hi all, I took a look at EAP method source code (even if crypto is not my speciality), and I'm wondering if all EAP methods shipped into freeRADIUS are compliant with RFC3748, regarding MSK and EMSK generation? This RFC states that "EAP method supporting key derivation MUST export a Master Session Key (MSK) of at least 64 octets, and an Extended Master Session Key (EMSK) of at least 64 octets." (§ 7.10) Which are the EAP methods that supports key derivation? And regarding other EAP methods, is there a way to add EMSK generation (maybe this is a stupid question)? I need those answers to see if FreeRADIUS would be able to act as a EAP RADIUS server compliant with WiMAX NWG stage 3. Many thanks for your answers Geoff. ___________________________________________________________________________ Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses http://fr.answers.yahoo.com
Geoffroy Arnoud wrote:
I took a look at EAP method source code (even if crypto is not my speciality), and I'm wondering if all EAP methods shipped into freeRADIUS are compliant with RFC3748, regarding MSK and EMSK generation?
No. EAP-MD5 explicitely doesn't do MSK generation.
Which are the EAP methods that supports key derivation?
All of the SSL enabled methods. (PEAP, TLS, TTLS, SIM).
And regarding other EAP methods, is there a way to add EMSK generation (maybe this is a stupid question)?
src/modules/rlm_eap/libeap/eapcrypto.c It already does EMSK generation for SIM.
I need those answers to see if FreeRADIUS would be able to act as a EAP RADIUS server compliant with WiMAX NWG stage 3.
I'm not sure what that means. Can you clarify? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I need those answers to see if FreeRADIUS would be able to act as a EAP RADIUS server compliant with WiMAX NWG stage 3.
I'm not sure what that means. Can you clarify?
For WiMAX needs, during EAP authentication, EAP server must derive MSK and EMSK. MSK is provided to the NAS, and EMSK is used to derive other keys, used for mobile IP purposes and provided to NAS and/or FA and/or HA. Therefore, EMSK will have a goal and will need to be provided to some equipements. Furthermore, MIP keys are need to be provided at different times, so an interface with a key-holder may be set-up (I saw it in a RFC but I can't recal which one). Nevertheless, things are not yet standardized as shipping attributes (VSA) don't currently exist. Best regards, Geoff. ___________________________________________________________________________ Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses http://fr.answers.yahoo.com
participants (2)
-
Alan DeKok -
Geoffroy Arnoud