Chris Hessing wrote:
> 1. EAP-FAST feeds the client and server random into the TLS PRF in
> the opposite order that TTLS and PEAP do. I can't think of a good
> reason to do this. Is there some security advantage to doing this?
> If not, why require implementations to handle this case for no real
> gain?

This is something where TLS itself uses both orderings: when calculating the master secret from the pre-master secret, client random is first; when calculating the key block from master secret, server random is first. (I have no idea why, but it's been this way since the -00 draft from 1996.)

Since EAP-FAST's "session_key_seed" comes from the end of the key block, it does not change the order (so server random is first, like in TLS).

Best regards,
Pasi
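
The two orderings described in the reply above, as an added example that is not part of the original thread. It assumes the TLS 1.0 PRF from RFC 2246 and a 40-octet session_key_seed; the function names, the sample randoms and the 104-octet TLS key material length are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(name, secret, seed, n):
    """P_hash expansion (RFC 2246, section 5), truncated to n octets."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def tls10_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, n)
    sha = p_hash("sha1", s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def master_secret(pre_master, client_random, server_random):
    # Master secret: client random comes first in the seed.
    seed = client_random + server_random
    return tls10_prf(pre_master, b"master secret", seed, 48)

def key_block(master, client_random, server_random, n):
    # Key block: server random comes first in the seed.
    seed = server_random + client_random
    return tls10_prf(master, b"key expansion", seed, n)

def session_key_seed(master, client_random, server_random,
                     tls_key_len, seed_len=40):
    # EAP-FAST extends the key block and takes the octets after the
    # TLS key material, so it inherits the server-first ordering.
    # seed_len=40 is an assumption of this example.
    block = key_block(master, client_random, server_random,
                      tls_key_len + seed_len)
    return block[tls_key_len:]

# Constructed sample inputs, not taken from any real handshake.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32
TLS_KEY_LEN = 104  # assumed: 2 * (20 MAC + 16 key + 16 IV) octets

MASTER = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
SEED = session_key_seed(MASTER, CLIENT_RANDOM, SERVER_RANDOM, TLS_KEY_LEN)
```

An implementation that reuses its TTLS/PEAP client-first seed for EAP-FAST derives a different session_key_seed, so the peers fail to agree on keys rather than silently interoperating.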