Hi ģ�h wrote:
Raghu or Henrik could probably better respond to your question but Raghu currently doesn't read the list, so I will try to describe what i understood from the discussion with Raghu and Henrik. (i'm too lazy to search in standards because it doesn't matter much imho).

> It seems that there are two keys in EAP:

that's not very correct. there are no keys in eap. everything depends on the used EAP type. but well, let's say we are talking about EAP/TLS here.

> 1. if authentication succeeds, the Authentication Server and the wireless
> client have an identical "secret key".

true. those are the master keys negotiated by TLS. both sides derive a key called NSSSK.

> 2.then Server sends this secret key to Access Point, this secret key is
> encrypted using the shared secret between AP and Server.

true. NSSSK are sent to the AP, a recv and a send key, of course encrypted by the secret key shared by radius server and the client.

> 3.the AP uses the key received from Server to encrypt WEP key.

AP actually produces two WEP keys, a broadcast and a unicast key, and then sends those encrypted to the supplicant, using EAPOL-Key method.

> My problem is: then wireless client decrypt the WEP key using the "secret
> key" that mentioned in 1.,and use this WEP key to receive/transmit data
> from/to AP, is that true?

true. the supplicant decrypts both received keys (bcast and ucast) using the NSSSK which it has produced independently from the TLS master key.

> and another question: I still cannot understand how the EAP perform "dynamic
> WEP key generation", do the WEP keys generate from AP dynamically?

AP generates the actual keys.

Raghu, Henrik: please correct/complete my input.

Personal remark: i said it doesn't matter much, because in my opinion there are better ways to do that. i would probably never send any unicast keys to the supplicant since it can produce them on his own, but ok, it seems to work in this way for whatever reason.

Ciao
artur

--
Artur Hecker
Groupe Accès et Mobilité
Département Informatique et Réseaux
hecker[at]enst[dot]fr
+33 1 45 81 7507
46, rue Barrault
75634 Paris cedex 13
http://www.infres.enst.fr
ENST Paris

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
