EAP TTLS: Getting the EMSK key?
aland at deployingradius.com
Tue Jan 25 15:08:16 CET 2011
> I have installed a clean new freeRadius 2.1.10 and set it up.
> It is working fine, and I am also receiving the MSK key (without doing any
> modifications to the code).
> How come I can get the MSK key, but not the EMSK?
Because that's how it works.
> I would expect freeradius either to export both of them, or to not export
> both of them (for security reasons as you said).
No. Go read the specifications.
The EMSK is the master key. The MSK is a derived key. You can export
derived keys, with minimal security problems. Exporting the master key
is a major problem.
In any case, this has nothing to do with FreeRADIUS. Go read the
specs to see how the MSK and EMSK work. It's what *we* did.
More information about the Freeradius-Users