhances user experience and network efficiency.

Description

EAP Re-authentication (ER) is a mechanism defined within the Extensible Authentication Protocol (EAP) framework, standardized by the IETF as the EAP Re-authentication Protocol (ERP, RFC 6696, which obsoleted RFC 5296) and adopted by 3GPP. It allows a peer (e.g., a UE) and an authenticator (e.g., a network access point) to perform a streamlined re-authentication based on cryptographic material established during an earlier full EAP authentication. ERP builds its own key hierarchy on top of that exchange: the re-authentication Root Key (rRK) is derived from the EMSK produced by the full EAP run (or from a domain-specific root key handed to a local ER server), and from the rRK come the re-authentication Integrity Key (rIK), which protects the ERP messages, and a fresh re-authentication Master Session Key (rMSK) for each re-authentication.

Architecturally, ER involves the EAP peer, the EAP authenticator and an ER server, which may be collocated with the EAP server in the home domain or deployed as a local ER server closer to the access network. ERP adds two EAP codes for its messages, EAP-Initiate and EAP-Finish. The authenticator may send EAP-Initiate/Re-auth-Start to prompt the peer; the peer then sends EAP-Initiate/Re-auth, carrying its keyName-NAI, a 16-bit sequence number (SEQ) and an integrity tag computed with the rIK; the ER server verifies the tag and SEQ, derives the rMSK, and answers with EAP-Finish/Re-auth, likewise integrity-protected. No EAP method is re-run and the home EAP server need not be consulted, which is where the latency saving comes from. Replay is prevented because the ER server keeps the last accepted SEQ per peer and rejects older values, and because SEQ is an input to the rMSK derivation, so a replayed Initiate cannot produce a usable key.

This mechanism is integrated into 3GPP systems to support seamless mobility, especially in non-3GPP access networks interworking with the 5G Core, by minimizing authentication latency during handovers. Its role is important in scenarios requiring frequent authentication, such as dense urban deployments or IoT devices with limited power, where it maintains continuous secure access with reduced signaling load on core network elements. A practical caveat: the security of ER rests on the rIK and rRK staying confined to the peer and the ER server and on the server's SEQ state being preserved; if that state is lost, the peer must fall back to a full EAP authentication.
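The exchange described above, written out as an added example that is not code from 3GPP, the IETF or any ERP implementation. It derives rRK, rIK and rMSK from a constructed EMSK using the RFC 5295 PRF+ pattern, runs one EAP-Initiate/Re-auth to EAP-Finish/Re-auth round between a peer and an ER server, and shows the SEQ replay check and rIK integrity check rejecting a replayed and a tampered message. The key labels and the cryptosuite code are as recalled from RFC 6696 and should be checked against the RFC text before any interoperability use; the message layout is a constructed simplification (the real messages are TLV-encoded) and the authenticator relay is omitted so the peer talks to the ER server directly.

```python
import hashlib
import hmac
import os
import struct

# Labels as recalled from RFC 6696 (derivation pattern from RFC 5295); verify
# against the RFC text before relying on them for interoperability.
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"
RMSK_LABEL = b"Re-authentication Master Session Key@ietf.org"
CRYPTOSUITE = b"\x02"            # assumed code for HMAC-SHA256-128
TAG_LEN, KEY_LEN, HDR_LEN = 16, 64, 4
EAP_INITIATE, EAP_FINISH = 5, 6  # EAP Codes used by ERP's two messages

def prf_plus(key, seed, length):
    """RFC 5295 PRF+ on HMAC-SHA256: T(n) = HMAC(key, T(n-1) | seed | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out, n = out + t, n + 1
    return out[:length]

def kdf(key, label, data, length):
    """USRK-style input: label | 0x00 | optional data | 2-octet length."""
    return prf_plus(key, label + b"\x00" + data + struct.pack("!H", length), length)

def derive_rrk(emsk):
    return kdf(emsk, RRK_LABEL, b"", KEY_LEN)

def derive_rik(rrk):
    return kdf(rrk, RIK_LABEL, CRYPTOSUITE, KEY_LEN)

def derive_rmsk(rrk, seq):
    # SEQ is an input to the rMSK, so a replayed Initiate cannot yield a fresh key
    return kdf(rrk, RMSK_LABEL, struct.pack("!H", seq), KEY_LEN)

def mac(rik, body):
    return hmac.new(rik, body, hashlib.sha256).digest()[:TAG_LEN]

def build(code, seq, keyname, rik):
    # constructed layout: code(1) | SEQ(2) | keyName length(1) | keyName-NAI | tag(16)
    body = bytes([code]) + struct.pack("!H", seq) + bytes([len(keyname)]) + keyname
    return body + mac(rik, body)

def parse(msg):
    """Split a message without verifying it; None if malformed."""
    if len(msg) < HDR_LEN + TAG_LEN:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    code, (seq,), n = body[0], struct.unpack("!H", body[1:3]), body[3]
    if len(body) != HDR_LEN + n:
        return None
    return code, seq, body[HDR_LEN:], body, tag

class ERServer:
    """Holds rRK, rIK and the last accepted SEQ per keyName-NAI."""
    def __init__(self):
        self.state = {}

    def bootstrap(self, keyname, emsk):
        rrk = derive_rrk(emsk)          # EMSK (or DSRK) comes from the full EAP run
        self.state[keyname] = [rrk, derive_rik(rrk), -1]

    def handle_initiate(self, msg):
        parsed = parse(msg)
        if parsed is None:
            return None
        code, seq, keyname, body, tag = parsed
        st = self.state.get(keyname)
        if code != EAP_INITIATE or st is None:
            return None                 # unknown peer: fall back to full EAP
        rrk, rik, last_seq = st
        if not hmac.compare_digest(tag, mac(rik, body)):
            return None                 # forged or corrupted message
        if seq <= last_seq:
            return None                 # replayed or stale SEQ
        st[2] = seq
        rmsk = derive_rmsk(rrk, seq)    # in practice delivered to the authenticator
        return build(EAP_FINISH, seq, keyname, rik), rmsk

class ERPeer:
    def __init__(self, keyname, emsk):
        self.keyname, self.seq = keyname, 0
        self.rrk = derive_rrk(emsk)
        self.rik = derive_rik(self.rrk)

    def initiate(self):
        msg = build(EAP_INITIATE, self.seq, self.keyname, self.rik)
        self.seq += 1
        return msg

    def finish(self, msg):
        parsed = parse(msg)
        if parsed is None:
            return None
        code, seq, _, body, tag = parsed
        if code != EAP_FINISH or not hmac.compare_digest(tag, mac(self.rik, body)):
            return None
        return derive_rmsk(self.rrk, seq)

def run_demo():
    emsk = os.urandom(64)               # constructed stand-in for a full-EAP EMSK
    keyname = b"user@realm.example"     # constructed keyName-NAI
    server, peer = ERServer(), ERPeer(keyname, emsk)
    server.bootstrap(keyname, emsk)
    init = peer.initiate()
    finish, server_rmsk = server.handle_initiate(init)
    tampered = init[:-1] + bytes([init[-1] ^ 1])
    return {
        "keys_match": peer.finish(finish) == server_rmsk,
        "replay_rejected": server.handle_initiate(init) is None,
        "tamper_rejected": server.handle_initiate(tampered) is None,
        "next_seq_accepted": server.handle_initiate(peer.initiate()) is not None,
    }

if __name__ == "__main__":
    print(run_demo())
```

The two checks in handle_initiate are the whole security argument of ER in miniature: the rIK tag proves the Initiate came from a peer that completed the earlier full EAP run, and the monotonic SEQ proves it is not a recording of an earlier one. Note that the server only learns the peer's keyName-NAI from the unverified message, so state lookup happens before tag verification; that is unavoidable, which is why an unknown name must simply fail closed to full EAP rather than leak anything.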

Purpose & Motivation

ER was created to address the performance limitations of full EAP authentication procedures, which are computationally intensive and generate significant signaling traffic. In mobile networks, especially during handovers between access points or reconnections after brief disconnections, performing a full EAP exchange each time introduces unacceptable latency and impacts user experience. Historically, without ER, each re-authentication required a round-trip to the home authentication server, increasing handover delays and potentially causing service interruptions. The motivation stemmed from the need for faster, more efficient security mechanisms in evolving network architectures like 3GPP's integration of non-3GPP access (e.g., Wi-Fi) and the demands of 5G low-latency services. ER solves these problems by enabling a lightweight re-authentication that reuses previously established trust, reducing both time and resource consumption. It addresses limitations of earlier approaches where security and efficiency were often traded off, providing a standardized method to maintain robust authentication without sacrificing performance, crucial for real-time applications and massive IoT deployments.

Key Features

  • Enables fast re-authentication using pre-established keys
  • Reduces signaling overhead and authentication latency
  • Supports seamless handovers in mobile and non-3GPP access
  • Utilizes ERP for secure key derivation and exchange
  • Integrates with EAP framework and 3GPP security architecture
  • Mitigates replay with a per-peer sequence number (SEQ) checked by the ER server and bound into the rMSK derivation, with messages integrity-protected by the rIK

Evolution Across Releases

Rel-7 Initial

Introduced ER as part of EAP framework adoption for non-3GPP access interworking, providing initial architecture for re-authentication to reduce full EAP exchanges during mobility events. Defined basic ERP message flows and key hierarchy for efficiency.

Defining Specifications

Specification   Title
TS 22.826       3GPP TS 22.826
TS 23.003       3GPP TS 23.003
TS 23.700       3GPP TS 23.700
TS 23.802       3GPP TS 23.802
TS 26.922       3GPP TS 26.922
TS 29.273       3GPP TS 29.273