IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

Jouni Malinen <j@w1.fi> Thu, 12 February 2009 08:30 UTC

Return-Path: <j@w1.fi>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 867973A6A24; Thu, 12 Feb 2009 00:30:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJSByT-6c-fZ; Thu, 12 Feb 2009 00:30:26 -0800 (PST)
Received: from jmalinen.user.openhosting.com (128-177-27-249.ip.openhosting.com [128.177.27.249]) by core3.amsl.com (Postfix) with ESMTP id 8F78A3A6978; Thu, 12 Feb 2009 00:30:26 -0800 (PST)
Received: from jm (a91-155-82-88.elisa-laajakaista.fi [91.155.82.88]) (authenticated bits=0) by jmalinen.user.openhosting.com (8.13.8/8.13.8) with ESMTP id n1C8UGNH002153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Feb 2009 03:30:18 -0500
Received: by jm (sSMTP sendmail emulation); Thu, 12 Feb 2009 10:30:16 +0200
Date: Thu, 12 Feb 2009 10:30:16 +0200
From: Jouni Malinen <j@w1.fi>
To: "Hao Zhou (hzhou)" <hzhou@cisco.com>
Message-ID: <20090212083016.GA31253@jm.kir.nu>
References: <20090211201320.GA22148@jm.kir.nu> <9958B444368E884DBB215F3FEF36F5B708F4DD04@xmb-rtp-212.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9958B444368E884DBB215F3FEF36F5B708F4DD04@xmb-rtp-212.amer.cisco.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: Tim Polk <tim.polk@nist.gov>, emu@ietf.org, iesg@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2009 08:30:27 -0000

On Wed, Feb 11, 2009 at 10:05:57PM -0500, Hao Zhou (hzhou) wrote:

> To clarify, EAP-FAST-MSCHAPv2 is only being used during anonymous
> provisioning mode, in other cases, the normal EAP-MSCHAPv2 is being
> used. This is mentioned in draft-cam-winget-eap-fast-provisioning
> Section 3.2.3 and reflects current implementations. The design is to
> specifically minimize the risk associated with an anonymous tunnel,
> which does not apply to an authenticated tunnel.  

Thanks. Apparently, I looked at my implementation bit too quickly and
assumed it was using the implicit challenges for both provision cases,
but you are correct, the draft does indeed state this only for anonymous
provisioning and I now confirmed that that was also what my
implementation was doing. In other words, the changes I asked for the
note for draft-cam-winget-eap-fast-provisioning for the topic of when to
use EAP-MSCHAPv2 vs. EAP-FAST-MSCHAPv2 should not be made and only the
change request for draft-zhou-emu-fast-gtc would be suitable.

> As for the ISK derivation from EAP-MSCHAPv2, a further clarification is
> probably helpful. As discussed, EAP-MSCHAPv2 documentation doesn't
> really describe how MSK is generated, only referencing RFC3079. RFC3079
> only describes how two 128-bit keys are generated, but leaves out how
> these two keys are combined to form the MSK. This leaves it to be
> defined in a tunnel method specific way. It seems that EAP-FAST may have
> defined a combining algorithm different with the other method. 

I agree for the part that MSK derivation for EAP-MSCHAPv2 is not very
well defined and it did require going through multiple documents to
figure out the order.

As far as MSK derivation for an inner method being tunnel method
specific is concerned, I do not agree with that. It should be up to the
inner method specification to define how MSK is derived and tunnel
method ISK should just use that MSK.

I do not remember anymore where exactly I found this, but probably
based on the MSCHAPv2 documents and the way MS-MPPE keys are used in
other methods, I ended up with EAP-MSCHAPv2
    MSK = server MS-MPPE-Recv-Key | server MS-MPPE-Send-Key

This is the order used in EAP-PEAPv0 cryptobinding derivation.

In EAP-FAST, the opposite order is used:
    MSK = server MS-MPPE-Send-Key | server MS-MPPE-Recv-Key

> Here is what we propose to add to draft-cam-winget-eap-fast-provisioning
> Section 3.2.3 to clarify the issue. 
> 
> "The inner session key (ISK) generation for EAP-FAST-MSCHAPv2 and
> EAP-MSCHAPv2 used inside EAP-FAST MUST follow the steps below. Two 128
> bit master keys MasterSendKey and MasterReceiveKey are generated
> according to the RFC3079. They are combined to form the ISK, with
> MasterSendKey taking the first 16 octets and MasterReceiveKey taking the
> last 16 octets. "

Taken into account that MasterSendKey in RFC 3079 is defined as the
server MS-MPPE-Send-Key, this matches with the order I described above
and including this note in the draft would indeed be a helpful
clarification.

-- 
Jouni Malinen                                            PGP id EFC895FA

v2.23.0 | Report a Bug | By Email