Subject: Re: Issue: Use of term lower layer
From: Jari Arkko (jari.arkko
Date: Tue, 13 Dec 2005 05:37:30 -0800 (PST)
Joe,

> "EAP keying material and parameters provided to a lower layer other
> than AAA MUST NOT be transported to another entity."
>
> to
>
> "EAP keying material and parameters provided to a lower layer MUST NOT
> be transported to another entity."
>
> --Jari
>
> Seems to prohibit distributed authenticators, including 802.11r. I'd be
> OK with this if we didn't exclude transportation of keys derived from
> the provided keys.
>
> [Joe] OK, but I think the original text would cause problems with .11r
> as well. In any case I'm OK with the lower layer doing whatever it
> wants with the keys once it has them. I think what we want to avoid is
> the same keys and parameters being sent to more than one lower
> layer/application.

Agreed. How about this:

"In order to preserve the security of keys derived within EAP methods,
lower layers other than AAA MUST NOT export keys passed down by EAP
methods. This implies that EAP keying material or parameters passed
down to a lower layer are for the exclusive use of that lower layer and
MUST NOT be used within another lower layer. This prevents compromise
of one lower layer from compromising other applications using EAP
keying parameters.

EAP keying material and parameters provided to a lower layer other than
AAA MUST NOT be transported to another entity. For example, EAP keying
material and parameters passed down to the EAP peer lower layer MUST
NOT leave the peer; EAP keying material and parameters passed down or
transported to the EAP authenticator lower layer MUST NOT leave the
authenticator."

to

"In order to preserve the security of keys derived within EAP methods,
EAP keying material or parameters passed down to a lower layer are for
the exclusive use of that lower layer. This prevents compromise of one
lower layer from compromising other applications using EAP keying
parameters.

EAP keying material and parameters provided to a lower layer MUST NOT
be transported to another entity. The same applies to other keying
material derived from the EAP keying material, if the EAP keying
material can be computed from the other material without breaking some
cryptographic assumption, such as inverting a one-way function. For
example, MSK passed down to the EAP peer lower layer or transported to
the authenticator MUST NOT leave the peer."

--Jari
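A small Python illustration of the criterion in the proposed text above, added here and not taken from the thread or from any EAP implementation: a key derived from the MSK through a one-way function may be handed to another entity, while the MSK itself, or anything the MSK can be recomputed from, may not. The HMAC-SHA256 derivation, the XOR counterexample, the `LowerLayer` class, the sample values and the `pmk-r1` label are all assumptions made for the illustration.

```python
import hmac
import hashlib

# Constructed sample values: a 64-byte MSK as an EAP method would export it,
# and a nonce assumed to be public (known to every entity involved).
SAMPLE_MSK = bytes((i * 7) % 256 for i in range(64))
SAMPLE_NONCE = bytes((i * 13 + 5) % 256 for i in range(64))


def one_way_derive(msk: bytes, label: bytes, length: int = 32) -> bytes:
    # Assumed KDF (not the spec's): HMAC-SHA256 keyed with the MSK.
    # Recovering the MSK from the output means inverting HMAC-SHA256,
    # so such a key is the kind the proposed text allows to be transported.
    return hmac.new(msk, label, hashlib.sha256).digest()[:length]


def xor_derive(msk: bytes, nonce: bytes) -> bytes:
    # Constructed counterexample: an invertible "derivation". Because
    # msk == xor_derive(derived, nonce), handing this key to an entity
    # that knows the nonce is equivalent to handing over the MSK.
    return bytes(a ^ b for a, b in zip(msk, nonce))


def msk_leaks_through_xor(msk: bytes, nonce: bytes) -> bool:
    # True if the MSK is recomputable from the XOR-derived key plus the nonce.
    return xor_derive(xor_derive(msk, nonce), nonce) == msk


class LowerLayer:
    """Keeps the MSK for the exclusive use of one lower layer and releases
    only one-way derived keys to other entities."""

    def __init__(self, name: str, msk: bytes) -> None:
        self.name = name
        self._msk = msk            # never returned by any method
        self._exportable = {}      # label -> one-way derived key

    def derive(self, label: bytes) -> bytes:
        key = one_way_derive(self._msk, label)
        self._exportable[label] = key
        return key

    def transport(self, label: bytes) -> bytes:
        # Release a key to another entity (e.g. a second 802.11r
        # authenticator); only one-way derived keys ever leave this object.
        if label not in self._exportable:
            raise PermissionError(f"{self.name}: {label!r} is not exportable")
        return self._exportable[label]
```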