3.1.5.5.2.2 Intermediate PEAP MAC Key (IPMK) and Compound MAC Key (CMK)

The Intermediate PEAP MAC key (IPMK) and Compound MAC Key (CMK) are constructed using the following steps:

• If the PEAP peer and the PEAP server resumed an authentication using fast reconnect, then IPMK and CMK are obtained from TK as shown in the following steps.

• If the PEAP peer and the PEAP server did not resume an authentication using fast reconnect, and an inner method was used for authenticating the PEAP peer, then the IPMK is generated using the following steps:

  1. Generate an ISK:

     • If the inner EAP method generates keys, then an implementation MUST obtain the InnerMPPESendKey, InnerMPPERecvKey and their lengths from the inner method as specified in sections 3.2.5.4.7 and 3.3.7.3. The InnerMPPESendKey and InnerMPPERecvKey are the same as MS-MPPE-Send-Key and MS-MPPE-Recv-Key respectively as specified in [RFC2548], sections 2.4.2 and 2.4.3.

       Each inner method decides how to generate these keys. The Protected Extensible Authentication Protocol uses the keys returned by the inner method and calculates ISK as follows: (The following Microsoft Point-to-Point Encryption (MPPE) keys are not encrypted by RADIUS shared secret, and contain only the key itself and no length, salt, or type field.)

        Peer ISK = InnerMPPESendKey | InnerMPPERecvKey
        Server ISK = InnerMPPERecvKey | InnerMPPESendKey
       

       If the concatenated string length (obtained from InnerMPPESendKeyLength and InnerMPPERecvKeyLength) is more than 32 octets, then the first 32 octets form the ISK. If the concatenated string length is less than 32 octets, then the string is appended with 0x00 at the end as padding to obtain a total length of 32 octets.

     • If the inner EAP method did not generate any keys, then the ISK MUST be 32 octets of 0x00.

  2. Generate the IPMK Seed as follows:

     To obtain a seed value for the PRF+ function (see [RFC4306], section 2.13) in order to generate an IPMK, an implementation MUST create a byte array containing the ASCII values for the string "Inner Methods Compound Keys" and MUST concatenate the ISK as follows (where "|" denotes concatenation of strings):

      IPMK Seed = "Inner Methods Compound Keys" | ISK
       
     

  3. Generate the IPMK and CMK as follows:

     To generate the IPMK, implementations MUST use the first 40 octets of TK (see section 3.1.5.5.2.1), and MUST use the PRF+ seed value as the input to a PRF+ operation, and MUST generate 60 bytes. The first 40 bytes are the IPMK, while the last 20 bytes are the CMK.

      TempKey = First 40 octets of TK
      IPMK = First 40 octets of PRF+ (TempKey, IPMK Seed, 60);
     

     This is the PRF+ algorithm (where "|" denotes concatenation).

      K = Key, S = Seed, LEN = output length
       
     

     In generating IPMK and CMK, 60 bytes are required. Therefore, LEN=60 in this case.

      PRF+(K, S, LEN) = T1 | T2 | ... |Tn
      Where:
      T1 = HMAC-SHA1 (K, S | 0x01 | 0x00 | 0x00)
      T2 = HMAC-SHA1 (K, T1 | S | 0x02 | 0x00 | 0x00)
       
      ...
       
      Tn = HMAC-SHA1 (K, Tn-1 | S | n | 0x00 | 0x00)
     

     As shown, PRF+ is computed in iterations. The number of iterations (n) depends on the output length (LEN). The computation stops when the concatenated length of T1, T2, ..., Tn is equal to or greater than the output length. When calculating IPMK and CMK, required output length is 60 bytes (LEN=60). Because each HMAC-SHA1 operation generates 20 bytes, n=3 iterations (that is, T1, T2 and T3) are required to compute IPMK and CMK.

     The preceding PRF+ definition is valid only when LEN < 256 and n < 256.