Re: [Issue 278]: lifetimes of keys internal to EAP methods
From: Jari Arkko (jari.arkkopiuha.net)
Date: Tue, 26 Oct 2004 05:41:48 -0400 (EDT)
Pasi.Eronen [at] nokia.com wrote:

However, I'm not so sure about the last sentence ("TSKs must remain cryptographically separate from TEKs"). This requirement is also repeated in Section 6.4, but I think it should actually say that "it must not be possible to calculate TEKs from TSKs".

This seems to be the main requirement, yes. And doesn't it hold for MSK too? That is,

  Must not be possible to calculate TEKs from MSK
  Must not be possible to calculate MSK from TSKs

(But 802.11i might not qualify for the latter? If so,
I'm ready to make this:

  Must not be possible to calculate TEKs from MSK
  Must not be possible to calculate TEKs from TSKs)

The current text essentially prohibits EAP methods that use key
wrapping (e.g., server generates a random key, encrypts it with
a TEK, and sends it to the client). In this case, knowing the TEK
(and all information sent over the wire) allows you to calculate
the MSK.

Yes, I don't think there's anything fundamentally wrong with this.


And knowing the MSK allows you to calculate the TEKs (in e.g.
802.11i), so they're not cryptographically separate (at least
according to definition in Section 5.1).

Now I'm missing something. Perhaps you meant to say that knowing the MSK allows you to calculate the TSKs in 802.11i? No fault in the lower layer can let you calculate TEKs, assuming your requirement in the first paragraph above holds.

So, I'd propose replacing the last sentence with "Similarly, it must not be possible to calculate TEKs from keys exported outside the EAP method." (and also changing Section 6.4 accordingly).

This is good enough for me.


--Jari
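
The key-wrapping case discussed in this thread, as an added example that is not part of the original message or of any EAP specification: the TEK plus the wire contents yields the MSK, while the MSK is chosen independently of the TEK and the TSK is derived one-way from the MSK. The function names, labels, and the toy wrap construction are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, length: int = 32) -> bytes:
    """One-way derivation: HMAC-SHA256 in counter mode (illustrative KDF)."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(tek: bytes, nonce: bytes, key: bytes) -> bytes:
    """Toy key wrap (assumption): XOR with a TEK-keyed keystream plus an HMAC tag.
    Stands in for a real key-wrap algorithm; not for production use."""
    stream = prf(tek, b"wrap-enc" + nonce, len(key))
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(prf(tek, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap(tek: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Recover the wrapped key; raises ValueError if the TEK is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(prf(tek, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    stream = prf(tek, b"wrap-enc" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def run_method(long_term_secret: bytes) -> dict:
    """Constructed exchange: server picks a random MSK and wraps it under a TEK."""
    tek = prf(long_term_secret, b"TEK")   # stays internal to the method
    msk = os.urandom(32)                  # exported; random, not derived from TEK
    nonce = os.urandom(16)
    wire = (nonce, wrap(tek, nonce, msk))  # what an on-path observer records
    tsk = prf(msk, b"TSK")                # lower layer derives TSK from MSK
    return {"tek": tek, "msk": msk, "tsk": tsk, "wire": wire}
```
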
