EAP Authentication Methods and EAP-Derived Cryptographic Keys

Both the MSK and EMSK are generated as by-products of successful EAP authentication. Various WiMAX cryptographic keys are derived from the MSK and EMSK. The following EAP authentication protocols can be used with the WiMAX mobility module:

  • EAP-TLS (Transport Layer Security) protocol

  • EAP-TTLS (Tunneled Transport Layer Security) protocol

  • EAP-AKA (Authentication and Key Agreement) protocol.

    Note

    The EAP-AKA protocol requires a license for the optional SIM authentication module.

Master Session Key (MSK)

The MSK is derived as a result of successful EAP authentication. Steel-Belted Radius Carrier may send it to the ASN-GW in the Access-Accept message; it is not sent to the home agent, and no SPI is associated with the MSK.

Steel-Belted Radius Carrier uses the first 64 bits of keying material as the MSK.

The Session-Timeout attribute specifies the MSK lifetime. Steel-Belted Radius Carrier sends it to the ASN-GW in the Access-Accept message, and it indicates the maximum number of seconds of service to be provided to the user before the session is terminated. You can configure the Session-Timeout attribute using the Web GUI or through an external SQL or LDAP database.

It is the responsibility of the ASN-GW to reauthenticate before the MSK expires.

Extended Master Session Key (EMSK)

Steel-Belted Radius Carrier generates the Mobile IP-root key (MIP-RK) from the EMSK and then uses the MIP-RK to generate the following additional keys:

  • MN-HA CMIP4—Mobile node-home agent client Mobile IP for IPv4 key.

  • MN-HA PMIP4—Mobile node-home agent proxy Mobile IP for IPv4 key.

  • FA-RK—Foreign agent-root key.

  • RRQ-MN-HA—Registration request (part of the MIP protocol) mobile node home agent key.

Steel-Belted Radius Carrier sends these EMSK-derived keys to both the ASN-GW and the home agent.
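The derivation chain described above (EMSK to MIP-RK to the per-session keys), as an added Python example that is not Steel-Belted Radius Carrier's own code. It models the EMSK-to-MIP-RK step on the RFC 5295 usage-specific root key construction (HMAC-SHA-256 PRF+); the key labels, the binding of the MN-HA keys to the home-agent address and the mobile node's NAI, and the SPI handling are assumptions made for illustration, not values taken from this page or from the WiMAX Forum specifications.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict


def usrk(emsk: bytes, label: bytes, optional_data: bytes = b"", length: int = 64) -> bytes:
    """Usage-specific root key from the EMSK, RFC 5295 style (assumed construction).

    KDF(EMSK, key label | 0x00 | optional data | length), expanded with PRF+ over
    HMAC-SHA-256: T1 = HMAC(EMSK, S | 0x01), Tn = HMAC(EMSK, T(n-1) | S | n).
    """
    seed = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    output = b""
    block = b""
    counter = 1
    while len(output) < length:
        block = hmac.new(emsk, block + seed + bytes([counter]), hashlib.sha256).digest()
        output += block
        counter += 1
    return output[:length]


def derive_mip_rk(emsk: bytes) -> bytes:
    """MIP-RK: the Mobile IP root key carved out of the EMSK (label is an assumption)."""
    return usrk(emsk, b"miprk@wimaxforum.org", b"", 64)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_mip_keys(mip_rk: bytes, ha_ipv4: str, mn_nai: str) -> Dict[str, object]:
    """Per-session keys and SPI from MIP-RK (labels and binding data are assumptions).

    The MN-HA keys are bound to the home agent address and to the mobile node's NAI
    (the pseudo-identifier), so a different session yields different keys; FA-RK
    depends on MIP-RK only.
    """
    ha = ipaddress.IPv4Address(ha_ipv4).packed
    nai = mn_nai.encode("utf-8")
    spi = int.from_bytes(_prf(mip_rk, b"SPI CMIP PMIP")[:4], "big")
    # SPI values 0-255 are reserved in Mobile IPv4 (RFC 3344); keep out of that range.
    if spi < 256:
        spi += 256
    return {
        "MN-HA-CMIP4": _prf(mip_rk, b"CMIP4MNHA" + ha + nai),
        "MN-HA-PMIP4": _prf(mip_rk, b"PMIP4MNHA" + ha + nai),
        "FA-RK": _prf(mip_rk, b"FA-RK"),
        "RRQ-MN-HA": _prf(mip_rk, b"RRQ-MN-HA" + ha + nai),
        "MN-HA-SPI": spi,
    }


if __name__ == "__main__":
    # Constructed sample EMSK; a real EMSK is produced by the EAP method, never a pattern.
    sample_emsk = bytes(range(64))
    rk = derive_mip_rk(sample_emsk)
    for name, value in derive_mip_keys(rk, "192.0.2.1", "pseudo@example.org").items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Because the MN-HA keys take the pseudo-identifier as input, two sessions with the same MIP-RK but different outer usernames get different MN-HA keys, which is what lets the server identify a key set by the (pseudo-identifier, SPI) pair in the next section.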

EMSK-Derived Key Generation and Identification

The MN-HA CMIP4, MN-HA PMIP4, and FA-RK keys are each identified by a unique SPI value. SPI values are unique within the current Mobile IP (MIP) session, which is identified by the pseudo-identifier (outer username) associated with the session.

Note

The MIP session is not the same as the RADIUS session. The RADIUS session can be identified by its associated AAA-session-ID value.

Therefore, each MN-HA CMIP4, MN-HA PMIP4, and FA-RK key is identified by a combination of the pseudo-identifier and SPI.

MSK and EMSK-Derived Key Lifetime and Deprecation

When a final Account-Stop is received from the ASN-GW for the pseudo-identity, the MSK and EMSK-derived key set is destroyed. The lifetime of the keys is specified by the Session-Timeout attribute sent to the ASN-GW. It is the responsibility of the ASN-GW to reauthenticate with Steel-Belted Radius Carrier before the MSK and EMSK-derived key set expires. After the ASN-GW obtains the new keys, it communicates with the home agent using the MIP protocol, enabling the home agent to obtain the new keys from Steel-Belted Radius Carrier.

After the home agent has requested the new key set (by supplying the new MN-HA-SPI value), the old key set is destroyed.

Note

For a short period of time, two key sets are active. During this time, as soon as the new key set is used, all older key sets are destroyed.

EMSK-Derived Key Storage and Retrieval

After a key set is generated, it is stored for possible later retrieval. One or more key sets are stored for each MIP session, where a MIP session is identified by the pseudo-identifier.
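A key-store model that ties the three preceding sections together (identification by pseudo-identifier and SPI, the Session-Timeout lifetime and the ASN-GW's reauthentication duty, the short overlap of two key sets with older sets destroyed once the new one is used, and teardown on the final Account-Stop), as an added Python example; it is not code from Steel-Belted Radius Carrier, the class and method names are invented, and the clock is injectable so the lifetime rules can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class KeySet:
    """One EMSK-derived key set; within a MIP session it is identified by its SPI."""
    spi: int
    mn_ha_cmip4: bytes
    mn_ha_pmip4: bytes
    fa_rk: bytes
    expires_at: float  # absolute clock value: install time + Session-Timeout (seconds)


class KeyStore:
    """Key sets per MIP session, indexed by pseudo-identifier (outer username), oldest first."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sets: Dict[str, List[KeySet]] = {}

    def install(self, pseudo_id: str, spi: int, mn_ha_cmip4: bytes, mn_ha_pmip4: bytes,
                fa_rk: bytes, session_timeout: int) -> KeySet:
        """Store a freshly derived set after (re)authentication.

        Older unexpired sets stay active until the new SPI is first used, so for a
        short period two key sets coexist.
        """
        self._purge_expired(pseudo_id)
        key_set = KeySet(spi, mn_ha_cmip4, mn_ha_pmip4, fa_rk, self._clock() + session_timeout)
        self._sets.setdefault(pseudo_id, []).append(key_set)
        return key_set

    def lookup(self, pseudo_id: str, spi: int) -> Optional[KeySet]:
        """Retrieve by (pseudo-identifier, SPI); using a set destroys every older set."""
        self._purge_expired(pseudo_id)
        sets = self._sets.get(pseudo_id, [])
        for index, key_set in enumerate(sets):
            if key_set.spi == spi:
                del sets[:index]  # rollover to this set retires all older ones
                return key_set
        return None

    def active_spis(self, pseudo_id: str) -> List[int]:
        """SPIs of the unexpired key sets for this MIP session, oldest first."""
        self._purge_expired(pseudo_id)
        return [ks.spi for ks in self._sets.get(pseudo_id, [])]

    def seconds_until_expiry(self, pseudo_id: str) -> Optional[float]:
        """Remaining lifetime of the newest set, or None if no set is active."""
        self._purge_expired(pseudo_id)
        sets = self._sets.get(pseudo_id)
        if not sets:
            return None
        return sets[-1].expires_at - self._clock()

    def needs_reauthentication(self, pseudo_id: str, margin: float) -> bool:
        """True when the ASN-GW should reauthenticate now: no active set, or the newest expires within margin seconds."""
        remaining = self.seconds_until_expiry(pseudo_id)
        return remaining is None or remaining <= margin

    def account_stop(self, pseudo_id: str) -> None:
        """Final Account-Stop for the pseudo-identity: every stored key set is destroyed."""
        self._sets.pop(pseudo_id, None)

    def _purge_expired(self, pseudo_id: str) -> None:
        now = self._clock()
        remaining = [ks for ks in self._sets.get(pseudo_id, []) if ks.expires_at > now]
        if remaining:
            self._sets[pseudo_id] = remaining
        else:
            self._sets.pop(pseudo_id, None)
```

The store is deliberately keyed by the pseudo-identifier rather than the RADIUS AAA-session-ID, matching the note above that the MIP session and the RADIUS session are distinct; a lookup for an SPI under the wrong pseudo-identifier returns nothing even if that SPI exists for another session.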