Re: Eap keying review: use of MSK/ EMSK for AMSK creation

From: Jari Arkko (jari.arkko
Date: Mon, 7 Nov 2005 10:20:39 -0500 (EST)

Nakhjiri Madjid-MNAKHJI1 wrote:

> Hi Bernard,
>
> I did some more reading in the 08 doc, and I am trying to put all the
> pieces of the puzzle together.
>
> Section 2.2. of EAP keying 08 prohibits sending EMSK down to the lower
> layer (section 2.2).
> So this prohibits the AAA server to take EMSK and create new keys

We may have discussed this already, but this is I believe correct. The EMSK should not be handed to the lower layer. But see below:

> (AMSKs) for new applications or services. This means the EAP layer must
> itself authorize each service application and calculate any AMSK that
> are needed for that application. Not only we are including a role of
> authorization into an EAP server, but also we are saying the EAP layer
> must anticipate all applications that need to derive their keys based on
> the EAP keying process. Should not be the AAA server to make

I think we can easily arrange things so that the AAA layer asks for AMSKs 1, 2, and 3, which fulfils security requirements (EMSK is not exposed) and does not require application knowledge from EAP layer. Does this work for you?

--Jari
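
The arrangement proposed in the reply above, sketched as an added example (it is not code from this thread or from the EAP keying draft): the EAP layer keeps the EMSK private and hands out only AMSKs for labels the AAA layer asks for. The names `EapKeyStore`, `derive_amsk`, `aaa_request_amsks`, the sample labels, and the use of HKDF-Expand with HMAC-SHA256 as the KDF are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _expand(key: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; an assumed KDF for this sketch."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class EapKeyStore:
    """Hypothetical EAP-layer object: holds the EMSK, exports only AMSKs."""

    def __init__(self, emsk: bytes):
        if len(emsk) < 64:
            raise ValueError("EMSK must be at least 64 octets")
        self.__emsk = emsk  # private by convention; no method returns it

    def derive_amsk(self, label: str, length: int = 64) -> bytes:
        # The label is opaque here: the EAP layer needs no knowledge of
        # the application, it only binds the derived key to the label.
        if not label:
            raise ValueError("application label required")
        info = label.encode("ascii") + b"\x00" + length.to_bytes(2, "big")
        return _expand(self.__emsk, info, length)


def aaa_request_amsks(store: EapKeyStore, labels):
    """AAA-side view: authorization happens here, then one AMSK per label."""
    return {label: store.derive_amsk(label) for label in labels}


if __name__ == "__main__":
    store = EapKeyStore(secrets.token_bytes(64))  # constructed sample EMSK
    labels = ["app1@example", "app2@example", "app3@example"]  # constructed
    for label, key in aaa_request_amsks(store, labels).items():
        print(label, key[:8].hex(), "...")
```

Because each AMSK is bound to its label through a one-way function of the EMSK, disclosure of one application's AMSK reveals neither the EMSK nor the AMSKs of other applications.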