RE: issue: make existing vs. handoff usage of AAA-Key clearer
From: Alper Yegin (alper.yeginsamsung.com)
Date: Tue, 5 Oct 2004 20:56:12 -0400 (EDT)
The current text is geared for generating keys and pushing them to other
authenticators in advance (prior to handover). I'd recommend that the other
mechanism, namely pulling keys from a new authenticator in response to a
handover (reactive), is also covered in this section.

Alper


> -----Original Message-----
> From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf Of Jari Arkko
> Sent: Tuesday, October 05, 2004 4:18 AM
> To: eap [at] frascone.com
> Subject: [eap] issue: make existing vs. handoff usage of AAA-Key clearer
> 
> 
> Submitter name: Jari Arkko
> Submitter email address: jarkko [at] piuha.net
> Date first submitted: 10/5/2004
> Reference:
> Document: Keying Framework
> Comment type: 'T'echnical
> Priority: 'S' Must fix
> Section: 2.1, Appendix E
> Rationale/Explanation of issue:
> 
> Section 2.1 says:
> 
>     AAA-Key derivation is discussed in Appendix E; in
>     existing implementations the MSK is used as the AAA-Key.
> 
> Then Appendix E says:
> 
>     Where a AAA-Key is generated as the result of a successful EAP
>     authentication, the AAA-Key is set to MSK(0,63).
> 
>     ... Where the backend
>     authentication server provides keying material to multiple
>     authenticators in order to facilitate fast handoff, it is highly
>     desirable for the keying material used on different authenticators
>     to be cryptographically separate, so that if one authenticator is
>     compromised, it does not lead to the compromise of other
>     authenticators. ... a key hierarchy derived from the EMSK, can be
>     used to provide cryptographically separate keying material for use
>     in fast handoff:
> 
>     AAA-Key-A = MSK(0,63)
>     AAA-Key-B = PRF(... AAA-Key-A,B-Called-Station-Id,
>                 Calling-Station-Id,length)
> 
>     AAA-Key-E = PRF(... AAA-Key-A,E-Called-Station-Id,
>                 Calling-Station-Id, length)
> 
>     Where:
>     Calling-Station-Id  = STA MAC address
>     B-Called-Station-Id = AP B MAC address
>     E-Called-Station-Id = AP E MAC address
>     PRF = Some suitable pseudo-random function
>     length = length of derived key material
> 
> What I worry about is an apparent set of two methods -- yet
> AAA-Key-A and AAA-Key are equivalent. The text could be
> also clearer about existing implementations that use fast
> handoffs -- would they be using MSK or AAA-Key-X? And is the
> AAA-Key-X method the recommended IETF method, or one
> proposal among many competing ones (people who work with
> fast handoff in IEEE could perhaps comment here). Finally,
> "some suitable pseudo-random function" does not appear
> to be sufficient for interoperability :-)
> 
> In any case, my suggestion would be to merge the two
> approaches and just say that this is the way AAA keys
> need to be generated; given that the first key is the
> same in any case, the remaining keys will be different
> whenever fast handoffs are used. And we could use hmac-sha1
> as is already done for AMSK generation.
> 
> Note: if people think that keying for handoff isn't
> clear and stable at this time, we should avoid recommending
> any specific key hierarchy for that. If that's the case
> then I withdraw my issue, and suggest that we simply keep
> the textual parts of appendix E and remove the rest.
> 
> But assuming we can specify this now, here's the suggested
> text for Section 2.1:
> 
>       AAA-Key derivation is discussed in Appendix E.
> 
> and for Appendix E:
> 
>     Where a AAA-Key is generated as the result of a successful EAP
>     authentication with the authenticator A, the AAA-Key is based on
>     the MSK:
> 
>     AAA-Key   = MSK(0,63)
> 
>     ... Where the backend
>     authentication server provides keying material to additional
>     authenticators in order to facilitate fast handoff, it is highly
>     desirable for the keying material used on different authenticators
>     B, C, ... to be cryptographically separate, so that if one
>     authenticator is compromised, it does not lead to the compromise of
>     other authenticators. ... a key hierarchy derived from ... can be
>     used to provide cryptographically separate keying material for use
>     in fast handoff:
> 
>     AAA-Key-B = prf(... AAA-Key,B-Called-Station-Id,
>                 Calling-Station-Id,length)
> 
>     AAA-Key-C = prf(... AAA-Key,C-Called-Station-Id,
>                 Calling-Station-Id, length)
> 
>     Where:
>     Calling-Station-Id  = STA MAC address
>     B-Called-Station-Id = AP B MAC address
>     C-Called-Station-Id = AP C MAC address
>     prf = hmac-sha1
>     length = length of derived key material
> 
>     Here AAA-Key is derived during the initial EAP
>     authentication between the peer and authenticator A. Based on this
>     initial EAP authentication, the EMSK is also derived, which can be
>     used to derive AAA-Keys for fast authentication between the EAP
>     peer and authenticators B and C.  Since the EMSK is cryptographically
>     separate from the MSK, each of these AAA-Keys is cryptographically
>     separate from each other, and are guaranteed to be unique between
>     the EAP peer (also known as the STA) and the authenticator (also
>     known as the AP).
> 
> --Jari
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap
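
The per-authenticator derivation proposed in the quoted message, as an added example that is not part of the thread or of the Keying Framework draft. The quoted formulas elide the leading PRF inputs ("...") and do not say how hmac-sha1 is expanded to `length` bytes, so the `LABEL` constant, the counter-mode expansion, the input encoding and all key and MAC values below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical label standing in for the inputs the quoted text elides as "...".
LABEL = b"example fast-handoff AAA-Key"

def mac_to_bytes(mac: str) -> bytes:
    """Parse a MAC into exactly 6 bytes so concatenated PRF inputs stay unambiguous."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw

def prf(key: bytes, called: bytes, calling: bytes, length: int) -> bytes:
    """HMAC-SHA1 in counter mode (assumed construction), truncated to `length` bytes."""
    out = b""
    counter = 1
    while len(out) < length:
        block = (struct.pack(">B", counter) + LABEL + b"\x00"
                 + called + calling + struct.pack(">H", length))
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_handoff_key(aaa_key: bytes, called_station_id: str,
                       calling_station_id: str, length: int = 64) -> bytes:
    """AAA-Key-X = prf(AAA-Key, X-Called-Station-Id, Calling-Station-Id, length)."""
    return prf(aaa_key, mac_to_bytes(called_station_id),
               mac_to_bytes(calling_station_id), length)

# Constructed sample values, not taken from any real deployment.
MSK = bytes(range(64))
AAA_KEY = MSK[0:64]            # AAA-Key = MSK(0,63)
STA = "02:00:00:00:00:01"      # Calling-Station-Id (STA MAC address)
AP_B = "02:00:00:00:00:0b"     # B-Called-Station-Id (AP B MAC address)
AP_C = "02:00:00:00:00:0c"     # C-Called-Station-Id (AP C MAC address)

if __name__ == "__main__":
    for name, ap in (("AAA-Key-B", AP_B), ("AAA-Key-C", AP_C)):
        print(name, derive_handoff_key(AAA_KEY, ap, STA).hex())
```

The separation this gives is between the derived keys: AAA-Key-B cannot be computed from AAA-Key-C or the reverse, but any party holding the root key passed as `aaa_key` can compute both.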

