Re: [HOKEY] AD review of draft-ietf-hokey-erp-aak

Hi,Sujing:
Sorry for late reply.
I think you ask a very good question.
In the figure 3 of this draft,  ERP/AAK uses key hierarchy to generate
pRK, pRK further derive one new Integrity key pIK. The purpose of pIK
is to integrity protect ERP/AAK message.
And you propose to reuse rIK  to protect ERP/AAK message, since 
ERP/AAK message is still a ERP message. The only change to ERP is 
i)add some a few TLV/TV extensions to support ERP/AAK, e.g., pMSK lifetime, pRK lifetime, 
CAP Identifier.
ii) add flag bit in the ERP message to indicate this is for ERP/AAK usage.
I think this proposal makes a good use of existing key materials and  looks reasonable .
but I am not sure if using rIK cause some confliction or have potential impact to original ERP usage.
We will think about it. Thanks for your valuable comments.

Regards!
-Qin
  ----- Original Message ----- 
  From: zhou.sujing@zte.com.cn 
  To: Qin Wu 
  Cc: Cao,Zhen ; Glen Zorn ; hokey@ietf.org ; hokey-bounces@ietf.org ; Stephen Farrell 
  Sent: Friday, December 02, 2011 2:46 PM
  Subject: ´ð¸´: Re: [HOKEY] AD review of draft-ietf-hokey-erp-aak

  Hi,Qin 

  > Hi, Stephen:
  > Thank for your valuable review. 
  > Here is my answer to the main issues I think and I skip most of 
  > editorial issues or nits issues.  
  > My coauthors will address the remaining issues.
  > ----------------------------------------
  > #7, p5 - "The rIK is used to protect this message." Is that right?
  > How is rIK used to protect the message when the message contain
  > rIK?  I also wondered what "protect" means exactly - are the flags
  > etc. all protected and how? 
  > 
  > [Qin] I think rIK should be corrected as pIK. pIK is used to protect
  > the ERP message
  > exchanged between the peer and the EA server. MSK used for normal 
  > EAP exchange should be further derived into
  > other child keys. Alternatively, the pMSK can be derived into child 
  > keys. These child keys protect the ERP 
  > message exchanged between the peer and SAP.

  I reviewed this darft, and IMO it may be OK to let rIK unchanged, 
  since your are encapsulating AAK in ERP (am I right?), and ERP msgs are integrity protected 
  by rIK. 
  If changed to pIK, then it will another matter. 

  I am not sure what exactly is in your  mind. 

  Regards! 

  -Sujing Zhou 

  > 
  > #8, p5 - If I'm an authenticated user and I send the message at
  > step 2 to the SAP, then can I get the SAP to forward the message to
  > anything on the Internet? If not, where does it say how that's
  > controlled? I guess the SAP knows based on its config and/or the
  > authentication state of the peer but if so you should probably say
  > that?
  > 
  > [Qin]: SAP plays the role of authenticator should encapsulate the ERP message
  > into AAA message and route the AAA message based on Realm part of KeyName-NAI.
  > 
  > #15, p8 - You can only have one keyName-NAI in the message and that
  > MAY have either the home domain name or the domain name to which
  > the peer is currently attached for ite realm part.  How does anyone
  > know which to include when? Seems underspecified or missing a
  > reference?
  > 
  > [Qin]: This was discussed on the list many times. Based on the discussion,
  > we take the following way:
  > The peer should know where to send the message? If the peer
  > communicate with the home server, the peer should carry home domain name
  > in the keyName-NAI. If the peer communicate with the local server, the peer
  > should carry local domain name in the keyName-NAI.
  > The authenticator or local ER server in the path can know if the 
  > KeyName-NAI carry 
  > local domain name by comparing the domain name carried in KeyName-
  > NAI with local 
  > domain name it has already known.
  > 
  > #16, p8 - How are CAP-Identifier and "Sequence number" TLVs
  > "associated"?
  > 
  > [Qin]: Suppose multiple CAP-identifiers are carried in the ERP message,
  > the same number of Sequence number TLVs should be carried with 
  > associated CAP-identifier.
  > We can rely on the order to associate each other.
  > 
  > #18, p8 - Exactly how is the sequence number used in the
  > calculation of the pMSK for each CAP? Can these be re-used? (Across
  > reboots?) Do they need to be random? That all needs stating I
  > think.
  > 
  > [Qin]: This was discussed on the list before. The results is:
  > If we carry three CAP-Identifiers, we should also send three 
  > Sequence number TLVs 
  > with associated CAP-Identifiers. The Sequence number for each CAP 
  > MUST not be reused.
  > 
  > #20, p8 - authentication tag - where is the input to the HMAC
  > function specified? (Its not here anyway.) I think someone needs to
  > say how this is calculated. That means both the plaintext (message)
  > input (e.g. are any header bits in/excluded?) and the key input
  > (which key?). It could be that this just needs a reference if its
  > done the same as some other RFC. An example would be great to give.
  > 
  > [Qin]: We should base on HMAC mechanims specified in RFC2104,
  > Use the integrity algorithm indicated in the Cryptosuite field to 
  > calculate authentication tag value. rIK will be used for calculation.
  > The message used to calculate authentication tag should exclude authentication
  > tag field and but not exclude header bits.
  > 
  > #22, p8 - You need references for the HMAC functions.
  > 
  > [Qin] It should be RFC2104.
  > 
  > #23, p8 - Should/are the choices for cryptosuites in some IANA
  > registry?  If not, why not? If so, where?
  > 
  > [Qin] RFC5296 has already created registries for'Re-authentication
  >    Cryptosuites'. These crytosuites can be reused for ERP-AAK.
  > 
  > #36, p11 - Is it ok for "different sequence numbers" to mean "just
  > increment" or not?  Is it ok for sequence numbers to be re-used say
  > after the peer reboots?  I think you need to say. 
  > 
  > [Qin] See the above answer to #16, #18.
  > 
  > 
  > Regards!
  > -Qin
  > ----- Original Message ----- 
  > From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
  > To: <hokey@ietf.org>
  > Sent: Tuesday, November 22, 2011 2:39 AM
  > Subject: [HOKEY] AD review of draft-ietf-hokey-erp-aak
  > 
  > 
  > > 
  > > Hi all,
  > > 
  > > Here's my review of this. There are a lot of comments,
  > > but quite a few are very nitty or are things where I
  > > probably just need to be told that I don't know enough
  > > about ERP. (Which is true of course:-)
  > > 
  > > Some are non trivial however, and there are a lot of nits,
  > > so I've put this into the revised-ID-needed state.
  > > 
  > > Probably best is to handle any easy ones via email and
  > > then setup a skype chat for whatever's left. Let me
  > > know...
  > > 
  > > Cheers,
  > > S.
  > > 
  > >
  > 
  > 
  > --------------------------------------------------------------------------------
  > 
  > 
  > > _______________________________________________
  > > HOKEY mailing list
  > > HOKEY@ietf.org
  > > https://www.ietf.org/mailman/listinfo/hokey
  > >
  > _______________________________________________
  > HOKEY mailing list
  > HOKEY@ietf.org
  > https://www.ietf.org/mailman/listinfo/hokey
  > 

--------------------------------------------------------
ZTE Information Security Notice: The information contained in this mail is solely property of the sender's organization. This mail communication is confidential. Recipients named above are obligated to maintain secrecy and are not permitted to disclose the contents of this communication to others.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the originator of the message. Any views expressed in this message are those of the individual sender.
This message has been scanned for viruses and Spam by ZTE Anti-Spam system.