RE: About use of EMSK
From: Salowey, Joe (jsalowey [at] cisco.com)
Date: Sun, 26 Feb 2006 14:03:14 -0800 (PST)
 

> -----Original Message-----
> From: Rafa Marin Lopez [mailto:rafa [at] dif.um.es] 
> Sent: Monday, February 20, 2006 2:13 PM
> To: eap [at] frascone.com
> Subject: [eap] About use of EMSK
> 
> After the last discussions on strawman -10 (and those related to
> EMSK/AMSK in November), I am still trying to figure out what layer,
> as specified in figure 3, would be intended to create more keys by
> using the MSK, EMSK exported by the EAP method.
> 
> In section 2.2 it is said:
> 
> "As illustrated in Figure 3, on completion of EAP authentication, EAP
>    methods export the Master Session Key (MSK), Extended Master Session
>    Key (EMSK), Peer-ID, Server-ID, Session-ID and Key-Lifetime to the
>    EAP peer or authenticator layers.  The Initialization Vector (IV) is
>    deprecated."
> 
> That is, EMSK, MSK arrive at the next lower layer than the EAP
> method layer. Now EMSK, MSK are in the EAP peer/authenticator
> layer. Following the next text:
> 
>    "The EAP peer and authenticator layers MUST NOT modify or cache keying
>    material or parameters (including Channel Bindings) passing in either
>    direction between the EAP method layer and the EAP layer."
> 
> it means EMSK, MSK now arrive at the EAP layer... but
> 
>    "The EAP layer also MUST NOT cache keying material or parameters
>    (including Channel Bindings) passed to it, whether by the EAP
>    peer/authenticator layer, the lower layer or the AAA layer."
> 
> Thus EMSK, MSK would arrive at the lower layer/AAA layer. If EMSK
> does not want to be exported to the AAA layer or lower layer, at
> some point (either EAP peer/authenticator layer or EAP layer)
> EMSK is removed. In strawman 10, EMSK now appears in the AAA layer
> (though I don't know if it will eventually be that way).

[Joe] The EMSK MUST NOT be exported to the lower layer.  

> 
> My question is what layer (EAP method, EAP peer/authenticator 
> layer, EAP layer, lower layer/AAA layer) 
> is intended to get EMSK to create new possible keys (AMSK)? 
> 

[Joe] The AMSKs should be derived by the EAP server and the EAP peer.  

> is there any decision in this regard?
> 
> The question is also related to
> draft-aboba-eap-keying-extns-00.txt, basically what layer is
> intended to calculate this function (or similar)?
> AMSK = KDF(EMSK, key label, optional application data, length)
> 
> Thanks.
> 
> -- 
> ------------------------------------------------------
> Rafael Marin Lopez
> Faculty of Computer Science-University of Murcia
> 30071 Murcia - Spain
> Telf: +34968367645    e-mail: rafa [at] dif.um.es
> ------------------------------------------------------
> 
> 
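
Added example, not part of the original messages or of the drafts they cite: a Python model of the two answers above, in which only the MSK is handed to the lower layer and the peer and server each compute AMSK = KDF(EMSK, key label, optional application data, length). The KDF here is a stand-in (HMAC-SHA256 in counter mode), since the thread does not define one; the `EapEndpoint` class, the labels and the keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


def kdf(emsk: bytes, key_label: str, app_data: bytes, length: int) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 in counter mode over
    label || 0x00 || optional application data || output length."""
    if not key_label or "\x00" in key_label:
        raise ValueError("key label must be non-empty and contain no NUL")
    if not 0 < length <= 255 * 32:
        raise ValueError("unsupported output length")
    info = key_label.encode("ascii") + b"\x00" + app_data + length.to_bytes(2, "big")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(emsk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class EapEndpoint:
    """Hypothetical model of an EAP peer or EAP server after method completion."""

    def __init__(self, msk: bytes, emsk: bytes):
        if len(msk) < 64 or len(emsk) < 64:
            raise ValueError("MSK and EMSK must be at least 64 octets")
        self._msk, self._emsk = msk, emsk

    def export_to_lower_layer(self) -> dict:
        # Only the MSK crosses this boundary; the EMSK is never included.
        return {"MSK": self._msk}

    def derive_amsk(self, key_label: str, app_data: bytes = b"", length: int = 64) -> bytes:
        # AMSK = KDF(EMSK, key label, optional application data, length)
        return kdf(self._emsk, key_label, app_data, length)


def demo() -> dict:
    msk, emsk = os.urandom(64), os.urandom(64)        # constructed sample keys
    peer, server = EapEndpoint(msk, emsk), EapEndpoint(msk, emsk)
    a_peer = peer.derive_amsk("app-a@example.org")    # constructed key labels
    a_server = server.derive_amsk("app-a@example.org")
    b_peer = peer.derive_amsk("app-b@example.org")
    return {
        "both_sides_agree": hmac.compare_digest(a_peer, a_server),
        "labels_separate": a_peer != b_peer,
        "lower_layer_keys": sorted(peer.export_to_lower_layer()),
    }


if __name__ == "__main__":
    print(demo())
```

Because each AMSK is bound to its key label, a key handed to one application reveals nothing about the EMSK or about the AMSK of another application.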
