Short summary:
Section 5.4 claims that IMCK (and as such, also) S-IMCK[j] is derived
by combining the MSKs from inner EAP methods while Section 5.2 talks
about two different derivations: one based on MSK and the other one
based on EMSK.
i.e. IMCK[j] is derived from either EMSK or MSK. The original text had
IMSK = ... TLS-PRF(EMSK, ..)
Which had a few problems:
-
the definition here used
IMSK, and the later uses wereIMSK[j], which is inconsistent. -
the secret is defined as
EMSK, while the later text went "no, really, it's sometimesMSK". -
there was no discussion of what to do with
S-IMCKderived from different sources.
Define IMCK[j] as:
IMSK[j] = First 32 octets of TLS-PRF(secret, "TEAPbindkey@ietf.org",
0x00 \| 0x00 \| 0x40)
where secret is EMSK[j] or MSK[j].
And then means note that we need to derive two sequences of S-IMCK[j]:
S-IMCK_MSK[j]
and
S-IMCK_EMSK[j]
As part of this cleanup, clarify some other text around
session_key_seed and CMK[j] for consistency.