Re: Issue: Use of a label in derivation of keys from the MSK
From: Lakshminath Dondeti (ldondeti [at] qualcomm.com)
Date: Fri, 23 Nov 2007 16:02:37 -0800 (PST)
On 11/22/2007 5:00 PM, Bernard_Aboba [at] hotmail.com wrote:
If we are to do this, we should summarize all the known uses of the MSK:
In some cases it is used for deriving traffic keys and in other cases,
traffic keys along with other MSK-equivalent keys.

Not sure what "MSK-equivalent" means here. Can you explain?

It depends on the link layer. I will try and stick to the link layer we are all familiar with, but the wording gets a bit fuzzy in that case.
In 802.11 networks (my knowledge may be a bit rusty here, so please correct me)
PMK = MSK[0 .. 255],
PTK = f(PMK, <additional-data>)
PMK-R0 = MSK[256 .. 511]
PMK-R1 = f(PMK-R0, <...>)
PTK = f(PMK-R1, <additional-data>)

So, key separation is achieved by using different parts (first 256 and the second 256 bits) of the MSK and then key labels from thereon.

Some specifications achieve key separation by using different parts of the MSK for different purposes and use key labels for key separation thereafter.

Can you give an example of an EAP lower layer that does this? IEEE 802.11i, r
and 16e all use a portion of the MSK (PMK) as a root and don't use the rest.
I think they do this to enable future key hierarchy extensions.
Others use labels alone for key separation.

802.11i, 11r, and 1af would fall into this category.

The MSK is also used as a substitute for LTCs in the IKEv2 context.

Yes.

Given the complexity of the state of affairs, a simple statement along the lines of "use key labels for key separation" is not really accurate.

The document already describes existing practices, so the issue is not really "accuracy". The issue is having advice that could have guided the PANA protocol specification (where there was no root key derived from the MSK, and also no label used, so that cryptographically separate branches could not be created).

I agree that we should specify the requirement for key separation. I don't think it is necessary to say anything about key labels per se.
regards,
Lakshminath

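An added illustration of the two separation mechanisms discussed in this thread (not code from the thread or from any IEEE 802.11 specification): the MSK is split into PMK = MSK[0..255] and PMK-R0 = MSK[256..511], and every further derivation carries a label. The KDF is a generic HMAC-SHA256 counter-mode construction standing in for the real link-layer KDFs; the MSK, labels and context values are constructed for the example.

```python
import hmac
import hashlib

# Constructed 512-bit stand-in for an EAP MSK; not a real key.
MSK = bytes(range(64))


def kdf(root: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Label-based KDF: HMAC-SHA256 in counter mode.

    Illustrative construction only; 802.11i/11r define their own KDFs.
    The label and the output length are bound into every HMAC input so
    that two purposes sharing a root still end up with distinct keys.
    """
    out = b""
    counter = 1
    while len(out) < length:
        msg = bytes([counter]) + label + b"\x00" + context + length.to_bytes(2, "big")
        out += hmac.new(root, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def split_msk(msk: bytes) -> tuple:
    """MSK[0..255] -> PMK, MSK[256..511] -> PMK-R0 (the split described in the mail)."""
    if len(msk) < 64:
        raise ValueError("MSK must carry at least 512 bits for this split")
    return msk[:32], msk[32:64]


def derive_hierarchy(msk: bytes, context: bytes) -> dict:
    """Both branches of the mail's example: PMK -> PTK and PMK-R0 -> PMK-R1 -> PTK."""
    pmk, pmk_r0 = split_msk(msk)
    ptk_i = kdf(pmk, b"PTK", context, 48)            # 802.11i-style branch
    pmk_r1 = kdf(pmk_r0, b"PMK-R1", context, 32)     # 802.11r-style intermediate key
    ptk_r = kdf(pmk_r1, b"PTK", context, 48)         # same label, different root
    return {"PMK": pmk, "PMK-R0": pmk_r0, "PMK-R1": pmk_r1,
            "PTK-11i": ptk_i, "PTK-11r": ptk_r}


def labels_separate(root: bytes, context: bytes) -> bool:
    """Same root and context, different labels -> cryptographically separate keys."""
    return kdf(root, b"purpose-A", context, 32) != kdf(root, b"purpose-B", context, 32)


if __name__ == "__main__":
    keys = derive_hierarchy(MSK, b"constructed-context")
    for name, value in keys.items():
        print(f"{name:8s} {value.hex()}")
    print("labels separate:", labels_separate(keys["PMK"], b"constructed-context"))
```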