Error in AuthIP Key Material Generation specification

  • Question

  • The specification says:

    The quick mode security association (QM SA) authentication key MUST be set to the first part of
    IPsecEncryptKey (up to ipsechashLength bytes). The QM encryption key MUST be set to the
    remainder of IPsecEncryptKey.

    However, in practice (and as confirmed by examining the source code of AddKeyToProposal) it seems to be the other way around: the QM encryption key is the first part of IPsecEncryptKey and the authentication key follows this value.

    Regards,

    Gary Nebbett

    Friday, February 13, 2015 1:04 PM

Answers

  • Hello Gary -

    Thank you for your valuable feedback. We have addressed the issue and updated MS-AIPS with the following information -

    3.1.7.4 AuthIP Key Material Generation

    Before
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    The quick mode security association (QM SA) authentication key MUST be set to the first part of IpsecEncryptKey (up to ipsechashLength bytes). The quick mode encryption key MUST be set to the remainder of IPsecEncryptKey.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    After
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    The quick mode security association (QM SA) encryption key MUST be set to the first part of IPsecEncryptKey (up to ipseccryptLength bytes). The quick mode authentication key MUST be set to the remainder of IPsecEncryptKey.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Monday, May 11, 2015 5:53 PM
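
An added example, not part of the thread or of [MS-AIPS]: it splits IPsecEncryptKey in both the "Before" and "After" orders and shows that two peers using different orders end up with different authentication keys, so the integrity check fails. The key sizes (AES-128, HMAC-SHA1), the use of HMAC-SHA1-96 as the integrity check, the exact-length requirement, the sample bytes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed sizes for this example: AES-128 key and HMAC-SHA1 key, in bytes.
IPSECCRYPT_LENGTH = 16
IPSECHASH_LENGTH = 20

# Constructed keying material and payload (not real AuthIP output).
SAMPLE_KEY = bytes(range(IPSECCRYPT_LENGTH + IPSECHASH_LENGTH))
SAMPLE_DATA = b"constructed ESP payload"


def _check(key, crypt_len, hash_len):
    # Assumption of this example: the material is exactly both keys long.
    if len(key) != crypt_len + hash_len:
        raise ValueError("expected ipseccryptLength + ipsechashLength bytes")


def split_after(key, crypt_len=IPSECCRYPT_LENGTH, hash_len=IPSECHASH_LENGTH):
    """Corrected text: encryption key first, authentication key is the rest."""
    _check(key, crypt_len, hash_len)
    return key[:crypt_len], key[crypt_len:]  # (encryption, authentication)


def split_before(key, crypt_len=IPSECCRYPT_LENGTH, hash_len=IPSECHASH_LENGTH):
    """Original text: authentication key first, encryption key is the rest."""
    _check(key, crypt_len, hash_len)
    return key[hash_len:], key[:hash_len]  # (encryption, authentication)


def icv(auth_key, data):
    """HMAC-SHA1-96: HMAC-SHA1 output truncated to 12 bytes."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:12]


def receiver_accepts(sender_split, receiver_split, key, data):
    """True if the receiver's recomputed ICV matches the sender's."""
    _, sender_auth = sender_split(key)
    _, receiver_auth = receiver_split(key)
    return hmac.compare_digest(icv(sender_auth, data), icv(receiver_auth, data))


if __name__ == "__main__":
    for name, recv in (("After", split_after), ("Before", split_before)):
        ok = receiver_accepts(split_after, recv, SAMPLE_KEY, SAMPLE_DATA)
        print(f"sender=After receiver={name}: ICV accepted = {ok}")
```
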

All replies

  • Hi Gary,

    Thank you for your question. A member of the Protocol Documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Friday, February 13, 2015 6:42 PM
  • Hello Gary -

    I'm researching this for you. My understanding is that you are not blocked, as you already know the expected behavior based on your debugging, and are providing this as feedback to improve the quality of the [MS-AIPS] specification. Please let me know if this understanding is incorrect.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Friday, February 13, 2015 7:24 PM