RE: the outcome of EMSK and AMSK discussion?

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Wed, 23 Nov 2005 11:37:10 -0800 (PST)
Hi Joe,

Just following up some old discussions. I am assuming we are close to the end of last call, so what was the result of all the discussions and its impact on the document? Will you send another rev?

Qs: AAA server versus EAP server? Their roles? Are you adding the KDF as another entity? Does the AAA server (lower layer at backend EAP server) get the AMSK after requesting it from the EAP layer (which holds the EMSK)? Is EMSK cached at all or is it deleted right away? Can we assume one AMSK per application authorized by AAA server?

Thanks,
Madjid

[Joe] One problem we have is that AAA is not an EAP entity, which makes this discussion rather difficult. I'm OK with defining another entity that can handle the key derivation, but it's not the AAA. It may be contained within the AAA and accessed by the AAA etc. Perhaps the EAP server exports a KDF that can be used to retrieve AMSKs based on the EMSK. This EAP-KDF component controls access to the keying material by restricting which other components can obtain keys for a certain application so that one application can retrieve another application's keys. Beyond this the application is responsible for access control of the AMSK and any keys derived from it.

> Madjid>> What if you need AMSK for multiple applications. Why are we
> using the "M" in the MSK and EMSK then?

[Joe] Not sure what you mean. The EMSK is used to derive AMSK. That is its sole purpose. Once the keys are derived it can be removed. Using the EMSK directly can lead to a problem where a compromise in one application compromises all applications.

> > Should it not be the AAA server to make authorization decisions and
> > generate keys for the services accordingly (say a master key for an
> > access technology or a master key to provide handover support)?

[Joe] Yes the AAA server should, however it is also possible to use EAP without AAA so we have to be careful with terminology.

> Madjid>> What key could the AAA server use. It does not get the EMSK and
> it has to dump MSK or AMSK as soon as it transports it, what if another
> application comes along and now you don't have any keys left?

[Joe] The AAA can do what it wants with an AMSK it receives according to the definition of the application that uses the AMSK. Caching or deriving other keys from the AMSK is entirely possible.
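The EAP-KDF component Joe sketches above, as an added illustration that is not code from the draft or from either poster: the EMSK never leaves the component, each application's AMSK is derived under an application-specific label, an allow-list restricts which component may request which application's key, and the EMSK can be discarded once the needed AMSKs are out. The HMAC-SHA256 construction, the label format and the names `EapKdf`, `derive_amsk` and `discard_emsk` are my assumptions, not the draft's KDF.

```python
import hashlib
import hmac


class EapKdf:
    """Holds the EMSK and hands out per-application keys (AMSKs).

    Assumed design (not the draft's KDF): AMSK = HMAC-SHA256(EMSK, label || counter)
    with a label that names the application, plus an allow-list saying which
    component may obtain keys for which application.
    """

    def __init__(self, emsk: bytes, allow: dict[str, set[str]]) -> None:
        self._emsk = emsk
        self._allow = allow  # component name -> applications it may obtain keys for

    def derive_amsk(self, component: str, application: str, length: int = 32) -> bytes:
        # Access control happens here, before any key material is produced.
        if application not in self._allow.get(component, set()):
            raise PermissionError(f"{component!r} may not obtain keys for {application!r}")
        if self._emsk is None:
            raise RuntimeError("EMSK already discarded; no further AMSKs can be derived")
        # The label binds the output to the application, so two applications
        # never receive the same key and neither learns the EMSK itself.
        label = b"AMSK|" + application.encode("utf-8") + b"|" + length.to_bytes(2, "big")
        out = b""
        counter = 1
        while len(out) < length:
            out += hmac.new(self._emsk, label + bytes([counter]), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def discard_emsk(self) -> None:
        # Once the required AMSKs are derived the EMSK is no longer needed.
        self._emsk = None


def demo() -> dict[str, bytes]:
    # Constructed sample EMSK, not taken from any real EAP exchange.
    emsk = bytes(range(64))
    kdf = EapKdf(emsk, allow={"aaa": {"handover", "access-tech"}, "handover-app": {"handover"}})
    keys = {
        "handover": kdf.derive_amsk("aaa", "handover"),
        "access-tech": kdf.derive_amsk("aaa", "access-tech"),
    }
    kdf.discard_emsk()
    return keys
```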
- RE: the outcome of EMSK and AMSK discussion? Nakhjiri Madjid-MNAKHJI1, November 23 2005
- RE: the outcome of EMSK and AMSK discussion? Salowey, Joe, November 28 2005
- RE: the outcome of EMSK and AMSK discussion? Nakhjiri Madjid-MNAKHJI1, November 30 2005
Results generated by Tiger Technologies using MHonArc.