RE: Relationship between AAA-Key and MSK/EMSK
From: Joseph Salowey (jsaloweycisco.com)
Date: Wed, 17 Mar 2004 15:13:16 -0500 (EST)
eap-admin [at] frascone.com wrote:
> Nick Petroni wrote:
>> On the topic of the distinction between AAA and MSK keys, it seems
>> Figure 4 in the keying document adds to the confusion (at least for
>> me). The figure shows the peer, authenticator, and backend all having
>> access to the MSK. As previously noted in this thread, sometimes AAA
>> == MSK, but potentially not. If I understand this correctly, I would
>> say the middle box, which depicts the authenticator, should have
>> "AAA" instead of "MSK". Perhaps AAA should also be indicated on the
>> peer and backend, probably in addition to MSK and EMSK.
> 
> I think that's right. Some of this was already noted in
> issue #216. But we should also show AAA-Key in the peer and the
> backend. 
>
[Joe] I still think the quantity AAA-Key is not well defined.  I'm not
quite sure what AAA-key is supposed to represent. What is it used for?
Today it is used for link-layer-encryption and it is the MSK.  Using
this key for other purposes may lead to loss of computational
independence and result in problems. The use of the word AAA-key is
misleading in the context it is currently being used. I think it would
be better to discuss things in terms of application-specific keys, with
one of the applications being link layer encryption.  I'll create an
issue with some proposed text for discussion.

 
> --Jari