Cryptographic Key Transport [RFC6734] AVPs
Diameter Attribute-Value Pairs for Cryptographic Key Transport (RFC6734)
This interface defines a set of Diameter attribute-value pairs (AVPs) that facilitate the transport of multiple cryptographic keys within a single Diameter message. Building upon the Diameter EAP application defined in [RFC4072], which originally specified the EAP-Master-Session-Key and EAP-Key-Name AVPs for conveying keying material derived during EAP method execution (such as EAP-TLS from [RFC5216]), this specification addresses the need to transport additional keys.
Purpose of the Diameter Cryptographic Key Transport Interface
- Enhanced Key Transport: The interface extends the legacy key transport mechanism by supporting the inclusion of multiple cryptographic keys in one Diameter message. This is essential for transporting keys derived from advanced methods (e.g., as detailed in [RFC5295]) and for handling new keys specified by the EAP Re-authentication Protocol (ERP) in [RFC6696].
- Efficient Key Distribution: By allowing multiple keys to be transported simultaneously, the interface streamlines the process of distributing cryptographic keying material between Diameter nodes. This enhances the overall security and efficiency of EAP-based authentication and re-authentication procedures.
Key Elements
- The original Diameter EAP application permitted only one instance of the EAP-Master-Session-Key or EAP-Key-Name AVPs per message. This limitation proved insufficient as additional keys began to be derived from the keying material during EAP execution.
- The new set of AVPs defined in this specification overcomes this limitation by allowing multiple cryptographic keys to be included in a single message. This accommodates both the derivation of extra keys during EAP method execution and the key requirements introduced by ERP.
- These AVPs are seamlessly integrated into Diameter messages, ensuring that all necessary cryptographic keys can be securely and efficiently transported between Diameter nodes involved in authentication processes.
For the complete technical specification of the Diameter Attribute-Value Pairs for Cryptographic Key Transport, refer to [RFC6734].
package com.mobius.software.telco.protocols.diameter.primitives.rfc6734
| Name | AVP Code | Data Type | Vendor | Description |
|---|---|---|---|---|
| Key | 581 | Grouped | IETF | Used in Diameter to carry keying information, such as the key type, keying material, and optionally the lifetime of the key, the key name, and the Security Parameter Index (SPI) associated with the key. The AVP structure is defined as follows: Key-Type (mandatory): specifies the type of the key; Keying-Material (optional): contains the keying material (the actual cryptographic key); Key-Lifetime (optional): specifies the lifetime of the key; Key-Name (optional): contains the name of the key; Key-SPI (optional): specifies the Security Parameter Index (SPI) associated with the key. |
| Keying-Material | 583 | OctetString | IETF | Used to carry the cryptographic keying material required for secure communication. The exact usage of this keying material depends on factors such as the type of key, the specific security protocol being used, and the underlying link layer in use. |
| Key-Lifetime | 584 | Unsigned32 | IETF | Specifies the duration in seconds for which the keying material carried in the Keying-Material AVP is valid. This ensures that the cryptographic key is not used indefinitely and can be replaced after a specific time period, enhancing security. Note: applications using this value should consider the beginning of the lifetime to be the point in time when the message containing the keying material is received. In addition, client implementations should check that the value is reasonable; for example, the lifetime of a key should not generally be longer than the session lifetime (see Section 8.13 of [RFC6733]). |
| Key-Name | 586 | OctetString | IETF | Contains an opaque identifier for the key, used to reference the cryptographic key within the system. How this key identifier is generated and used depends on the key type and its associated usage; detailed handling is context-specific, as defined in additional RFCs ([RFC5247], [RFC5295]) for specific key management scenarios. |
| Key-SPI | 585 | Unsigned32 | IETF | Contains an Unsigned32 value that can be used to identify and associate specific keying material. The SPI value allows systems to reference keying material in a consistent manner when performing security operations, such as encryption or authentication, where the key's security parameters need to be defined and tracked. |
| Key-Type | 582 | Enumerated | IETF | Identifies the type of key being sent. Enumerated values: DSRK (0), Domain-Specific Root Key: a root key used within a domain to derive additional keys for secure communications, as defined in [RFC5295]; rRK (1), Re-authentication Root Key: a key used specifically for re-authentication purposes, as defined in [RFC6696]; rMSK (2), Re-authentication Master Session Key: a master key used for re-authentication sessions, as defined in [RFC6696]. |
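As an added example (not code from the Mobius library or from RFC 6734), the following Python encodes and parses the Grouped Key AVP described in the table using the RFC 6733 AVP header layout (code, flags, 3-octet length, data padded to 4 octets), enforces the mandatory Key-Type member, and applies the Key-Lifetime sanity check against the session lifetime. The AVP codes are the ones listed above; the function names and sample key bytes are constructed for this example.

```python
import struct

# AVP codes from RFC 6734 as listed on this page; all are sent with the M (mandatory) flag set
AVP_NAMES = {581: "Key", 582: "Key-Type", 583: "Keying-Material",
             584: "Key-Lifetime", 585: "Key-SPI", 586: "Key-Name"}
KEY, KEY_TYPE, MATERIAL, LIFETIME, SPI, NAME = 581, 582, 583, 584, 585, 586
UNSIGNED32 = {KEY_TYPE, LIFETIME, SPI}   # members carried as Unsigned32 / Enumerated

def encode_avp(code: int, data: bytes) -> bytes:
    """RFC 6733 AVP header: code(4) flags(1) length(3); data padded to a 4-octet boundary."""
    length = 8 + len(data)                       # the length field excludes padding
    header = struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
    return header + data + bytes(-len(data) % 4)

def encode_key_avp(key_type, material, lifetime=None, name=None, spi=None) -> bytes:
    """Build the Grouped Key AVP: Key-Type first, then Keying-Material and optional members."""
    body = encode_avp(KEY_TYPE, struct.pack("!I", key_type)) + encode_avp(MATERIAL, material)
    for code, value in ((LIFETIME, lifetime), (NAME, name), (SPI, spi)):
        if value is not None:
            body += encode_avp(code, struct.pack("!I", value) if code in UNSIGNED32 else value)
    return encode_avp(KEY, body)

def iter_avps(buf: bytes):
    """Yield (code, data) for each AVP in buf, rejecting truncated or oversized AVPs."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # the V flag adds a 4-octet Vendor-Id
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        yield code, buf[off + hdr:off + length]
        off += length + (-length % 4)            # skip the padding, too

def decode_key_avp(avp: bytes, session_lifetime: int) -> dict:
    """Parse one Key AVP; enforce the mandatory Key-Type and the Key-Lifetime check."""
    code, body = next(iter_avps(avp))
    if code != KEY:
        raise ValueError("not a Key AVP")
    key = {}
    for code, data in iter_avps(body):
        if code in UNSIGNED32:
            if len(data) != 4:
                raise ValueError("Unsigned32 member must be 4 octets")
            data = struct.unpack("!I", data)[0]
        key[AVP_NAMES.get(code, code)] = data
    if "Key-Type" not in key:
        raise ValueError("Key-Type is mandatory in the Key AVP")
    # the lifetime starts on receipt and should not exceed the session lifetime (RFC 6733 s8.13)
    if key.get("Key-Lifetime", 0) > session_lifetime:
        raise ValueError("Key-Lifetime exceeds the session lifetime")
    return key
```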