A new version of the draft draft-urien-eap-smartcard has been posted to the IETF
and is available at
http://www.ietf.org/internet-drafts/draft-urien-eap-smartcard-10.txt
In this new version we introduce two new services: the first (Get-Exported-Parameter, section 7.15)
is used to collect exported parameters, the second securely computes AMSK keys (section 7.16)
(see details below).
Best Regards
Pascal Urien
http://www.infres.enst.fr/~urien/openeapsmartcard/
7.15 Get-Exported-Parameter

Status: Optional. Security: Secure(BEARER)

According to [EAP-KEY], EAP methods export a set of parameters that MAY be used by other EAP layers. In this draft, each attribute is identified by an index, and is read thanks to the Get-Exported-Parameter(index) command. Six indexes are defined, associated with the following attributes:

Index 1: Peer-ID. The peer identity authenticated by the EAP method.

Index 2: Server-ID. The optional server identity, authenticated by the EAP method.

Index 3: Method-ID. EAP method specifications deriving keys MUST specify a temporally unique method identifier known as the Method-ID.

Index 4: Session-ID. The Session-ID uniquely identifies an EAP session between an EAP peer (as identified by the Peer-ID) and server (as identified by the Server-ID).

Index 5: Key-Lifetime. While EAP itself does not support key lifetime negotiation, it is possible to specify methods that do.

Index 6: Channel Bindings. Channel Bindings include lower layer parameters that are verified for consistency between the EAP peer and server. In order to avoid introducing media dependencies, EAP methods that transport Channel Binding data MUST treat this data as opaque octets.

7.16 Get-AMSK

According to [RFC 4017], the EMSK is "additional keying material derived between the EAP client and server that is exported by the EAP method. The EMSK is at least 64 octets in length. The EMSK is not shared with the authenticator or any other third party. The EMSK is reserved for future uses that are not yet defined". It has been suggested in [EAP-EXT] to derive Application-specific Master Session Keys (AMSKs) from the EMSK. As an illustration, an AMSK MAY be obtained by a Key Derivation Function (KDF), such as

AMSK = KDF(EMSK, label, length)

The Get-AMSK(index, label) command is used to compute an AMSK key, identified by an index and optionally associated with a label needed for its calculation.
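The following toy model of the two commands above is an added illustration for this post; it is not code from the draft or from the OpenEapSmartcard project. It shows the property that matters for Get-AMSK: the EMSK stays on the card, and the terminal only ever receives exported parameters (by index 1 to 6) and derived AMSKs. The draft only states AMSK = KDF(EMSK, label, length); the concrete KDF used here (an HMAC-SHA256 PRF+ over label | 0x00 | optional data | length, in the style of RFC 5295), the binding of the AMSK index into the derivation as optional data, and all sample values are assumptions made for the example.

```python
"""
Toy card-side model of Get-Exported-Parameter (section 7.15) and Get-AMSK (section 7.16)
from draft-urien-eap-smartcard-10. Added example, not the draft's or the project's code.
Assumptions: HMAC-SHA256 PRF+ as the KDF, RFC 5295-style input layout, AMSK index bound
into the derivation as optional data, 16-bit length field.
"""
import hashlib
import hmac
import struct

# Section 7.15: six indexes, one per exported attribute.
EXPORTED_PARAMETERS = {
    1: "Peer-ID",
    2: "Server-ID",
    3: "Method-ID",
    4: "Session-ID",
    5: "Key-Lifetime",
    6: "Channel-Bindings",
}

EMSK_MIN_LEN = 64  # RFC 4017: the EMSK is at least 64 octets


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """PRF+ (assumed, RFC 5295 style): T(i) = HMAC-SHA256(key, T(i-1) | data | i), i = 1, 2, ..."""
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + data + bytes([i]), hashlib.sha256).digest()
        out += prev
        i += 1
    return out[:length]


def kdf(emsk: bytes, label: bytes, length: int, optional_data: bytes = b"") -> bytes:
    """AMSK = KDF(EMSK, label, length); input layout label | 0x00 | optional data | length (16-bit BE)."""
    if len(emsk) < EMSK_MIN_LEN:
        raise ValueError("EMSK must be at least 64 octets")
    if not 1 <= length <= 0xFFFF:
        raise ValueError("length must fit in 16 bits")
    data = label + b"\x00" + optional_data + struct.pack(">H", length)
    return prf_plus(emsk, data, length)


class EapSmartCard:
    """Card side: holds the EMSK and the exported parameters. No command returns the EMSK."""

    def __init__(self, emsk: bytes, exported: dict):
        if len(emsk) < EMSK_MIN_LEN:
            raise ValueError("EMSK must be at least 64 octets")
        self._emsk = emsk  # private to the card; never leaves it
        # Keep only the six defined indexes; values are stored as opaque octets.
        self._exported = {i: bytes(v) for i, v in exported.items() if i in EXPORTED_PARAMETERS}

    def get_exported_parameter(self, index: int) -> bytes:
        """Get-Exported-Parameter(index): return the attribute as opaque octets (empty if not exported)."""
        if index not in EXPORTED_PARAMETERS:
            raise ValueError(f"unknown exported parameter index {index}")
        # Optional attributes (e.g. Server-ID) may be absent; Channel Bindings are never interpreted here.
        return self._exported.get(index, b"")

    def get_amsk(self, index: int, label: bytes = b"", length: int = 64) -> bytes:
        """Get-AMSK(index, label): derive an AMSK on the card; only the derived key is returned."""
        if not 0 <= index <= 0xFFFF:
            raise ValueError("AMSK index must fit in 16 bits")
        # Assumption: the index is mixed in as optional data, so two applications that happen
        # to pass the same label still get independent keys.
        return kdf(self._emsk, label, length, struct.pack(">H", index))


def demo():
    """Terminal-side flow with constructed values: read Peer-ID and Session-ID, then request an AMSK."""
    emsk = bytes(range(64))  # constructed EMSK; on a real card it comes from the EAP method
    card = EapSmartCard(emsk, {1: b"alice@example.org", 4: b"\x17" + b"\x42" * 32})
    peer_id = card.get_exported_parameter(1)
    session_id = card.get_exported_parameter(4)
    amsk = card.get_amsk(1, b"app-key@example.org")
    return peer_id, session_id, amsk


if __name__ == "__main__":
    pid, sid, key = demo()
    print("Peer-ID:", pid, "Session-ID:", sid.hex(), "AMSK:", key.hex())
```

The terminal never sees the EMSK: every key it obtains is a KDF output bound to the label and index it supplied, which is the point of computing AMSKs inside the card rather than exporting the EMSK to the host.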
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
