TGi Frame Exchanges
Tim Moore, Microsoft
Pejman Roshan and Nancy Cam-Winget, Cisco Systems, Inc.
September 2002
Phase 1 – Finding and Associating to an AP

Client -> AP: Probe Request
AP -> Client: Probe Response + RSN IE (AP advertises multicast/unicast ciphers WEP and TKIP, and authentication by dynamic keys with 802.1X)
Client -> AP: 802.11 Open System Authentication
AP -> Client: 802.11 Open Authentication (success)
Client -> AP: Association Request + RSN IE (client selects TKIP and dynamic keys with 802.1X)
AP -> Client: Association Response (success)
State: 802.1X controlled port blocked for the client's AID
Phase 2 – Authenticating the User

AP -> Client: 802.1X/EAP-Request Identity
Client -> AP: 802.1X/EAP-Response Identity
AP -> AAA: RADIUS Access-Request carrying the EAP Identity response
Client <-> AAA (relayed by the AP): EAP type specific mutual authentication
Client and AAA server each derive the Pairwise Master Key (PMK)
AAA -> AP: RADIUS Access-Accept (PMK delivered to the AP via MS-MPPE attributes)
AP -> Client: 802.1X/EAP-Success
State: 802.1X controlled port still blocked for the client's AID
Deriving the Pairwise (Unicast) Keys

SNonce – Supplicant (STA) nonce
ANonce – Authenticator (AP) nonce
Precondition: STA and AP must share a master key (a PMK from Phase 2, or a PSK)
The Pairwise Key Hierarchy

PTK = PRF-512(PMK, "Pairwise Key Expansion", Min(STA MAC, AP MAC) || Max(STA MAC, AP MAC) || SNonce || ANonce)
Output: 512-bit Pairwise Transient Key (PTK)
NOTE: Values are concatenated, so order matters
The Pairwise Key Hierarchy (continued)

The 512-bit PTK is split into five keys:
Bits 0-127     EAPoL-Key MIC Key (128 bits)
Bits 128-255   EAPoL-Key Encryption Key (128 bits)
Bits 256-383   Temporal Encryption Key (128 bits)
Bits 384-447   Temporal AP Tx MIC Key (64 bits)
Bits 448-511   Temporal AP Rx MIC Key (64 bits)
NOTE: The Tx MIC key is used by the station with the lower MAC address value; the Rx MIC key is used by the station with the higher MAC address value
Phase 3 – The Four Way Handshake
(* EAPoL-Key fields not noted are null)

Both sides hold the PMK. The AP derives ANonce; the client derives SNonce.
Msg 1, AP -> Client: EAPoL-Key(Reply Required, Unicast, ANonce)
Client derives the PTK
Msg 2, Client -> AP: EAPoL-Key(Unicast, SNonce, MIC, STA RSN IE)
AP derives the PTK
Msg 3, AP -> Client: EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE)
Client installs keys
Msg 4, Client -> AP: EAPoL-Key(Unicast, ANonce, MIC)
AP installs keys
State: 802.1X controlled port still blocked for the client's AID
Deriving the Group Keys

Group Master Key (GMK) generation:
- Derived from a random number
- May be set to the first PMK (optional, but not recommended)
- Must be updated periodically from another PMK
- Must be updated when the association state of the STA whose PMK was the source is purged
GNonce – Group nonce generated by the AP
The Group Key Hierarchy

GTK = PRF-256(GMK, "Group Key Expansion", AP MAC || GNonce)
Output: 256-bit Group Transient Key (GTK)
NOTE: Values are concatenated, so order matters
The Group Key Hierarchy (continued)

The 256-bit GTK is split into three keys:
Bits 0-127     Temporal Encryption Key (128 bits)
Bits 128-191   Temporal AP Tx MIC Key (64 bits)
Bits 192-255   Temporal AP Rx MIC Key (64 bits)
NOTE: The Tx MIC key is used by the station with the lower MAC address value; the Rx MIC key is used by the station with the higher MAC address value
Phase 4 – The Group Key Update
(* EAPoL-Key fields not noted are null)

AP holds the GMK, derives GNonce, derives the GTK, and encrypts the GTK field
AP -> Client: EAPoL-Key(All Keys Installed, Reply Required, Group Rx, Key Index, Group, GNonce, MIC, GTK)
Client decrypts the GTK field
Client -> AP: EAPoL-Key(Group, MIC)
State: 802.1X controlled port unblocked for the client's AID
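Worked example added by the editor (not code from the slides or from the TGi draft): one Python script covering the PRF and the PTK/GTK splits of the two key-hierarchy slides, both sides of the Phase 3 four-way handshake with its EAPoL-Key MICs, and the GTK derivation that feeds Phase 4. Assumptions the slides do not state: PRF-n is the HMAC-SHA1 iteration used by the 802.11i draft; the EAPoL-Key MIC is HMAC-MD5 keyed with the 128-bit EAPoL-Key MIC key (the TKIP case); the PMK, MAC addresses, nonces and RSN IEs are constructed sample values; the nonce order and label strings follow the slides as written (802.11i-2004 later changed both). Encryption of the GTK field under the EAPoL-Key Encryption Key is left out because the slides do not name the cipher.

```python
# Editor's example, not from the slides: TGi key hierarchy and 4-way handshake.
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n (assumed construction): concatenate
    HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, sta_mac: bytes, ap_mac: bytes, snonce: bytes, anonce: bytes) -> dict:
    """PRF-512 over Min(MAC)||Max(MAC)||SNonce||ANonce, split as on the PTK slide.
    The slide orders the nonces by role (SNonce first); 802.11i-2004 later used
    Min(nonce)||Max(nonce), so these bytes match the slide, not the final standard."""
    data = min(sta_mac, ap_mac) + max(sta_mac, ap_mac) + snonce + anonce
    ptk = prf(pmk, b"Pairwise Key Expansion", data, 512)
    return {
        "kck": ptk[0:16],      # bits 0-127:   EAPoL-Key MIC key
        "kek": ptk[16:32],     # bits 128-255: EAPoL-Key encryption key
        "tk": ptk[32:48],      # bits 256-383: temporal encryption key
        "tx_mic": ptk[48:56],  # bits 384-447: MIC key of the lower-MAC station
        "rx_mic": ptk[56:64],  # bits 448-511: MIC key of the higher-MAC station
    }


def derive_gtk(gmk: bytes, ap_mac: bytes, gnonce: bytes) -> dict:
    """PRF-256 over AP MAC||GNonce, split as on the GTK slide."""
    gtk = prf(gmk, b"Group Key Expansion", ap_mac + gnonce, 256)
    return {"tk": gtk[0:16], "tx_mic": gtk[16:24], "rx_mic": gtk[24:32]}


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """MIC over the EAPoL-Key frame with its MIC field zeroed. HMAC-MD5 keyed
    with the EAPoL-Key MIC key is the TKIP case (assumed; slides name no algorithm)."""
    return hmac.new(kck, body, hashlib.md5).digest()


def mic_ok(kck: bytes, body: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, body), mic)


def four_way_handshake(pmk, sta_mac, ap_mac, sta_rsn_ie, ap_rsn_ie,
                       anonce=None, snonce=None, tamper_msg2=False):
    """Runs both sides of Phase 3 in one process and returns (STA PTK, AP PTK).
    Fixed nonces may be passed for reproducibility; tamper_msg2 simulates an
    attacker rewriting the STA RSN IE in message 2 (a cipher-suite downgrade)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Msg 1, AP -> STA: ANonce, unprotected (the STA has no PTK yet).
    sta_ptk = derive_ptk(pmk, sta_mac, ap_mac, snonce, anonce)
    # Msg 2, STA -> AP: SNonce || STA RSN IE, MIC under the STA's EAPoL-Key MIC key.
    msg2 = snonce + sta_rsn_ie
    mic2 = eapol_mic(sta_ptk["kck"], msg2)
    if tamper_msg2:
        msg2 = snonce + bytes([sta_rsn_ie[0] ^ 0x01]) + sta_rsn_ie[1:]
    ap_ptk = derive_ptk(pmk, sta_mac, ap_mac, snonce, anonce)
    if not mic_ok(ap_ptk["kck"], msg2, mic2):
        raise ValueError("msg2 MIC failed: PMK mismatch or frame tampered")
    if msg2[32:] != sta_rsn_ie:  # must equal the IE from the Association Request
        raise ValueError("STA RSN IE changed since association")
    # Msg 3, AP -> STA: ANonce || AP RSN IE, Install PTK, MIC under the AP's key.
    msg3 = anonce + ap_rsn_ie
    mic3 = eapol_mic(ap_ptk["kck"], msg3)
    if not mic_ok(sta_ptk["kck"], msg3, mic3):
        raise ValueError("msg3 MIC failed")
    if msg3[32:] != ap_rsn_ie:  # must equal the IE from the Probe Response
        raise ValueError("AP RSN IE changed since probe")
    # STA installs its PTK; Msg 4, STA -> AP: ANonce, MIC; then the AP installs.
    mic4 = eapol_mic(sta_ptk["kck"], anonce)
    if not mic_ok(ap_ptk["kck"], anonce, mic4):
        raise ValueError("msg4 MIC failed")
    return sta_ptk, ap_ptk


if __name__ == "__main__":
    # Constructed sample values, not real keys or addresses.
    pmk = hashlib.sha256(b"sample PMK from EAP").digest()
    sta, ap = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    s, a = four_way_handshake(pmk, sta, ap, b"\x30\x14", b"\x30\x14")
    assert s == a
    print("KCK", s["kck"].hex(), "TK", s["tk"].hex())
    print("GTK TK", derive_gtk(os.urandom(32), ap, os.urandom(32))["tk"].hex())
```

Two points the slides make are visible in the code: because the MAC addresses go through Min/Max, swapping the STA and AP arguments gives the same PTK, while swapping SNonce and ANonce gives a different one (order matters); and because both RSN IEs travel under the MIC in messages 2 and 3, an in-flight edit of the STA's IE is caught at the AP before any key is installed.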