RE: About use of EMSK
From: Salowey, Joe (jsaloweycisco.com)
Date: Mon, 27 Feb 2006 10:41:17 -0800 (PST)
Hi Rafa,

Comments and responses inline below.

> -----Original Message-----
> From: Rafa Marin Lopez [mailto:rafa [at] dif.um.es] 
> Sent: Monday, February 27, 2006 8:10 AM
> To: Salowey, Joe
> Cc: eap [at] frascone.com
> Subject: Re: [eap] About use of EMSK
> 
<snip> 

> >>Thus EMSK, MSK would arrive lower layer/AAA layer. If EMSK does not
> >>want to be exported to AAA layer or lower layer in some point (either
> >>EAP peer/authenticator layer or EAP layer), EMSK is removed. In
> >>strawman 10, now EMSK appears in AAA layer (though I don't know if it
> >>will eventually be in that way).
> >
> >[Joe] The EMSK MUST NOT be exported to the lower layer.
> >
> Clarified this point. In your answer you specify "only" lower layer.
> Did you forget to include AAA layer? Or do you think AAA layer might
> receive EMSK?
> 

[Joe] This would depend on where you draw your AAA and EAP server
boundaries.  They are two separate entities and do not even need to be
collocated, but it is fairly common for the EAP server and AAA server to
be collocated or for the EAP server to be part of the AAA server.  How
the EAP server and AAA server divide up their responsibilities depends
upon local implementation so I would say that the AAA server may know
the EMSK as far as it may contain the EAP server. Now I am not sure what
the AAA layer is, but it may not be the same as a AAA server so I can't
really answer your question.  It would seem that the AAA layer would
include the AAA client and AAA server communication.  The EMSK does not
pass through this communication so under this definition it would not go
to the AAA layer.  


> >  
> >
> >>My question is what layer (EAP method, EAP peer/authenticator layer,
> >>EAP layer, lower layer/AAA layer) is intended to get EMSK to create
> >>new possible keys (AMSK)?
> >
> >[Joe] The AMSKs should be derived by the EAP server and the EAP peer.
> >
> Yes. But my question was a bit more specific. As you know the figure 3
> in EAP key mng fwk (v9 and v10) shows several layers.
> Thus my question was in EAP peer / EAP server (and considering figure 3):
> 
> "what layer (EAP method layer, EAP peer/authenticator layer, EAP layer,
> lower layer/AAA layer) is intended to get EMSK to create new possible
> keys (AMSK)?"
> 
> (From your previous answer, it is clear we can discard lower layer as a
> possible answer)
> 
[Joe] I'm not convinced that I understand the layers or that the layer
model is the right thing to apply here,  but given the choices my answer
is the EAP method layer. 


> Thanks.
> 
> >>Is there any decision in this regard?
> >>
> >>The question is also related with draft-aboba-eap-keying-extns-00.txt,
> >>basically what layer is intended to calculate this function (or similar)?
> >>AMSK = KDF(EMSK, key label, optional application data, length)
> >>
> >>Thanks.
> >>
> >>-- 
> >>------------------------------------------------------
> >>Rafael Marin Lopez
> >>Faculty of Computer Science-University of Murcia
> >>30071 Murcia - Spain
> >>Telf: +34968367645    e-mail: rafa [at] dif.um.es
> >>------------------------------------------------------
> 
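
Added example, not part of the original messages or of either draft: a sketch of the quoted function AMSK = KDF(EMSK, key label, optional application data, length), computed at the EAP method layer so that only the MSK and derived AMSKs ever leave it. The thread does not define the KDF; the HMAC-SHA-256 counter-mode expansion, the class and function names, the labels and the key bytes are all assumptions made for illustration.

```python
import hashlib
import hmac

MIN_EMSK_LEN = 64  # RFC 3748: the EMSK is at least 64 octets


def kdf(emsk: bytes, label: str, app_data: bytes = b"", length: int = 64) -> bytes:
    """AMSK = KDF(EMSK, key label, optional application data, length).

    Assumed construction: counter-mode expansion over HMAC-SHA-256.
    """
    if len(emsk) < MIN_EMSK_LEN:
        raise ValueError("EMSK shorter than 64 octets")
    if not label or "\x00" in label:
        raise ValueError("key label must be non-empty and NUL-free")
    if not 0 < length <= 255 * 32:
        raise ValueError("requested length out of range")
    # The label, application data and length are all bound into the PRF
    # input, so changing any of them yields an unrelated key.
    seed = label.encode("ascii") + b"\x00" + app_data + length.to_bytes(2, "big")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(emsk, block + seed + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class EapMethodKeys:
    """Key material held at the EAP method layer after authentication."""

    def __init__(self, msk: bytes, emsk: bytes):
        self.msk = msk        # exported to the lower layer / AAA transport
        self.__emsk = emsk    # never handed out; only derived keys leave

    def derive_amsk(self, label: str, app_data: bytes = b"", length: int = 64) -> bytes:
        return kdf(self.__emsk, label, app_data, length)


# Constructed sample key material, not real session keys.
SAMPLE_MSK = bytes(range(64))
SAMPLE_EMSK = bytes(range(64, 128))

if __name__ == "__main__":
    keys = EapMethodKeys(SAMPLE_MSK, SAMPLE_EMSK)
    for lbl in ("app-a@example.org", "app-b@example.org"):  # hypothetical labels
        print(lbl, keys.derive_amsk(lbl).hex())
```

Because each AMSK is a one-way function of the EMSK and its label, compromise of one application's key does not expose the EMSK or the keys derived under other labels.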
