70 likes | 236 Views
PEMK (PaC-EP Master Key) draft-ohba-pana-pemk-01.txt. Yoshihiro Ohba Alper Yegin. Background. PaC-EP Master Key (PEMK) was defined older revisions of PANA specification A pre-shared key used for bootstrapping a lower-layer SA between PaC and EP The key is derived from MSK
E N D
PEMK (PaC-EP Master Key)draft-ohba-pana-pemk-01.txt Yoshihiro Ohba Alper Yegin IETF70 PANA WG
Background • PaC-EP Master Key (PEMK) was defined older revisions of PANA specification • A pre-shared key used for bootstrapping a lower-layer SA between PaC and EP • The key is derived from MSK • During IETF last call, PEMK was removed from PANA specification, with suggestion to define it in a separate document • This draft is submitted as such a document IETF70 PANA WG
PEMK PEMK = prf+(MSK, "PaC-EP master key" | SID | KID | EPDID) • prf+ : defined in IKEv2 [RFC4306]. The actual pseudo-random function used for the prf+ is negotiated within PANA session (c.f., I-D.ietf-pana-pana) • MSK is a Master Session Key generated by EAP and exported to PANA. • SID: PANA session identifier • KID is the content of the PANA Key-ID AVP. • EPDID: Identifier of the EP. The EPDID format is the same of Address type of Diameter: • 2-octet AddressType + addres value • AddressType contains Address Family defined in [IANAADFAM] • How a PaC configuresthe identifier of the EP is out of the scope of this document. IETF70 PANA WG
Attributes of PEMK • Key Name: TBD • Key Scope: Between PaC and EP • Key Context: Used as the pre-shared key of the secure association protocol in the scope of PEMK • Key Lifetime: No greater than the lifetime of MSK IETF70 PANA WG
Security Considerations • Channel Binding : CB is made at the time of PEMK creation by using EPDID as a KDF parameter • Key distribution (only for split EP and PAA case) • Requirements • Key distribution from PAA to EP MUST be encrypted, integrity and replay protected with a SA between PAA and EP • The SA between PAA and EP MUST be cryptographically bound to the identities of the PAA and EP known to the PaC • The HOKEY 3-party key distribution protocol [I-D.ietf-hokey-key-mgm] is identified to satisfy the requirements IETF70 PANA WG
Thank You! IETF70 PANA WG