About use of EMSK

From: Rafa Marin Lopez (rafa
Date: Mon, 20 Feb 2006 14:13:35 -0800 (PST)

After the last discussions on strawman -10 (and those related to EMSK/AMSK in November),
I am still trying to figure out which layer, as specified in figure 3,
would be intended to create more keys by using the MSK, EMSK exported by the EAP method.
In section 2.2 it is said:
"As illustrated in Figure 3, on completion of EAP authentication, EAP methods export the Master Session Key (MSK), Extended Master Session Key (EMSK), Peer-ID, Server-ID, Session-ID and Key-Lifetime to the EAP peer or authenticator layers. The Initialization Vector (IV) is deprecated."
That is, EMSK, MSK arrive at the next lower layer than the EAP method layer. Now EMSK, MSK are in the EAP peer/authenticator layer. Following the next text:
"The EAP peer and authenticator layers MUST NOT modify or cache keying
material or parameters (including Channel Bindings) passing in either
direction between the EAP method layer and the EAP layer."
it means EMSK, MSK now arrive at the EAP layer... but
"The EAP layer also MUST NOT cache keying material or parameters (including Channel Bindings) passed to it, whether by the EAP peer/authenticator layer, the lower layer or the AAA layer."
Thus EMSK, MSK would arrive at the lower layer/AAA layer. If EMSK does not want to be exported to the AAA layer or lower layer at some point (either the EAP peer/authenticator layer or the EAP layer), EMSK is removed. In strawman 10, EMSK now appears in the AAA layer (though I don't know if it will eventually be that way).
My question is what layer (EAP method, EAP peer/authenticator layer, EAP layer, lower layer/AAA layer) is intended to get EMSK to create new possible keys (AMSK)?
Is there any decision in this regard?
The question is also related to draft-aboba-eap-keying-extns-00.txt: basically, what layer is intended to calculate this function (or similar)?

AMSK = KDF(EMSK, key label, optional application data, length)

Thanks.
--
------------------------------------------------------
Rafael Marin Lopez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968367645
e-mail: rafa [at] dif.um.es
------------------------------------------------------
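
The derivation named at the end of the message, AMSK = KDF(EMSK, key label, optional application data, length), as an added example that is not part of the original post or of the drafts it cites. The KDF here is an assumption: the HMAC-SHA-256 prf+ expansion and input encoding later specified for EMSK-derived keys in RFC 5295; the key labels, the EMSK value and the helper export_application_keys are constructed for illustration.

```python
import hashlib
import hmac
import struct

HASH_LEN = 32  # HMAC-SHA-256 output size in octets


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ expansion: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range for prf+")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_amsk(emsk: bytes, key_label: str, app_data: bytes = b"", length: int = 64) -> bytes:
    """AMSK = KDF(EMSK, key label, optional application data, length)."""
    if len(emsk) < 64:
        raise ValueError("EMSK must be at least 64 octets")
    label = key_label.encode("ascii")
    if not label or b"\x00" in label:
        raise ValueError("key label must be non-empty and contain no NUL")
    # Assumed input encoding: label | NUL | optional data | 2-octet length.
    # Binding the length means a short key is not a prefix of a longer one.
    seed = label + b"\x00" + app_data + struct.pack("!H", length)
    return prf_plus(emsk, seed, length)


def export_application_keys(emsk: bytes, labels: list[str]) -> dict[str, bytes]:
    """Whichever layer holds the EMSK hands out only per-label AMSKs."""
    return {label: derive_amsk(emsk, label) for label in labels}


if __name__ == "__main__":
    emsk = bytes(range(64))  # constructed sample value, not a real EMSK
    keys = export_application_keys(emsk, ["app-a@example.com", "app-b@example.com"])
    for label, amsk in keys.items():
        print(label, amsk[:8].hex())
```

Because each AMSK is bound to its label, a consumer that receives one AMSK learns nothing usable about the EMSK or about the AMSK derived for another label.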