Re: RE: EAP key management support for handover??
From: Jari Arkko (jari.arkkopiuha.net)
Date: Mon, 2 May 2005 04:09:16 -0400 (EDT)
Hi Madjid

Here are my issues:
1) After reading the draft a few times, I am still not clear how EMSK is derived? And what the distinction between MSK and EMSK is?


They are just different pieces of key material expected to come out
of all EAP methods. MSK and EMSK are independent in the sense that
if you have MSK, you can't calculate EMSK and vice versa.

The actual derivation of both MSK and EMSK is method
dependent. For instance, in EAP TLS, MSK is the first 64 bytes
and the EMSK is the last 64 bytes of

 TLS-PRF-128(TMS, "client EAP encryption",
                     client.random || server.random)

2) on generation of AAABS-Key-A, I am wondering why there is first AMSK(0,63) and then AAA-key? Aren't they the same (according to the first expression). Is this just the notation, or the AMSK is actually used twice?


AMSK(0,63) is used multiple times, but only to branch off new keys tied to the
specific AP identities.


3) Ok, so if the AAABS-key is derived based on the AMSK only and the AMSK is never transported from the AAA server, and only AAA-key is transported to the authenticator, that partly addresses my concern. But what does transferring the AAA-key to the authenticator achieve anyway?


Transferring AAA-Key to the authenticator is necessary because that's
what current systems do -- AAA-Key is used to handle the keying for
the first access point.

For every new authenticator the AAABS-key must still be derived by the AAA server?


In this model, yes.

Deriving keys from the AMSK formula not only enables cryptographic
separation, but it addresses the domino effect as well since the EMSK
never leaves the peer or server on which it is derived.

Madjid>>agreed, however, I still now how EMSK is derived?


See above.


--Jari
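
Added example, not part of the original message: a Python sketch of the EAP TLS split described in the answer to question 1, where one 128-byte PRF output yields MSK (first 64 bytes) and EMSK (last 64 bytes). It assumes that "TMS" is the TLS master secret and that TLS-PRF-128 is the TLS 1.0 PRF of RFC 2246 with 128 bytes of output; the function names and sample inputs are constructed for illustration.

```python
import hmac

LABEL = b"client EAP encryption"  # label quoted in the message above


def p_hash(alg, secret, seed, length):
    """RFC 2246 P_hash: chain HMAC outputs until `length` bytes exist."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, alg).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, alg).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2           # halves share the middle byte if length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def eap_tls_keys(master_secret, client_random, server_random):
    """Return (MSK, EMSK): bytes 0..63 and 64..127 of the 128-byte PRF output."""
    km = tls10_prf(master_secret, LABEL, client_random + server_random, 128)
    return km[:64], km[64:]


# Constructed sample inputs (not real handshake values).
SAMPLE_MASTER = bytes(range(48))            # TLS master secrets are 48 bytes
SAMPLE_CLIENT_RANDOM = b"\x01" * 32
SAMPLE_SERVER_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    msk, emsk = eap_tls_keys(SAMPLE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    print("MSK :", msk.hex())
    print("EMSK:", emsk.hex())
```

Both keys are disjoint slices of the same PRF stream, so holding one slice does not yield the other without the master secret.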

