On Wed, Feb 11, 2009 at 01:29:34PM -0800, Bernard Aboba wrote:
> Are you suggesting that the version of EAP-MSCHAPv2 described in the document
> differs in terms of the MSK/EMSK derivation? Or are you suggesting that further
> details are needed on how padding is accomplished with respect to ISK derivation?

Former (for MSK part) as far as using EAP-MSCHAPv2 inside EAP-FAST is concerned (the document itself does not describe EAP-MSCHAPv2 MSK derivation).

> In general, ISK derivation doesn't relate to an EAP method so much as the
> tunneling method that utilizes the keys exported by the inner method. So if
> the issue is purely in the ISKs, then this doesn't really relate to
> EAP-FAST-MSCHAPv2 or EAP-MSCHAPv2 so much as to EAP-FAST provisioning
> mechanism.

What I noticed when implementing EAP-FAST and cryptobinding support for EAP-PEAPv0 is that I have to swap the order of MS-MPPE send/recv keys (i.e., swap octets 0..15 with 16..31) of the MSK from EAP-MSCHAPv2 between PEAPv0 and EAP-FAST uses in order to interoperate with other implementations. In other words, EAP-FAST and EAP-PEAPv0 (with cryptobinding) seem to use different derivation of ISK when using EAP-MSCHAPv2 as the inner method. I do not see need for similar swapping of the ISK octets with EAP-TLS as the inner method, so I would assume the difference is indeed in how the EAP-MSCHAPv2 MSK derivation is defined.

After reviewing the description of the MS-CHAPv2 key derivation, I think I ended up agreeing with the way this is done in PEAPv0+cryptobinding and the order used in deployed EAP-FAST implementations would thus not match with the EAP-MSCHAPv2 definition for MSK derivation.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
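As an added example (not part of the message above, nor code from any EAP-FAST or PEAP implementation), the following Python implements the MS-CHAPv2 key derivation from RFC 3079 (GetMasterKey and GetAsymmetricStartKey with 128-bit keys) and makes explicit the two possible 32-octet orderings of the server's MS-MPPE send/recv keys, together with the octets 0..15 / 16..31 swap the message describes. The PasswordHashHash and NTResponse values are constructed sample inputs and the function names are mine; the code takes no position on which ordering is the correct EAP-MSCHAPv2 MSK, it only lets an implementer check which candidate a peer expects as ISK when cryptobinding fails to verify.

```python
import hashlib

# Constants from RFC 3079, section 3.4 (GetMasterKey / GetAsymmetricStartKey).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = bytes(40)            # 40 octets of 0x00
SHS_PAD2 = bytes([0xF2] * 40)   # 40 octets of 0xF2
KEY_LEN = 16                    # 128-bit MPPE keys, as used by EAP-MSCHAPv2


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: first 16 octets of SHA-1(PasswordHashHash || NTResponse || Magic1)."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("PasswordHashHash is 16 octets, NTResponse is 24 octets")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:KEY_LEN]


def get_asymmetric_start_key(master_key: bytes, is_send: bool, is_server: bool) -> bytes:
    """RFC 3079 GetAsymmetricStartKey: one 16-octet MS-MPPE key from the master key.

    The magic string selects the direction; the server's send key is the client's
    receive key and vice versa.
    """
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    digest = hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:KEY_LEN]


def mppe_keys(master_key: bytes, is_server: bool):
    """(MS-MPPE-Send-Key, MS-MPPE-Recv-Key) from the given side's point of view."""
    return (get_asymmetric_start_key(master_key, True, is_server),
            get_asymmetric_start_key(master_key, False, is_server))


def swap_halves(msk: bytes) -> bytes:
    """Swap octets 0..15 with octets 16..31, the adjustment the message describes."""
    if len(msk) != 2 * KEY_LEN:
        raise ValueError("expected a 32-octet MSK")
    return msk[KEY_LEN:] + msk[:KEY_LEN]


def msk_candidates(password_hash_hash: bytes, nt_response: bytes) -> dict:
    """Both 32-octet orderings of the server-side MS-MPPE keys.

    Which of the two a tunnel method feeds into its ISK is the interoperability
    question raised in the thread; this only makes the candidates explicit.
    """
    master_key = get_master_key(password_hash_hash, nt_response)
    send_key, recv_key = mppe_keys(master_key, is_server=True)
    return {
        "send_then_recv": send_key + recv_key,
        "recv_then_send": recv_key + send_key,
    }


# Constructed sample inputs (not real credentials). In a real exchange
# PasswordHashHash is MD4(MD4(password)) and NTResponse comes from the
# MS-CHAPv2 Response packet.
SAMPLE_PASSWORD_HASH_HASH = bytes(range(0x10, 0x20))   # 16 octets
SAMPLE_NT_RESPONSE = bytes(range(0x20, 0x38))          # 24 octets

if __name__ == "__main__":
    cands = msk_candidates(SAMPLE_PASSWORD_HASH_HASH, SAMPLE_NT_RESPONSE)
    for name, msk in cands.items():
        print(f"{name}: {msk.hex()}")
    print("swapping halves maps one ordering onto the other:",
          swap_halves(cands["send_then_recv"]) == cands["recv_then_send"])
```

When two implementations disagree on the cryptobinding (or on the EAP-FAST provisioning ISK) with EAP-MSCHAPv2 inside, computing both candidates from the same MS-CHAPv2 exchange and checking which one the peer's compound MAC verifies against isolates the key-ordering question from the rest of the tunnel method.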