CWSP PW0-204 Studyguide Errata
Last Post: June 21, 2010:
-
Hi George
An excellent question, and one that has caused a lot of confusion in the past.
Firstly, the book is correct.
The MSK keying material is transferred between the Authentication Server (AS) and the Supplicant. It is not transferred between the AS and the Access Point (AP).
If we look closely at Figure 5.19 in the book, we can see that it shows the PMK being transferred between the AS and the Authenticator (AP). It says "SECURE CHANNEL". But what is this secure channel? I'll get back to that in a minute.
Let's first consider how we get the PMKs at both ends of the link (Supplicant and Auth Server). Typically, we will use something like EAP-TLS to assist with authentication and also to generate the Master Session Key. This MSK is transferred securely across the network using mechanisms inherent to TLS (or whatever other system is used). A secure channel has been used (set up by EAP-TLS) to transfer the MSK securely, keeping prying eyes from finding out what it is. But this is not the SECURE CHANNEL mentioned in the book.
We now have to go back a bit in time and look at where RADIUS and 802.1X came from. Back in the days of dial-up modem connections, PPP was commonly used (replacing SLIP) and it was assumed that the physical security of a telephone line was sufficient in the communications between the modem and the NAS server (modem pool block). The 802.1X RFC (802.1X was in use in LAN systems way before wireless "needed it") did not specify the mechanism for transfer of keys between AS and Authenticator. To get around this problem when wireless systems started using RADIUS (for example), companies such as Microsoft devised extensions to the RADIUS attributes in order to allow the secure passage of the PMK (derived at the AS from the MSK which in turn was derived via the EAP-TLS method for example) from the AS to the Authenticator. It should be noted that this is vendor specific. The MS-MPPE-RECV-KEY-ATTRIBUTE is an example of a vendor specific extension. I won't go into all the details of the secure channel exchange process at this point.
Dave
- 1
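Since the post stops short of the secure-channel details, the following is an added example (not Dave's text and not any vendor's code) of the RFC 2548 encoding that the MS-MPPE-Recv-Key attribute uses to carry the PMK from the AS to the Authenticator. The shared secret, Request-Authenticator, salt and MSK below are constructed sample values.

```python
import hashlib

# Added example: RFC 2548 MS-MPPE-Recv-Key / MS-MPPE-Send-Key encoding.
# All values here are constructed samples, not from a real deployment.
SHARED_SECRET = b"constructed-radius-shared-secret"       # RADIUS shared secret S
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")  # R, 16 octets
SALT = b"\x80\x01"            # A: 2 octets, high bit of the first octet must be set
MSK = bytes(range(64))        # constructed 64-octet EAP MSK
PMK = MSK[:32]                # 802.11i takes the PMK as the first 256 bits of the MSK


def mppe_encrypt_key(key: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Return Salt || String exactly as placed in the attribute value."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the high bit of the first octet set")
    if len(key) > 255:
        raise ValueError("Key-Length is a single octet")
    # Plaintext = Key-Length octet || key || zero padding to a 16-octet multiple.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), request_authenticator + salt   # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c                                             # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def mppe_decrypt_key(value: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_encrypt_key: recover the key from Salt || String."""
    salt, cipher = value[:2], value[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        c = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("Key-Length exceeds data: wrong secret or Request-Authenticator?")
    return bytes(plain[1:1 + key_len])


if __name__ == "__main__":
    attr = mppe_encrypt_key(PMK, SHARED_SECRET, REQUEST_AUTHENTICATOR, SALT)
    print("MS-MPPE-Recv-Key value:", attr.hex())
    assert mppe_decrypt_key(attr, SHARED_SECRET, REQUEST_AUTHENTICATOR) == PMK
```

Decryption needs only the RADIUS shared secret and the Request-Authenticator from the Access-Request, so the confidentiality of this vendor "secure channel" is exactly the strength of that shared secret and the protection of the AS-to-Authenticator link.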