Closed emanjon closed 1 year ago
I don't know how this is supposed to work but there are several options for how they are used together.
AT_KDF is completely ignored when AT_KDF_FS is used.
AT_KDF determines how to derive MK, K_aut, K_re AT_KDF_FS determines how to derive MK_ECDHE, K_re, MSK, EMSK
Like 2. but the PRF used in deriving MK_ECDHE is determined by AT_KDF.
Reasons that this need to be specified is.
Ok this seems like a fair issues. Thanks for spotting this.
I see two options. Either we are (a) trying to be clever and split what impacts what (MK, K_aut) vs. everything else or (b) we only specify a specific combination (KDF=1 + FS=1 or 2) and explicitly say that future specs need to specify how new KDF or FS algorithms can be combined with others.
Both have some drawbacks ... not sure we always want to have the same split in option a. And option b leaves out a lot of room for future extensions to forget to do this.
Maybe go for option b?
I will try to make a PR.
I am fine with b.
The PR should make clear that this updates RFC 9048 with this new requirement.
Ok
A PR has been proposed: https://github.com/emu-wg/eap-aka-pfs/pull/36
Solved per the PR so that I can submit the draft (may not be able to work on Monday due to travel).
AT_KDF carries the legacy KDF value for those EAP peers that cannot or do not want to use this extension.
Gives the impression that AT_KDF is ignored when AT_KDF_FS is used...Gives the impression that they are used together...
The Specification is clear on how to derive keys when AT_KDF in {1} and AT_KDF_FS in {1,2} but does not give any descriptions on how other combinations are supposed to work.