Re: Proposed Resolution to Issue 314: AAA-Key Confusion

From: Yoshihiro Ohba (yohba
Date: Wed, 11 Jan 2006 06:00:23 -0800 (PST)

On Sun, Jan 08, 2006 at 10:31:05AM -0800, Bernard Aboba wrote:
> The text of Issue 314 is available here:
> http://www.drizzle.com/~aboba/EAP/eapissues3.html#Issue%20314
>
> The Proposed Resolution is as follows:
>
> In Section 1.2, change:
>
> "AAA-Key
>    A key derived by the peer and EAP server, used by the peer and
>    authenticator in the derivation of Transient Session Keys (TSKs).
>    Where a backend authentication server is present, the AAA-Key is
>    transported from the backend authentication server to the
>    authenticator. In existing usage, the AAA-Key is always derived
>    from the MSK and so can be referred to using the MSK name. AAA-Key
>    = MSK(0,63)."
>
> To:
>
> "AAA-Key
>    The term "AAA-Key" is synonymous with MSK."

This does not work for draft-ohba-eap-aaakey-binding-01 where
AAA-Key = KDF(MSK, AAA-Key-name|key-binding-blob).

Yoshihiro Ohba

>
> In Section 2.1, change:
>
> " An additional step (phase 1b) is required in deployments which
> include a backend authentication server, in order to transport keying
> material from the backend authentication server to the authenticator.
> In order to obey the principle of Mode Independence, where a backend
> server is present AAA Key transport needs to provide the exported EAP
> keying material and/or derived keys required for derivation of the
> TSKs. Since existing TSK derivation techniques depend solely on the
> MSK, in existing AAA implementations, this is the only keying
> material replicated in the AAA key transport phase 1b. "
>
> To:
>
> " An additional step (phase 1b) is required in deployments which
> include a backend authentication server, in order to transport keying
> material from the backend authentication server to the authenticator.
> In order to obey the principle of Mode Independence, where a backend
> server is present, all keying material which is required by the lower
> layer needs to be transported from the EAP server to the authenticator.
> Since existing TSK derivation techniques depend solely on the
> MSK, in existing implementations, this is the only keying
> material replicated in the AAA key transport phase 1b. "
>
>
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
>
> Archives: http://lists.frascone.com/pipermail/eap
>
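The two AAA-Key definitions contrasted in this message, side by side, as an added example that is not code from the thread or from draft-ohba-eap-aaakey-binding-01. The KDF (HMAC-SHA-256 in counter mode), the length-prefixed encoding of the "|" concatenation, and all sample values are assumptions made for illustration; the message does not specify them.

```python
import hashlib
import hmac

MSK_LEN = 64  # MSK(0,63) in the quoted text: octets 0 through 63


def aaa_key_existing(msk: bytes) -> bytes:
    """Existing usage quoted above: AAA-Key = MSK(0,63)."""
    if len(msk) < MSK_LEN:
        raise ValueError("MSK must be at least 64 octets")
    return msk[:MSK_LEN]


def kdf(key: bytes, context: bytes, length: int = MSK_LEN) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-256 in counter mode."""
    out, counter = b"", 1
    while len(out) < length:
        block = counter.to_bytes(4, "big") + context
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aaa_key_bound(msk: bytes, key_name: bytes, binding_blob: bytes) -> bytes:
    """AAA-Key = KDF(MSK, AAA-Key-name | key-binding-blob)."""
    # Length-prefix each field so the concatenation cannot be parsed two
    # ways (assumption; the message only writes "|").
    context = b"".join(
        len(field).to_bytes(2, "big") + field
        for field in (key_name, binding_blob)
    )
    return kdf(aaa_key_existing(msk), context)


# Constructed sample values, not taken from any specification.
SAMPLE_MSK = bytes(range(64))
SAMPLE_NAME = b"example-aaa-key-name"
BLOB_A = b"binding-for-authenticator-A"
BLOB_B = b"binding-for-authenticator-B"

if __name__ == "__main__":
    plain = aaa_key_existing(SAMPLE_MSK)
    bound_a = aaa_key_bound(SAMPLE_MSK, SAMPLE_NAME, BLOB_A)
    bound_b = aaa_key_bound(SAMPLE_MSK, SAMPLE_NAME, BLOB_B)
    print("existing AAA-Key == MSK:", plain == SAMPLE_MSK)   # synonym holds
    print("bound AAA-Key == MSK:   ", bound_a == SAMPLE_MSK)  # synonym fails
    print("A and B keys differ:    ", bound_a != bound_b)
```

Under the existing definition the authenticator receives the MSK itself, so the two names refer to the same octets; under the key-binding definition each binding context yields a distinct key derived from the MSK, so the names are no longer interchangeable.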