Keying for Fast Roaming March 2003 Keying for Fast Roaming Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation Cam-Winget et. al.
Agenda Concepts Fast Roaming Key Hierarchy Keying Reassociations March 2003 Agenda Concepts Fast Roaming Key Hierarchy Keying Reassociations Fast Roaming PMK/PTK Usage Protocol Properties Back-end Protocol Considerations Open Issues Cam-Winget et. al.
Concepts AS-STA Session – MKID – Master Key Identifier, names a key March 2003 Concepts AS-STA Session – MKID – Master Key Identifier, names a key PMK Caching PMK Timeout PMK – unique per AP Cam-Winget et. al.
Fast Roaming Key Hierarchy (1) March 2003 Fast Roaming Key Hierarchy (1) Master Key (MK) named MKID = Original BSSID | STA MAC Addr | NTP Timestamp Generate ETEK : End-To-End-Key is used to secure delivery of MKID Pairwise Master Key (PMK) = Roaming-PRF(MasterKey, “fast roaming pmk” | MKID | BSSID) PTK = Roaming-PRF(PMK, “fast roaming ptk” | new BSSID | STA MAC Addr | MKID | Counter) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256–n – can have ciphersuite-specific structure Cam-Winget et. al.
Fast Roaming Key Hierarchy (2) March 2003 Fast Roaming Key Hierarchy (2) No random nonces mixed into PTK Rationale: Allow STA to pre-compute PTK Consequence: PMK must be fresh across AS-STA sessions MKID identifies keys Rationale: optimizing performance requires identifying right key earlier in key confirmation handshake Cam-Winget et. al.
Fast Roaming Key Hierarchy (3) March 2003 Fast Roaming Key Hierarchy (3) Algorithm Roaming-PRF Input: Key K, Label L, Nonce N, Output Length OL Output: OL-octet string Out Out = “” for i = 1 to (OL+15)/16 do Out = Out | AES-CBC-MAC(K, L | N | i | OL) return first OL octets out of Out Cam-Winget et. al.
Rekeying Reassociations (1) March 2003 AP STA Rekeying Reassociations (1) PMK, MKID1, Counter1 PMK, MKID2, Counter2 Counter1 = Counter1 + 1, KCK | KEK | TK = Roaming-PRF(PMK, “fast roaming ptk” | BSSID | STA MAC Addr | MKID | Counter) Reassoc Req (RSN IE, Fast-Rekey IE(MKID1, Counter1 , Srand)) if MKID1 == MKID2 and Counter1 > Counter2 then derive KCK | KEK | TK else reject Reassoc Resp(RSN IE, Fast-Rekey IE(MKID2, Counter2, Arand, RSC, EKEK(GTK), MIC)) Action-Frame(Fast-Rekey-Confirm IE(Arand, MIC)) Install TK Counter2 = Counter1 Install TK Cam-Winget et. al.
Rekeying Reassociations (2): Fast-Rekey IE March 2003 Rekeying Reassociations (2): Fast-Rekey IE Element ID – 1 octet Length – 1 octet GTK Key ID – 1 octet GTK Length – 1 octet MKID – 20 octets Counter – 4 octets Random – 16 octets RSC – 8 octets GTK - 40 octets MIC – 8 octets Cam-Winget et. al.
Rekeying Reassociations (3): Fast-Rekey-Confirm IE March 2003 Rekeying Reassociations (3): Fast-Rekey-Confirm IE Element ID – 1 octet Length – 1 octet Random – 16 octets MIC – 8 octets Cam-Winget et. al.
Rekeying Reassociations (4): MICs March 2003 Rekeying Reassociations (4): MICs GTK encryption Algorithm: AES Key Wrapping (RFC 3394) Pad with 16bytes of zeroes for CCMP Reassociation Response MIC: AES-CBC-MAC-64(KCK, Srand | RSNIEBSSID | Element ID | Length | MKID | Counter | Arand | RSC | GTK Key ID | GTK Length | GTK) Action Message Confirm MIC: AES-CBC-MAC-64(KCK, Element ID | Length | Arand) The MIC’s effectively cover the entire Fast Rekey IE and must know MIC data length apriori. Cam-Winget et. al.
Rekeying Reassociations (5) March 2003 Rekeying Reassociations (5) AP proves it is live by MICing SRand in Reassociation Response STA proves it is live by MICing Arand in Action Message Counter value rules insure PTK is fresh if PMK is fresh STA must maintain Counter over MK lifetime AP must maintain Counter over PMK lifetime Cam-Winget et. al.
Rekeying Reassociations (6) March 2003 Rekeying Reassociations (6) AES-CBC-MAC requires Fast-Rekey IE, Fast-Rekey-Confirm IE have fixed lengths Use only with TKIP and CCMP Cam-Winget et. al.
Protocol Properties Scheme is optional Scheme works with March 2003 Protocol Properties Scheme works with proactive keying (Arbaugh et al) on-demand key refresh (Cam-Winget) Scheme aids fast roaming by Supporting PTK pre-computation PMK caching at the AP and STA Reducing roundtrips at reassociation from 7.5 to 2.5 Scheme is optional Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (1) March 2003 Fast Roaming PMK/PTK Usage (1) AS delivers PMK to AP Authenticator 802.1X Authenticator derives Fast-Roaming PTK 802.11 MAC asks 802.1X to compute MICs over fast roaming rekey messages to verify MICs of fast roaming rekey messages to transfer RSC, encrypted GTK Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (2) March 2003 Fast Roaming PMK/PTK Usage (2) Service interface: MLME-Compute-MIC Indicates offsets for RSC, Encrypted GTK or if not requried 802.1X inserts RSC, GTK if non-zero offset MLME-Verify-MIC Indicates offsets for RSC, Encrypted GTK if present 802.1X extracts RSC, GTK if present Service interface allows proprietary keying schemes, too Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (3) March 2003 Fast Roaming PMK/PTK Usage (3) Scheme requires AP to cache PMK, Counter across associations AP can use server as backing store AP selects random key K AP uses K to encrypt PMK, Counter, PMK Timeout and save these in backing store data base indexed by STA MAC Addr Scheme requires a PMK Timeout to always be present with the PMK Cam-Winget et. al.
Fast Roam negotiation OUI Value Meaning Authentication Type March 2003 Fast Roam negotiation OUI Value Meaning Authentication Type Key Management Type 00:00:00 Reserved 1 Unspecified authentication over IEEE 802.1X– RSN default IEEE 802.1X Key Management as defined in 8.5 – RSN default 2 None IEEE 802.1X Key Management as defined in 8.5 using PSK 3 Unspecified authentication over IEEE 802.1X Fast Roam Key Management - Optional 4-255 Vendor Specific Any Other Cam-Winget et. al.
Initial Association AS STA AP March 2003 802.11 Open Authentication Association Req + RSN IE (AKM = Fast Roam) Association Response (success) EAP type specific mutual authentication AKM is relayed to AS using same back-end protocol (e.g. Radius attribute) Derive Pairwise Master Key (PMK) Access ACCEPT (MKID IE, PMK) 802.1X/EAP-SUCCESS Counter = 1; Derive PTK Cam-Winget et. al.
Initial Association STA AP March 2003 New Session Initiate ( MKIDE, RSNIEAP, Fast Rekey IE ) Counter ← 1 Derive PMK and PTK New Session Confirm( RSNIESTA, Fast Rekey IE) Install TK Install TK Cam-Winget et. al.
Initial Association(2): MKID IE March 2003 Initial Association(2): MKID IE Element ID – 1 octet Length – 1 octet MKID – 20 octets MIC – 8 octets Element shared between STA and AS only. ETEK is used to authenticate MKID: MIC = AES-CBC-MAC(ETEK, Element ID | Length | MKID) Cam-Winget et. al.
Initial Association (3) March 2003 Initial Association (3) New Session Initiate Fast Rekey IE : MIC = AES-CBC-MAC(KCK, RSNIEBSSID | Element ID | Length | GTK Key ID | GTK Length | MKID | Counter | ARand | RSC | GTK) New Session Confirm Fast Rekey IE: MIC = AES-CBC-MAC(KCK, Element ID | Length | Arand) Cam-Winget et. al.
Back-end Protocol Requirements March 2003 Back-end Protocol Requirements Must allow AP to specify roaming key hierarchy Default = 4-way handshake hierarchy when unspecified Must always support 4-way handshake, because STA may not support fast-roaming keying protocol Must allow AS to deliver MKID, PMK, MKID IE timeout with PMK to APs within roaming domain Cam-Winget et. al.
March 2003 Motion Move to incorporate Fast Roaming Key Hierarchy and protocol from document 03/XXX into the TGi draft as optional. Cam-Winget et. al.
Issues Under Discussion…all related to the backend March 2003 Issues Under Discussion…all related to the backend Which PMK to use on initial contact association? AS and STA defines PMK to use in EAP exchange via EAP TLV. How to deliver MKID to STA on initial contact? AS delivers the MKID either through EAP TLV or on first initial contact handshake. How does 802.1X AS know to generate the Fast Roaming PMK instead of 4-way Handshake PMK? EAP TLV can be inserted in the EAP Identity Response of first STA challenge response. Otherwise, a new EAP method must be provided. What are the PMK caching rules? It is being addressed, one example is 03/084 Effect on 802.1X state machine? Initial establishment is affected. New MLME interface is needed to allow .11 request new PTK. Is rekey required? If so, how? Issue holds for Fast Roam and 4-way handshake Cam-Winget et. al.
March 2003 Feedback? Cam-Winget et. al.