| Issue 275: AAA-Key Should be Derived from AMSK | <– Date –> <– Thread –> |
From: Bernard Aboba (aboba internaut.com)
|
|
| Date: Tue, 19 Oct 2004 22:53:13 -0400 (EDT) | |
The text of Issue 275 is enclosed below. I think this issue iresolved, bu it would be helpful if someone would post a proposed resolution so that we could make sure. ----------------------------------------------------------------- Issue 275: AAA-Key Should be Derived from AMSK Submitter name: Joe Salowey Submitter email address: jsalowey [at] cisco.com Date first submitted: 10/4/2004 Reference: http://mail.frascone.com/pipermail/eap/2004-October/002860.html Document: Keying-03 Comment type: T Priority: S Section: 2.2, Appendix C, E Rationale/Explanation of issue The AAA-Key should be derived from the EMSK directly, it should either be derived from the MSK alone or form an AMSK (which is derived from the EMSK). This is to limit the exposure of the EMSK outside of the EAP framework and to ensure that the EMSK derivation maitnains computational separation of keys. Requested change: Section 2.2: Change "On both the peer and EAP server, the exported MSK and EMSK are utilized in order to calculate the AAA-Key, as described in Appendix E." To "On both the peer and EAP server, the exported MSK and keys derived from the EMSK (AMSK) are utilized in order to calculate the AAA-Key, as described in Appendix E." Figure 3 should be changed to show that the AAA-Key is derived from an AMSK Appendix C: Figure C1 should show the AMSK going to the backend server instead of the EMSK Appendix E: The EMSK should not be used directly in AAA-Key derivation. Text follows: "Where keying material is provided by the backend authentication server, a key hierarchy derived from the EMSK, can be used to provide cryptographically separate keying material for use in fast handoff. Instead of using the EMSK directly a application specific key is derived, the AMSK, as described in seciton F: AAA-Key-A = MSK(0,63) AAA-Key-B = PRF(AMSK(0,63),"EAP AAA-Key derivation for multiple attachments", AAA-Key-A,B-Called-Station-Id, Calling-Station-Id,length) AAA-Key-E = PRF(AMSK(0,63),"EAP AAA-Key derivation for multiple attachments",AAA-Key-A,E-Called-Station-Id, Calling-Station-Id, length)" [Florent Bersani] I believe this is tracked as Issue 266 (http://www.drizzle.com/~aboba/EAP/eapissues.html#Issue%20266) isn't it? Thanks for proposing text :-)) I concur. [Joe Salowey] Yes it is, we can merge them. I think there still is the whole issue whole issue of the AAA-Key usage in fast handoff which is currently under discussion. [Jari Arkko] I agree with you and Florent that this is a problem. I like your solution too -- some nits inline: > Section 2.2: > > Change > "On both the peer and EAP server, the exported MSK and EMSK are > utilized in order to calculate the AAA-Key, as described in Appendix > E." > To > > "On both the peer and EAP server, the exported MSK and keys derived from the > EMSK (AMSK) are > utilized in order to calculate the AAA-Key, as described in Appendix > E." Maybe s/EMSK (AMSK)/AMSK/ -- the AMSK is already introduced earlier as is the fact that AMSK is derived from the exported quantities. > Figure 3 should be changed to show that the AAA-Key is derived from an AMSK Yes. > Appendix C: > > Figure C1 should show the AMSK going to the backend server instead of the > EMSK Yes. > Appendix E: > > The EMSK should not be used directly in AAA-Key derivation. Text follows: > > "Where keying material is provided by the backend > authentication server, a key hierarchy derived from the EMSK, can be > used to provide cryptographically separate keying material for use in > fast handoff. Instead of using the EMSK directly a application specific > key is derived, the AMSK, as described in seciton F: Maybe: "Where keying material is provided by the backend authentication server, a key hierarchy derived from the MSK and the AMSK can be used to ..." > AAA-Key-A = MSK(0,63) > AAA-Key-B = PRF(AMSK(0,63),"EAP AAA-Key derivation for > multiple attachments", AAA-Key-A,B-Called-Station-Id, > Calling-Station-Id,length) > > AAA-Key-E = PRF(AMSK(0,63),"EAP AAA-Key derivation for > multiple attachments",AAA-Key-A,E-Called-Station-Id, > Calling-Station-Id, length)" Ok. [Joe Salowey] > Maybe s/EMSK (AMSK)/AMSK/ -- the AMSK is already introduced > earlier as is the fact that AMSK is derived from the exported > quantities. > [Joe] Yes, thanks. >> Appendix E: >> >> The EMSK should not be used directly in AAA-Key derivation. Text >> follows: >> >> "Where keying material is provided by the backend >> authentication server, a key hierarchy derived from the EMSK, can >> be used to provide cryptographically separate keying material for >> use in fast handoff. Instead of using the EMSK directly a >> application specific key is derived, the AMSK, as described in >> seciton F: > > Maybe: "Where keying material is provided by the backend > authentication server, a key hierarchy derived from the MSK > and the AMSK can be used to ..." > [Joe] perhaps "an AMSK" instead of "the AMSK". There can be more than one AMSK for different purposes. [Florent Bersani] A quick comment in-line Joseph Salowey wrote: >... > "Where keying material is provided by the backend > authentication server, a key hierarchy derived from the EMSK, can be > used to provide cryptographically separate keying material for use in > fast handoff. > I do not think that fast handoff is the only application that may benefit from such a scheme... although it is clearly a natural one! So i'd suggest being less specific and saying sth like: "Where keying material is provided by the backend authentication server, a key hierarchy derived from the EMSK *and the MSK as Jari noted* , can be used to provide cryptographically separate keying material *for different applications. Fast handoffs are an example application that may benefit from this keying material" [Joe Salowey] perhaps it should be "the EMSK and/or the MSK"
- (no other messages in thread)
Results generated by Tiger Technologies using MHonArc.