eap Mailing List: Re: Issue: AAA-Key should be derived from AMSK

[Jari Arkko (jari.arkko]

I agree with you and Florent that this is a problem.
I like your solution too -- some nits inline:

> Section 2.2:
>
> Change 
> "On both the peer and EAP server, the exported MSK and EMSK are
>    utilized in order to calculate the AAA-Key, as described in Appendix
>    E."
> To
>
> "On both the peer and EAP server, the exported MSK and keys derived from the
> EMSK (AMSK) are
>    utilized in order to calculate the AAA-Key, as described in Appendix
>    E."

Maybe s/EMSK (AMSK)/AMSK/ -- the AMSK is already introduced earlier
as is the fact that AMSK is derived from the exported quantities.

> Figure 3 should be changed to show that the AAA-Key is derived from an AMSK

Yes.

> Appendix C:
>
> Figure C1 should show the AMSK going to the backend server instead of the
> EMSK

Yes.

> Appendix E:
>
> The EMSK should not be used directly in AAA-Key derivation. Text follows:
>
>  "Where keying material is provided by the backend
>    authentication server, a key hierarchy derived from the EMSK, can be
>    used to provide cryptographically separate keying material for use in
>    fast handoff.  Instead of using the EMSK directly a application specific
>    key is derived, the AMSK, as described in seciton F:

Maybe: "Where keying material is provided by the backend authentication
server, a key hierarchy derived from the MSK and the AMSK can be
used to ..."

>    AAA-Key-A = MSK(0,63)
>    AAA-Key-B = PRF(AMSK(0,63),"EAP AAA-Key derivation for
>                multiple attachments", AAA-Key-A,B-Called-Station-Id,
>                Calling-Station-Id,length)
>
>    AAA-Key-E = PRF(AMSK(0,63),"EAP AAA-Key derivation for
>                multiple attachments",AAA-Key-A,E-Called-Station-Id,
>                Calling-Station-Id, length)"

Ok.

--Jari