RE: RE: EAP key management support for handover??
From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Mon, 2 May 2005 08:47:50 -0400 (EDT)
Hi Jari,
Thank you for pointing the formula to me. Actually I went through the EAP draft
a few hours after my email and did find the formula on EMSK. I guess now
Bernard's point with the key derivation makes a bit more sense:
AAA-Key = MSK(0,63)
AMSK = KDF(EMSK, "EAP AAA-Key derivation for multiple attachments", length)
AAABS-Key-A = prf(AMSK(0,63), "EAP AAA-Key derivation for multiple attachments",
                  AAA-Key, BS-A-Id, Peer-Id, length)
AAA-key is derived from MSK, while AMSK is derived from EMSK and AAABS-key is
derived from both. Part of MSK is sent to the authenticator in form of AAA-key.
EMSK stays as a whole in the peer and server, which I guess means AMSK is
derived only at the peer and the server. I see your point about using
AMSK(0,63) multiple times for multiple AAABS-keys, however
I am trying to understand what the reasoning is for the fact that both AMSK and
AAA key are used for AAABS-key derivation?
Say I want to derive the keys for one BS, this would mean I would calculate
AAABS-key for the BS (authenticator) at the server and push AAABS-key to that
BS. What would the purpose of pushing the AAA-key to that authenticator be? You
say AAA-key is sent for "keying at the first access point"?
I would appreciate some clarification on this.
Thanks,
Madjid
-----Original Message-----
From: Jari Arkko [mailto:jari.arkko [at] piuha.net]
Sent: Monday, May 02, 2005 3:09 AM
To: Nakhjiri Madjid-MNAKHJI1
Cc: 'Bernard Aboba'; eap [at] frascone.com
Subject: Re: [eap] RE: EAP key management support for handover??
Hi Madjid
>Here are my issues:
>1) After reading the draft a few times, I am still not clear how EMSK is
>derived? And what the distinction between MSK and EMSK is?
>
>
They are just different pieces of key material expected to come out
of all EAP methods. MSK and EMSK are independent in the sense that
if you have MSK, you can't calculate EMSK and vice versa.
The actual derivation of both MSK and EMSK is method
dependent. For instance, in EAP TLS MSK is the first 64 bytes
and the EMSK is the last 64 bytes of
TLS-PRF-128(TMS, "client EAP encryption", client.random || server.random)
>2) on generation of AAABS-Key-A, I am wondering why there is first AMSK(0,63)
>and then AAA-key? Aren't they the same (according to the first expression). Is
>this just the notation, or the AMSK is actually used twice?
>
>
AMSK(0,63) is used multiple times, but only to branch off new keys tied
to the specific AP identities.
>3) Ok, so if the AAABS-key is derived based on the AMSK only and the AMSK is
>never transported from the AAA server, and only AAA-key is transported to the
>authenticator, that partly addresses my concern. But what does transferring
>the AAA-key to the authenticator achieve anyway?
>
>
Transferring AAA-Key to the authenticator is necessary because that's
what current systems do -- AAA-Key is used to handle the keying for
the first access point.
>For every new authenticator the AAABS-key must still be derived by the AAA
>server?
>
>
In this model, yes.
>Deriving keys from the AMSK formula not only enables cryptographic
>separation, but it addresses the domino effect as well since the EMSK
>never leaves the peer or server on which it is derived.
>
>Madjid>>agreed, however, I still don't know how EMSK is derived?
>
>
See above.
--Jari
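The key hierarchy the two messages discuss (MSK/EMSK out of the method, AAA-Key = MSK(0,63), AMSK from EMSK, AAABS-Key per base station from AMSK plus AAA-Key and the identities) is easier to reason about when run end to end. The following is an added illustration written for this archive page; it is not code from the thread, from the EAP draft or from any of the participants. The thread fixes the labels but not the KDF()/prf() constructions, so a counter-mode HMAC-SHA256 stands in for both, the EAP-TLS PRF is replaced by the same function (only the 64/64 split matters), and the AMSK and AAABS-Key lengths (64 and 32 bytes), the identities and the method secret are constructed sample values.

```python
import hashlib
import hmac

# Label quoted in the thread. The KDF/prf internals below are an assumption:
# the messages name neither, so a counter-mode HMAC-SHA256 stands in for both.
AMSK_LABEL = b"EAP AAA-Key derivation for multiple attachments"


def kdf(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Assumed KDF/prf: HMAC-SHA256 in counter mode over label || context."""
    out = b""
    counter = 1
    while len(out) < length:
        block = bytes([counter]) + label + context
        out += hmac.new(secret, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def eap_method_keys(method_secret: bytes, client_random: bytes,
                    server_random: bytes) -> tuple:
    """Model of Jari's EAP-TLS description: 128 bytes of PRF output,
    MSK = first 64 bytes, EMSK = last 64 bytes. The real TLS PRF is
    replaced by kdf() (assumption); only the split matters here."""
    key_material = kdf(method_secret, b"client EAP encryption",
                       client_random + server_random, 128)
    return key_material[:64], key_material[64:]


def aaa_key(msk: bytes) -> bytes:
    """AAA-Key = MSK(0,63): the only part shipped to the first authenticator."""
    return msk[0:64]


def amsk(emsk: bytes, length: int = 64) -> bytes:
    """AMSK = KDF(EMSK, label, length). EMSK never leaves peer/server, so AMSK
    is only ever computed at those two endpoints."""
    return kdf(emsk, AMSK_LABEL, b"", length)


def aaabs_key(amsk_value: bytes, aaa_key_value: bytes, bs_id: bytes,
              peer_id: bytes, length: int = 32) -> bytes:
    """AAABS-Key-A = prf(AMSK(0,63), label, AAA-Key, BS-A-Id, Peer-Id, length).
    AMSK(0,63) is the secret; AAA-Key and the identities are context that binds
    the result to one base station and one peer."""
    context = aaa_key_value + bs_id + peer_id
    return kdf(amsk_value[0:64], AMSK_LABEL, context, length)


def derive_for_bs(msk: bytes, emsk: bytes, bs_id: bytes, peer_id: bytes) -> bytes:
    """What the server computes and pushes to one base station, and what the
    peer computes locally; both hold MSK and EMSK after the EAP run."""
    return aaabs_key(amsk(emsk), aaa_key(msk), bs_id, peer_id)


# Constructed sample inputs (not real EAP values).
METHOD_SECRET = b"constructed-tls-master-secret-for-demo"
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PEER_ID = b"peer@example.net"
BS_A_ID = b"bs-a.example.net"
BS_B_ID = b"bs-b.example.net"


def demo() -> dict:
    """Run the hierarchy once and return the per-BS keys plus what each party sees."""
    msk, emsk = eap_method_keys(METHOD_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return {
        "aaa_key_at_first_authenticator": aaa_key(msk),
        "aaabs_key_bs_a": derive_for_bs(msk, emsk, BS_A_ID, PEER_ID),
        "aaabs_key_bs_b": derive_for_bs(msk, emsk, BS_B_ID, PEER_ID),
        # An authenticator holding only AAA-Key has no AMSK; substituting
        # AAA-Key in AMSK's place yields an unrelated value, which is the
        # cryptographic separation the thread is after.
        "wrong_key_from_aaa_key_only":
            aaabs_key(aaa_key(msk), aaa_key(msk), BS_A_ID, PEER_ID),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

Running it shows the two points under discussion: the keys for BS-A and BS-B differ even though the same AMSK(0,63) is the secret in both derivations (the identities change the context), and a party that only ever received AAA-Key cannot reproduce either AAABS-Key because AMSK, hence EMSK, is needed as the secret input.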