Based on Jouni's analysis the derivation of the S-IMCKs is not well specified. To me it looks like the solution to handle an arbitrary number of methods that may or may not make an EMSK available would be fairly complex.
I think the most straight forward solution is to either always assume that for an EMSK generating method the EMSK is either always available or always unavailable. It seems that it is safer to always assume that the EMSK is unavailable and will therefore never be used. I think this has the following implications: - The S-IMCK is always generated from the inner method MSK or the all-zero value if the method does not generate key material. - The EMSK compound MAC is not used - Implementations must have a policy that accepts MSK MACs It would appear that from a cryptographic analysis point of view the MSK and EMSK are equivalent since these keys will only be used in these TEAP calculations and not for other purposes. There are documented drawbacks of using the MSK described in RFC7029 ( https://tools.ietf.org/html/rfc7029#page-12). If the properties of the EMSK binding are needed in the use cases currently under consideration then I think we could redefine the way the EMSK MAC to be computed from the EMSK of the inner method changing the above to - The S-IMCK is always generated from the inner method MSK or the all-zero value if the method does not generate key material. - Compute EMSK MAC from the inner-method EMSK instead of the S-IMCK Compound-MAC = MAC( EMSK[J], BUFFER ) - Implementations have a policy that prevents EMSK downgrade to MSK Hopefully there is a more elegant solution. Any ideas? Joe
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
