TSK Freshness: Examples

IKEv2
- EAP used only for authentication, not TSK generation
- TSKs are generated using nonces from both parties
- TSKs are unknown to EAP server even if it does not delete transported keys
- Compromise of EAP keying material does not lead to disclosure of TSKs

802.16e
- EAP keying material only used for key wrap, authentication/integrity, not TSK generation
- TSKs are generated by the EAP authenticator and transported, so EAP peer does not know TSKs are fresh
- TSKs are unknown to EAP server even if it does not delete transported keys
- Compromise of EAP keying material leads to compromise of TSKs

802.11i
- TSKs generated from EAP keying material
- Nonce exchange required to guarantee freshness if EAP keying material is cached
- TSKs are known to EAP server if it does not delete transported keys
- Compromise of EAP keying material leads to compromise of TSKs

PPP
- TSKs generated directly from EAP keying material, no nonce exchange
- EAP peer and authenticator do not mutually authenticate or identify each other
- Caching of EAP keying material is not possible since it leads to TSK reuse
- Compromise of EAP keying material reveals TSKs
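
Added example (not from the original slides): a sketch contrasting PPP-style direct derivation with an 802.11i-style nonce exchange when the same EAP keying material is cached across sessions. The HMAC-SHA256 derivation, the labels and all function names are assumptions for illustration; this is not the actual 802.11i PRF or PPP key derivation.

```python
import hashlib
import hmac
import os


def derive_direct(eap_key: bytes) -> bytes:
    """PPP-style (simplified): the TSK depends only on the EAP keying material."""
    return hmac.new(eap_key, b"TSK direct", hashlib.sha256).digest()


def derive_with_nonces(eap_key: bytes, peer_nonce: bytes, auth_nonce: bytes) -> bytes:
    """802.11i-style (simplified): both parties' nonces are mixed into the TSK."""
    # Length-prefix each nonce so the concatenated context is unambiguous.
    context = b"".join(len(n).to_bytes(2, "big") + n
                       for n in (peer_nonce, auth_nonce))
    return hmac.new(eap_key, b"TSK nonce" + context, hashlib.sha256).digest()


def run_sessions(eap_key: bytes, count: int = 3):
    """Derive TSKs for `count` sessions that all reuse one cached EAP key."""
    direct = [derive_direct(eap_key) for _ in range(count)]
    nonced = [derive_with_nonces(eap_key, os.urandom(32), os.urandom(32))
              for _ in range(count)]
    return direct, nonced


if __name__ == "__main__":
    cached_key = os.urandom(32)  # constructed stand-in for cached EAP keying material
    direct, nonced = run_sessions(cached_key)

    # No nonce exchange: every session built on the cached key gets the same TSK.
    print("direct derivation, distinct TSKs:", len(set(direct)))
    # Nonce exchange: each session gets a fresh TSK from the same cached key.
    print("nonce derivation, distinct TSKs: ", len(set(nonced)))

    # Freshness is not independence: the TSK is still a function of the EAP
    # key, so the same key and nonces always reproduce the same TSK.
    n1, n2 = os.urandom(32), os.urandom(32)
    same = derive_with_nonces(cached_key, n1, n2) == derive_with_nonces(cached_key, n1, n2)
    print("TSK recomputable from EAP key and nonces:", same)
```

The last check mirrors the 802.11i and PPP rows above: nonces prevent reuse, but the TSKs still fall if the EAP keying material does.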