How to catch the MSK (Master Session Key) from Wpa_supplicant?

Jouni Malinen j
Tue Apr 15 10:25:24 PDT 2008 

On Mon, Apr 14, 2008 at 04:45:54PM -0300, Douglas Diniz wrote:

> The interface is very simple. I just receive a eap packet from SS software
> and send it to wpa supplicant. Just it. I only check the eap message to
> search for a eap success. If the message is a success I expect that the next
> message from wpa supplicant is the msk. I dont need any eap state machine
> here (I hope).

OK. If you are only using fixed configuration (no user interaction
during authentication) and do not use the double EAP mode defined in
802.16e, this may be enough.

> I had two options:
> 
> 1-) Incorporate the wpa supplicant to Ss software, creating a function
> interface to the Ss's software. This need a lot of time.
> 
> 2-) Create this module to receive messages from SS and send to wpa
> supplicant.

I would describe option (1) a bit differently: integrate the EAP peer
functionality from wpa_supplicant (not full wpa_supplicant) to SS since
WiMax does not really use much of the other functionality from
wpa_supplicant. Or well, the configuration parser could probably be
shared, too.

> In fact i'm installing wpa supplicant in SS's host and send the messages
> over localhost. So, the interface is secure.
> 
> In my place, what you would do?

I do not have good enough understanding of the particular project to say
what would be best option here. I understand that option (2) may look
like the easiest solution for this case. However, I'm looking this from
a bit different view point since I would prefer to make sure that the
interfaces in wpa_supplicant provide functionality that would fit well
into any WiMax design in addition to 802.11-based solutions.

Anyway, I would suggest at least taking a quick look at the EAP peer
example (use of EAP peer functionality from wpa_supplicant as a library
for another program) that is available in the Git repository:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree;f=eap_example;hb=HEAD

I wrote this example especially with non-802.1X uses in mind and WiMax
is mentioned as one example case. The example code includes minimal
setup for using EAP peer functionality and this could be used linked
together with rest of the SS software to implement PMK EAP.

Unfortunately, I do not have any WiMax hardware to play with, so I
haven't experimented with what exactly would be needed in wpa_supplicant
to make it fit well with WiMax design. The EAP peer example should work
fine in this type of use, but it would also be interesting to see a more
complete reference design for WiMax authentication to be added in the
future.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list