>>>>1. Authentication server generates Session Secret, but not
>>>>Session Key,
>>>> and sends it to both supplicant and AP.
>>>>
>
>I missed this in my previous mail. The supplicant already has the
>session secret (since it's generated by the AS and supplicant
>together) so it is only sent to the AP. Having the AS send the
>keying material to both the AP and STA would defeat the whole
>purpose of the key distribution mechanism (which is to distribute
>session keys without a previously shared secret).
>
>>>>2. AP generates both Session(Unicast) Key and Broadcast Key
>>>>and encrypts
>>>> them using Session Secret and sends to the supplicant.
>>>>
>
>The broadcast key is most probably previously generated, but
>otherwise this is the behavior we've seen.
>
>>>>3. Supplicant decrypts Session(Unicast) Key and Broadcast key
>>>>using the
>>>> Session Secret that it got from Authentication Server.
>>>>
>
>using the session secret that was derived as part of the TLS
>authentication
>
Currently Dynamic WEP key generation is done using EAP/TLS.
The sequence for Dynamic WEP key generation is:
1. AS and Supplicant independently generate the
Session Secret based on the Master Secret.
AS sends this Session Secret to AP in MS-MPPE-..
attributes.
2. AP generates Unicast(Session) key and encrypts it
using Session Secret and sends it to the supplicant.
(Broadcast/default key is the same for all
stations within a broadcast domain. If this is
not the case then AP generates the Broadcast key too
and encrypts it using Session Secret and sends it to
the supplicant)
3. Supplicant decrypts the Unicast and/or Broadcast key
using the generated Session Secret (from step 1).
Please confirm whether we are on the same page or not.
>Sorry, AFAIK there is no document that officially spells out
>all the details; the IEEE 802.1x standard, RFC 2716 and the I-D
>mentioned above together are probably the best documentation
>available on this.
>
I have all these documents. Thank you.
>The EAPOL-Key messages originate from the AP, not the authentication
>server. I'll try to make it a bit more clear (note that the below is
>based mostly on observed behavior of existing implementations).
>
>                          1. trust by
>                      v----- shared radius key ---v
>    STA               AP                          AS (radius)
>     ^                                             ^
>     |STA --------- 2. EAP/TLS authentication ---- AS|
>          derives shared secret for
>          distribution of WEP keys
>          based on TLS master secret
>
>                      ^                            ^
>                      |AP - 3. WEP key ----------- AS|
>                           distribution secret
>                           sent to AP using
>                           MS-MPPE-... VSAs
>
>     ^                ^
>     |STA 4. WEP keys sent in --- AP|
>          EAPOL Key frames
>          encrypted using
>          the key distribution
>          secret
>
>
>The three key (no pun intended) observations I make from the above
>are:
>
>1. the trust between the STA and AP is derived from the trust
> between STA/AS and AP/AS - this is not a good thing
>
>2. the mechanism used to send the key distribution secret from AS
> to AP is of no interest to the STA, currently this is done using
> MS-MPPE-{Send|Recv}-Key but that could (should?) be changed
>
>3. the AS is not involved in the generation of the EAPOL-Key
> messages (and hence the WEP keys), this is all done by the AP
>
That is a pretty good description.
Do you mind if I place this in the EAP documentation?
>>Unfortunately "IEEE 802.1X RADIUS Usage Guidelines" also talks
>>about the use of these MS-MPPE-... VSAs.
>>
>
>The use of the MS-MPPE- VSAs are probably an artifact of Microsoft
>being the first to use EAP-TLS as an 802.11/1x authentication
>mechanism.
>
Hopefully this usage of VSA does not stand long.
>That's Task Group I of 802.11. They are discussing a number of rather
>large changes to 802.11/WEP including migrating WEP from RC4 to AES,
>a better MIC, improved per-packet WEP-key generation. Check out their
>document submission queue at <URL:http://grouper.ieee.org/groups/802/11/>
>for more information (if you've not already done that).
>
>EAPOL-Key messages may or may not become deprecated (I haven't seen
>any indications of the latter, but I don't have access to TgI internal
>documents/discussions) however that is a non-issue for the Authentication
>Server since the EAPOL-Key messages are exchanged from AP to STA.
>
My question is: if EAPOL-Key messages are to be deprecated, then the
purpose/advantage of your patch is lost, as the secret sharing between
AS & AP is no longer required.
What is your opinion?
-Raghu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
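To make steps 2 and 3 of the sequence above concrete (the AP wraps and signs a WEP key it chose; the STA verifies and unwraps it with the secret it derived itself; the AS plays no part), here is an added Python model, not code from this thread, FreeRADIUS or any implementation. It follows the 802.1X-2001 RC4 Key Descriptor layout as I recall it (RC4 keyed with IV||encryption key, HMAC-MD5 signature over the EAPOL frame); the 64-byte secret, its split into encryption and signing halves, and every key value are constructed assumptions.

```python
import hashlib, hmac, struct

EAPOL_VERSION, EAPOL_TYPE_KEY, RC4_DESCRIPTOR = 1, 3, 1

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: the 802.1X-2001 RC4 Key Descriptor wraps the WEP key with it
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def split_secret(secret: bytes):
    # Assumption: a 64-byte distribution secret, first half encrypts, second half signs
    return secret[:32], secret[32:64]

def ap_build_eapol_key(secret, wep_key, iv, replay, index, unicast=True):
    """Step 2: the AP picks the WEP key, RC4-encrypts it under IV||enc_key and
    signs the whole EAPOL frame with HMAC-MD5. The AS takes no part in this."""
    enc_key, sign_key = split_secret(secret)
    flags = (0x80 if unicast else 0x00) | (index & 0x7F)
    head = struct.pack(">BHQ", RC4_DESCRIPTOR, len(wep_key), replay) + iv + bytes([flags])
    cipher = rc4(iv + enc_key, wep_key)
    hdr = struct.pack(">BBH", EAPOL_VERSION, EAPOL_TYPE_KEY, len(head) + 16 + len(cipher))
    sig = hmac.new(sign_key, hdr + head + bytes(16) + cipher, hashlib.md5).digest()
    return hdr + head + sig + cipher

def sta_parse_eapol_key(secret, frame):
    """Step 3: the STA verifies and decrypts with the secret it derived itself from
    the TLS master secret; a wrong secret (or a forged frame) fails the signature."""
    enc_key, sign_key = split_secret(secret)
    hdr, body = frame[:4], frame[4:]
    desc, klen, replay = struct.unpack(">BHQ", body[:11])
    iv, flags, sig, cipher = body[11:27], body[27], body[28:44], body[44:]
    if desc != RC4_DESCRIPTOR:
        raise ValueError("unsupported key descriptor")
    expect = hmac.new(sign_key, hdr + body[:28] + bytes(16) + cipher, hashlib.md5).digest()
    if not hmac.compare_digest(sig, expect):
        raise ValueError("EAPOL-Key signature mismatch")
    return {"replay": replay, "index": flags & 0x7F, "unicast": bool(flags & 0x80),
            "key": rc4(iv + enc_key, cipher)[:klen]}

# Constructed demo values (not from any real session)
SECRET, WEP_KEY, IV = bytes(range(64)), bytes.fromhex("0badc0ffee0badc0ffee0badc0"), b"\x11" * 16
```

Running `sta_parse_eapol_key(SECRET, ap_build_eapol_key(SECRET, WEP_KEY, IV, 1, 0))` returns the 13-byte WEP key, while any other 64-byte secret is rejected at the signature check, which is exactly why the STA needs nothing from the AS beyond the TLS exchange itself.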