Why Derive Keys? Key derivation not required in all uses EAP can be used for authentication only Where EAP methods derive keys, it is possible to “bind” the authentication to: Subsequent data packets encrypted/integrity protected with those keys Subsequent EAP methods running within a sequence The tunnel within which EAP runs To accomplish these things, it is necessary to define a “key hierarchy” |