RE: issue: distributed authenticators (review of eap-keying-08 by mats naslund)

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Thu, 5 Jan 2006 09:14:13 -0800 (PST)
Hi Mats,

These are the exact types of issues we are trying to address in the HOKEY "group". You have a BS that does not necessarily have pass-through authenticator or even AAA client functionality, but terminates the link encryption (802.16e) in your case, and this means TSKs that are established between peer and authenticator are not relevant for the access link. We started to introduce a new term, link session key (LSK), for that purpose in our initial PS draft. Looking at the definition of LSK in the initial PS draft, http://www.ietf.org/internet-drafts/draft-nakhjiri-aaa-hokey-ps-00.txt, I think that definition also needs to be revised. But the point is that the draft is trying to address the issues with using EAP keying terminology and methodology for the design of handover key management.

The PMK is also confusing, and I think it is only mentioned because 802.11 uses it.

Madjid

Transient Session Keys (TSKs)
Session keys used to protect data exchanged in a session between the peer and authenticator after the EAP authentication has successfully completed. TSKs are appropriate for the lower layer ciphersuite negotiated between the ports of the EAP peer and authenticator. Examples of TSK derivation are provided in Appendix B.

MN: Here I have some trouble... This seems to mandate that protection (on the network side) MUST be terminated in the authenticator. In WiMAX, the authenticator is in the AGW, but the session protection is in the BS. I.e. it is not clear why both PMK and TSK should be shared between the same two entities... Doesn't one shared key suffice?

TSKs are permitted to be accessed only by the EAP peer and authenticator. Since the TSKs can be determined from the transported

MN: does this imply that the authenticator always needs to be in the "base station"?
(since the base station will know TSKs)