IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: ERP proposal Date Submitted: October 13, 2011 Authors or Source(s): Fernando Bernal-Hidalgo, Rafa Marín-López Abstract: Modifications to be carried out in the current D04 related to comment #24.
IEEE presentation release statements This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws (http://standards.ieee.org/guides/bylaws/sect6-7.html#6) and in Understanding Patent Issues During IEEE Standards Development.
MIAK (Media Independent Authentication Key) A new key, MIAK, needs to be derived to generate the AUTH TLV. Modify figure 33 so that the MIAK appears to the left of the MIIK. Selecting a suitable value for L in the KDF defined in section 9.2.2 yields the extra key material from which the MIAK is taken. The MIAK length is set to 128 bits.
AUTH TLV Generation How to generate the AUTH TLV:
– AUTH TLV = PRF(K, "AUTH_TLV" | MIH_AUTH message | MNCiphersuite | PoSCiphersuite)
– K = MIAK
– MIH_AUTH message: the whole MIH_AUTH message, with the value of the AUTH TLV itself filled with 0s
– MNCiphersuite = the ciphersuite sent by the MN
– PoSCiphersuite = the ciphersuite sent by the PoS
– PRF is the one selected from the KDF_LIST: KDF_CMAC_AES, KDF_HMAC_SHA1 or KDF_HMAC_SHA256
– PRF output length (and therefore the AUTH TLV value length) depends on the negotiated PRF
Draft Modifications
– Rename: change KDF_LIST to PRF_LIST
– Modify definition of PRF_LIST:
  Bit 0: KDF_AES_CMAC -> PRF_AES_CMAC
  Bit 1: KDF_HMAC_SHA1 -> PRF_HMAC_SHA1
– We missed KDF_HMAC_SHA256. Add it:
  Bit 2: KDF_HMAC_SHA256 -> PRF_HMAC_SHA256
DISCUSSION
– Should the MIH Service Authentication Phase be protected by an existing MIH SA during re-authentication with the same PoS? We believe that MIH_AUTH messages should always be protected with the AUTH TLV, not with the MIH SA.
– How is the AUTH TLV generated (key used and ciphersuite)? Done (see the AUTH TLV Generation slide).
– Should we add a new section explaining how a downgrading attack is avoided? No. Nevertheless, the way the AUTH TLV is generated solves the problem: both ciphersuites are bound into the PRF input, so a ciphersuite altered in transit makes verification fail.
– Inconsistency: the PoS does not receive a key confirmation from the MN. Add an additional MIH_AUTH exchange (MIH_Auth request/response carrying the AUTH TLV).
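The following is an added example, not code from the proposal or from the 802.21 draft. It walks the MIAK, AUTH TLV Generation, Draft Modifications and Discussion slides end to end: it takes a 128-bit MIAK as the leftmost bits of KDF output, picks a PRF from the PRF_LIST bitmaps, computes the AUTH TLV as PRF(MIAK, "AUTH_TLV" | message with the AUTH TLV value zeroed | MNCiphersuite | PoSCiphersuite), and then shows that an MN which verifies with the ciphersuite it really sent rejects a response whose ciphersuite was rewritten in transit (the downgrade protection the discussion slide relies on). Everything not on the slides is an assumption: the KDF shape (a counter-mode construction standing in for the draft's section 9.2.2 KDF), the MIIK length, the TLV encoding (one-byte type, one-byte length), the AUTH TLV being the last TLV, the rule for choosing among common PRFs (highest bit), the ciphersuite and key bytes, and the omission of AES-CMAC, which is not in Python's standard library.

```python
"""Added example (not the 802.21a draft's or the proposal's code): MIAK
derivation, PRF selection, AUTH TLV generation/verification, and the
ciphersuite-binding check against downgrade.  See the lead-in for assumptions."""
import hashlib
import hmac

# PRF_LIST bitmap as renamed on the "Draft Modifications" slide.
PRF_AES_CMAC = 1 << 0
PRF_HMAC_SHA1 = 1 << 1
PRF_HMAC_SHA256 = 1 << 2

# PRF output length in bytes; the AUTH TLV value has exactly this length.
PRF_OUTPUT_LEN = {PRF_AES_CMAC: 16, PRF_HMAC_SHA1: 20, PRF_HMAC_SHA256: 32}

MIAK_LEN = 16          # 128 bits, as set on the MIAK slide
MIIK_LEN = 16          # assumed for this example; the slide does not give it
AUTH_TLV_TYPE = 0x7F   # assumed TLV type code, for this example only


def prf(prf_id: int, key: bytes, data: bytes) -> bytes:
    """Negotiated PRF.  AES-CMAC is left out: it needs a non-stdlib library."""
    if prf_id == PRF_HMAC_SHA1:
        return hmac.new(key, data, hashlib.sha1).digest()
    if prf_id == PRF_HMAC_SHA256:
        return hmac.new(key, data, hashlib.sha256).digest()
    if prf_id == PRF_AES_CMAC:
        raise NotImplementedError("AES-CMAC: use e.g. cryptography.hazmat.primitives.cmac")
    raise ValueError("unknown PRF id %r" % prf_id)


def select_prf(mn_prf_list: int, pos_prf_list: int) -> int:
    """Choose one PRF from the bitmaps both sides advertise.
    Assumption: the highest common bit wins (the slides state no rule)."""
    common = mn_prf_list & pos_prf_list
    if not common:
        raise ValueError("no PRF in common")
    return 1 << (common.bit_length() - 1)


def kdf(prf_id: int, key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode KDF in the shape of NIST SP 800-108, producing `length` bytes.
    Assumed stand-in for the draft's section 9.2.2 KDF, which is not reproduced."""
    out = b""
    counter = 1
    while len(out) < length:
        block_input = (bytes([counter]) + label + b"\x00" + context
                       + (length * 8).to_bytes(2, "big"))
        out += prf(prf_id, key, block_input)
        counter += 1
    return out[:length]


def derive_miak_miik(prf_id: int, root_key: bytes, context: bytes):
    """L = MIAK_LEN + MIIK_LEN; the MIAK is the leftmost 128 bits (figure 33 change)."""
    material = kdf(prf_id, root_key, b"MIH keys", context, MIAK_LEN + MIIK_LEN)
    return material[:MIAK_LEN], material[MIAK_LEN:]


def auth_tlv_value(prf_id, miak, message, mn_cs, pos_cs) -> bytes:
    """PRF(MIAK, "AUTH_TLV" | message with AUTH TLV value zeroed | MNCiphersuite | PoSCiphersuite).
    The AUTH TLV is assumed to be the final TLV, so its value is the last n bytes."""
    n = PRF_OUTPUT_LEN[prf_id]
    zeroed = message[:-n] + b"\x00" * n
    return prf(prf_id, miak, b"AUTH_TLV" + zeroed + mn_cs + pos_cs)


def build_auth_message(prf_id, miak, body, mn_cs, pos_cs) -> bytes:
    """Append an AUTH TLV (type, length, value) to `body` and fill in its value."""
    n = PRF_OUTPUT_LEN[prf_id]
    placeholder = body + bytes([AUTH_TLV_TYPE, n]) + b"\x00" * n
    return placeholder[:-n] + auth_tlv_value(prf_id, miak, placeholder, mn_cs, pos_cs)


def verify_auth_message(prf_id, miak, message, mn_cs, pos_cs) -> bool:
    """Constant-time comparison of the received AUTH TLV value with the expected one."""
    n = PRF_OUTPUT_LEN[prf_id]
    expected = auth_tlv_value(prf_id, miak, message, mn_cs, pos_cs)
    return hmac.compare_digest(expected, message[-n:])


def demo():
    """Returns (genuine_verifies, downgraded_verifies); expected (True, False)."""
    root_key = bytes(range(32))               # constructed; stands in for the ERP-derived key
    context = b"MN-id|PoS-id"                 # constructed KDF context
    mn_list = pos_list = PRF_HMAC_SHA1 | PRF_HMAC_SHA256   # both support SHA1 and SHA256
    mn_cs, pos_cs = bytes([mn_list]), bytes([pos_list])    # constructed ciphersuite bytes
    body = b"MIH_Auth.request body (constructed)"
    # Genuine run: PoS selects HMAC-SHA256 and binds the lists it saw into the AUTH TLV.
    prf_id = select_prf(mn_list, pos_list)
    miak, _ = derive_miak_miik(prf_id, root_key, context)
    msg = build_auth_message(prf_id, miak, body, mn_cs, pos_cs)
    genuine = verify_auth_message(prf_id, miak, msg, mn_cs, pos_cs)
    # Downgrade run: an on-path attacker rewrites the MN's list to "HMAC-SHA1 only".
    altered = bytes([PRF_HMAC_SHA1])
    weak_prf = select_prf(altered[0], pos_list)            # PoS now picks HMAC-SHA1
    weak_miak, _ = derive_miak_miik(weak_prf, root_key, context)
    weak_msg = build_auth_message(weak_prf, weak_miak, body, altered, pos_cs)
    # The MN honours the PoS's selection but verifies with the list it really sent.
    downgraded = verify_auth_message(weak_prf, weak_miak, weak_msg, mn_cs, pos_cs)
    return genuine, downgraded


if __name__ == "__main__":
    print(demo())
```

The zeroing step matters: the AUTH TLV value must be replaced by zeros of the PRF output length before the PRF is computed, and the receiver must do the same before comparing, otherwise the value would cover itself. Because both ciphersuites enter the PRF input, the altered list in the downgrade run changes the expected value on the MN side even though the PoS computed its AUTH TLV correctly over what it received.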
ERP MN Initiated (figure: MIH Access Authentication Phase; lifelines: EAP Peer = MN, EAP Authenticator = PoS)
  Capability Discovery Phase
    MIH Capability Discovery Request
    MIH Capability Discovery Response
  MIH Service Authentication Phase
    MN -> PoS: MIH_Auth request (EAP-Initiate/Re-Auth, parameters)
    PoS -> MN: MIH_Auth response (EAP-Finish/Re-Auth, selections)
    MN -> PoS: MIH_Auth request (AUTH)
    PoS -> MN: MIH_Auth response (AUTH)
  Service Access Phase
    ...
  Termination Phase
    MIH Termination Request
    MIH Termination Response
ERP Network Initiated (1) (figure: MIH Access Authentication Phase; lifelines: EAP Peer = MN, EAP Authenticator = PoS)
  Capability Discovery Phase
    MIH Capability Discovery Request
    MIH Capability Discovery Response
  MIH Service Authentication Phase
    PoS -> MN: MIH_Auth indication (EAP-Initiate/Re-auth-Start) [trigger]
    MN -> PoS: MIH_Auth request (EAP-Initiate/Re-Auth, parameters)
    PoS -> MN: MIH_Auth response (EAP-Finish/Re-Auth, selections)
    MN -> PoS: MIH_Auth request (AUTH)
    PoS -> MN: MIH_Auth response (AUTH)
  Service Access Phase
    ...
  Termination Phase
    MIH Termination Request
    MIH Termination Response
ERP Network Initiated (2) (figure: MIH Access Authentication Phase; lifelines: EAP Peer = MN, EAP Authenticator = PoS)
  Capability Discovery Phase
    MIH Capability Discovery Request
    MIH Capability Discovery Response
  MIH Service Authentication Phase
    PoS -> MN: MIH_Auth request (EAP-Request/Identity) [trigger]
    MN -> PoS: MIH_Auth response
    MN -> PoS: MIH_Auth request (EAP-Initiate/Re-Auth, parameters)
    PoS -> MN: MIH_Auth response (EAP-Finish/Re-Auth, selections)
    MN -> PoS: MIH_Auth request (AUTH)
    PoS -> MN: MIH_Auth response (AUTH)
  Service Access Phase
    ...
  Termination Phase
    MIH Termination Request
    MIH Termination Response