Re: Issue 356: Ciphersuite Independence
From: Bernard Aboba (bernard_abobahotmail.com)
Date: Mon, 1 May 2006 18:42:43 -0700 (PDT)
The text of Issue 356 is given below.

Section 3.7 says the following:

"In order to guard against brute force attacks, EAP methods supporting key derivation
need to be capable of generating keying material with an appropriate
effective symmetric key strength. In order to ensure that EAP key
generation is not the weakest link, it is RECOMMENDED that EAP methods
utilizing public key cryptography choose a public key that has a
cryptographic strength meeting the symmetric key strength requirement."


The text is accurate as far as it goes, but it occurs to me that this is not the complete story. Even if the EAP keying material is of sufficient strength, attacks on the transient session keys might still be possible. For example, in IKEv2, EAP is not used for key derivation, just authentication; key derivation is handled by IKEv2 (e.g. DH). If IKEv2 does not negotiate adequate strength for the key derivation (e.g. 512-bit key for DH), the TSKs will be weak regardless of how strong the EAP keying material is, since the MSK is only used for authentication, not key derivation. Similarly, in 802.16 the TSKs are generated purely by the Base Station. If the BS does not have a good random number generator, it would be possible to crack the TSKs without having to brute force the EAP keying material. So in both the IKEv2 and 802.16 cases, strong EAP keying material is necessary, but not sufficient to ensure strong TSKs.

Given this, I am wondering what text is appropriate relating to "system level coordination" in Section 1.6.4. I think we can say that the strength of the EAP keying material should not be less than the strength of the desired TSKs. But I'm not clear what we can say about "coordination" beyond that.

Can someone suggest text?

----------------------------------------------------------------------------------------------------------
Issue 356: Ciphersuite Independence
Submitter name: Joe Salowey
Submitter email address: jsalowey [at] cisco.com
Date Submitted: April 30, 2006
Reference: http://lists.frascone.com/pipermail/eap/msg04223.html
Document: KEYING-12
Comment type: 'E'ditorial
Priority: '2' May fix
Section: 1.6.4
Rationale/Explanation of issue:

Section 3.7 implies that there is a system level coordination between
the strength of the keys exported by the EAP method and the strength of
keys required by the lower layer.

This section should reference this and indicate that the coordination is
done outside of EAP.


