I think saying that
"The strength of the exported key material should not
be less than the
desired strength of the TSKs used in the lower layer."
May be sufficient, but perhaps we should add:
"The requirements of the lower layer TSK strength are
not communicated
through EAP."
> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> Sent: Monday, May 01, 2006 6:43 PM
> To: eapfrascone.com
> Subject: [eap] Re: Issue 356: Ciphersuite Independence
>
> The text of Issue 356 is given below.
>
> Section 3.7 says the following:
>
> "In order to guard against brute force attacks,
EAP methods
> supporting key
> derivation
> need to be capable of generating keying material with
an appropriate
> effective symmetric key strength. In order to ensure
that EAP key
> generation is not the weakest link, it is RECOMMENDED
that EAP methods
> utilizing public key cryptography choose a public key
that has a
> cryptographic strength meeting the symmetric key
strength
> requirement."
>
> The text is accurate as far as it goes, but it occurs
to me
> that this is not
> the complete story. Even if the EAP keying material is
of sufficient
> strength, attacks on the transient session keys might
still
> be possible.
> For example in IKEv2, EAP is not used for key
derivation, just
> authentication; key derivation is handled by IKEv2
(e.g. DH).
> If IKEv2 does
> not negotiate adequate strength for the key derivation
(e.g.
> 512-bit key for
> DH) the TSKs will be weak regardless of how strong the
EAP
> keying material
> is, since the MSK is only used for authentication, not
key
> derivation.
> Similarly in 802.16 the TSKs are generated purely by
the Base
> Station. If
> BS does not have a good random number generator, it
would be
> possible to
> crack the TSKs without having to brute force the EAP
keying
> material. So in
> both the IKEv2 and 802.16 cases, strong EAP keying
material
> is necessary,
> but not sufficient to ensure strong TSKs.
>
> Given this, I am wondering what text is appropriate
relating
> to "system
> level coordination" in Section 1.6.4. I think we
can say
> that the strength
> of the EAP keying material should not be less than the
> strength of the
> desired TSKs. But I'm not clear what we can say about
> "coordination" beyond
> that.
>
> Can someone suggest text?
>
>
------------------------------------------------------------
--
> --------------------------------------------
> Issue 356: Ciphersuite Independence
> Submitter name: Joe Salowey
> Submitter email address: jsaloweycisco.com
> Date Submitted: April 30, 2006
> Reference: http://lists.frascone.com/pipermail/eap/msg04223.html
> Document: KEYING-12
> Comment type: 'E'ditorial
> Priority: '2' May fix
> Section: 1.6.4
> Rationale/Explanation of issue:
>
> Section 3.7 implies that there is a system level
coordination between
> the strength of the keys exported by the EAP method and
the
> strength of
> keys required by the lower layer.
>
> This section should reference this and indicate that
the
> coordination is
> done outside of EAP.
>
>
>
____________________________________________________________
_____
> To unsubscribe or modify your subscription options,
please visit:
> http:/
/lists.frascone.com/mailman/listinfo/eap
>
> Arhives: http://lists.
frascone.com/pipermail/eap
>
____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap
Arhives: http://lists.
frascone.com/pipermail/eap
|