eap Mailing List: Re: EAP-AKA Key derivation

[Thomas Otto (t.otto]

Hi Jari, all, 

> Clarifying question:
>
> Is the problem that the KDF specification is unclear,
> or that a NIST publication is needed to implement it?

I was wondering why EAP-SIM and EAP-AKA use such a complicated
key derivation function. I do not know what the Secure Hash Standard is,
so I would have to read in NIST documents about it.

I think the construction used by IKEv2

prf+(K,S) = T1 + T2 + T3 + T4 + ...
where
T1 = prf (K, S + 0x01)
T2 = prf(K, T1 + S + 0x02)
T3 = prf(K, T2 + S + 0x03)
T4 = prf(K, T3 + S + 0x04)
...

is more convenient for key derivation. It seems to work nicely. 
Note that DSS-KDF has already patched one time, namely after Daniel
Bleichenbacher found an attack on the first version. Apparently, the
construction of the KDF has been long time not well understood.

What I am just interested in, is the reason of the authors of EAP-SIM
and EAP-AKA for having adopted the DSS-KDF. 

Thomas


_________
PS. The IPsec Working Group has discussed the IKEv2-KDF very
extensively, e.g. in November 2002 here
http://www.vpnc.org/ietf-ipsec/02.ipsec/msg02655.html

>

> Thomas Otto wrote:
> >Hi all,
> >
> >EAP-AKA uses the DSS key derivation function (KDF) to derive
> >export keying material.
> >
> >Although the draft describes the KDF briefly (see below), I would
> >not be able to ... say implement this function. Rather I would have
> >to look in NIST publication what the SHS actually is ... :-(
> >
> >So, does anyone know why this burden is in EAP-AKA?