Keying for Fast Roaming

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /084r0-I Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Robust Security Network (RSN) Service of IEEE
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn
Some LB 62 Motions January 13, 2003 January 2004
TGi Motions for Comment Resolution
Motions to Address Some Letter Ballot 52 Comments
TGai FILS Authentication Protocol
Mesh Security Proposal
Nancy Cam-Winget, Cisco Systems Inc
Wireless Network Security
Key Hierarchy Merge Status
PEKM (Post-EAP Key Management Protocol)
Pre-Association Security Negotiation (PASN) for 11az
Nancy Cam Winget, Atheros
Just-in-time Transition Setup
TAP & JIT Key Hierarchy Notes
Robert Moskowitz, Verizon
Nancy Cam-Winget, Cisco Systems Inc
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Robert Moskowitz, Verizon
doc.: IEEE /252 Bernard Aboba Microsoft
Jesse Walker and Emily Qi Intel Corporation
802.1X and AKE Comparison Nancy Cam-Winget, Atheros
TAP (Transition Acceleration Protocol)
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Roaming Keith Amann, Spectralink
Tim Moore, Microsoft Corporation Clint Chaplin, Symbol Technologies
Fast Roaming Compromise Proposal
NIST Considerations Date: Authors: July 2005 Month Year
Updates on Abbreviated Handshake
Options for Protecting Management Frames
Roaming timings and PMK lifetime
Mesh Security Proposal
TGr Security Architecture
Fast Roaming Compromise Proposal
Overview of Abbreviated Handshake Protocol
Fast Roaming Compromise Proposal
802.1X and AKE Comparison Nancy Cam-Winget, Atheros
Dan Harkins Trapeze Networks
Roaming timings and PMK lifetime
Keying for Fast Roaming
Jesse Walker, Intel Corporation Russ Housley, Vigil Security
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Fast Roaming Observations
Sept 2003 PMK “sharing” Tim Moore Tim Moore, Microsoft.
Submission Title: Dallas i/ Liaison Report.
Roaming timings and PMK lifetime
11ay Fast Association Authentication
TGi Draft 1 Clause – 8.5 Comments
11ay Fast Association Authentication
Comment Resolution Motions
Presentation transcript:

Keying for Fast Roaming March 2003 Keying for Fast Roaming Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation Cam-Winget et. al.

Agenda Concepts Fast Roaming Key Hierarchy Keying Reassociations March 2003 Agenda Concepts Fast Roaming Key Hierarchy Keying Reassociations Fast Roaming PMK/PTK Usage Protocol Properties Back-end Protocol Considerations Open Issues Cam-Winget et. al.

Concepts AS-STA Session – MKID – Master Key Identifier, names a key March 2003 Concepts AS-STA Session – MKID – Master Key Identifier, names a key PMK Caching PMK Timeout PMK – unique per AP Cam-Winget et. al.

Fast Roaming Key Hierarchy (1) March 2003 Fast Roaming Key Hierarchy (1) Master Key (MK) named MKID = Original BSSID | STA MAC Addr | NTP Timestamp Generate ETEK : End-To-End-Key is used to secure delivery of MKID Pairwise Master Key (PMK) = Roaming-PRF(MasterKey, “fast roaming pmk” | MKID | BSSID) PTK = Roaming-PRF(PMK, “fast roaming ptk” | new BSSID | STA MAC Addr | MKID | Counter) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256–n – can have ciphersuite-specific structure Cam-Winget et. al.

Fast Roaming Key Hierarchy (2) March 2003 Fast Roaming Key Hierarchy (2) No random nonces mixed into PTK Rationale: Allow STA to pre-compute PTK Consequence: PMK must be fresh across AS-STA sessions MKID identifies keys Rationale: optimizing performance requires identifying right key earlier in key confirmation handshake Cam-Winget et. al.

Fast Roaming Key Hierarchy (3) March 2003 Fast Roaming Key Hierarchy (3) Algorithm Roaming-PRF Input: Key K, Label L, Nonce N, Output Length OL Output: OL-octet string Out Out = “” for i = 1 to (OL+15)/16 do Out = Out | AES-CBC-MAC(K, L | N | i | OL) return first OL octets out of Out Cam-Winget et. al.

Rekeying Reassociations (1) March 2003 AP STA Rekeying Reassociations (1) PMK, MKID1, Counter1 PMK, MKID2, Counter2 Counter1 = Counter1 + 1, KCK | KEK | TK = Roaming-PRF(PMK, “fast roaming ptk” | BSSID | STA MAC Addr | MKID | Counter) Reassoc Req (RSN IE, Fast-Rekey IE(MKID1, Counter1 , Srand)) if MKID1 == MKID2 and Counter1 > Counter2 then derive KCK | KEK | TK else reject Reassoc Resp(RSN IE, Fast-Rekey IE(MKID2, Counter2, Arand, RSC, EKEK(GTK), MIC)) Action-Frame(Fast-Rekey-Confirm IE(Arand, MIC)) Install TK Counter2 = Counter1 Install TK Cam-Winget et. al.

Rekeying Reassociations (2): Fast-Rekey IE March 2003 Rekeying Reassociations (2): Fast-Rekey IE Element ID – 1 octet Length – 1 octet GTK Key ID – 1 octet GTK Length – 1 octet MKID – 20 octets Counter – 4 octets Random – 16 octets RSC – 8 octets GTK - 40 octets MIC – 8 octets Cam-Winget et. al.

Rekeying Reassociations (3): Fast-Rekey-Confirm IE March 2003 Rekeying Reassociations (3): Fast-Rekey-Confirm IE Element ID – 1 octet Length – 1 octet Random – 16 octets MIC – 8 octets Cam-Winget et. al.

Rekeying Reassociations (4): MICs March 2003 Rekeying Reassociations (4): MICs GTK encryption Algorithm: AES Key Wrapping (RFC 3394) Pad with 16bytes of zeroes for CCMP Reassociation Response MIC: AES-CBC-MAC-64(KCK, Srand | RSNIEBSSID | Element ID | Length | MKID | Counter | Arand | RSC | GTK Key ID | GTK Length | GTK) Action Message Confirm MIC: AES-CBC-MAC-64(KCK, Element ID | Length | Arand) The MIC’s effectively cover the entire Fast Rekey IE and must know MIC data length apriori. Cam-Winget et. al.

Rekeying Reassociations (5) March 2003 Rekeying Reassociations (5) AP proves it is live by MICing SRand in Reassociation Response STA proves it is live by MICing Arand in Action Message Counter value rules insure PTK is fresh if PMK is fresh STA must maintain Counter over MK lifetime AP must maintain Counter over PMK lifetime Cam-Winget et. al.

Rekeying Reassociations (6) March 2003 Rekeying Reassociations (6) AES-CBC-MAC requires Fast-Rekey IE, Fast-Rekey-Confirm IE have fixed lengths Use only with TKIP and CCMP Cam-Winget et. al.

Protocol Properties Scheme is optional Scheme works with March 2003 Protocol Properties Scheme works with proactive keying (Arbaugh et al) on-demand key refresh (Cam-Winget) Scheme aids fast roaming by Supporting PTK pre-computation PMK caching at the AP and STA Reducing roundtrips at reassociation from 7.5 to 2.5 Scheme is optional Cam-Winget et. al.

Fast Roaming PMK/PTK Usage (1) March 2003 Fast Roaming PMK/PTK Usage (1) AS delivers PMK to AP Authenticator 802.1X Authenticator derives Fast-Roaming PTK 802.11 MAC asks 802.1X to compute MICs over fast roaming rekey messages to verify MICs of fast roaming rekey messages to transfer RSC, encrypted GTK Cam-Winget et. al.

Fast Roaming PMK/PTK Usage (2) March 2003 Fast Roaming PMK/PTK Usage (2) Service interface: MLME-Compute-MIC Indicates offsets for RSC, Encrypted GTK or if not requried 802.1X inserts RSC, GTK if non-zero offset MLME-Verify-MIC Indicates offsets for RSC, Encrypted GTK if present 802.1X extracts RSC, GTK if present Service interface allows proprietary keying schemes, too Cam-Winget et. al.

Fast Roaming PMK/PTK Usage (3) March 2003 Fast Roaming PMK/PTK Usage (3) Scheme requires AP to cache PMK, Counter across associations AP can use server as backing store AP selects random key K AP uses K to encrypt PMK, Counter, PMK Timeout and save these in backing store data base indexed by STA MAC Addr Scheme requires a PMK Timeout to always be present with the PMK Cam-Winget et. al.

Fast Roam negotiation OUI Value Meaning Authentication Type March 2003 Fast Roam negotiation OUI Value Meaning Authentication Type Key Management Type 00:00:00 Reserved 1 Unspecified authentication over IEEE 802.1X– RSN default IEEE 802.1X Key Management as defined in 8.5 – RSN default 2 None IEEE 802.1X Key Management as defined in 8.5 using PSK 3 Unspecified authentication over IEEE 802.1X Fast Roam Key Management - Optional 4-255 Vendor Specific Any Other Cam-Winget et. al.

Initial Association AS STA AP March 2003 802.11 Open Authentication Association Req + RSN IE (AKM = Fast Roam) Association Response (success) EAP type specific mutual authentication AKM is relayed to AS using same back-end protocol (e.g. Radius attribute) Derive Pairwise Master Key (PMK) Access ACCEPT (MKID IE, PMK) 802.1X/EAP-SUCCESS Counter = 1; Derive PTK Cam-Winget et. al.

Initial Association STA AP March 2003 New Session Initiate ( MKIDE, RSNIEAP, Fast Rekey IE ) Counter ← 1 Derive PMK and PTK New Session Confirm( RSNIESTA, Fast Rekey IE) Install TK Install TK Cam-Winget et. al.

Initial Association(2): MKID IE March 2003 Initial Association(2): MKID IE Element ID – 1 octet Length – 1 octet MKID – 20 octets MIC – 8 octets Element shared between STA and AS only. ETEK is used to authenticate MKID: MIC = AES-CBC-MAC(ETEK, Element ID | Length | MKID) Cam-Winget et. al.

Initial Association (3) March 2003 Initial Association (3) New Session Initiate Fast Rekey IE : MIC = AES-CBC-MAC(KCK, RSNIEBSSID | Element ID | Length | GTK Key ID | GTK Length | MKID | Counter | ARand | RSC | GTK) New Session Confirm Fast Rekey IE: MIC = AES-CBC-MAC(KCK, Element ID | Length | Arand) Cam-Winget et. al.

Back-end Protocol Requirements March 2003 Back-end Protocol Requirements Must allow AP to specify roaming key hierarchy Default = 4-way handshake hierarchy when unspecified Must always support 4-way handshake, because STA may not support fast-roaming keying protocol Must allow AS to deliver MKID, PMK, MKID IE timeout with PMK to APs within roaming domain Cam-Winget et. al.

March 2003 Motion Move to incorporate Fast Roaming Key Hierarchy and protocol from document 03/XXX into the TGi draft as optional. Cam-Winget et. al.

Issues Under Discussion…all related to the backend March 2003 Issues Under Discussion…all related to the backend Which PMK to use on initial contact association? AS and STA defines PMK to use in EAP exchange via EAP TLV. How to deliver MKID to STA on initial contact? AS delivers the MKID either through EAP TLV or on first initial contact handshake. How does 802.1X AS know to generate the Fast Roaming PMK instead of 4-way Handshake PMK? EAP TLV can be inserted in the EAP Identity Response of first STA challenge response. Otherwise, a new EAP method must be provided. What are the PMK caching rules? It is being addressed, one example is 03/084 Effect on 802.1X state machine? Initial establishment is affected. New MLME interface is needed to allow .11 request new PTK. Is rekey required? If so, how? Issue holds for Fast Roam and 4-way handshake Cam-Winget et. al.

March 2003 Feedback? Cam-Winget et. al.