Thread: Strawman -10/EMSK deletion requirement?




Strawman -10/EMSK deletion requirement?
2006-03-09 17:09:23
Jari Arkko <mailto:jari.arkkopiuha.net> supposedly scribbled:

> Glen Zorn (gwz) wrote:
>
>> Joseph Salowey (jsalowey) <> supposedly scribbled:
>>
>>> The EMSK is the root of all AMSKs, so a compromise of the EMSK
>>> compromises all AMSKs.  Therefore I would like to see the EMSK
>>> protected as much as possible.  Once the EMSK is securely deleted
>>> it cannot be compromised.
>>
>> OK, but is that not equally true of Jari's proposed AMSK_root_0
>> approach?
>
> The problem is that since EMSK is the root, its compromise will lead
> to the compromise of all derived keys. This also holds locally for
> the AMSK_root_0 approach. That is, if AMSK_root_0 is compromised then
> any keys derived from that root are compromised (but not keys in
> other apps).

I guess I'm just confused, then (not a first!).  I thought
that the major problem was that it is basically impossible
to know which (if any) _applications_ a person would choose to
use during a session.  If that is accurate, I can't really
see how the AMSK_root_0 approach solves the problem.  If
that's not the problem, what is?

> 
> --Jari

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Archives: http://lists.frascone.com/pipermail/eap
Strawman -10/EMSK deletion requirement?
2006-03-09 18:01:12
Glen Zorn (gwz) wrote:

>> The problem is that since EMSK is the root, its compromise will lead
>> to the compromise of all derived keys. This also holds locally for
>> the AMSK_root_0 approach. That is, if AMSK_root_0 is compromised then
>> any keys derived from that root are compromised (but not keys in
>> other apps).
>
> I guess I'm just confused, then (not a first!).  I thought that the
> major problem was that it is basically impossible to know which (if
> any) _applications_ a person would choose to use during a session.
> If that is accurate, I can't really see how the AMSK_root_0 approach
> solves the problem.  If that's not the problem, what is?

Oh. Maybe I was confused. AMSK_root_0 does not solve that
problem. It solves the problem that if your application requires
multiple keys (as in fast handoff to AP2, AP3, etc) then you still
only need one AMSK from the EMSK for the application. That
AMSK_root_0 can then be used to generate all the keys that
the application in question needs.

--Jari
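
The key hierarchy discussed in this thread, as an added example that is not part of either message or of any draft text: one AMSK_root_0 per application is derived from the EMSK, per-AP keys are derived from that root, and the EMSK is then overwritten. HMAC-SHA256 as the derivation function, the label strings, the application names and all function names are assumptions made for illustration, and the EMSK is a constructed random value.

```python
import hashlib
import hmac
import os


def kdf(parent: bytes, label: str) -> bytes:
    """One-way child-key derivation. HMAC-SHA256 is an assumption made
    for this example; the thread does not name a KDF."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()


class Session:
    def __init__(self, emsk: bytes):
        self._emsk = bytearray(emsk)  # mutable so it can be overwritten
        self.deleted = False

    def amsk_root(self, app: str) -> bytes:
        """Derive the single per-application root (AMSK_root_0) from the EMSK."""
        if self.deleted:
            raise RuntimeError("EMSK deleted: no AMSK for a new application")
        return kdf(bytes(self._emsk), "AMSK_root_0|" + app)

    def delete_emsk(self) -> None:
        """Overwrite the EMSK buffer (best effort in Python); derived roots stay usable."""
        for i in range(len(self._emsk)):
            self._emsk[i] = 0
        self.deleted = True


def demo() -> dict:
    session = Session(os.urandom(64))  # constructed EMSK
    handoff_root = session.amsk_root("handoff")  # hypothetical app labels
    other_root = session.amsk_root("other-app")
    ap_keys = {ap: kdf(handoff_root, ap) for ap in ("AP2", "AP3")}
    session.delete_emsk()
    # The application keeps deriving per-AP keys from its root without the EMSK.
    ap4_after_delete = kdf(handoff_root, "AP4")
    # Whoever holds the handoff root can recompute that application's keys...
    recomputed = kdf(handoff_root, "AP2") == ap_keys["AP2"]
    # ...but the same label under the other app's root gives an unrelated key.
    cross_app = kdf(other_root, "AP2") == ap_keys["AP2"]
    # The question raised above: an application chosen after deletion.
    try:
        session.amsk_root("late-app")
        late_app_ok = True
    except RuntimeError:
        late_app_ok = False
    return {"recomputed": recomputed, "cross_app": cross_app,
            "late_app_ok": late_app_ok, "ap4_len": len(ap4_after_delete)}
```
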


