RE: Re: Issue 352: Channel Binding Issue
From: Salowey, Joe (jsalowey [at] cisco.com)
Date: Sun, 7 May 2006 11:37:07 -0700 (PDT)
 

> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba [at] tari.toshiba.com] 
> Sent: Tuesday, May 02, 2006 4:23 PM
> To: Salowey, Joe
> Cc: Bernard Aboba; yohba [at] tari.toshiba.com; eap [at] frascone.com
> Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> 
> On Tue, May 02, 2006 at 04:23:22PM -0700, Salowey, Joe wrote:
> > Hmmm... 
> > 
> > Peer gets MSK from EAP and mixes it with Y to get MSKY 
> > Authenticator gets mixed MSKY in existing AAA attribute, since this is
> > an existing attribute it thinks it is just the MSK and mixes it with Y
> > to get MSKYY.  MSKY and MSKYY don't match.
> 
> There is some misunderstanding.  If the authenticator is supposed to
> further mix Y to get MSKYY from MSKY, then the peer is also supposed
> to further mix Y to get MSKYY from MSKY.
> 
[Joe] Yes, but how does the authenticator know if the mixing has been
done by the AAA or if it has to do the mixing?


> Yoshihiro Ohba
> 
> 
> 
> > 
> > It seems to me a separate attribute would really be better. 
> > 
> > 
> > > -----Original Message-----
> > > From: Bernard Aboba [mailto:bernard_aboba [at] hotmail.com] 
> > > Sent: Tuesday, May 02, 2006 3:58 PM
> > > To: yohba [at] tari.toshiba.com; Salowey, Joe
> > > Cc: eap [at] frascone.com
> > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > 
> > > Right.  The method just outputs the MSK/EMSK.  As long as the 
> > > same MSK is 
> > > outputted on both the EAP peer and server, the authenticator 
> > > doesn't need to 
> > > know what channel bindings were mixed in.
> > > 
> > > 
> > > >From: Yoshihiro Ohba <yohba [at] tari.toshiba.com>
> > > >To: "Salowey, Joe" <jsalowey [at] cisco.com>
> > > >CC: Bernard Aboba <bernard_aboba [at] hotmail.com>, 
> > > yohba [at] tari.toshiba.com,      
> > > >   eap [at] frascone.com
> > > >Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > >Date: Tue, 02 May 2006 18:55:29 -0400
> > > >
> > > >On Tue, May 02, 2006 at 03:21:19PM -0700, Salowey, Joe wrote:
> > > > > I'm not sure that carrying "mixed" MSKs in existing 
> > > attributes is such a
> > > > > good idea,  how does the authenticator know what it 
> is getting?
> > > >
> > > >I don't think the authenticator needs to know whether the received key
> > > >is the MSK or mixed MSK, as long as both the peer and authenticator
> > > >obtain the same key.
> > > >
> > > >Yoshihiro Ohba
> > > >
> > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Bernard Aboba [mailto:bernard_aboba [at] hotmail.com]
> > > > > > Sent: Tuesday, May 02, 2006 12:27 PM
> > > > > > To: yohba [at] tari.toshiba.com
> > > > > > Cc: eap [at] frascone.com
> > > > > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > > > >
> > > > > > >Thank you for reading the document.  And the 
> answer is, if the
> > > > > > >generated "mixed" MSKs are carried in the existing AAA 
> > > attributes
> > > > > > >instead of carrying the MSKs, then no AAA attributes 
> > > or communication
> > > > > > >flow is required for EAP keying.
> > > > > >
> > > > > > > It might be worth saying a few words about this in the
> > > > > > > paragraph.  Overall, I'm not sure whether the Channel Binding
> > > > > > > text in the document is all that consistent/comprehensive.
> > > > > >
> > > > > >
> > > > > > 
> > > > > >
> > > > >
> > > > >
> > > 
> > 
> > 
> 
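
Added example, not part of the original thread or of any EAP specification: a small simulation of the ambiguity discussed above, comparing a "mixed" MSK carried in the existing AAA attribute with one carried in a separate attribute. The HMAC-SHA256 mixing function, the attribute name `Mixed-MSK`, and the sample MSK and Y values are assumptions made for illustration.

```python
import hashlib
import hmac

MSK = bytes(range(64))               # constructed sample key, not real material
Y = b"constructed-channel-binding"   # constructed sample channel-binding data

def mix(key: bytes, y: bytes) -> bytes:
    # Assumed mixing function; the thread does not specify one.
    return hmac.new(key, y, hashlib.sha256).digest()

def aaa_send(aaa_mixes: bool, separate_attr: bool) -> dict:
    """Attributes the AAA server sends to the authenticator."""
    if not aaa_mixes:
        return {"MSK": MSK}
    # "Mixed-MSK" is a hypothetical attribute name for the separate-attribute idea.
    return {"Mixed-MSK" if separate_attr else "MSK": mix(MSK, Y)}

def auth_existing_attr(attrs: dict, assume_unmixed: bool) -> bytes:
    """Authenticator that only sees the existing attribute and must guess."""
    key = attrs["MSK"]
    return mix(key, Y) if assume_unmixed else key

def auth_separate_attr(attrs: dict) -> bytes:
    """Authenticator that can tell a mixed key from a plain MSK by attribute."""
    if "Mixed-MSK" in attrs:
        return attrs["Mixed-MSK"]
    return mix(attrs["MSK"], Y)

def outcomes() -> dict:
    """Map each scenario to whether peer and authenticator keys agree."""
    peer_key = mix(MSK, Y)  # MSKY, as in the thread
    result = {}
    for aaa_mixes in (True, False):
        for guess in (True, False):
            got = auth_existing_attr(aaa_send(aaa_mixes, False), guess)
            result[("existing", aaa_mixes, guess)] = hmac.compare_digest(got, peer_key)
        got = auth_separate_attr(aaa_send(aaa_mixes, True))
        result[("separate", aaa_mixes, None)] = hmac.compare_digest(got, peer_key)
    return result

if __name__ == "__main__":
    for scenario, agree in outcomes().items():
        print(scenario, "keys match" if agree else "MISMATCH")
```

With the existing attribute, each fixed authenticator policy fails in one of the two AAA deployments (MSKYY against MSKY, or plain MSK against MSKY); with the separately labelled attribute both deployments agree with the peer.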
