Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

EAP Authentication Methods and EAP-Derived Cryptographic Keys

Both the MSK and EMSK are generated as by-products of successful EAP authentication. Various WiMAX cryptographic keys are derived from the MSK and EMSK. The following EAP authentication protocols can be used with the WiMAX mobility module:

  • EAP-TLS (Transport Layer Security) protocol
  • EAP-TTLS (Tunneled Transport Layer Security) protocol
  • EAP-AKA (Authentication and Key Agreement) protocol.

    Note: The EAP-AKA protocol requires a license for the optional SIM authentication module.

Master Session Key (MSK)

The MSK attribute is derived as the result of successful EAP authentication. It may be sent to the ASN-GW by Steel-Belted Radius Carrier in the Access-Accept message. It is not sent to the home agent. No SPI is associated with the MSK.

Steel-Belted Radius Carrier uses the first 64 bits of keying material as the MSK.

The Session-Timeout attribute specifies the MSK lifetime. It is sent to the ASN-GW by Steel-Belted Radius Carrier in the Access-Accept message, and it indicates the maximum number of seconds of service to be provided to the user before termination of the session. You can configure the Session-Timeout attribute using Web GUI or through an external SQL or LDAP database.

It is the responsibility of the ASN-GW to reauthenticate before the MSK expires.

Extended Master Session Key (EMSK)

Steel-Belted Radius Carrier generates the Mobile IP-root key (MIP-RK) from the EMSK and then uses the MIP-RK to generate the following additional keys:

  • MN-HA CMIP4—Mobile node-home agent client Mobile IP for IPv4 key.
  • MN-HA PMIP4—Mobile node-home agent proxy Mobile IP for IPv4 key.
  • FA-RK—Foreign agent-root key.
  • RRQ-MN-HA—Registration request (part of the MIP protocol) mobile node home agent key.

Steel-Belted Radius Carrier sends these EMSK-derived keys to both the ASN-GW and the home agent.

EMSK-Derived Key Generation and Identification

The MN-HA CMIP4, MN-HA PMIP4, and FA-RK keys are each identified by a unique SPI value. SPI values relating to the current Mobile IP (MIP) session are unique, where the current MIP session is identified by the pseudo-identifier (outer username) associated with the session.

Note: The MIP session is not the same as the RADIUS session. The RADIUS session can be identified by its associated AAA-session-ID value.

Therefore, each MN-HA CMIP4, MN-HA PMIP4, and FA-RK key is identified by a combination of the pseudo-identifier and SPI.

MSK and EMSK-Derived Key Lifetime and Deprecation

When a final Account-Stop is received for the pseudo-identity from the ASN-GW, the MSK and EMSK-derived key set is destroyed. The lifetime of the keys is specified by the Session-Timeout attribute sent to the ASN-GW. It is the responsibility of the ASN-GW to reauthenticate with Steel-Belted Radius Carrier before the MSK and EMSK-derived key set expires. After the ASN-GW obtains the new keys, it communicates with the home agent using the MIP protocol enabling the home agent to obtain the new keys from Steel-Belted Radius Carrier.

After the home agent has requested the new key set (by supplying the new MN-HA-SPI value), the old key set is destroyed.

Note: For a short period of time, two key sets are active. During this time, when a new key set is used, all other older key sets are destroyed.

EMSK-Derived Key Storage and Retrieval

After the key is generated, it is stored for possible later retrieval. One or more key sets are stored for each MIP session, where a MIP session is identified by the pseudo-identifier.

Modified: 2018-01-11