RE: issue: key separation (review of eap-keying-08 by matsnaslund)
From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjirimotorola.com)
Date: Thu, 5 Jan 2006 09:24:06 -0800 (PST)
 
Question: 

Say, I have a local key distribution center (LKDC) within the network that can 
receive the MSK or something similar from the AAA/EAP server and generate other 
keys (say for handover). I am guessing the requirement below means this LKDC has 
to be an AAA client or, even more specifically, a collocated AAA client/pass-through 
authenticator, so that the AAA layer receives the MSK?


-----Original Message-----
From: Jari Arkko [mailto:jari.arkko [at] piuha.net] 
Sent: Wednesday, November 30, 2005 11:33 PM
To: eap [at] frascone.com
Cc: "Mats Näslund (KI/EAB)"
Subject: [eap] issue: key separation (review of eap-keying-08 by matsnaslund)

Submitter name: Mats Naslund
Submitter email address: Mats.Naslund [at] ericsson.com
Reference: (this email)
Document: Keying Framework
Comment type: T
Priority: 1
Section: multiple
Rationale/Explanation of issue:

   In order to preserve the security of keys derived within EAP methods,
   lower layers other than AAA MUST NOT export keys passed down by EAP
   methods.  This implies that EAP keying material or parameters passed
   down to a lower layer are for the exclusive use of that lower layer
   and MUST NOT be used within another lower layer.  This prevents
   compromise of one lower layer from compromising other applications
   using EAP keying parameters.

MN: I guess this is "key separation"... But if this is a MUST requirement, why 
not here standardize a way to do it? I.e.

    lower_layer_key = f(MSK, layer_ID).

   In order to provide method independence, key
   management of exported or derived keys SHOULD NOT be provided within
   EAP methods.

MN: does this exclude that EAP can provide key separation?

   Since neither EAP nor EAP methods provide key management support, it
   is RECOMMENDED that key management facilities be provided within the
   Secure Association Protocol.  This includes:

MN: But if the MSK is always sent to the SA protocol, it really does not help 
if the SA protocol does e.g. key separation. Compromise of the "entity" hosting 
the SA protocol would still compromise the MSK. I guess I am asking: is there a 
"middle layer" missing, between EAP and the SA protocol that takes care of key 
separation?
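
The `lower_layer_key = f(MSK, layer_ID)` idea raised in the review above, as an added example that is not part of the original message or of the keying draft. It assumes `f` is HMAC-SHA256 used in counter mode; the label string, the `KeySeparationLayer` class, the layer IDs and the sample MSK are all hypothetical or constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"example lower-layer key separation"  # hypothetical label, not from the draft


def derive_lower_layer_key(msk: bytes, layer_id: bytes, length: int = 32) -> bytes:
    """lower_layer_key = f(MSK, layer_ID); f is assumed to be HMAC-SHA256 in counter mode."""
    if not msk:
        raise ValueError("MSK must not be empty")
    if not layer_id or len(layer_id) > 255:
        raise ValueError("layer_id must be 1..255 octets")
    if not 1 <= length <= 255 * 32:
        raise ValueError("length out of range")
    # Length-prefix layer_ID so two different IDs can never produce the same PRF input,
    # and bind the requested length so a short key is not a prefix of a longer one.
    context = LABEL + b"\x00" + bytes([len(layer_id)]) + layer_id + length.to_bytes(2, "big")
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(msk, bytes([counter]) + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeySeparationLayer:
    """Hypothetical 'middle layer': holds the MSK and exports only per-layer keys."""

    def __init__(self, msk: bytes):
        self._msk = msk  # never handed to a lower layer

    def export_for(self, layer_id: bytes) -> bytes:
        return derive_lower_layer_key(self._msk, layer_id)


def demo() -> dict:
    msk = bytes(range(64))  # constructed 64-octet sample value, not a real MSK
    middle = KeySeparationLayer(msk)
    # Constructed layer IDs; "layer-AB" checks that similar IDs still separate.
    return {lid: middle.export_for(lid) for lid in (b"layer-A", b"layer-B", b"layer-AB")}


if __name__ == "__main__":
    for lid, key in demo().items():
        print(lid.decode(), key.hex())
```

A lower layer that receives only its derived key cannot compute another layer's key or the MSK from it; the component holding the MSK remains the single point whose compromise exposes everything.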


