eap Mailing List: RE: Relationship between AAA-Key and MSK/EMSK

[John Vollbrecht (jrv]

This brings up a point that I haven't been able to understand - see below
--On Friday, February 6, 2004 9:18 AM -0800 Joseph Salowey 
<jsalowey [at] cisco.com> wrote:

> Hi Hannes,
>
> I agree the definition of the AAA-key seems incomplete, I think the
> definition is any key that is used by the authenticator and supplicant
> to derive keys for data traffic protection (I don't think AAA-key is the
> best name since it doesn't have to involve a AAA in the basic case).
> In the case of standard 802.11 this AAA-Key the same as the MSK.  In the
> fast handoff example I believe additional AAA-keys are pushed to
> neighboring access points.  In order to provide computational
> independence from the MSK they should be derived from the EMSK.
I don't understand why we would derive a MSK and EMSK that are at the same 
level, then use the MSK for the current AP but derive new keys from the 
EMSK for other APs.

It seems to me that it would be more consistent to derive all keys the same 
way, perhaps from the MSK.   But then I don't understand the value of the 
EMSK, since everything can be derived from the MSK.

I had thought that the MSK was meant to allow backward compatibility with 
existing Key mechanisms, and the EMSK would do future things.  Perhaps this 
is the case, but it seems to me that deriving everything the same way would 
be more consistent and easier to understand.

Is the MSK mean to be equivalent to the EMSK except that the MSK is only 
used for existing implementations, or am I misunderstanding something?

> I have submitted an issue in email
> http://mail.frascone.com/pipermail/eap/2004-January/002143.html (which
> has not yet been assigned a number) which describes how to derive keys
> from the EMSK for specific purposes.   I think appendix e needs to be
> updated as discussed in Issue 214
> http://www.drizzle.com/~aboba/EAP/eapissues.html#Issue%20214.  I haven't
> had time to take a detailed look at Jari's proposal.  I'm not sure why
> the A-AAA-Key is needed in this derivation but it is equivalent to the
> MSK.
>
> Could you provide some more context from your discussion?  What exactly
> are you deriving keys to do? In my opinion it is best to use the MSK as
> in the case of 802.11 (single authenticator to supplicant).  If keys are
> going to be used for other purposes, between other parties or in other
> ways they should be derived from the EMSK.
>
> Thanks,
>
> Joe
>
>
> eap-admin [at] frascone.com wrote:
> > hi all,
> >
> > this issue come up when we discussed (Yoshi, Alper, Jari) the
> > relationship between the AAA-key and the MSK/EMSK in PANA .
> >
> > it is said that the AAA-Key is derived from the MSK and EMSK.
> >
> > the eap-keying document does not specify how this key
> > derivation is achieved.
> > worse, in Section 4.2.1 the text says:
> >
> > "  The AAA-Key is derived from the keying material exported by the EAP
> >    method (MSK and EMSK).  This derivation occurs on the AAA
> > server.  In
> >    many existing protocols that use EAP, the AAA-Key and MSK are
> >    equivalent, but more complicated mechanisms are possible (see
> > Appendix E for details). "
> >
> > appendix e, however, does not help since it talks only about
> > a very special case, namely fast handoff.
> >
> > we dicussed this issue in one of the eap keying design team
> > phone conferences but it got lost somehow.
> >
> > it would be more helpful to provide a proposal for AAA-Key to
> > MSK/EMSK key derivation.
> >
> > ciao
> > hannes
> > _______________________________________________
> > eap mailing list
> > eap [at] frascone.com
> > http://mail.frascone.com/mailman/listinfo/eap
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap