Re: [Emu] Key derivation differences
Jouni Malinen <j@w1.fi> Thu, 12 February 2009 08:49 UTC
Return-Path: <j@w1.fi>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C843928C0E7 for <emu@core3.amsl.com>; Thu, 12 Feb 2009 00:49:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9zKx-yER3eEe for <emu@core3.amsl.com>; Thu, 12 Feb 2009 00:49:04 -0800 (PST)
Received: from jmalinen.user.openhosting.com (128-177-27-249.ip.openhosting.com [128.177.27.249]) by core3.amsl.com (Postfix) with ESMTP id DE3563A68CC for <emu@ietf.org>; Thu, 12 Feb 2009 00:49:03 -0800 (PST)
Received: from jm (a91-155-82-88.elisa-laajakaista.fi [91.155.82.88]) (authenticated bits=0) by jmalinen.user.openhosting.com (8.13.8/8.13.8) with ESMTP id n1C8n4iY015091 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Feb 2009 03:49:06 -0500
Received: by jm (sSMTP sendmail emulation); Thu, 12 Feb 2009 10:49:04 +0200
Date: Thu, 12 Feb 2009 10:49:04 +0200
From: Jouni Malinen <j@w1.fi>
To: Bernard Aboba <bernard_aboba@hotmail.com>
Message-ID: <20090212084904.GB31253@jm.kir.nu>
References: <1079005519.16371.1234393091734.JavaMail.mail@webmail06> <BLU137-W24B11EAD564880FE81AEDF93BA0@phx.gbl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BLU137-W24B11EAD564880FE81AEDF93BA0@phx.gbl>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: emu@ietf.org
Subject: Re: [Emu] Key derivation differences
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2009 08:49:04 -0000
On Wed, Feb 11, 2009 at 03:56:08PM -0800, Bernard Aboba wrote: > You are saying that in addition to the interoperability issues described in > Tim's note with respect to the EAP-FAST-MSCHAPv2, that this document > also does not conform to the key derivation specified in EAP MS-CHAPv2, > and that as a result it can't interoperate with existing implementations of > EAP MS-CHAPv2, for regular non-provisioning uses? I'm not sure I would go as far as saying it does not conform to a specification taken into account the unclear situation on how MSK derivation for EAP-MSCHAPv2 is defined. More exact statement would be that EAP-FAST ISK and PEAPv0/cryptobinding ISK derivations use different order of MS-MPPE-Send-Key and MS-MPPE-Recv-Key in the EAP-MSCHAPv2 MSK. In other words, implementations that try to use the same EAP-MSCHAPv2 implementation (including the rules for MSK derivation) would not interoperate with both deployed EAP-FAST and EAP-PEAPv0/cryptobinding implementations. Depending on the Send/Recv key order in the MSK, one of the tunnel methods using the MSK from EAP-MSCHAPv2 would need to swap the keys. In my particular case, I ended up implementing EAP-FAST first and found the issue when trying to interoperate with EAP-PEAPv0 cryptobinding after that. As far as which use is correct is concerned, it is not exactly trivial thing to figure out, but my current interpretation of various specifications related to MS-MPPE keys is that the order used in PEAPv0 cryptobinding would match with the order used in other methods. Anyway, having a single document describing EAP-MSCHAPv2, including MSK derivation, would be a useful thing to have for anyone who wants to implement these things. The use of MS-MPPE Send/Recv keys that are different for server and peer side instead of defining the same derivation of full MSK for both server and peer make it very easy to get this wrong. I ended up having to figure this out by testing against deployed implementations and getting surprised that the same code does not work with both uses. Anyway, like I mentioned before, this EAP-MSCHAPv2 MSK difference is not strictly speaking an issue that would be specific to draft-cam-winget-eap-fast-provisioning; it would have been useful to describe it in RFC 4851. Anyway, it looks like the authors are willing to include the additional description in draft-cam-winget-eap-fast-provisioning and for the goal of describing a deployed protocol and allowing vendors to implement it in interoperable way, it is useful to get this described somewhere and this draft looks like the best place to do so at this point. -- Jouni Malinen PGP id EFC895FA
- [Emu] Key derivation differences Bernard Aboba
- Re: [Emu] Key derivation differences Jouni Malinen
- Re: [Emu] Key derivation differences David Mitton
- Re: [Emu] Key derivation differences Bernard Aboba
- Re: [Emu] Key derivation differences Jouni Malinen
- Re: [Emu] Key derivation differences Pasi.Eronen
- Re: [Emu] Key derivation differences Bernard Aboba
- Re: [Emu] Key derivation differences Joseph Salowey (jsalowey)
- Re: [Emu] Key derivation differences Hao Zhou (hzhou)
- Re: [Emu] Key derivation differences Pasi.Eronen
- Re: [Emu] Key derivation differences Bernard Aboba
- Re: [Emu] Key derivation differences Bernard Aboba
- Re: [Emu] Key derivation differences Jouni Malinen