Secure Key Distribution and Authorization July 2005 Secure Key Distribution and Authorization Date: 2005-07-07 Author(s): Name Company Address Phone Email Dan Harkins Trapeze Networks 5753 W. Las Positas blvd Pleasanton, CA 94588 +1 925 474 2212 dharkins@trpz.com Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <stuart.kerry@philips.com> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <patcom@ieee.org>. Dan Harkins, Trapeze Networks

Current text on Key Distribution July 2005 A key is retrieved from “the infrastructure” in a method “beyond the scope of this specification.” It “requires that keys only be distributed down the key hierarchy using a secure transport protocol.” This is inadequate. Dan Harkins, Trapeze Networks

Implication of Current Text July 2005 Implication of Current Text Possession of a key implies authorization to possess that key. This is incorrect. Any STA that encounters an authenticator in possession of a PMK that it has not authorized should cause the STA to cease using the entire key hierarchy from which that PMK derived. Dan Harkins, Trapeze Networks

“secure transport protocol”? July 2005 Authentication and confidentiality are not enough Other security objectives are needed Authorization: official sanction is given to an entity to become something that it is not (e.g. a PMK derivative holder) Validation: provide timeliness to authorization to ensure the sanction has bounds Correctness: a STA’s authorization attributes (from AAA) follow it through a FBT Dan Harkins, Trapeze Networks

A “secure transport protocol” July 2005 We cannot punt this problem to another standards body or say it is “out of scope” Elevation of privilege issues Lack of authorization means that there is no way to distinguish between a compromised PMK derivative and a non-compromised PMK derivative in the hands of some random NAS No assurance that the PMK derivative is bounded Dan Harkins, Trapeze Networks

A Secure Protocol to meet these enhanced objectives July 2005 A Secure Protocol to meet these enhanced objectives TTAP’s NAS PMK-R0 holder STA ID-sta, ID-r0kh, {ID-ttap-nas, Ns}mk ID-sta, {ID-ttap-nas, Ns}mk {ID-sta, Ns, Na, PMK-R1, author}k, {ID-ttap-nas, Na}mk {ID-ttap-nas, Na}mk, MIC Where: ID-sta is the NAI send during the EAP exchange ID-r0kh is the identity (NAS-Id nee R0KH) of the PMK-R0 holder ID-ttap-nas is the NAS-Id of the authenticator of the TTAP Ns is a nonce supplied by the STA Na is a nonce supplied by the PMK-R0 holder author are authorization attributes associated with PMK-R0 mk is a key shared between the STA and the PMK-R0 holder k is a key shared between the TTAP and the PMK-R0 holder MIC is SHA-256(Ns|Na) Dan Harkins, Trapeze Networks

Security Objectives Met July 2005 Security Objectives Met Authentication of the entities involved in key distribution Confidentiality of the key distribution Authorization of the status of PMK-R1 holder Validation of the authorization Receipt of the key is acknowledged Correctness of the authorization attributes assigned to the STA Dan Harkins, Trapeze Networks

July 2005 Motion Instruct the editor to incorporate changes from 11-05-677-00-000r into the 11r draft. Dan Harkins, Trapeze Networks