Re: About use of EMSK
From: Rafa Marin Lopez (rafadif.um.es)
Date: Mon, 27 Feb 2006 08:10:20 -0800 (PST)
Hi Joe,

I appreciate your answer... please see inline.

Salowey, Joe wrote:
-----Original Message-----
From: Rafa Marin Lopez [mailto:rafa [at] dif.um.es]
Sent: Monday, February 20, 2006 2:13 PM
To: eap [at] frascone.com
Subject: [eap] About use of EMSK

After the last discussions on strawman -10 (and those related to EMSK/AMSK in November), I am still trying to figure out which layer, as specified in Figure 3, is intended to create more keys using the MSK and EMSK exported by the EAP method.

In section 2.2 it is said:

"As illustrated in Figure 3, on completion of EAP authentication, EAP
methods export the Master Session Key (MSK), Extended Master Session
Key (EMSK), Peer-ID, Server-ID, Session-ID and Key-Lifetime to the
EAP peer or authenticator layers. The Initialization Vector (IV) is
deprecated."

That is, the EMSK and MSK arrive at the next layer below the EAP method layer. Now the EMSK and MSK are in the EAP peer/authenticator layer. Following the next text:

"The EAP peer and authenticator layers MUST NOT modify or cache keying
material or parameters (including Channel Bindings) passing in either
direction between the EAP method layer and the EAP layer."

it means the EMSK and MSK now arrive at the EAP layer... but

"The EAP layer also MUST NOT cache keying material or parameters (including
Channel Bindings) passed to it, whether by the EAP peer/authenticator
layer, the lower layer or the AAA layer."

Thus the EMSK and MSK would arrive at the lower layer/AAA layer. If the EMSK is not to be exported to the AAA layer or lower layer, at some point (either the EAP peer/authenticator layer or the EAP layer) the EMSK is removed. In strawman 10, the EMSK now appears in the AAA layer (though I don't know if it will eventually stay that way).
[Joe] The EMSK MUST NOT be exported to the lower layer.

That clarifies this point. In your answer you specify "only" the lower layer. Did you forget to include the AAA layer? Or do you think the AAA layer might receive the EMSK?

My question is which layer (EAP method layer, EAP peer/authenticator layer, EAP layer, lower layer/AAA layer) is intended to get the EMSK to create possible new keys (AMSK)?
[Joe] The AMSKs should be derived by the EAP server and the EAP peer.

Yes. But my question was a bit more specific. As you know, Figure 3 in the EAP key management framework (v9 and v10) shows several layers.
Thus my question was, within the EAP peer / EAP server (and considering Figure 3):

"which layer (EAP method layer, EAP peer/authenticator layer, EAP layer, lower layer/AAA layer) is intended to get the EMSK to create possible new keys (AMSK)?"

(From your previous answer, it is clear we can discard the lower layer as a possible answer.)

Thanks.

Is there any decision in this regard?

The question is also related to draft-aboba-eap-keying-extns-00.txt: basically, which layer is intended to calculate this function (or a similar one)?
AMSK = KDF(EMSK, key label, optional application data, length)

Thanks.

--
------------------------------------------------------
Rafael Marin Lopez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968367645    e-mail: rafa [at] dif.um.es
------------------------------------------------------

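The derivation asked about in the thread, AMSK = KDF(EMSK, key label, optional application data, length), as an added example that is not part of the original messages or of the draft. The concrete construction is an assumption for illustration: a PRF+ built on HMAC-SHA256 over label | 0x00 | application data | length (the shape RFC 5295 later standardised), plus a small model of the export path showing the MSK going down to the lower layer while the EMSK stays with the EAP peer and EAP server, as Joe states above.

```python
import hashlib
import hmac


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """PRF+ (IKEv2 style): T(1) = HMAC(key, data | 0x01),
    T(i) = HMAC(key, T(i-1) | data | i); output is the concatenation."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested length exceeds the PRF+ counter range")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + data + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_amsk(emsk: bytes, key_label: bytes, app_data: bytes, length: int) -> bytes:
    """AMSK = KDF(EMSK, key label, optional application data, length).
    Input encoding (label | 0x00 | app data | 2-octet length) is an assumption."""
    if len(emsk) < 64:
        raise ValueError("EMSK must be at least 64 octets (RFC 3748)")
    data = key_label + b"\x00" + app_data + length.to_bytes(2, "big")
    return prf_plus(emsk, data, length)


def eap_method_export(msk: bytes, emsk: bytes, peer_id: str, server_id: str) -> dict:
    """What an EAP method exports on success (section 2.2 text quoted in the thread)."""
    return {"MSK": msk, "EMSK": emsk, "Peer-ID": peer_id, "Server-ID": server_id}


def export_to_lower_layer(exported: dict) -> dict:
    """What the EAP peer/authenticator layer passes down. The EMSK MUST NOT be
    exported to the lower layer; it stays with the EAP peer and EAP server,
    which are the entities deriving AMSKs."""
    return {k: v for k, v in exported.items() if k != "EMSK"}


if __name__ == "__main__":
    # Constructed sample keys; real ones come from the EAP method.
    emsk = bytes(range(64))
    msk = bytes(64)
    exported = eap_method_export(msk, emsk, "peer@example.com", "server.example.com")
    lower = export_to_lower_layer(exported)
    amsk = derive_amsk(emsk, b"example-app@ietf.org", b"", 64)
    print("lower layer receives:", sorted(lower))
    print("AMSK:", amsk.hex())
```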