RE: [mobile-ip] Proposed changes to draft-ietf-mobileip-aaa-key-04.txt


To mobile-ip@sunroof.eng.sun.com
From Franck.Le@nokia.com
Date Fri, 4 May 2001 18:29:03 -0500
List-Archive <http://playground.sun.com/mobile-ip/>

Hello Pat,

It seems that some time ago, you mentioned that you were redefining the
extensions for the key distribution between the MN and the AAAh: the key
distribution will not be based on long term key encryption anymore but on
taking a random number as an input.

To the question "Did anyone contribute proposed text?", we replied that we
suggested such a mechanism in the following internet draft
http://search.ietf.org/internet-drafts/draft-le-mobileip-keydistribution-00.txt,
and another approach based on Diffie Hellman is also described.
We suggested that the key distribution extensions should allow both methods;
and in addition we also proposed that the key distribution extension should
allow a mechanism such as the Temporary Shared Key concept to be used:
http://search.ietf.org/internet-drafts/draft-le-mobileip-sharedsecret-00.txt

Please Pat, what is the current situation of this extension definition?

Best Regards,

Franck LE


-----Original Message-----
From: ext Patrice Calhoun [mailto:pcalhoun@nasnfs.Eng.Sun.COM]
Sent: 11 April, 2001 6:54 PM
To: Charles E. Perkins
Cc: mobile-ip@sunroof.eng.sun.com
Subject: Re: [mobile-ip] Proposed changes to draft-ietf-mobileip-aaa-key-04.txt


>I don't mind the change, but if the encoding is cryptographically
>strong, it doesn't increase the security by any appreciable amount.

Well, not passing a key is certainly harder to break than having a session
key passed to the mobile, which can be intercepted (or at least monitored),
and perhaps eventually attacked. If a key is derived, then the only way a
session key can be cracked is by collecting lots of packets that were
authenticated from the key, and attempting a brute force attack.

The crypto-folks here much prefer keys to be derived, and want to re-use
this scheme for their networks, if we can make the appropriate changes.

>> I just had a meeting with the 3GPP2 AHAG WG chair (the group that does all
>> cellular security), and they have concerns in regards to the above mentioned
>> draft. Instead of having the I-D define that the keys be returned to the
>> mobile node, they would prefer that a random value be sent, and have the
>> mobile node derive the session key based on a known algorithm, such as:
>> 
>>         MD5(MN-AAA Secret + NAI + Random Value)
>
>Presumably '+' is concatenation.  

yes

> I reckon MD5 should be HMAC_MD5,
>and the input data should have the secret appended also after the
>random value. 

oh, well if we want prefix+suffix, then yes, but hmac-md5 doesn't really
need that. In fact, we could even support SHA-1 as well.

> Also, so that the algorithm will work with IP addresses
>when NAIs are not available, we should allow the identification
>bitstring to be the appropriate IP address.

sure.
>
>Did anyone contribute proposed text?

As soon as I get back from vacation I will. Of course, I want to make sure
that no one objects to this change before I propose any text.

PatC
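
The derivation variants discussed in the thread, as an added example that is not part of the original messages or of any draft: plain MD5 over the concatenation, the prefix+suffix form, and HMAC keyed with the MN-AAA secret (MD5 or SHA-1), with an IP address as the identification when no NAI is available. The function names, the `ident + rand` ordering inside HMAC, and the sample secret, NAI and address are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os


def identification(nai=None, ip=None):
    """Identification bitstring: the NAI, or the packed IP address when no NAI exists."""
    if nai is not None:
        return nai.encode("ascii")
    return ipaddress.ip_address(ip).packed


def derive_plain(secret, ident, rand):
    # MD5(MN-AAA Secret + NAI + Random Value), with '+' meaning concatenation
    return hashlib.md5(secret + ident + rand).digest()


def derive_prefix_suffix(secret, ident, rand):
    # Same input with the secret appended again after the random value
    return hashlib.md5(secret + ident + rand + secret).digest()


def derive_hmac(secret, ident, rand, digest="md5"):
    # HMAC keyed with the MN-AAA secret; digest is "md5" or "sha1"
    return hmac.new(secret, ident + rand, digest).digest()


def demo():
    secret = b"constructed-mn-aaa-secret"  # constructed long-term MN-AAA secret
    rand = os.urandom(16)                  # the only value that crosses the network
    ident = identification(nai="mn@example.org")  # constructed NAI
    # AAAh and MN each run the derivation locally; no session key is transmitted
    aaah_key = derive_hmac(secret, ident, rand)
    mn_key = derive_hmac(secret, ident, rand)
    # A fresh random value yields an unrelated session key
    next_key = derive_hmac(secret, ident, os.urandom(16))
    return aaah_key == mn_key, aaah_key != next_key


if __name__ == "__main__":
    print(demo())
```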

