I think we still have an open issue with 5128.  The following resolutions
differ from what is currently in RFC7170bis.  Please review the text
changes below and indicate if it aligns with implementation and
discussion.

Thanks,

Joe

The definition of the TLS-PRF is given in 5246 as:

PRF(secret, label, seed) = P_<hash>(secret, label | seed)

This construction only defines 3 parameters and does not define a length.
I don't think current implementations include the length as an input to the
key derivation so I think the following is the correct resolution:

Original Text (Section 5.2):

The derivation
   of S-IMCK is as follows:

      S-IMCK[0] = session_key_seed
      For j = 1 to n-1 do
           IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
                IMSK[j], 60)
           S-IMCK[j] = first 40 octets of IMCK[j]
           CMK[j] = last 20 octets of IMCK[j]

   where TLS-PRF is the PRF negotiated as part of TLS handshake
   [RFC5246].

Corrected Text (Section 5.2):

The derivation of S-IMCK is as follows:

      S-IMCK[0] = session_key_seed
      For j = 1 to n-1 do
           IMCK[j] = the first 60 octets of TLS-PRF(S-IMCK[j-1],
              "Inner Methods Compound Keys", IMSK[j])
           S-IMCK[j] = first 40 octets of IMCK[j]
           CMK[j] = last 20 octets of IMCK[j]

      The TLS-PRF is defined in [RFC5246] as

        PRF(secret, label, seed) = P_<hash>(secret, label | seed),

      where "|" denotes concatenation.

      The secret is S-IMCK[j-1], the label is the ASCII value for the
      text "Inner Methods Compound Keys" without quotes,
      and the seed consists of IMSK[j].

In addition, there are similar corrections to Section 5.3.

Original Text:

 MSK and EMSK are generated as part of the IMCKn key hierarchy as
   follows:

      MSK  = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
      EMSK = TLS-PRF(S-IMCK[j],
           "Extended Session Key Generating Function", 64)

   where j is the number of the last successfully executed inner EAP
   method.

New Text (Section 5.3):

      MSK = the first 64 octets of TLS-PRF(S-IMCK[j],
           "Session Key Generating Function")
      EMSK = the first 64 octets of TLS-PRF(S-IMCK[j],
           "Extended Session Key Generating Function")

      The TLS-PRF is defined in
      [RFC5246] as

        PRF(secret, label, seed) = P_<hash>(secret, label | seed),

      where "|" denotes concatenation.

     The secret is S-IMCK[j]  where j is the number of the last generated
     S-IMCK from section 5.2.  The label is the ASCII value for the
     string without quotes.  The seed is empty (0 length) and omitted from
     the derivation.
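The proposed Section 5.2 and 5.3 derivations, written out as an added example (not part of the original message and not taken from any TEAP implementation). It assumes SHA-256 as the negotiated PRF hash; the function names and the input values are constructed for illustration. The point it shows is that P_<hash> is an output stream, so "the first 60 octets" is a truncation and the length never enters the HMAC input.

```python
import hashlib
import hmac

# Constructed sample inputs (not from any real exchange).
SEED = bytes(range(40))               # session_key_seed
IMSKS = [b"\x11" * 32, b"\x22" * 32]  # IMSK[1], IMSK[2]


def p_hash(secret: bytes, seed: bytes, n: int, hash_name: str = "sha256") -> bytes:
    """RFC 5246 P_<hash>: HMAC output stream, truncated to the first n octets."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hash_name).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:n]                                      # n only selects a prefix


def tls_prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label | seed), first n octets."""
    return p_hash(secret, label + seed, n)


def derive(session_key_seed: bytes, imsks: list):
    """Run the S-IMCK chain over each IMSK, then derive MSK and EMSK."""
    s_imck = session_key_seed                           # S-IMCK[0]
    cmks = []
    for imsk in imsks:
        imck = tls_prf(s_imck, b"Inner Methods Compound Keys", imsk, 60)
        s_imck = imck[:40]                              # first 40 octets
        cmks.append(imck[40:])                          # last 20 octets
    # Section 5.3: the seed is empty, so only the label feeds P_<hash>.
    msk = tls_prf(s_imck, b"Session Key Generating Function", b"", 64)
    emsk = tls_prf(s_imck, b"Extended Session Key Generating Function", b"", 64)
    return s_imck, cmks, msk, emsk


if __name__ == "__main__":
    s_imck, cmks, msk, emsk = derive(SEED, IMSKS)
    print("S-IMCK[n]:", s_imck.hex())
    for j, cmk in enumerate(cmks, start=1):
        print(f"CMK[{j}]:", cmk.hex())
    print("MSK: ", msk.hex())
    print("EMSK:", emsk.hex())
```

An implementation that instead mixed the requested length into the HMAC input would derive different keys from the same inputs, which is the interoperability risk the corrected text removes.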