Subject: Re: RE: Issue: AAA Key Caching effectively prohibited?
From: Bernard Aboba (bernard_aboba
Date: Thu, 3 Nov 2005 00:43:39 -0500 (EST)
> Furthermore, it should be possible for the AAA server not to delete every key it has transported to the pass-through authenticator
All existing AAA servers delete transported keys today -- and the "proof of security" required for EAP rests on this assumption.
The goal of AAA key management is to derive keys known to be fresh that are available only to mutually authenticated parties with a "need to know". By deleting transported keys, the AAA server guarantees that it can never resend that same key. The EAP authenticator does not really have much of a mechanism for knowing that the transported keys are fresh -- the Session-ID only allows it to guarantee against stale keys for the lifetime of the key cache. However, deleting the transported keys on the AAA server means that the only way an EAP authenticator can receive a stale key is for the Session-ID to repeat, which is unlikely unless both the EAP peer and server have broken random number generators. Also by deleting the transported keys, the EAP authenticator and peer can derive other keys (the TSKs) known only to those parties and not to the AAA server.
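The three rules in the message above (the AAA server forgets a key once it has transported it, the authenticator keys its cache by EAP Session-ID and refuses a repeat, and the peer and authenticator derive TSKs the AAA server never holds) can be checked in a small model. The code below is an added example written for this page, not code from any EAP, RADIUS or Diameter implementation; the HMAC-based TSK derivation, the 64-octet MSK, the 32-octet Session-ID and the in-memory caches are assumptions chosen for illustration.

```python
"""Model of AAA key handling: transport-then-delete on the server,
Session-ID keyed cache on the authenticator, TSKs derived off the MSK.
Illustrative only; the KDF and sizes below are assumptions."""
import hashlib
import hmac
import os

MSK_LEN = 64          # assumed MSK length (EAP methods export at least 64 octets)
SESSION_ID_LEN = 32   # assumed Session-ID length


class AAAServer:
    """Holds an MSK per EAP Session-ID only until it has been transported."""

    def __init__(self):
        self._pending = {}

    def finish_eap(self, session_id: bytes, msk: bytes) -> None:
        """EAP method completed; the MSK is now known to server and peer."""
        self._pending[session_id] = msk

    def transport_key(self, session_id: bytes) -> bytes:
        # pop(), not get(): after transport the server no longer has the key,
        # so it can never resend it.  A second call raises KeyError.
        return self._pending.pop(session_id)

    def knows(self, session_id: bytes) -> bool:
        return session_id in self._pending


class Authenticator:
    """Caches transported keys by Session-ID.  A Session-ID that is already
    in the cache (within its lifetime) is treated as a stale key."""

    def __init__(self):
        self.cache = {}

    def install(self, session_id: bytes, msk: bytes) -> None:
        if session_id in self.cache:
            raise ValueError("stale key: Session-ID already in cache")
        self.cache[session_id] = msk


def derive_tsk(msk: bytes, peer_nonce: bytes, auth_nonce: bytes, length: int = 32) -> bytes:
    """Hypothetical TSK derivation: HMAC-SHA256(MSK, label || nonces).
    Only parties holding the MSK can compute it."""
    return hmac.new(msk, b"TSK" + peer_nonce + auth_nonce, hashlib.sha256).digest()[:length]


def run_exchange(session_id, peer_msk, server, authenticator, peer_nonce, auth_nonce):
    """One session: server transports the MSK, authenticator installs it,
    both peer and authenticator derive the TSK from their own copy."""
    transported = server.transport_key(session_id)
    authenticator.install(session_id, transported)
    tsk_peer = derive_tsk(peer_msk, peer_nonce, auth_nonce)
    tsk_auth = derive_tsk(authenticator.cache[session_id], peer_nonce, auth_nonce)
    return tsk_peer, tsk_auth


def demo() -> dict:
    """Constructed run: one good session, then a resend and a stale install."""
    server, auth = AAAServer(), Authenticator()
    session_id = os.urandom(SESSION_ID_LEN)          # constructed Session-ID
    msk = os.urandom(MSK_LEN)                        # constructed MSK (peer's copy)
    peer_nonce, auth_nonce = os.urandom(16), os.urandom(16)
    server.finish_eap(session_id, msk)

    tsk_peer, tsk_auth = run_exchange(session_id, msk, server, auth, peer_nonce, auth_nonce)
    results = {
        "tsk_match": tsk_peer == tsk_auth,           # peer and authenticator agree
        "server_forgot": not server.knows(session_id),  # server cannot derive the TSK
    }

    try:                                             # server cannot resend the key
        server.transport_key(session_id)
        results["resend_fails"] = False
    except KeyError:
        results["resend_fails"] = True

    try:                                             # repeated Session-ID is refused
        auth.install(session_id, msk)
        results["stale_rejected"] = False
    except ValueError:
        results["stale_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The model only says what the message says: once the server has popped the key, the only way the authenticator can be handed a stale key is for the same Session-ID to come back, which the cache check catches for as long as the entry lives; and because the TSK is derived from the MSK plus nonces, a server that no longer holds the MSK cannot compute it.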