EAP TTLS: Getting the EMSK key?

Alan DeKok aland at deployingradius.com
Tue Jan 25 15:08:16 CET 2011

Daniel wrote:
> I have installed a clean new FreeRADIUS 2.1.10 and set it up.
> It is working fine, and I am also receiving the MSK key (without doing any
> modifications to the code).

  As expected.

> How come I can get the MSK key, but not the EMSK?

  Because that's how it works.

> I would expect FreeRADIUS either to export both of them, or to not export
> both of them (for security reasons as you said).

  No.  Go read the specifications.

  The EMSK is the master key.  The MSK is a derived key.  You can export
derived keys, with minimal security problems.  Exporting the master key
is a major problem.

  In any case, this has nothing to do with FreeRADIUS.  Go read the
specs to see how the MSK and EMSK work.  It's what *we* did.

  Alan DeKok.
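
The key export the specifications describe for EAP-TTLS, as an added example that is not part of the original message or of FreeRADIUS's code: RFC 5281 section 8 takes 128 octets from the TLS PRF with the label "ttls keying material", and assigns octets 0-63 to the MSK and octets 64-127 to the EMSK. It assumes the TLS 1.0/1.1 PRF from RFC 2246; the function names and the sample secret and randoms are constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"ttls keying material"  # exporter label, RFC 5281 section 8


def p_hash(name, secret, seed, length):
    """P_hash data expansion from RFC 2246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half of secret) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def ttls_export_keys(master_secret, client_random, server_random):
    """Return (MSK, EMSK) as the two 64-octet halves of the exported key material."""
    key_material = tls10_prf(master_secret, LABEL,
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:]


# Constructed sample inputs; a real session takes these from the TLS handshake.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x01" * 32
SAMPLE_SERVER_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    msk, emsk = ttls_export_keys(SAMPLE_MASTER_SECRET,
                                 SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    # The MSK is what the server hands to the authenticator; the EMSK never
    # leaves the EAP peer and server, so only its length is shown here.
    print("MSK :", msk.hex())
    print("EMSK: %d octets, kept on the server" % len(emsk))
```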
