Re: Re: Issue 352: Channel Binding Issue

From: Yoshihiro Ohba (yohba
Date: Tue, 2 May 2006 09:57:21 -0700 (PDT)
On Mon, May 01, 2006 at 06:48:34PM -0700, Bernard Aboba wrote:
> The text of Issue 352 is shown below.
>
> The suggested substitute text is ok as far as it goes.
>
> As I read the referenced document, it requires changes to EAP methods, much
> the same as the transportation approach does. The peer and server have to
> negotiate what channel bindings are mixed in with the keying material,
> effectively producing "mixed" MSKs/EMSKs. Since the EAP method is really
> just outputting an MSK/EMSK as usual (albeit with channel bindings mixed
> in), no new AAA attributes or communication flow is required.
>
> Did I read the document correctly?

Thank you for reading the document. And the answer is, if the generated
"mixed" MSKs are carried in the existing AAA attributes instead of
carrying the MSKs, then no AAA attributes or communication flow is
required for EAP keying.

[Note, however, if the "mixed" MSKs/EMSKs are used outside the scope of
EAP keying (e.g., handover keying), then new AAA attributes or
communication flow may be needed. This all depends on what requirements
on out-of-the-scope usages will be.]

Regards,
Yoshihiro Ohba

> -----------------------------------------------------------------------
> Issue 352: Channel Binding Issue
> Submitter name: Yoshihiro Ohba
> Submitter email address: yohba [at] tari.toshiba.com
> Date Submitted: April 25, 2006
> Reference: http://lists.frascone.com/pipermail/eap/msg04216.html
> Document: Keying-12
> Comment type: T
> Priority: 1
> Section: 5.11
> Rationale/Explanation of issue:
>
> Reference [I-D.draft-ohba-eap-aaakey-binding] should be obsoleted by
> its successor, i.e., [I-D.draft-ohba-eap-channel-binding], which
> provides a more generic, complete and extensible way of channel binding.
> Note that pre-configuration of the parameter set on AS is an important
> property to achieve Channel Binding in 3-party key management.
>
> Change:
>
> " It is also possible to achieve Channel Bindings without transporting
> data over EAP. For example, see [I-D.draft-ohba-eap-aaakey-binding].
> In this approach the authenticator informs the backend server about
> the Channel Binding parameters using AAA, and the backend server
> calculates transported keying material based on this parameter set,
> making it impossible for the peer and authenticator to complete the
> Secure Association Protocol if there was a mismatch in the
> parameters."
>
> to:
>
> " It is also possible to achieve Channel Bindings without
> transporting data over EAP. For example, see
> [I-D.draft-ohba-eap-channel-binding]. In this approach the backend
> server calculates transported keying material based on the
> parameter set pre-configured for the authenticator, making it
> impossible for the peer and authenticator to complete the Secure
> Association Protocol if there was a mismatch in the parameters."
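The key-mixing approach the message describes, as an added illustration that is not code from this thread or from either draft: the AAA server derives the transported key from the EAP-method MSK and the parameter set it has pre-configured for the authenticator, the peer derives its copy from the parameters it observed on the lower layer, and a mismatch shows up as a failed Secure Association Protocol rather than as a new AAA attribute. The KDF (HMAC-SHA256 over a canonical encoding), the attribute names, the sample MSK and the two-message SAP are assumptions made here for the example.

```python
"""Channel binding by key mixing: a constructed illustration.

Both sides mix the channel-binding parameter set into the MSK that the
EAP method produced.  The server uses the parameter set pre-configured
for the authenticator and ships the result in the existing AAA key
attribute; the peer uses the values the authenticator advertised to it.
If the two views disagree, the derived keys differ and the Secure
Association Protocol cannot complete.

The KDF, parameter encoding and SAP below are hypothetical, not the
constructions of any draft.
"""
import hashlib
import hmac
import os


def mix_channel_binding(msk: bytes, params: dict) -> bytes:
    """'Mixed MSK': HMAC-SHA256 of a canonical encoding of the parameter
    set, keyed with the EAP-method MSK (hypothetical construction).
    Sorting the keys makes the encoding order-independent, which both
    sides must agree on or honest runs would fail too."""
    canonical = b"".join(
        f"{k}={v};".encode() for k, v in sorted(params.items())
    )
    return hmac.new(msk, b"EAP-CB|" + canonical, hashlib.sha256).digest()


def derive_keys(msk: bytes, server_view: dict, peer_view: dict):
    """Return (authenticator_key, peer_key).

    The server derives the transported key from the parameter set it
    holds for this authenticator; the peer derives its own copy from
    what the authenticator advertised.  No extra AAA round trip is
    needed: the mixed key travels where the plain MSK would have."""
    return (mix_channel_binding(msk, server_view),
            mix_channel_binding(msk, peer_view))


def secure_association(authenticator_key: bytes, peer_key: bytes) -> bool:
    """Minimal two-message SAP (hypothetical): both sides contribute a
    nonce, the authenticator answers with a MIC under its key, and the
    peer verifies under its own key.  Mismatched keys fail the check."""
    peer_nonce = os.urandom(16)
    auth_nonce = os.urandom(16)
    transcript = peer_nonce + auth_nonce
    mic = hmac.new(authenticator_key, transcript, hashlib.sha256).digest()
    expected = hmac.new(peer_key, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(mic, expected)


# Constructed sample data: a fixed stand-in for EAP-method MSK output and
# a parameter set using attribute-style names chosen for the example.
SAMPLE_MSK = hashlib.sha256(b"constructed MSK for the example").digest()
CONFIGURED = {"NAS-Identifier": "ap-building-a", "SSID": "corp"}


def honest_run() -> bool:
    """The authenticator advertises exactly what the server has on file."""
    a_key, p_key = derive_keys(SAMPLE_MSK, CONFIGURED, dict(CONFIGURED))
    return secure_association(a_key, p_key)


def mismatched_run() -> bool:
    """The authenticator advertises an SSID other than the one the server
    configured for it; the peer's mixed key differs and the SAP fails."""
    advertised = dict(CONFIGURED, SSID="corp-guest")
    a_key, p_key = derive_keys(SAMPLE_MSK, CONFIGURED, advertised)
    return secure_association(a_key, p_key)


if __name__ == "__main__":
    print("honest:", honest_run())        # True
    print("mismatch:", mismatched_run())  # False
```

Two points worth keeping in mind when reading this against the thread: the mismatch is detected only when the SAP runs, not during the EAP exchange, which is exactly the property the proposed text states; and the canonical encoding of the parameter set is part of the security contract, since any disagreement about encoding is indistinguishable from a parameter mismatch.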
Thread:
- Re: Issue 352: Channel Binding Issue, Bernard Aboba, May 1 2006
  - Re: Re: Issue 352: Channel Binding Issue, Yoshihiro Ohba, May 2 2006
- Re: Re: Issue 352: Channel Binding Issue, Bernard Aboba, May 2 2006
  - Re: Re: Issue 352: Channel Binding Issue, Yoshihiro Ohba, May 2 2006
- RE: Re: Issue 352: Channel Binding Issue, Salowey, Joe, May 2 2006
  - Re: Re: Issue 352: Channel Binding Issue, Yoshihiro Ohba, May 2 2006