Doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 1 A vendor specific plan for centralized security Date: Authors:
Advertisements

Doc.: IEEE r6 Submission July 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
Doc.: IEEE /1625r1 Submission November 2006 Braskich, et al Slide 1 Update to Efficient Mesh Security and Link Establishment Notice: This document.
Doc.: IEEE /0617r0 Submission May 2008 Tony Braskich, MotorolaSlide 1 Refining the Security Architecture Date: Authors:
Doc.: IEEE /1109r0 Submission Month Year Tom Siep, CSRSlide 1 Amendment Creation Process Date: YYYY-MM-DD Authors:
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /1471r0 Submission September 2006 authors Slide 1 Efficient Mesh Security and Link Establishment Notice: This document has been prepared.
Doc.: IEEE /0862r0 Submission July 2009 Michael Bahr, Siemens AGSlide 1 Proxy Update Element Revision Date: Authors:
Doc.: IEEE r1 Submission March 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Protocol Coexistence Issue in MSA Subsequent Authentication
Doc.: IEEE /2176r0 Submission July 2007 Meiyuan Zhao, Intel Corp.Slide 1 Protocol Analysis of Abbreviated Handshake Date: Authors:
Doc.: IEEE /2179r0 Submission July 2007 Steve Emeott, MotorolaSlide 1 Summary of Updates to MSA Overview and MKD Functionality Text Date:
14 March 2002 doc.: IEEE /152r2 Gregg Rasor, MotorolaSlide 1Submission Project: IEEE P Working Group for Wireless Personal Area Networks.
Relationship between peer link and physical link
Submission Title: [Proposal for MAC Peering Procedure]
Updates on Abbreviated Handshake
Overview of Key Holder Security Association Teardown Mechanism
Authentication and Key Management of MP with multiple radios
Mesh Security Proposal
Mesh Frame Formats Date: Authors: June 2007 March 2007
Improvements to Power Management and Future Work
Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Security Architecture Considerations Date.
Mesh Frame Formats Date: Authors: July 2007 March 2007
Submission Title: [Proposal for MAC Peering Procedure]
Resolutions to orphan comments
Nov 2013 Robert Moskowitz, Verizon
Robert Moskowitz, Verizon
Robert Moskowitz, Verizon
Peer link Set-up and Maintenance
Robert Moskowitz, Verizon
Nov 2013 Robert Moskowitz, Verizon
Jesse Walker and Emily Qi Intel Corporation
Summary of Updates to Abbreviated Handshake
Submission Title: [Proposal for MAC Peering Procedure]
Security Properties Straw Polls
Overview of Changes to Key Holder Frame Formats
Proposed Resolutions to RFI comments of LB 166 on IEEE s D7.0
May 2007 MSA Comment Resolution Overview
Update to Efficient Mesh Security and Link Establishment
Authentication and Key Management of MP with multiple radios
Mesh Frame Formats Date: Authors: May 2007 March 2007
Link Setup Flow July 2011 Date: Authors: Name Company
Updates on Abbreviated Handshake
Draft D4.01 status report Date: Authors: February 2010
Mesh Security Proposal
Different MKD domain MPs communication method
Submission Title: [Proposal for MAC Peering Procedure]
Terminology changes in a nutshell …
Mesh Frame Formats Date: Authors: June 2007 March 2007
Overview of Abbreviated Handshake Protocol
TG1 Draft Topics Date: Authors: September 2012 Month Year
Relationship between peer link and physical link
PLE Comment Resolution
27 Febraury 2002 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Security Sub-committee Status Report.
Overview of Improvements to Key Holder Protocols
TG1 Draft Topics Date: Authors: September 2012 Month Year
MAC beaconing sync comment resolution
PLE Comment Resolution Update
Security Requirements for an Abbreviated MSA Handshake
Overview of Improvements to Key Holder Protocols
Some feedback from editor
Link Setup Flow July 2011 Date: Authors: Name Company
Mesh Frame Formats Date: Authors: May 2007 March 2007
Mesh Frame Formats Date: Authors: July 2007 March 2007
Robert Moskowitz, Verizon
A Better Way to Protect APE Messages
Overview of an MSA Security Proof
Mesh Frame Formats Date: Authors: May 2007 March 2007
Presentation transcript:

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous forms Date: Authors:

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 2 Abstract This document provides an overview of “An abbreviated handshake with sequential and simultaneous forms,” in 11-07/2535r0.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 3 Background Peer links are established through the peer link management protocol, defined in 11A.2. MPs use this protocol before any other direct communication may occur. Establishment of a security association between two MPs occurs through the use of Full MSA authentication, including a mesh 4-way handshake that is exchanged after peer link management. A protocol that could integrate these functions may be called an abbreviated handshake.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 4 Full MSA Authentication Full MSA Authentication is illustrated at right. At a minimum, this 8-message exchange is required to securely establish each link in a mesh. LB93 comments call for a more efficient handshake. See CIDs 735, 1057, We investigate the design of an abbreviated handshake to answer this call. Mesh Point Peer Link Open Initial MSA Authentication (if needed) 4-way Handshake #1 4-way Handshake #2 4-way Handshake #3 4-way Handshake #4 Peer Link Confirm Mesh Point

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 5 Security Goals for Abbreviated Handshake An abbreviated handshake protocol must achieve the following goals, which also applies to other MSA protocols: Mutual Authentication Key Secrecy –PTK: the session key –Broadcast keys (GTKs), for each node, which may be exchanged during the handshake. –Other key material, such as the PMK-MA Session Key (PTK) Freshness Cipher Suite Selection Not Compromised Authenticated Exchange of Information Composability –Abbreviated handshake works together with other MSA protocols.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 6 Security State Besides providing mutual authentication and establishing a session key, the abbreviated handshake must confirm the security state. –i.e., meeting the Authenticated exchange of information goal The security state is information agreed upon by both MPs by the time the handshake successfully completes. –That is, if the handshake successfully completes, then both MPs are in agreement about the security state. PTKSA Security state contents: –(2) MP MAC addresses –(2) Link Identifiers –Pairwise Cipher Suite –PTK (derived through nonce contributions by both MPs).

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 7 Use case for Abbreviated Handshake Cached keys: An abbreviated handshake could be valuable (in terms of efficiency) when two nodes are re- establishing a link that had recently failed. –A peer link is torn down (and the PTK SA deleted), but the PMK- MA remains cached. Continuing mesh formation: A MP uses Full MSA Authentication when creating its first peer link in a mesh. Subsequent links, continuing the building of the mesh, can benefit from the efficiency gain of an abbreviated handshake.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 8 Summary of an abbreviated handshake specification Definition of additional Peer Link frame types PTK derivation update MLME primitive definition for initiating handshake Updates to MSA overview text Initiating the abbreviated handshake Processing the abbreviated handshake in the sequential form Processing the abbreviated handshake in the simultaneous form Informative annex: state machine for abbreviated handshake protocol

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 9 Protocol Details The abbreviated handshake permits two distinct forms: sequential & simultaneous. Sequential: exactly one MP has initiated the protocol with its peer Simultaneous: each of two MPs initiate the protocol with each other (within a small window of time) Flexible ordering

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 10 Abbreviated Handshake Protocol State Machine The abbreviated handshake builds on the peer link management protocol defined in TGs. –Message types and protocol structure for simultaneous form is similar to the peer link management defined in the draft. –The sequential form adds new message types, simply to distinguish between the protocol forms. A state machine, specific to the abbreviated handshake, is presented in an informative annex. –A single state machine describes both the simultaneous and sequential forms of the handshake. –Protocol-layer retries are eliminated to prevent excessive complexity in the state machine: an MP may reattempt establishment of a link by attempting a new link instance.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 11 Key Selection Details Key selection for the abbreviated handshake is similar to that of Full MSA Authentication. Key selection can be summarized: –If a key is cached at both MPs, use it. –If not, but an MP has a connection to the MKD (and is an authorized MA), it should retrieve a key so that the MPs share one. –Tie-break based on MAC address when required –If no cached keys & no connection to MKD, abbreviated handshake does not complete.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 12 Key retrieval Each party requires possession of a shared symmetric PMK- MA for successful protocol completion. On a given instance of the abbreviated handshake, one MP may not have the agreed- upon key and must retrieve it from the MKD. This action may occur to permit the handshake to complete (see illustration). Mesh Point MKD Mesh Point Peer Link Open Peer Link Setup Peer Link Response Peer Link Acknowledge Key Request Key Delivery multi-hop

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 13 Forged Open Messages A Peer Link Open message initiating the abbreviated handshake may be forged. Attacked MP may attempt key pull. Key delivery may occur if Peer Link Open contained a valid key name (forwarded in key request to MKD). Without key delivery, Peer Link Setup is not sent. Attacker MKD Mesh Point Peer Link Open Peer Link Setup Key Request Key Delivery Key is delivered only if Peer Link Open contained valid key name. Attacker will not be able to construct correct response message. multi-hop

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 14 Half-open link recovery A half-open link is possible in session-establishment protocols (a.k.a, the 2-army problem), due to a final message being lost. Handling of a half-open link depends on the abbreviated handshake form that was used. Mesh Point Peer Link Open Peer Link Confirm Mesh Point Peer Link Open Peer Link Setup Peer Link Response Peer Link Acknowledge Sequential: the MP that initiated the abbreviated handshake is aware of the half-open link, and is responsible for error recovery. Simultaneous: the sender of the lost message will not be aware of the half- open link

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 15 Security proof details 11-07/2432r0 presents some analysis of MSA in the form of a security proof. It also contains analysis of the abbreviated handshake that we have described. The proof is constructed using PCL to describe the MSA protocols –Extensions to PCL to permit description of the abbreviated handshake are described in 11-07/2432r0. –The proof considers the two forms of the abbreviated handshake, proving the forms are well-defined, can operate on a single device together, and operate well with the MSA protocols specified in TGs. The proof shows that the abbreviated handshake achieves the security goals set forth for the MSA architecture.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 16 Future Plans We plan to evaluate the performance of this design. The design will continue to be refined as we discuss the design with others working in this area. Feedback on 11-07/2535r0 is appreciated.

doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 17 References 11-07/2432r0, “Overview of an MSA Security Proof” 11-07/2535r0, “An abbreviated handshake with sequential and simultaneous forms”