commoncriteria / authserver

Authentication Server
The Unlicense

randomly generated PSK #13

Closed jfisherbah closed 2 years ago

jfisherbah commented 3 years ago

SME feedback says that PSKs should be randomly generated and there should be an appropriate requirement that covers this.

FCS_RADSEC_EXT.1.2 allows for the generation of PSKs using the DRBG claimed in FCS_RBG_EXT.1. Does this sufficiently cover this or would it be preferable to re-factor the SFRs to put the PSK generation in the actual PSK SFR (since there may be non-RADIUS uses of generated PSKs)?

ajlaing commented 3 years ago

PSKs used for EAP-TLS (or EAP-TTLS) in RADIUS/DIAMETER will be consistent with the options (generated random, derived PW, OTP) being worked in the VPN PP modules. For a generated random PSK, a reference to FCS_RBG_EXT.1 is preferable to hinting that the TSF should have its own RBG.

See #15 regarding PSK in RADSEC.

jfisherbah commented 2 years ago

The existence of FIA_PSK_EXT.2 appears to resolve this. Closing.