Re: Re: Eap keying review: use of MSK/ EMSK for AMSK creation

From: Yoshihiro Ohba (yohba
Date: Tue, 8 Nov 2005 17:42:52 -0500 (EST)

On Tue, Nov 08, 2005 at 04:57:29PM -0500, Nakhjiri Madjid-MNAKHJI1 wrote:
> I think at least for handover or for MIP type applications we can work
> with this comfortably, i.e. have an HO-AMSK and a PMIP-AMSK and so on.
> And for HO, I will derive all the keys that are needed for HO-AMSK.
>
> However, as we discussed during HOKEY meeting last night, this makes the
> assumption that the AAA knows at the time authentication, about all the
> applications for which it needs AMSKs for.

I think this assumption has a limitation for MIPv6 bootstrapping. In
some cases, the AAA server may not know which HA is to be chosen by the
MN until an explicit request comes from HA x chosen by the MN. In
this case, a key for HA x should be generated on an on-demand basis (but I
am not sure whether use of AMSK or MSK is appropriate for this case).

Yoshihiro Ohba

> This works for now, since we
> can say that a well designed system should make all AAA decisions
> (especially authorization ones) at once. Still it would be nice if do
> not add the limitation that prevents the AAA layer/ server to later ask
> for another keys, to be exact, if we do not require deletion of EMSK
> immediately after AMSK creation. I cannot come of a specific example
> right now.
>
> Madjid
>
>
> >So this prohibits the AAA server to take EMSK and create new keys
> >
> >
> We may have discussed this already, but this is I believe correct. The
> EMSK should not be handed to the lower layer. But see below:
>
> >(AMSKs) for new applications or services. This means the EAP layer
> >must itself authorize each service application and calculate any AMSK
> >that are needed for that application. Not only we are including a role
> >of authorization into an EAP server, but also we are saying the EAP
> >layer must anticipate all applications that need to derive their keys
> >based on the EAP keying process.
> >Should not be the AAA server to make
> >
> >
> I think we can easily arrange things so that the AAA layer asks for
> AMSKs 1, 2, and 3, which fulfils security requirements (EMSK is not
> exposed) and does not require application knowledge from EAP layer. Does
> this work for you?
>
> --Jari
>
> _______________________________________________
> eap mailing list
> eap [at] lists.frascone.com
> http://lists.frascone.com/mailman/listinfo/eap
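
The arrangement discussed in this thread (the AAA layer asks for AMSKs by name, the EMSK never leaves the EAP layer), as an added sketch that is not code from any poster or from the EAP keying draft. The KDF (HMAC-SHA-256 expansion), the label MIP6-AMSK, the HA names and the sample EMSK are assumptions made for illustration.

```python
import hashlib
import hmac


class EapKeyHolder:
    """Keeps the EMSK inside the EAP layer and hands out only derived AMSKs."""

    def __init__(self, emsk: bytes):
        self._emsk = bytearray(emsk)  # never returned to the AAA layer

    def derive_amsk(self, label: str, context: bytes = b"", length: int = 64) -> bytes:
        """Derive a key bound to an application label and optional context (e.g. an HA id)."""
        if self._emsk is None:
            raise RuntimeError("EMSK deleted; no further AMSKs can be derived")
        info = label.encode() + b"\x00" + context + length.to_bytes(2, "big")
        out, block, counter = b"", b"", 1
        while len(out) < length:
            # Assumed KDF: HMAC-SHA-256 feedback expansion (HKDF-Expand style).
            block = hmac.new(bytes(self._emsk), block + info + bytes([counter]),
                             hashlib.sha256).digest()
            out += block
            counter += 1
        return out[:length]

    def delete_emsk(self) -> None:
        """Models the policy 'delete the EMSK immediately after AMSK creation'."""
        if self._emsk is not None:
            for i in range(len(self._emsk)):
                self._emsk[i] = 0  # zeroize before dropping the reference
            self._emsk = None


def demo():
    emsk = bytes(range(64))  # constructed sample EMSK, not a real key
    holder = EapKeyHolder(emsk)
    # Keys the AAA layer knows it needs at authentication time.
    ho = holder.derive_amsk("HO-AMSK")
    pmip = holder.derive_amsk("PMIP-AMSK")
    # On-demand request for an HA chosen by the MN after authentication.
    ha_x = holder.derive_amsk("MIP6-AMSK", context=b"ha-x.example.net")
    holder.delete_emsk()
    try:
        holder.derive_amsk("MIP6-AMSK", context=b"ha-y.example.net")
        late_request_ok = True
    except RuntimeError:
        late_request_ok = False  # the limitation raised in the thread
    return ho, pmip, ha_x, late_request_ok


if __name__ == "__main__":
    print([k.hex()[:16] if isinstance(k, bytes) else k for k in demo()])
```

Each label yields an independent key, and the late request fails only because the EMSK was deleted first, which is the trade-off between early deletion and on-demand derivation raised above.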