Just to make sure I understand this: You are saying that in addition to the interoperability issues described in Tim's note with respect to the EAP-FAST-MSCHAPv2, that this document also does not conform to the key derivation specified in EAP MS-CHAPv2, and that as a result it can't interoperate with existing implementations of EAP MS-CHAPv2, for regular non-provisioning uses?
> Date: Wed, 11 Feb 2009 22:58:11 +0000
> From: da...@mitton.com
> To: j...@w1.fi
> CC: bernard_ab...@hotmail.com; emu@ietf.org
> Subject: Re: Re: [Emu] Key derivation differences
>
> Earlier, I felt like asking if there were any independently developed
> implementations of EAP-FAST, now I see one.
>
> And we see what gets discovered when you attempt interoperability testing with
> real running code.
>
> Dave.
>
> Feb 11, 2009 05:13:19 PM, j...@w1.fi wrote:
>
> On Wed, Feb 11, 2009 at 01:29:34PM -0800, Bernard Aboba wrote:
>> Are you suggesting that the version of EAP-MSCHAPv2 described in the
>> document differs in terms of the MSK/EMSK derivation? Or are you suggesting
>> that further details are needed on how padding is accomplished with respect
>> to ISK derivation?
>
> Former (for MSK part) as far as using EAP-MSCHAPv2 inside EAP-FAST is
> concerned (the document itself does not describe EAP-MSCHAPv2 MSK
> derivation).
>
>> In general, ISK derivation doesn't relate to an EAP method so much as the
>> tunneling method that utilizes the keys exported by the inner method. So if
>> the issue is purely in the ISKs, then this doesn't really relate to
>> EAP-FAST-MSCHAPv2 or EAP-MSCHAPv2 so much as to EAP-FAST provisioning
>> mechanism.
>
> What I noticed when implementing EAP-FAST and cryptobinding support for
> EAP-PEAPv0 is that I have to swap the order of MS-MPPE send/recv keys
> (i.e., swap octets 0..15 with 16..31) of the MSK from EAP-MSCHAPv2
> between PEAPv0 and EAP-FAST uses in order to interoperate with other
> implementations.
>
> In other words, EAP-FAST and EAP-PEAPv0 (with cryptobinding) seem to use
> different derivation of ISK when using EAP-MSCHAPv2 as the inner method.
> I do not see need for similar swapping of the ISK octets with EAP-TLS as
> the inner method, so I would assume the difference is indeed in how the
> EAP-MSCHAPv2 MSK derivation is defined. After reviewing the description
> of the MS-CHAPv2 key derivation, I think I ended up agreeing with the
> way this is done in PEAPv0+cryptobinding and the order used in deployed
> EAP-FAST implementations would thus not match with the EAP-MSCHAPv2
> definition for MSK derivation.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
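The octet swap Jouni describes in the quoted message, as an added illustration that is not code from the thread or from any EAP-FAST or PEAP implementation. The MSK bytes are constructed, the "send key first" layout of the inner MSK and the two convention names (`peapv0`, `eap-fast-deployed`) are assumptions made only to model the two orderings the thread contrasts, and the check at the end shows why two endpoints that disagree on the ordering cannot derive a matching ISK with EAP-MSCHAPv2 inside, while EAP-TLS inside is unaffected.

```python
# Constructed 64-octet MSK standing in for what an inner EAP-MSCHAPv2 run
# would export; the values are arbitrary and not taken from any real exchange.
# Assumption for this illustration only: send key occupies octets 0..15 and
# receive key octets 16..31, with the remainder zero-padded.
SEND_KEY = bytes(range(0x00, 0x10))      # MS-MPPE-Send-Key, 16 octets
RECV_KEY = bytes(range(0x10, 0x20))      # MS-MPPE-Recv-Key, 16 octets
MSK = SEND_KEY + RECV_KEY + bytes(32)    # 64 octets in total

# Hypothetical names for the two ISK orderings the thread contrasts.
ORDER_PEAPV0 = "peapv0"
ORDER_EAP_FAST_DEPLOYED = "eap-fast-deployed"


def swap_mppe_halves(msk: bytes) -> bytes:
    """Return the MSK with octets 0..15 and 16..31 exchanged, rest untouched.

    This is the adjustment described in the thread: swapping the MS-MPPE
    send/recv key halves of the EAP-MSCHAPv2 MSK between the PEAPv0
    cryptobinding and deployed EAP-FAST conventions.
    """
    if len(msk) < 32:
        raise ValueError("MSK must carry at least 32 octets (two 16-octet MPPE keys)")
    return msk[16:32] + msk[0:16] + msk[32:]


def isk_from_msk(msk: bytes, inner_method: str, convention: str) -> bytes:
    """Take the 32-octet ISK a tunnel method derives from the inner MSK.

    Modelled on the thread: only EAP-MSCHAPv2 as inner method is subject to
    the ordering difference; EAP-TLS as inner method needs no swap under
    either convention.
    """
    if convention not in (ORDER_PEAPV0, ORDER_EAP_FAST_DEPLOYED):
        raise ValueError(f"unknown ISK ordering convention: {convention!r}")
    if inner_method == "EAP-MSCHAPv2" and convention == ORDER_EAP_FAST_DEPLOYED:
        return swap_mppe_halves(msk)[:32]
    return msk[:32]


def peers_agree(msk: bytes, inner_method: str, peer_conv: str, server_conv: str) -> bool:
    """True when a peer and a server using the given conventions derive the
    same ISK, i.e. their cryptobinding material could possibly match."""
    return isk_from_msk(msk, inner_method, peer_conv) == isk_from_msk(msk, inner_method, server_conv)


if __name__ == "__main__":
    for inner in ("EAP-MSCHAPv2", "EAP-TLS"):
        ok = peers_agree(MSK, inner, ORDER_PEAPV0, ORDER_EAP_FAST_DEPLOYED)
        print(f"{inner:13s} inner, mixed conventions: ISK {'matches' if ok else 'differs'}")
```

Applying the swap twice restores the original MSK, so an implementation that supports both tunnels only needs one well-placed call on the inner method's output; what matters for interoperability is that both endpoints pick the same ordering for a given tunnel.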