RE: Issue: AAA Key Caching effectively prohibited?

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Tue, 8 Nov 2005 17:21:14 -0500 (EST)
Ok, let me think out loud: EMSK is not cached, so can I use AMSK to design some sort of EAP-method-independent fast re-authentication procedure without worrying whether the method I am using has fast re-auth or not?

To answer the other points, re-authentication may have to be done even when you are not doing HO. Anyway, regardless of that point, having to go to the AAA server once is different from doing a full EAP-TLS exchange involving several round trips.

-----Original Message-----
From: Jari Arkko [mailto:jari.arkko [at] piuha.net]
Sent: Saturday, November 05, 2005 6:18 PM
To: Nakhjiri Madjid-MNAKHJI1
Cc: eap [at] frascone.com
Subject: Re: Issue: AAA Key Caching effectively prohibited?

Nakhjiri Madjid-MNAKHJI1 wrote:

> Several EAP methods (EAP-AKA) are adding fast re-authentication
> procedures, based on the knowledge of master key (have to read the
> draft again, to see which key is needed) after the initial
> authentication. If you delete the key, you cannot perform fast re-authentications.

Methods do indeed have fast re-auth schemes. However, the keys they use are internal to the methods (TEKs) and not exported or visible to the EAP layer, lower layer, or AAA. That is, they do not need EMSK or AMSK support. Caching of TEKs is allowed by the keying framework. Section 3.3 says:

    EAP methods may cache local keying material which may persist for multiple EAP conversations when fast reconnect is used [RFC 3748]. For example, EAP methods based on TLS (such as EAP-TLS [RFC2716]) derive and cache the TLS Master Secret, typically for substantial time periods.

Anyway, the use of such fast re-auth schemes helps with expensive auth procedures (such as in TLS) or when there's a potentially high volume of operations to the long-term secret that you may wish to optimize (such as in SIM/AKA). However, this does not help minimize AAA transactions to the home network. That is, it's not a fast handoff mechanism if "fast handoff" is defined as an operation that does not need another transaction all the way back to the home network.

--Jari
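As an added illustration (not code from this thread or from any EAP implementation), the following Python sketch models the EAP-TLS behaviour Jari describes: the peer caches only the TLS master secret, which is method-internal material, and a fast reconnect reuses it with fresh handshake randoms to derive a new MSK/EMSK while the conversation still ends with one AAA transaction. The derivation follows RFC 5216 section 2.3 (Key_Material = TLS-PRF-128(master_secret, "client EAP encryption", client.random || server.random)); the TLS 1.2 P_SHA256 PRF, the session ids, the randoms and the transaction counter are assumptions constructed for the example.

```python
import hmac
import hashlib


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5): A(i) chaining over HMAC-SHA256."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """MSK (first 64 bytes) and EMSK (next 64) from the TLS master secret, per RFC 5216 2.3.
    Assumption: TLS 1.2 PRF. The randoms belong to the handshake that just ran, so a
    resumed session yields fresh MSK/EMSK even though the master secret is reused."""
    key_material = p_sha256(master_secret, b"client EAP encryption" + client_random + server_random, 128)
    return key_material[:64], key_material[64:]


class EapTlsPeer:
    """Toy peer: caches only the TLS master secret (method-internal TEK material), never the
    exported MSK/EMSK. Session ids and the AAA counter are constructed for illustration."""

    def __init__(self):
        self.master_secrets = {}   # session_id -> cached TLS master secret
        self.aaa_transactions = 0  # resumed or not, the EAP server still hands the MSK to the NAS via AAA

    def full_auth(self, session_id, master_secret, client_random, server_random):
        """Full handshake: a new master secret is established and cached."""
        self.master_secrets[session_id] = master_secret
        self.aaa_transactions += 1
        return eap_tls_keys(master_secret, client_random, server_random)

    def fast_reconnect(self, session_id, client_random, server_random):
        """Abbreviated handshake: reuse the cached master secret; still one round to the home AAA."""
        master_secret = self.master_secrets.get(session_id)
        if master_secret is None:
            raise KeyError("no cached master secret for this session; full EAP-TLS handshake required")
        self.aaa_transactions += 1
        return eap_tls_keys(master_secret, client_random, server_random)


if __name__ == "__main__":
    peer = EapTlsPeer()
    msk1, _ = peer.full_auth(b"sid-1", bytes(range(48)), b"\x01" * 32, b"\x02" * 32)  # constructed inputs
    msk2, _ = peer.fast_reconnect(b"sid-1", b"\x03" * 32, b"\x04" * 32)
    print("fresh MSK on resumption:", msk1 != msk2, "| AAA transactions:", peer.aaa_transactions)
```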