PMK "sharing"
Tim Moore, Microsoft
Sept 2003
Wish
- Share PMK between multiple APs within a physical box
- Translate to: share keying information from a 802.1X authentication for use by 4-way handshakes on multiple APs within a physical box
PMK
- PMK = MSK(0..31)
- MSK = master session key; the PMK is its first 256 bits
- The MSK is what is delivered to the AP from the RADIUS server: an AAA Key
Security
- Do not reuse a symmetric key
- Can derive keys from a single symmetric key and use the derived keys
Security fix
- Derive multiple PMKs from the MSK, one per AP
- PMK = PRF(MSK(0..31), "PMK Key"|BSSID)
- Each AP now has a unique symmetric key rather than reusing one PMK
Implementation issue
- How does the Supplicant know which MSKs can be used to derive a PMK for another AP?
- Needs additional information from the AP
- Add an Authenticator Group MAC address
- An MSK from a 802.1X authentication with any authenticator that has the same group address can be used to derive a PMK for use with this authenticator
Implementation issue
- How does the Authenticator know which MSKs can be used to derive a PMK for another Supplicant?
- Needs additional information from the Supplicant
- Add a Supplicant Group MAC address
- An MSK from a 802.1X authentication with any supplicant that has the same group address can be used to derive a PMK for this supplicant
Group Address
- Add a MAC address to the RSN IE
- Group address in Beacon and Probe Response contains the Authenticator Group Address
- Group address in (Re)Associate Request contains the Supplicant Group Address
Changes
- PMK = PRF(MSK(0..31), "PMK Key"|BSSID)
- RSNIE: add "Group MAC Addr" field
- Text in PMK caching to describe use of Group Addresses
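The per-AP PMK derivation from the "Security fix" slide, together with the group-address rule from the "Implementation issue" slides, as an added example that is not part of the original presentation. The slides do not say which PRF is meant; this code assumes the 802.11i PRF-256 (iterated HMAC-SHA1 over label || 0x00 || data || counter), and the MSK, group address and BSSIDs are constructed sample values.

```python
import hashlib
import hmac

def prf_256(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-256: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and keep the first 32 bytes (assumed PRF, see lead-in)."""
    out = b""
    i = 0
    while len(out) < 32:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:32]

def derive_pmk(msk: bytes, bssid: bytes) -> bytes:
    """PMK = PRF(MSK(0..31), "PMK Key" | BSSID): a distinct PMK for each AP
    instead of reusing MSK(0..31) directly on every AP in the box."""
    if len(msk) < 32 or len(bssid) != 6:
        raise ValueError("need at least a 256-bit MSK and a 6-byte BSSID")
    return prf_256(msk[:32], b"PMK Key", bssid)

class SupplicantMskCache:
    """Supplicant-side cache: MSKs are filed under the Authenticator Group
    Address seen in the RSN IE, so an MSK from one AP is reused only for
    APs that advertise the same group address."""

    def __init__(self) -> None:
        self._by_group = {}

    def store(self, auth_group_addr: bytes, msk: bytes) -> None:
        self._by_group[auth_group_addr] = msk

    def pmk_for(self, auth_group_addr: bytes, bssid: bytes):
        msk = self._by_group.get(auth_group_addr)
        if msk is None:
            return None  # no usable MSK: a fresh 802.1X authentication is needed
        return derive_pmk(msk, bssid)

# Constructed sample values (not from the slides).
MSK = bytes(range(64))                        # 512-bit MSK as delivered by RADIUS
GROUP_ADDR = bytes.fromhex("0200000000a1")    # Authenticator Group Address
BSSID_1 = bytes.fromhex("0200000000b1")       # two APs in the same physical box
BSSID_2 = bytes.fromhex("0200000000b2")

if __name__ == "__main__":
    cache = SupplicantMskCache()
    cache.store(GROUP_ADDR, MSK)
    print(cache.pmk_for(GROUP_ADDR, BSSID_1).hex())
    print(cache.pmk_for(GROUP_ADDR, BSSID_2).hex())
```

The authenticator side runs the same derive_pmk over the MSK it received from RADIUS, so both ends arrive at the same per-BSSID PMK without a second 802.1X exchange.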