Fast Roaming Observations

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Authentication & Kerberos
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
IEEE Wireless LAN Standard
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Advanced Computer Networks Topic 2: Characterization of Distributed Systems.
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /084r0-I Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
EAP-PSK v8 IETF 63 – Paris, France August EAP-PSK: an independent submission to IESG Requested EAP method type number allocation Reviewed June 2005.
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE r Submission November 2004 Bob Beach, Symbol TechnologiesSlide 1 Fast Roaming Using Multiple Concurrent Associations Bob.
Lecture 24 Wireless Network Security
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Wireless security Wi–Fi (802.11) Security
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /230r0 Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 Proxied Preauthorized Roaming Robert Moskowitz Trusecure Corporation.
Doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /322r0 Submission May 2002 Jesse Walker et alSlide 1 The Louie Architecture Nancy Cam Winget, Cisco Bob Moskowitz, TruSecure Greg Chesson,
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
Doc.: IEEE /0103r0 Submission January 2004 Jesse Walker, Intel CorporationSlide 1 Some LB 62 Motions January 14, 2003.
Authentication and Upper-Layer Messaging
Some LB 62 Motions January 13, 2003 January 2004
802.11r Requirements Discussion
Chapter 6: Transport Layer (Part I)
Keying for Fast Roaming
802.1X and key interactions Tim Moore November 2001
Motions to Address Some Letter Ballot 52 Comments
MAC Address Hijacking Problem
Nancy Cam-Winget, Cisco Systems Inc
Outline Midterm results summary Distributed file systems – continued
Assignment #4 – Solutions
PEKM (Post-EAP Key Management Protocol)
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Nancy Cam Winget, Atheros
Just-in-time Transition Setup
Agenda retrospective - B. Aboba Lunch
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
doc.: IEEE /252 Bernard Aboba Microsoft
Proposed Modifications to e-D4.0 Direct Link Protocol
Jesse Walker and Emily Qi Intel Corporation
802.1X and AKE Comparison Nancy Cam-Winget, Atheros
AES Associated Data Optimization
Security Properties Straw Polls
Roaming Keith Amann, Spectralink
Tim Moore, Microsoft Corporation Clint Chaplin, Symbol Technologies
Fast Roaming Compromise Proposal
Florent Bersani, France Telecom R&D
EAPOL-Key Clarifications
Fast Roaming Compromise Proposal
Fast Roaming Using Multiple Concurrent Associations
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Diffie/Hellman Key Exchange
SA Teardown Protection for w
Fast Roaming Compromise Proposal
The Need for Fast Roaming
802.1X and AKE Comparison Nancy Cam-Winget, Atheros
Public Action Frame Issue
Dan Harkins Trapeze Networks
Keying for Fast Roaming
Roaming Improvements to TGe
Jesse Walker, Intel Corporation Russ Housley, Vigil Security
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
TGi Draft 1 Clause – 8.5 Comments
TGi Draft 1 Clause – 8.5 Comments
Presentation transcript:

Fast Roaming Observations January 2002 Fast Roaming Observations Jesse Walker, Intel Corporation Nancy Cam-Winget, Atheros Communications Walker/Cam-Winget; Intel/Atheros

Background TGf IAPP “Fast Hand-off” to effect fast roaming January 2002 Background TGf IAPP “Fast Hand-off” to effect fast roaming TGf intended to address several important needs: Update 802 bridges after a roam Delete obsolete state off roaming STA’s old AP Move QoS data from old AP to new AP Also being (ab?) used by TGi to pass keying material from old AP to new AP on STA roam Claims: Simpler, more secure protocols are possible TGf is being needlessly complicated by considerations relevant only to TGi If it tries, TGi can find a better fast roaming solution that does not distort TGf Even if it doesn’t try, most of the work still falls to TGi, and TGi needs to undertake this work Walker/Cam-Winget; Intel/Atheros

IAPP Fast Hand-off of TGi Keys January 2002 IAPP Fast Hand-off of TGi Keys Old AP IAPP Send SecBlock IAPP Move STA IAPP Send SecBlock Ack IAPP Move Ack AS New AP Reassociate Request Query Query Response Reassociate Response Query transaction supplies IPsec security association material  only needed once if New AP caches SAs; requires AS to maintain registry of IPsec SAs SendBlock transaction copies keying material from old AP to new AP Move transaction deletes keying material off old AP Walker/Cam-Winget; Intel/Atheros

Some Problems (1) Sharing keying material among n APs January 2002 Some Problems (1) Sharing keying material among n APs increases chance of key compromise Exposure of 1 AP compromises STA on all subsequent roams All STAs that roamed through the compromised AP have to be considered compromised How does the STA and new AP establish its fresh EAPOL Key? Keys live forever Walker/Cam-Winget; Intel/Atheros

Some Problems (2) Authentication issues January 2002 Some Problems (2) Authentication issues Does client authentication really work? Does New AP have to remember every <nonce, key> pair ever seen to guarantee liveness? The answer depends critically dependent on (a) the Security Block exchange being properly protected from replay and forgery, and (b) the old AP never being compromised Who should be authenticated to whom? For protocol to be secure, each party (Old AP, new AP, STA) must be authenticated to the other two? It looks so. Walker/Cam-Winget; Intel/Atheros

January 2002 Some Problems (3) How does protocol distinguish the reassociations types: Legacy reassociation IAPP “Fast Handoff” reassociation Reassociation to the same AP Walker/Cam-Winget; Intel/Atheros

A Different Architecture (1) January 2002 A Different Architecture (1) Assume: Each AP shares a secret KAP with the AS (Needed for 802.1X support anyway) Key Hierarchy: Master Key KSTA  secure communication between AS, STA Association Key  secure EAPOL key messages Temporal Key  derive keys to secure data between AP, STA Three processing elements: STA AP (802.1X Authenticator) 802.11 Hand-off server (802.1X Authentication server) One new protocol: Key Sharing Protocol: Protocol goal: to push a fresh key out from AS to new AP and STA Walker/Cam-Winget; Intel/Atheros

A Different Architecture (2) January 2002 A Different Architecture (2) Steps on Association: Associate Run full EAP authentication (AS  STA) Derive Master Key Run key sharing protocol (AS  AP  STA) Use Master Key to distribute Association Key to STA Use AP  AS key to deliver Association Key to AP Steps on Reassociation Run key sharing protocol (AS  AP  STA) embedded in reassociation Use Master Key to distribute new Association Key to STA Use AP  AS key to deliver new Association Key to new AP Steps on Disassociation or IAPP Delete: Must carry the new Authenticator Element Old AP securely deletes Association and Temporal Keys if Authenticator Element checks STA retains only Master Key Walker/Cam-Winget; Intel/Atheros

Key Sharing Protocol STA AS AP January 2002 Key Sharing Protocol STA AP AS AP-ID, STA-ID, NonceAP EKAP(NonceAP, AP-ID, K, EKSTA(K, STA-ID)) EKSTA(K, STA-ID) K = f(K), Association Key = g(K) EK (NonceSTA) EK (NonceSTA+1) This is just the Needham-Shroeder protocol Walker/Cam-Winget; Intel/Atheros

Example Reassociation Instantiation January 2002 Example Reassociation Instantiation STA AP AS Reassociate Request (STA-ID) AP-ID, STA-ID, NonceAP EKAP(NonceAP, AP-ID, K, EKSTA(K, STA-ID)) Reassociate Response = EKSTA(K, STA-ID) EAPOL Key = EK (NonceSTA) EAPOL Key = EK (NonceSTA+1), EAssocKey(Nonce) K = f(K), AssocKey = g(K) Walker/Cam-Winget; Intel/Atheros

Comparison with IAPP “Fast Hand-off” (1) January 2002 Comparison with IAPP “Fast Hand-off” (1) Reduces # of catastrophic failure points from n to 1 STA + new AP have fresh, independent Association Key on every association v. Association Key derived from same keying material on every reassociation for IAPP Protocol is live by construction v. not evident for IAPP “Fast Hand-off” Explicit reauthentication v. don’t know if authentication works for IAPP fast hand-off Explicit key verification v. implicit key verification for IAPP Walker/Cam-Winget; Intel/Atheros

Comparison with IAPP “Fast Hand-off” (2) January 2002 Comparison with IAPP “Fast Hand-off” (2) IPsec not required v. IPsec required for IAPP Fast Hand-off New AP could forward STA’s authenticator to Old AP in an appropriate request after Key Sharing Protocol completes, causing the Old STA to delete obsolete state AS IPsec SA management suspicious If AS IPsec SA management not used, decreases number of AP keys from n(n+1)/2 to n On the other hand, if the AS supported its part of Key Sharing Protocol, this could be used between old AP and new AP to secure data exchange between them Walker/Cam-Winget; Intel/Atheros

January 2002 Summary IAPP has its proper functions, but TGi is distorting its architecture by moving keys between APs More important, using IAPP for key transfer introduces a number of security problems Simpler, more secure, more scalable architectures are feasible TGf should not compromise its architecture to accommodate TGi However, it must if TGi does not abandon this usage If it doesn’t abandon this, TGi is still responsible for Define Send Security Block and Move contents Define how it wants these contents secured Walker/Cam-Winget; Intel/Atheros

January 2002 Feedback? Walker/Cam-Winget; Intel/Atheros