Re: [Dime] [HOKEY] DiME ERP: new Application ID or not ?(non-roaming case)
Hi,
Thank you for your answer, and sorry for replying so late myself.
Qin Wu wrote:
> Hi,Sebastien:
> The MSK and EMSK both result from EAP authentication and are used to derive other keys.
> Also, both MSK and EMSK are shared between the peer and the AAA server. So the MSK has the same lifetime as the EMSK; what's more, the derived keys also have the same lifetime as the MSK or EMSK.
>
> Regarding the second question: since the keying material is established through the EAP exchange between the peer and the server and shared between those two entities, I am sure the peer and the AAA server should agree on the lifetime of these keys first. As for how long the key lifetime is, it mostly depends on the specific implementation.
>
Since ERP would use material derived from the EMSK, I guess that when
the MSK is expiring then an ERP exchange cannot occur, and therefore we
don't really have a choice here, but to use full EAP.
This brings the following conclusion (please correct me if I am wrong):
ERP is only used when the peer attaches to a new authenticator while
having a valid authentication material (EMSK).
I am not sure anyway how this is related to the {EAP or new} application
ID problem.
Best regards,
Sebastien.
--
Sebastien Decugis
Research fellow
Network Architecture Group
NICT (nict.go.jp)
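As an added illustration of the key hierarchy discussed in this thread (this is editor-supplied example code, not anything posted by Sebastien or Qin Wu, nor an implementation from the DiME/HOKEY work): the ERP re-authentication root key (rRK) is derived from the EMSK with the RFC 5295 KDF, a per-authenticator rMSK is then derived from the rRK, and the lifetime of every derived key is capped by the EMSK lifetime, which is why an ERP exchange is only possible while the EMSK is still valid. The sample EMSK, the clock values and the `erp_allowed`/`derived_key_expiry` helper names are constructed for the example; the key labels are taken from RFC 5295/5296 as I recall them and should be checked against the RFC text before use.

```python
"""Added example: EMSK -> rRK -> rMSK derivation (RFC 5295 KDF, RFC 5296 labels)
with the derived-key lifetime bounded by the EMSK lifetime."""
import hashlib
import hmac
import struct

# Labels as given in RFC 5296 (assumption: verify against the RFC before use).
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RMSK_LABEL = b"Re-authentication Master Session Key@ietf.org"

# Constructed sample EMSK (64 octets); a real EMSK comes out of the EAP method.
EMSK_SAMPLE = bytes(range(64))


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5295 PRF+ with HMAC-SHA256:
    T1 = HMAC(K, S | 0x01), Tn = HMAC(K, T(n-1) | S | n), output = T1 | T2 | ..."""
    out = b""
    prev = b""
    n = 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional: bytes, length: int) -> bytes:
    """RFC 5295 USRK KDF: KDF(K, key label | "\\0" | optional data | length),
    where length is a 2-octet unsigned integer in network byte order."""
    seed = label + b"\x00" + optional + struct.pack("!H", length)
    return prf_plus(key, seed, length)


def derive_rrk(emsk: bytes) -> bytes:
    """rRK = KDF(EMSK, rRK label | "\\0" | length), 64 octets (RFC 5296)."""
    return kdf(emsk, RRK_LABEL, b"", 64)


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """rMSK = KDF(rRK, rMSK label | "\\0" | SEQ | length); SEQ is the 2-octet
    ERP sequence number, so each re-authentication (each new authenticator)
    gets a fresh rMSK from the same rRK."""
    return kdf(rrk, RMSK_LABEL, struct.pack("!H", seq), 64)


def derived_key_expiry(emsk_expiry: int, requested_expiry: int) -> int:
    """A key derived from the EMSK can never outlive the EMSK itself."""
    return min(emsk_expiry, requested_expiry)


def erp_allowed(now: int, emsk_expiry: int) -> bool:
    """ERP needs a live EMSK (via the rRK); once it has expired, only a full
    EAP exchange can establish new keying material."""
    return now < emsk_expiry


def demo() -> dict:
    """Run the derivation chain on the constructed sample and return the results."""
    emsk_expiry = 3600          # constructed: EMSK valid for one hour
    rrk = derive_rrk(EMSK_SAMPLE)
    return {
        "rrk": rrk,
        "rmsk_seq0": derive_rmsk(rrk, 0),
        "rmsk_seq1": derive_rmsk(rrk, 1),
        "rrk_expiry": derived_key_expiry(emsk_expiry, 7200),
        "erp_ok_at_1800": erp_allowed(1800, emsk_expiry),
        "erp_ok_at_4000": erp_allowed(4000, emsk_expiry),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Run it as a script to see the rRK and the two per-sequence rMSKs; the point to notice is that `rrk_expiry` collapses to the EMSK expiry even though a longer lifetime was requested, and that `erp_allowed` flips to False once the EMSK is gone.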
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.