How to catch the MSK (Master Session Key) from Wpa_supplicant?

Douglas Diniz dgdiniz
Mon Apr 14 12:45:54 PDT 2008 

>This ethernet interface between SS and wpa_supplicant sounds vendor
>specific design. Is that correct or is it based on some standard? I
>don't know what resulted in that kind of design (i.e., separation of EAP
>peer from SS into a separate device), but if that is indeed the best
>choice for the product, use of EAPOL frames sounds like a suitable
>mechanism here. This is just something that I would not have first
>expected from a WiMax product ;-).

The interface is very simple. I just receive a eap packet from SS software
and send it to wpa supplicant. Just it. I only check the eap message to
search for a eap success. If the message is a success I expect that the next
message from wpa supplicant is the msk. I dont need any eap state machine
here (I hope).

I had two options:

1-) Incorporate the wpa supplicant to Ss software, creating a function
interface to the Ss's software. This need a lot of time.

2-) Create this module to receive messages from SS and send to wpa
supplicant.

>OK. It sounds like the SS <-> supplicant interface is indeed vendor
>specific and as such, so would be the MSK delivery mechanism. I'm
>assuming the ethernet interface here is considered secure (e.g., it is
>just using a cross-over cable inside the box and without any external
>access). If not, the MSK delivery mechanism would need to be encrypted
>with something..

In fact i'm installing wpa supplicant in SS's host and send the messages
over localhost. So, the interface is secure.

In my place, what you would do?

Thanks.......

On Mon, Apr 14, 2008 at 3:24 PM, Jouni Malinen <j at w1.fi> wrote:

> On Mon, Apr 14, 2008 at 02:57:41PM -0300, Douglas Diniz wrote:
>
> > Between Freeradius and Bs, and wpa supplicant and Ss, the interface is
> > ethernet. When Ss receive a eapol packet from wpa supplicant I send the
> raw
> > eap packet as a payload inside a specific message that the Ss software
> will
> > handle and send to Bs.
> > When Bs receive this message, the Bs software will send this  raw eap
> > payload to me, and I will send it to freeradius over a Radius Message.
>
> This ethernet interface between SS and wpa_supplicant sounds vendor
> specific design. Is that correct or is it based on some standard? I
> don't know what resulted in that kind of design (i.e., separation of EAP
> peer from SS into a separate device), but if that is indeed the best
> choice for the product, use of EAPOL frames sounds like a suitable
> mechanism here. This is just something that I would not have first
> expected from a WiMax product ;-).
>
> > At the end of authentication, I must use the Msk as I said. The Bs and
> Ss
> > softwares are already implemented to process the Msk. My job finish when
> I
> > send the msk to Bs and SS.
> >
> > The manufactor of the Bs/Ss software has this scenario implemented, and
> i'm
> > in contact to discover how they send the msk to Bs/Ss.
>
> OK. It sounds like the SS <-> supplicant interface is indeed vendor
> specific and as such, so would be the MSK delivery mechanism. I'm
> assuming the ethernet interface here is considered secure (e.g., it is
> just using a cross-over cable inside the box and without any external
> access). If not, the MSK delivery mechanism would need to be encrypted
> with something..
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20080414/00fe82b9/attachment-0001.htm

More information about the Hostap mailing list