This might be old news, but I've just stumbled upon this paper, and found it an excellent response to a lot of questions I've been having. In case it helps anyone else: http://research.microsoft.com/en-us/um/people/klauter/security_of_kea_ake_protocol.pdf