issue: make existing vs. handoff usage of AAA-Key clearer

From: Jari Arkko (jari.arkko
Date: Tue, 5 Oct 2004 07:19:28 -0400 (EDT)

Submitter name: Jari Arkko
Submitter email address: jarkko [at] piuha.net
Date first submitted: 10/5/2004
Reference:
Document: Keying Framework
Comment type: 'T'echnical
Priority: 'S' Must fix
Section: 2.1, Appendix E
Rationale/Explanation of issue:

Section 2.1 says:
AAA-Key derivation is discussed in Appendix E; in existing implementations the MSK is used as the AAA-Key.
Then Appendix E says:
Where a AAA-Key is generated as the result of a successful EAP authentication, the AAA-Key is set to MSK(0,63).
... Where the backend authentication server provides keying material to multiple authenticators in order to facilitate fast handoff, it is highly desirable for the keying material used on different authenticators to be cryptographically separate, so that if one authenticator is compromised, it does not lead to the compromise of other authenticators. ... a key hierarchy derived from the EMSK, can be used to provide cryptographically separate keying material for use in fast handoff:
AAA-Key-A = MSK(0,63)
AAA-Key-B = PRF(... AAA-Key-A,B-Called-Station-Id,
            Calling-Station-Id,length)
AAA-Key-E = PRF(... AAA-Key-A,E-Called-Station-Id,
            Calling-Station-Id, length)

Where:
Calling-Station-Id = STA MAC address
B-Called-Station-Id = AP B MAC address
E-Called-Station-Id = AP E MAC address
PRF = Some suitable pseudo-random function
length = length of derived key material

What I worry about is an apparent set of two methods -- yet AAA-Key-A and AAA-Key are equivalent. The text could be also clearer about existing implementations that use fast handoffs -- would they be using MSK or AAA-Key-X? And is the AAA-Key-X method the recommended IETF method, or one proposal among many competing ones (people who work with fast handoff in IEEE could perhaps comment here). Finally, "some suitable pseudo-random function" does not appear to be sufficient for interoperability :-)
In any case, my suggestion would be to merge the two approaches and just say that this is the way AAA keys need to be generated; given that the first key is the same in any case, the remaining keys will be different whenever fast handoffs are used. And we could use hmac-sha1 as is already done for AMSK generation.
Note: if people think that keying for handoff isn't clear and stable at this time, we should avoid recommending any specific key hierarchy for that. If that's the case then I withdraw my issue, and suggest that we simply keep the textual parts of appendix E and remove the rest.
But assuming we can specify this now, here's the suggested text for Section 2.1:
AAA-Key derivation is discussed in Appendix E.
and for Appendix E:
Where a AAA-Key is generated as the result of a successful EAP authentication with the authenticator A, the AAA-Key is based on the MSK:
AAA-Key = MSK(0,63)
... Where the backend authentication server provides keying material to additional authenticators in order to facilitate fast handoff, it is highly desirable for the keying material used on different authenticators B, C, ... to be cryptographically separate, so that if one authenticator is compromised, it does not lead to the compromise of other authenticators. ... a key hierarchy derived from ... can be used to provide cryptographically separate keying material for use in fast handoff:
AAA-Key-B = prf(... AAA-Key,B-Called-Station-Id,
            Calling-Station-Id,length)
AAA-Key-C = prf(... AAA-Key,C-Called-Station-Id,
            Calling-Station-Id, length)

Where:
Calling-Station-Id = STA MAC address
B-Called-Station-Id = AP B MAC address
C-Called-Station-Id = AP C MAC address
prf = hmac-sha1
length = length of derived key material

Here AAA-Key is derived during the initial EAP authentication between the peer and authenticator A. Based on this initial EAP authentication, the EMSK is also derived, which can be used to derive AAA-Keys for fast authentication between the EAP peer and authenticators B and C. Since the EMSK is cryptographically separate from the MSK, each of these AAA-Keys is cryptographically separate from each other, and is guaranteed to be unique between the EAP peer (also known as the STA) and the authenticator (also known as the AP).
--Jari
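
Added example, not part of the original message or of the draft: one way the suggested per-authenticator derivation could be pinned down with hmac-sha1, showing why the input encoding has to be specified for two implementations to agree. The inputs elided as "..." in the message are not modelled; the counter-mode expansion, the raw 6-octet MAC encoding, the function names and all sample values are assumptions.

```python
import hashlib
import hmac

def prf_expand(key: bytes, seed: bytes, length: int) -> bytes:
    """Assumed expansion: T(i) = HMAC-SHA1(key, T(i-1) | seed | i)."""
    if not 0 < length <= 255 * hashlib.sha1().digest_size:
        raise ValueError("length out of range for a one-octet counter")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]), hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:length]

def mac_bytes(mac: str) -> bytes:
    """Canonicalise a textual MAC address to 6 raw octets (assumed encoding)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    return raw

def handoff_key(aaa_key, called_station, calling_station, length=64, encode=mac_bytes):
    """AAA-Key-X = prf(AAA-Key, X-Called-Station-Id, Calling-Station-Id, length).

    The inputs the message elides as "..." are not modelled here.
    """
    if len(aaa_key) != 64:
        raise ValueError("AAA-Key is MSK(0,63), i.e. 64 octets")
    seed = encode(called_station) + encode(calling_station)
    return prf_expand(aaa_key, seed, length)

# Constructed sample values, not taken from any real deployment.
MSK = bytes(range(64))
STA = "02-00-00-00-00-01"    # Calling-Station-Id
AP_B = "02:00:00:00:0b:0b"   # B-Called-Station-Id
AP_C = "02:00:00:00:0c:0c"   # C-Called-Station-Id

if __name__ == "__main__":
    key_b = handoff_key(MSK, AP_B, STA)
    key_c = handoff_key(MSK, AP_C, STA)
    print("B and C keys differ:", key_b != key_c)
    # Same AP, different textual spelling: identical once canonicalised.
    print("spelling-independent:", handoff_key(MSK, "02-00-00-00-0B-0B", STA) == key_b)
    # A peer hashing the ASCII string instead derives a different key.
    print("ASCII encoding interoperates:",
          handoff_key(MSK, AP_B, STA, encode=str.encode) == key_b)
```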