Subject: Issue: AAA Key Caching effectively prohibited?
From: Bernard Aboba (bernard_aboba
Date: Tue, 1 Nov 2005 13:55:59 -0500 (EST)
I would like to point out one other consequence of preventing lower layers
(including AAA) from accessing the EMSK. It appears to me that this
severely restricts implementation of a key cache on the AAA server.
1. We've talked about deletion of transported keys from the AAA server. So if an MSK (or AMSK) is calculated within the AAA layer and subsequently transported, that key is destroyed and cannot be cached.
2. We've talked about how the EMSK cannot be passed down to the lower layer (including AAA). Therefore the EMSK also cannot be cached by the AAA layer.
3. Given 1) and 2), what keys *can* be cached in the AAA layer? Limited answers appear to be available. Caching of MSKs does not make much sense, even if they are not transported in a particular application, because some applications *do* transport MSKs.
It would be possible for the AAA layer to request more than one AMSK, then cache the AMSKs that are not transported.
However, this approach does not appear to enable implementation of schemes such as "Key Request" and "Pre-emptive Key Distribution", both of which appear to require the AAA layer to calculate AMSKs *on demand*.
To be able to do this, it would seem like the AAA server would need to have access to the EMSK -- since the EAP layer doesn't cache EMSKs, how else could AMSKs be calculated once EAP authentication completes? In the case of roaming systems it is not feasible to ask the EAP layer to calculate every conceivable AMSK that could be useful -- there could be thousands of them.
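The following is an added illustration of the argument in the message above; it is not code from the original post or from any EAP or AAA implementation. It models the three rules the message describes: the EMSK exists only in the EAP layer and is discarded once the exported keys are handed down, the AAA layer receives the MSK plus whatever AMSKs were requested up front, and a transported key is destroyed locally. The AMSK derivation (HMAC-SHA256 in counter mode over a key label) and the application labels "app-A", "app-B", "app-C" are assumptions of the example, not anything the thread specifies. The scenario at the end shows why an on-demand "Key Request" for a label that was not pre-derived cannot be answered.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def derive_amsk(emsk: bytes, label: str, length: int = 64) -> bytes:
    """Derive one application-specific child key (AMSK) from the EMSK.

    Hypothetical KDF used only for this example: HMAC-SHA256 keyed with the
    EMSK, counter mode over the label. The thread does not define the
    derivation; this is an assumption of the example.
    """
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(emsk, label.encode() + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class EapLayer:
    """EAP method layer: the only place the EMSK is ever available."""

    def __init__(self, msk: bytes, emsk: bytes) -> None:
        self.msk = msk
        self._emsk: Optional[bytes] = emsk

    @property
    def has_emsk(self) -> bool:
        return self._emsk is not None

    def export(self, labels: List[str]) -> Tuple[bytes, Dict[str, bytes]]:
        """Hand the MSK and the requested AMSKs down, then drop the EMSK.

        Modelled after the rule that the EMSK is not passed to lower layers
        and is not cached by the EAP layer once authentication completes.
        """
        if self._emsk is None:
            raise RuntimeError("EMSK already discarded; no further AMSKs can be derived")
        amsks = {label: derive_amsk(self._emsk, label) for label in labels}
        self._emsk = None
        return self.msk, amsks


class AaaServer:
    """AAA (lower) layer: sees transported keys only, never the EMSK."""

    def __init__(self, msk: bytes, amsks: Dict[str, bytes]) -> None:
        self.msk = msk
        self._cache: Dict[str, bytes] = dict(amsks)

    def transport(self, label: str) -> bytes:
        """Deliver an AMSK to an authenticator; the local copy is destroyed."""
        return self._cache.pop(label)

    def key_request(self, label: str) -> Optional[bytes]:
        """'Key Request' can only be answered from the cache of untransported
        AMSKs, since the AAA layer has no EMSK to derive a new one."""
        return self._cache.get(label)

    def cached_labels(self) -> List[str]:
        return sorted(self._cache)


def run_scenario() -> dict:
    """Walk through export, transport and key requests; returns observations."""
    eap = EapLayer(msk=os.urandom(64), emsk=os.urandom(64))  # constructed keys
    msk, amsks = eap.export(["app-A", "app-B"])  # AMSKs requested up front
    aaa = AaaServer(msk, amsks)
    result = {"emsk_survives_export": eap.has_emsk}

    # A label requested at export time is answerable until it is transported.
    result["request_A_before_transport"] = aaa.key_request("app-A") is not None
    aaa.transport("app-A")
    result["request_A_after_transport"] = aaa.key_request("app-A") is not None

    # A label nobody asked for at export time cannot be derived on demand.
    result["request_unplanned_C"] = aaa.key_request("app-C") is not None
    try:
        eap.export(["app-C"])
        result["late_derivation_possible"] = True
    except RuntimeError:
        result["late_derivation_possible"] = False

    result["still_cached"] = aaa.cached_labels()
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The only way this model can satisfy "app-C" is to have asked for it at export time, which is the "request more than one AMSK and cache the rest" approach; in a roaming deployment the label set is open-ended, so pre-deriving every candidate is exactly the scaling problem the message points to.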
Thread:
- Eap keying review: use of MSK/ EMSK for AMSK creation, Nakhjiri Madjid-MNAKHJI1, November 1 2005
- RE: Eap keying review: use of MSK/ EMSK for AMSK creation, Bernard Aboba, November 1 2005
- Issue: AAA Key Caching effectively prohibited?, Bernard Aboba, November 1 2005
- Re: Issue: AAA Key Caching effectively prohibited?, Jari Arkko, November 1 2005
- Re: Issue: AAA Key Caching effectively prohibited?, Bernard Aboba, November 1 2005
- Re: Re: Issue: AAA Key Caching effectively prohibited?, Jari Arkko, November 1 2005
- Re: Re: Issue: AAA Key Caching effectively prohibited?, Mohan Parthasarathy, November 2 2005
- RE: Eap keying review: use of MSK/ EMSK for AMSK creation, Bernard Aboba, November 1 2005