issue: aaa-key confusion (review of eap-keying-08 by mats naslund)
From: Jari Arkko (jari.arkkopiuha.net)
Date: Wed, 30 Nov 2005 21:30:08 -0800 (PST)
Submitter name: Mats Naslund
Submitter email address: Mats.Naslund [at] ericsson.com
Reference: (this email)
Document: Keying Framework
Comment type: T
Priority: 1
Section: multiple
Rationale/Explanation of issue:

AAA-Key
    A key derived by the peer and EAP server, used by the peer and
    authenticator in the derivation of Transient Session Keys (TSKs).
    Where a backend authentication server is present, the AAA-Key is
    transported from the backend authentication server to the
    authenticator.  In existing usage, the AAA-Key is always derived
    from the MSK and so can be referred to using the MSK name.  AAA-Key
    = MSK(0,63).

MN: Isn't it the case that we MUST have AAAk = MSK for mode
independence? Why does it only say "in existing usage..."?

The purpose of the PMK is a bit unclear to me...

  Within EAP, the primary function of the AAA protocol is to maintain
  the principle of Mode Independence, so that as far as the EAP peer is
  concerned, its conversation with the EAP authenticator, and all
  consequences of that conversation, are identical, regardless of the
  authenticator mode of operation.

MN: Doesn't this imply that AAAk MUST be equal to MSK?

  An additional step (phase 1b) is required in deployments which
  include a backend authentication server, in order to transport keying
  material from the backend authentication server to the authenticator.
  In order to obey the principle of Mode Independence, where a backend
  server is present AAA Key transport needs to provide the exported EAP
  keying material and/or derived keys required for derivation of the
  TSKs.  Since existing TSK derivation techniques depend solely on the
  MSK, in existing AAA implementations, this is the only keying
  material replicated in the AAA key transport phase 1b.

MN: Again, does this imply that MSK = AAAk? How else do we get mode independence?


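The following is an added example, not part of the draft or of the review above, that models the key naming the quoted text describes: the peer and the EAP server each export a 64-octet MSK, the authenticator obtains AAA-Key = MSK(0,63) over AAA in phase 1b (or holds the MSK directly when the EAP server is co-located), and both peer and authenticator derive TSKs from it. The PRF, the TSK derivation, METHOD_SECRET and the nonces are constructed stand-ins (real EAP methods and lower layers define their own); the 32-octet PMK is the IEEE 802.11i usage of the MSK. The last function models a hypothetical AAA transport that ships something other than the full MSK, to make the Mode Independence concern concrete: the peer's result is unchanged, so the authenticator only matches it if AAA-Key reproduces the peer's MSK.

```python
import hashlib
import hmac

MSK_LEN = 64  # EAP methods export a 64-octet MSK (and a 64-octet EMSK)

# Constructed inputs for the demonstration (not real traffic).
METHOD_SECRET = b"constructed-eap-method-secret"
NONCE_AUTHENTICATOR = bytes(range(16))
NONCE_PEER = bytes(range(16, 32))


def prf(key, label, length):
    """Counter-mode HMAC-SHA256 expansion. Illustrative only: each EAP
    method (EAP-TLS, EAP-AKA, ...) defines its own MSK/EMSK derivation."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def eap_method_export(method_secret):
    """Stand-in for the EAP method's key export. The peer and the EAP server
    each run this locally; only those two parties know method_secret."""
    return prf(method_secret, b"MSK", MSK_LEN), prf(method_secret, b"EMSK", MSK_LEN)


def aaa_key_from_msk(msk):
    """AAA-Key = MSK(0,63): octets 0..63, i.e. the whole 64-octet MSK."""
    if len(msk) != MSK_LEN:
        raise ValueError("MSK must be 64 octets")
    return msk[0:64]


def pmk_from_msk(msk):
    """IEEE 802.11i existing usage: the PMK is the first 32 octets of the MSK."""
    return msk[0:32]


def derive_tsk(key_material, nonce_a, nonce_p):
    """Illustrative lower-layer TSK derivation (a stand-in, not the 802.11i
    4-way handshake). Both sides must start from the same key_material."""
    return prf(key_material, b"TSK" + nonce_a + nonce_p, 32)


def run_exchange(backend, aaa_transport=aaa_key_from_msk, method_secret=METHOD_SECRET):
    """Return (peer_tsk, authenticator_tsk) for one EAP run.

    backend=False: standalone authenticator with a co-located EAP server,
    so the authenticator holds the MSK directly.
    backend=True: pass-through authenticator; phase 1b transports whatever
    aaa_transport() produces from the server's MSK over AAA."""
    peer_msk, _peer_emsk = eap_method_export(method_secret)
    server_msk, _server_emsk = eap_method_export(method_secret)
    if backend:
        authenticator_material = aaa_transport(server_msk)
    else:
        authenticator_material = server_msk
    # The peer never sees phase 1b; it derives from its own MSK either way.
    peer_tsk = derive_tsk(peer_msk, NONCE_AUTHENTICATOR, NONCE_PEER)
    authenticator_tsk = derive_tsk(authenticator_material, NONCE_AUTHENTICATOR, NONCE_PEER)
    return peer_tsk, authenticator_tsk


def tsks_agree(backend, aaa_transport=aaa_key_from_msk):
    """True when peer and authenticator end up with the same TSK."""
    peer_tsk, auth_tsk = run_exchange(backend, aaa_transport)
    return hmac.compare_digest(peer_tsk, auth_tsk)


def peer_view_is_mode_independent():
    """Mode Independence seen from the peer: its TSK is identical whether or
    not a backend authentication server took part."""
    standalone, _ = run_exchange(backend=False)
    pass_through, _ = run_exchange(backend=True)
    return standalone == pass_through


def truncating_transport(msk):
    """Hypothetical AAA transport that ships only MSK(0,31). Included to show
    the failure mode; no specification defines this."""
    return msk[0:32]


if __name__ == "__main__":
    print("standalone agree:", tsks_agree(False))
    print("pass-through agree:", tsks_agree(True))
    print("peer mode-independent:", peer_view_is_mode_independent())
    print("truncated AAA-Key agree:", tsks_agree(True, truncating_transport))
```

The peer's TSK comes out the same in both modes because the peer computes it from its own MSK; the authenticator matches it only when phase 1b delivers exactly the MSK, which is what the "AAA-Key = MSK(0,63)" identity guarantees and what the hypothetical truncating transport breaks.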