RE: Strawman -10

From: Salowey, Joe (jsalowey
Date: Wed, 1 Mar 2006 16:00:10 -0800 (PST)

> -----Original Message-----
> From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri [at] motorola.com]
> Sent: Wednesday, March 01, 2006 2:44 PM
> To: Salowey, Joe; Bernard Aboba
> Cc: eap [at] frascone.com
> Subject: RE: [eap] Strawman -10
>
> > The difference is subtle, but potentially important for issues such as
> > crypto-agility. Allowing the lower layer to obtain the EMSK enables
> > the lower layer to negotiate the PRFs used in AMSK generation, whereas
> > this is not possible if AMSK generation is handled in the EAP layer.
> > It also maintains backward compatibility so that a lower layer using
> > the AMSK can be introduced without requiring changes to existing EAP
> > implementations.
> >
> > As long as the EAP peer does not need to be aware of whether the
> > authenticator is configured in standalone or pass-through mode, I
> > think that the requirements of mode independence have been met.
>
> [Joe] This worries me. It ties the key derivation to the lower layer,
> which could be problematic. A goal of the EMSK to AMSK derivation is to
> contain the problem of a misbehaving lower layer to the lower layer
> itself. A lower layer that determines the key derivation algorithm
> conflicts with this goal. What happens if there are multiple AMSKs
> being derived for different purposes? Who decides the KDF?
>
> I think I would prefer to see a default KDF specified with the
> capability of an EAP method to override it with a KDF of its own.
>
> Madjid>> Are you saying all EMSK-AMSK generations will have to follow
> the same KDF defined based on EAP method? And ruling out use of
> different KDFs for different AMSKs?
>

[Joe] Yes. A single coordinated KDF definition is a robust and deterministic way to avoid one key derivation scheme compromising other keys derived from another scheme.
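The arrangement argued for in the message above (one default KDF, replaceable only by the EAP method, with several AMSKs derived for different purposes), sketched as an added example that is not part of the original message or of any specification text on this page. The HMAC-SHA-256 default, the counter-mode expansion, the label encoding, the override table and all names are assumptions.

```python
import hashlib
import hmac

EMSK_MIN_LEN = 64  # RFC 3748: the EMSK is at least 64 octets

# Assumption: HMAC-SHA-256 as the single default PRF for all AMSK derivations.
DEFAULT_HASH = hashlib.sha256

# Hypothetical override table: a method that defines its own KDF replaces the
# default for every AMSK it produces. The lower layer never selects an entry.
METHOD_KDF_OVERRIDE = {"hypothetical-method-sha512": hashlib.sha512}


def prf_plus(hash_fn, key, seed, length):
    """Counter-mode expansion: T1 = PRF(K, S|0x01), Tn = PRF(K, Tn-1|S|n)."""
    digest_len = hash_fn().digest_size
    if not 0 < length <= 255 * digest_len:
        raise ValueError("requested length out of range")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]), hash_fn).digest()
        out += block
        counter += 1
    return out[:length]


def derive_amsk(emsk, eap_method, label, length=64):
    """Derive one application key; the label is the only caller-chosen input."""
    if len(emsk) < EMSK_MIN_LEN:
        raise ValueError("EMSK shorter than 64 octets")
    if not label or b"\x00" in label:
        raise ValueError("label must be non-empty and contain no NUL")
    hash_fn = METHOD_KDF_OVERRIDE.get(eap_method, DEFAULT_HASH)
    # The NUL terminator makes the label encoding unambiguous and the length
    # is bound in, so distinct labels or lengths never share a PRF input.
    seed = label + b"\x00" + length.to_bytes(2, "big")
    return prf_plus(hash_fn, emsk, seed, length)


if __name__ == "__main__":
    emsk = bytes(range(64))  # constructed sample EMSK, not a real key
    for name in (b"handover@example.com", b"vpn@example.com"):
        print(name.decode(), derive_amsk(emsk, "default-method", name).hex()[:32])
```

Because the hash is chosen from the method name alone, a lower layer can request a key for its own label but cannot change how any other label's key is computed.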