3.1.5.7 Key Management

PEAP methods MUST generate MPPE keys as follows.

  1. If a PEAP server and PEAP peer have successfully exchanged cryptobinding TLVs, then the keys are generated as follows:

    1. The Compound Session Key (CSK) is derived with the following equation.

       CSK = PRF+ (IPMK, "Session Key Generating Function", 128)

      The output length of the CSK MUST be 128 bytes. The IPMK and the PRF+ function are defined in section 3.1.5.5.2.2.

      For the seed value of the PRF+ function for the CSK, an implementation MUST create a byte array containing the ASCII values of the string "Session Key Generating Function" followed by a NULL (0x00) byte.

    2. The first 64 bytes of the CSK are split into two MPPE keys, as follows.

                      First 32 bytes of CSK    Second 32 bytes of CSK
       PEAP peer      MS-MPPE-Send-Key         MS-MPPE-Recv-Key
       PEAP server    MS-MPPE-Recv-Key         MS-MPPE-Send-Key

  2. When an endpoint (either a PEAP server or PEAP peer) is incapable of sending cryptobinding TLVs, and the other endpoint is configured to accept such authentications, then the keys are obtained from the first 64 octets of the Key_Material, as specified in [RFC5216]: TLS-PRF-128 (master secret, "client EAP encryption", client.random || server.random).

                    First 32 bytes of Key_Material    Second 32 bytes of Key_Material
     PEAP peer      MS-MPPE-Send-Key                  MS-MPPE-Recv-Key
     PEAP server    MS-MPPE-Recv-Key                  MS-MPPE-Send-Key
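The following Python is an added illustration of both cases above (the CSK derivation in case 1 and the 64-byte split shared with the Key_Material case in case 2); it is not code from the specification or from any PEAP implementation. The PRF+ construction is not on this page: the iterated HMAC-SHA1 with a one-byte LEN and counter is my reading of section 3.1.5.5.2.2 and must be checked against it; the 40-byte IPMK is a constructed sample value.

```python
import hmac
import hashlib

# Label from this section; the trailing NULL byte is required by the text.
CSK_SEED = b"Session Key Generating Function" + b"\x00"
CSK_LEN = 128


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF+ as defined in MS-PEAP 3.1.5.5.2.2 (not reproduced on this page).
    ASSUMPTION about that section: Tn = HMAC-SHA1(K, T(n-1) | S | LEN | n),
    T0 empty, LEN encoded as a single byte, output truncated to LEN bytes."""
    if not 0 < length < 256:
        raise ValueError("LEN must fit in one byte")
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([length, n]), hashlib.sha1).digest()
        out += prev
        n += 1
    return out[:length]


def derive_csk(ipmk: bytes) -> bytes:
    """CSK = PRF+(IPMK, "Session Key Generating Function", 128)."""
    csk = prf_plus(ipmk, CSK_SEED, CSK_LEN)
    assert len(csk) == CSK_LEN  # the section says the output MUST be 128 bytes
    return csk


def mppe_keys(key_material: bytes, role: str) -> dict:
    """Split the first 64 bytes into the two MPPE keys.  The same split is
    applied to the CSK (cryptobinding case) and to the RFC 5216 Key_Material
    (no-cryptobinding case); only the key source differs.  Note the mirror:
    the key the peer sends with is the key the server receives with."""
    if len(key_material) < 64:
        raise ValueError("need at least 64 bytes of key material")
    first, second = key_material[:32], key_material[32:64]
    if role == "peer":
        return {"MS-MPPE-Send-Key": first, "MS-MPPE-Recv-Key": second}
    if role == "server":
        return {"MS-MPPE-Recv-Key": first, "MS-MPPE-Send-Key": second}
    raise ValueError("role must be 'peer' or 'server'")


if __name__ == "__main__":
    ipmk = bytes(range(40))  # constructed sample IPMK, not a real key
    csk = derive_csk(ipmk)
    peer, server = mppe_keys(csk, "peer"), mppe_keys(csk, "server")
    assert peer["MS-MPPE-Send-Key"] == server["MS-MPPE-Recv-Key"]
    print("CSK[:8] =", csk[:8].hex())
```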