Issue 380: Sync with AAA Key Management Document
Submitter name: Bernard Aboba
Submitter email address: aboba internaut.com
Date Submitted: October 19, 2006
Reference:
http://www.ietf.org/internet-drafts/draft-housley-aaa-key-mgmt-04.txt
Document: KEYING-14
Comment type: Technical
Priority: S
Section: 1.2
Rationale/Explanation of issue:
The AAA Key Management document includes some definitions not in the EAP Key Management framework document. Also, there are some definitions that are not identical. Also, the AAA Key Management document references NIST SP800-57 with respect to key strength as well as BCP 86 [RFC3766].
To get the two documents in sync, I would propose the following:
Update the terminology section with the following entries:
"Key Wrap
   The encryption of one symmetric cryptographic key in another. The algorithm used for the encryption is called a key wrap algorithm or a key encryption algorithm. The key used in the encryption process is called a key-encryption key (KEK).
Secure Association Protocol
   An exchange that occurs between the EAP peer and authenticator in order to manage security associations derived from EAP exchanges. The protocol establishes unicast and multicast security associations, which include symmetric keys and a context for the use of the keys. An example of a Secure Association Protocol is the 4-way handshake defined within [802.11i].
Transient Session Keys (TSKs)
   Keys used to protect data exchanged after EAP authentication has successfully completed, using the ciphersuite negotiated between the EAP peer and authenticator.
4-Way Handshake
   A pairwise Authentication and Key Management Protocol (AKMP) defined in [802.11i], which confirms mutual possession of a Pairwise Master Key by two parties and distributes a Group Key."
Change the 3rd paragraph in Section 3.7 from:
"As noted in [RFC3766] Section 5, this results in the following required RSA or DH module and DSA subgroup size in bits, for a given level of attack resistance in bits:"
To:
"BCP 86 [RFC3766] offers advice on appropriate key sizes. The National Institute for Standards and Technology (NIST) also offers advice on appropriate key sizes in [SP800-57]. [RFC3766] Section 5 advises use of the following required RSA or DH module and DSA subgroup size in bits, for a given level of attack resistance in bits:"
Add a reference to [SP800-57]:
[SP800-57] National Institute of Standards and Technology, "Recommendation for Key Management", Special Publication 800-57, May 2006.