Key Lifetime Management Transient EAP Keys (TEKs) Internal to the EAP method. Valid only for the duration of the EAP conversation. MSK, EMSK, IV Existing attributes (e.g. Session-Timeout) define the lifetime of a key that is in use. In EAP, not possible to re-key the exported keys without re-authentication (but can re-key the TSKs) Exported keys may be cached prior to session start (pre-authentication), and may continue to live after the session has ended. AAA-Key may be cached on the authenticator EMSK may be cached on the AAA server Calculated keys The lifetime of keys calculated from key material exported by EAP methods can be no larger than the lifetime of the exported keying material. |