On Thu, 19 Jun 2025 at 22:36, Alan DeKok <alan.dekok= [email protected]> wrote:
> Just reviewing it yet again, both RFC 7170 and 7170bis have the
> following text for the Crypto-Binding TLV:
>
> Nonce
>
> > The Nonce field is 32 octets. It contains a 256-bit nonce that is
> > temporally unique, used for Compound-MAC key derivation at each
> > end. The nonce in a request MUST have its least significant bit
> > set to zero (0), and the nonce in a response MUST have the same
> > value as the request nonce except the least significant bit MUST
> > be set to one (1).
>
> Except that the Nonce is *not* used for the Compound-MAC key derivation
> at each end.
>
> Do implementations set / check the Nonce field as discussed above?
> Would it make sense to just ignore this field?

See section '5.3. Computing the Compound MAC' in the original TEAP RFC and step 1 therein.

https://datatracker.ietf.org/doc/html/rfc7170#section-5.3

   1  The entire Crypto-Binding TLV attribute with both the EMSK and MSK Compound MAC fields zeroed out.

This could be clarified to say something like this:

   1  The entire Crypto-Binding TLV attribute with both the EMSK and MSK Compound MAC fields zeroed out. Nonce is used untouched.

If I flip a bit in received or sent nonce right when it's packed into a message, I see, for example, in eapol_test this before failure:

EAP-TEAP: MSK Compound MAC did not match

Or do you mean something else about nonce?

-- 
Heikki Vatiainen
[email protected]
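An added illustration, not part of the original message and not code from hostap or the RFC, of the behaviour described in the reply: the Nonce lies inside the Crypto-Binding TLV that is MACed with only the two Compound MAC fields zeroed, so a flipped nonce bit makes the MSK Compound MAC check fail. Assumptions: HMAC-SHA256 truncated to the 20-octet field stands in for the negotiated MAC, the CMK and nonce are constructed values, the MAC input is reduced to step 1 only (EAP type and Outer TLVs omitted), and the nonce's least significant bit is taken to be the low bit of its last octet.

```python
import hashlib
import hmac
import struct

TLV_TYPE_CRYPTO_BINDING = 12      # Crypto-Binding TLV type in RFC 7170
MAC_LEN = 20                      # size of each Compound MAC field
NONCE_OFF = 8                     # 4-octet TLV header + Reserved/Version/Received-Ver/Flags|Sub-Type
EMSK_OFF = NONCE_OFF + 32         # EMSK Compound MAC follows the 32-octet Nonce
MSK_OFF = EMSK_OFF + MAC_LEN      # MSK Compound MAC is the last field

def build_tlv(nonce, sub_type):
    """Pack a Crypto-Binding TLV with both Compound MAC fields zeroed."""
    flags = 2                     # MSK Compound MAC present
    value = struct.pack("!BBBB", 0, 1, 1, (flags << 4) | sub_type)
    value += nonce + bytes(2 * MAC_LEN)
    return struct.pack("!HH", 0x8000 | TLV_TYPE_CRYPTO_BINDING, len(value)) + value

def compound_mac(cmk, tlv):
    """MAC over the whole TLV, Nonce included, with both MAC fields zeroed."""
    zeroed = tlv[:EMSK_OFF] + bytes(2 * MAC_LEN)
    return hmac.new(cmk, zeroed, hashlib.sha256).digest()[:MAC_LEN]

def seal(cmk, nonce, sub_type):
    """Build the TLV and fill in the MSK Compound MAC field."""
    tlv = build_tlv(nonce, sub_type)
    return tlv[:MSK_OFF] + compound_mac(cmk, tlv)

def verify(cmk, tlv):
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(tlv[MSK_OFF:MSK_OFF + MAC_LEN], compound_mac(cmk, tlv))

def response_nonce_ok(request_nonce, response_nonce):
    """Response nonce must equal the request nonce with the low bit set to 1."""
    expected = request_nonce[:-1] + bytes([request_nonce[-1] | 0x01])
    return request_nonce[-1] & 0x01 == 0 and response_nonce == expected

def flip_nonce_bit(tlv, bit=0):
    """Simulate tampering: flip one bit in the last Nonce octet on the wire."""
    buf = bytearray(tlv)
    buf[NONCE_OFF + 31] ^= 1 << bit
    return bytes(buf)

def demo():
    cmk = bytes(range(20))                    # constructed key, not a derived CMK
    nonce = bytes(range(31)) + b"\x00"        # constructed request nonce, low bit 0
    request = seal(cmk, nonce, 0)             # Sub-Type 0 = Binding Request
    return verify(cmk, request), verify(cmk, flip_nonce_bit(request))

if __name__ == "__main__":
    print(demo())
```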
