> From: Raghu [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 11, 2002 11:29 PM
> 
> Currently Dynamic WEP key generation is done using EAP/TLS.
> The sequence for Dynamic WEP key generation is
> 
> 1. AS and Supplicant independently generate a
>    Session Secret based on the Master Secret.
>    AS sends this Session Secret to AP in MS-MPPE-..
>    attributes.
> 
> 2. AP generates Unicast(Session) key and encrypts it
>    using Session Secret and sends it to the supplicant.
>    (Broadcast/default key is the same for all
>     stations within a broadcast domain. If this is
>     not the case then the AP also generates the Broadcast
>     key, encrypts it using the Session Secret and sends it
>     to the supplicant)

I think I confused you a bit regarding the broadcast key.
The broadcast key needs to be sent to the supplicant whether
it is individual to that STA or common to all STAs in the
BSS (which I think it always is). A better description of
step two could be:

2. AP generates Unicast(Session) key. The unicast key
   and the broadcast/default key of the BSS are
   encrypted using the Session Secret and sent to the
   supplicant in separate EAPOL-Key messages.
   
> 3. Supplicant decrypts the Unicast and/or Broadcast key
>    using the generated Session Secret (from step 1)
> 
> Please confirm, if we are on the same page or not.

This seems correct to me (with above comment).
 
> That is a pretty good description.
> Do you mind, if I place this in EAP documentation?

I don't mind at all. Does that mean that you are also including the
patch? The description above is kind of meaningless without the code.
 
> My question is, if EAPOL-Key messages are to be deprecated then the
> purpose/advantage of your patch is lost, as the Secret sharing between
> AS & AP is no longer required.
> What is your opinion?

If the EAPOL-Key message is deprecated (which I personally am not
worried about) then a new mechanism for distributing WEP keys is
needed and that mechanism would then have to be implemented. In my
opinion this would result in a new 802.1x/802.11/EAP mechanism
that is no longer EAP-TLS (it wouldn't even be 802.1x in its current
form; EAPOL-Key is part of that standard, §7.6).

Best regards,

Henrik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
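The three steps agreed on above (independent derivation of the session secret, AP wrapping the unicast and broadcast keys in separate EAPOL-Key messages, supplicant unwrapping them) as one runnable exchange. This is an added example written for this page; it is not Henrik's patch, nor FreeRADIUS code. It assumes the RFC 2716 key derivation (TLS 1.0 PRF, label "client EAP encryption") for step 1, the convention that the first 32 bytes of that key material (MS-MPPE-Recv-Key) encrypt the WEP keys and the next 32 (MS-MPPE-Send-Key) sign the frames, and the 802.1X-2001 §7.6 RC4 key descriptor layout for the EAPOL-Key frame. All function names, the master secret, randoms and WEP keys are constructed for the example.

```python
import hmac
import os
import struct

# Step 1: the AS and the supplicant each derive the session secret from the TLS
# master secret (RFC 2716: TLS 1.0 PRF, label "client EAP encryption", seed
# client_random + server_random). Nothing secret crosses the air here; the AS
# hands its copy to the AP in the MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes.

def _p_hash(algo, secret, seed, length):
    """TLS 1.0 P_hash expansion (RFC 2246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:length]

def tls_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = _p_hash("md5", secret[:half], label + seed, length)
    sha = _p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))

def eap_tls_session_keys(master_secret, client_random, server_random):
    """Return (encr_key, sign_key). Assumption (common 802.1X practice): the first 32
    bytes of key material (MS-MPPE-Recv-Key) encrypt the WEP keys, the next 32
    (MS-MPPE-Send-Key) sign the EAPOL-Key frames."""
    km = tls_prf(master_secret, b"client EAP encryption", client_random + server_random, 64)
    return km[:32], km[32:]

# Step 2: the AP wraps each WEP key in its own EAPOL-Key frame (802.1X-2001 section 7.6,
# descriptor type 1): RC4 under IV || encr_key, HMAC-MD5 signature under sign_key.

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

EAPOL_VERSION, EAPOL_KEY, DESC_RC4 = 1, 3, 1
HDR = "!BH8s16sB16s"   # descriptor, key length, replay counter, IV, key index, signature
KEY_UNICAST = 0x80     # key-index bit 7: 1 = unicast (session) key, 0 = broadcast/default key

def build_eapol_key(encr_key, sign_key, wep_key, index, unicast, replay, iv=None):
    iv = iv or os.urandom(16)
    enc = rc4(iv + encr_key, wep_key)
    flags = (KEY_UNICAST if unicast else 0) | (index & 0x03)
    body = struct.pack(HDR, DESC_RC4, len(wep_key), replay, iv, flags, bytes(16)) + enc
    frame = struct.pack("!BBH", EAPOL_VERSION, EAPOL_KEY, len(body)) + body
    sig = hmac.new(sign_key, frame, "md5").digest()   # signed with the signature field zeroed
    return frame[:32] + sig + enc

# Step 3: the supplicant checks the frame before trusting the key it carries.

def process_eapol_key(frame, encr_key, sign_key, last_replay=bytes(8)):
    """Return (index, unicast, wep_key); raise ValueError on anything suspicious."""
    if len(frame) < 48 or frame[1] != EAPOL_KEY or struct.unpack("!H", frame[2:4])[0] != len(frame) - 4:
        raise ValueError("not a well-formed EAPOL-Key frame")
    desc, klen, replay, iv, flags, sig = struct.unpack(HDR, frame[4:48])
    if desc != DESC_RC4:
        raise ValueError("unsupported key descriptor %d" % desc)
    if replay <= last_replay:            # big-endian counters, so byte order is numeric order
        raise ValueError("replayed EAPOL-Key frame")
    expect = hmac.new(sign_key, frame[:32] + bytes(16) + frame[48:], "md5").digest()
    if not hmac.compare_digest(sig, expect):
        raise ValueError("bad EAPOL-Key signature")
    enc = frame[48:]
    if enc and len(enc) != klen:
        raise ValueError("key length mismatch")
    # an absent Key field means "use the first klen bytes of the session key" (802.1X-2001)
    wep_key = rc4(iv + encr_key, enc) if enc else encr_key[:klen]
    return flags & 0x03, bool(flags & KEY_UNICAST), wep_key

def run_exchange(master_secret, client_random, server_random, unicast_key, broadcast_key):
    """Whole sequence; returns the keys the supplicant installs, keyed by (index, unicast)."""
    encr, sign = eap_tls_session_keys(master_secret, client_random, server_random)          # AS -> AP
    sup_encr, sup_sign = eap_tls_session_keys(master_secret, client_random, server_random)  # supplicant
    frames = [build_eapol_key(encr, sign, unicast_key, 0, True, bytes(7) + b"\x01"),
              build_eapol_key(encr, sign, broadcast_key, 1, False, bytes(7) + b"\x02")]
    installed, last = {}, bytes(8)
    for f in frames:
        idx, uni, key = process_eapol_key(f, sup_encr, sup_sign, last)
        last = f[7:15]                   # replay counter sits right after descriptor + key length
        installed[(idx, uni)] = key
    return installed
```

The part the three-step description leaves implicit is step 3's order of operations: the supplicant verifies the HMAC-MD5 signature and the replay counter first and only then decrypts, so a forged or replayed EAPOL-Key frame is rejected rather than installed. The unicast key and the BSS broadcast key travel in two separate frames, distinguished by bit 7 of the key-index byte, exactly as in the corrected step two above.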
