Thread: Issue 380: Sync with AAA Key Management Document

Issue 380: Sync with AAA Key Management Document
user name
2006-10-20 16:20:42
Looks good to me too, except that the SAP should not read that it establishes multicast SAs, I believe in 802.11i that's optional. Perhaps something like

"The protocol establishes unicast and optionally multicast security
associations, which include symmetric keys and a context for..."

Michaela

----- Original Message ----
From: Jari Arkko <jari.arkkopiuha.net>
To: Bernard Aboba <bernard_abobahotmail.com>
Cc: eapfrascone.com
Sent: Friday, October 20, 2006 2:45:53 AM
Subject: Re: [eap] Issue 380: Sync with AAA Key Management Document

Looks good to me.

--Jari

Bernard Aboba wrote:
> Issue 380: Sync with AAA Key Management Document
> Submitter name: Bernard Aboba
> Submitter email address: abobainternaut.com
> Date Submitted: October 19, 2006
> Reference:
> http://www.ietf.org/internet-drafts/draft-housley-aaa-key-mgmt-04.txt
> Document: KEYING-14
> Comment type: Technical
> Priority: S
> Section: 1.2
> Rationale/Explanation of issue:
>
> The AAA Key Management document includes some definitions
> not in the EAP Key Management framework document. Also, there are some
> definitions that are not identical. Also, the AAA Key Management
> document references NIST SP800-57 with respect to key strength as well as
> BCP 86 [RFC3766].
>
> To get the two documents in sync, I would propose the following:
> Update the terminology section with the following entries:
>
> "Key Wrap
> The encryption of one symmetric cryptographic key in another.
> The algorithm used for the encryption is called a key wrap
> algorithm or a key encryption algorithm. The key used in the
> encryption process is called a key-encryption key (KEK).
>
> Secure Association Protocol
> An exchange that occurs between the EAP peer and authenticator
> in order to manage security associations derived from EAP
> exchanges. The protocol establishes unicast and multicast security
> associations, which include symmetric keys and a context for
> the use of the keys. An example of a Secure Association
> Protocol is the 4-way handshake defined within [802.11i].
>
> Transient Session Keys (TSKs)
> Keys used to protect data exchanged after EAP
> authentication has successfully completed, using the
> ciphersuite negotiated between the EAP peer and authenticator.
>
> 4-Way Handshake
> A pairwise Authentication and Key Management Protocol (AKMP)
> defined in [802.11i], which confirms mutual possession of a
> Pairwise Master Key by two parties and distributes a Group Key."
>
> Change the 3rd paragraph in Section 3.7 from:
>
> " As noted in [RFC3766] Section 5, this results in the following
> required RSA or DH module and DSA subgroup size in bits, for a given
> level of attack resistance in bits:"
>
> To:
>
> "BCP 86 [RFC3766] offers advice on appropriate key sizes. The National
> Institute for Standards and Technology (NIST) also offers
> advice on appropriate key sizes in [SP800-57].
>
> [RFC3766] Section 5 advises use of the following
> required RSA or DH module and DSA subgroup size in bits, for a given
> level of attack resistance in bits:"
>
> Add a reference to [SP800-57]:
>
> [SP800-57]  National Institute of Standards and Technology,
> "Recommendation for Key Management", Special Publication 800-57, May 2006.


_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Archives: http://lists.frascone.com/pipermail/eap


Issue 380: Sync with AAA Key Management Document
user name
2006-10-20 16:38:48
Good catch.


>From: "M. Vanderveen" <mvandervnyahoo.com>
>To: Jari Arkko <jari.arkkopiuha.net>, Bernard Aboba <bernard_abobahotmail.com>
>CC: eapfrascone.com
>Subject: Re: [eap] Issue 380: Sync with AAA Key Management Document
>Date: Fri, 20 Oct 2006 09:20:42 -0700 (PDT)


Issue 380: Sync with AAA Key Management Document
user name
2006-10-22 14:11:50
There is one more definition in the AAA Key Management document, that is not in the Keying Framework:

Lower Layer Identity
     A name used to identify the EAP peer and authenticator within the
     lower layer.


>From: "Bernard Aboba" <bernard_abobahotmail.com>
>To: mvandervnyahoo.com, jari.arkkopiuha.net
>CC: eapfrascone.com
>Subject: Re: [eap] Issue 380: Sync with AAA Key Management Document
>Date: Fri, 20 Oct 2006 09:38:48 -0700
>
>Good catch.


Issue 380: Sync with AAA Key Management Document
user name
2006-10-22 14:29:25
Found yet another one:

Key Scope
The parties to whom a key is available.


