11ay Fast Association Authentication
Date: 2016-02-29
Authors (Name; Affiliation; Address; Phone; email):
- Robert Sun; Huawei Technologies Co., Ltd.; Suite 400, 303 Terry Fox Drive, Kanata, Ontario K2K 3J1; +1-613-2871948; Rob.Sun@huawei.com
- Yan Xin
- Osama Aboul-Magd
- Edward Au
Problem Statements
- 11.5.1.3.5 (11ad) defines the Security Association operations in PBSS.
- Association and authentication are lock-step procedures in order to satisfy the RSNA trust model.
- However, completing authentication and association by following the steps specified in 11.5.1.3.5 takes substantial time [1].
- How to optimize it?
Message sequence (Auth Server, PCP/AP, DMG STA):
- Beacon/Announce/Probe Req-Resp
- 802.11 Authentication Request / 802.11 Authentication Response (Not Used for DMG)
- State 2 (both sides)
- 802.11 Association Request
- 802.11 Association Response + RSN IE
- EAPol Start
- EAPol Req ID
- EAPol Resp ID
- Radius Req
- EAP Authentication Method
- EAPol Success
- State 3 (both sides)
- PBSS 4 Way Handshake
- State 4 (both sides)
11ad Authentication State Machine (10.3.2)
- DMG STA association and authentication go through State 2 -> 3 -> 4 with the IEEE 802.1X RSNA AKM.
- The shortcut state transition (State 2 -> State 4) serves fast re-authentication and enables the PBSS 4-way handshake.
- Problem: 11ad did not specify the PBSS 4-way handshake in a way that really enables the shortcut state transition. In other words, as per 11ad the PBSS 4-way handshake can only take place after State 3.
- Observations: The shortcut state transition will be beneficial in making association/authentication speedy.
Design Principle
- Keep the 11ad Authentication/Association scheme intact (Section 10.3.2, Section 11.5.1.3.5).
- Reuse the RSNA-compliant 802.1X authentication/association state machine.
- There is no one-size-fits-all 11ay association/authentication solution. Some use cases (UC#1, #2) have different pre-shared credentials than others (UC#4, 5) and require different authentication schemes to meet the timing requirements.
- Other cases can still keep using the legacy 11ad authentication/association procedure.
Solution: RSNA-based Authentication
Message sequence (PCP/AP, DMG STA):
- DMG Beacon/Announce/Probe Req-Resp (RSN 11ay FAA Capability bit + Authentication IE […||ANonce])
- State 2 (both sides)
- 802.11 (re)Association Req (+ Authentication IE [SNonce + MIC])
- DMG STA constructs PTK; PCP/AP constructs PTK
- 802.11 (re)Association Resp (+ Authentication IE [MIC])
- State 3/4 (both sides)
11ay Fast Association/Authentication Protocol Analysis
- If dot11RSNAEnabled is true, and if the RSNA is based on IEEE 802.1X AKM in PBSS.
- No TTP (Trusted Third Party) Auth Server required (i.e. UC#1, UC#2, UC#3).
- No other DMG STA in the proximity (UC#1 or UC#2): least concern for eavesdropping or MITM attack.
- Both PCP/AP and DMG STA share a common, cryptographically secure Shared Secret (K) (NIST SP800-97).
- K is the Authentication Key (at least 128 bits).
- The 1st message of the 4-way handshake is now piggybacked on the DMG Beacon from the PCP/AP.
- The 11ay FAA (Fast Association/Authentication) Capability Bit and Authentication IE could be appended to the DMG Beacon, Announcement or Probe Response frames.
- The 4th message of the 4-way handshake, which is traditionally used for key confirmation, is omitted in order to save flight time. The removal is not a concern if "No other DMG STA is in proximity".
- 11ad PBSS 4-way handshake messages are piggybacked with optional MBO parameters for MBO operations. The 11ay FAA may support this by appending the MBO IEs.
Solution: RSNA-based Authentication with Key ID initiating from PCP/AP
- In UC #1, a PCP/AP (toll gate) has to maintain up to thousands of pre-shared secrets (K) in order to support the massive number of pass-through STAs.
- K has to differ from STA to STA in order to prevent the key forgery attack.
- The Key ID is used by the STA to indicate to the PCP/AP which key it starts to authenticate with.
- The Key ID will be input into the MIC to prevent the replay attack.
- The Key ID could be indicated by either the PCP/AP or the DMG STA. However, it is more practical for the PCP/AP to store massive numbers of keys in a database.
- The Key ID format could be as specified in RFC 4880.
- Note: This Key ID is different from the GCMP MPDU Key ID octet (11.4.5.2).
Message sequence (PCP/AP, DMG STA):
- DMG Beacon/Announce/Probe Req-Resp (RSN 11ay FAA Capability bit + Authentication IE [Key ID || ANonce])
- State 2 (both sides)
- 802.11 (re)Association Req (+ Authentication IE [… Key ID, SNonce + MIC])
- DMG STA constructs PTK; PCP/AP constructs PTK
- 802.11 (re)Association Rsp (+ Authentication IE [MIC])
- State 4 (both sides)
Solution: RSNA-based Authentication with Key ID initiating from DMG STA
- This applies in the case where the DMG STA stores the key database (out of scope of IEEE 802.11).
- The DMG STA attaches its Key ID to the 802.11 Association Req frame as the Extended IE to indicate to the PCP/AP which key it intends to use for this particular session.
Message sequence (PCP/AP, DMG STA):
- DMG Beacon/Announce/Probe Req-Resp (RSN 11ay FAA Capability bit + Authentication IE (ANonce))
- State 2 (both sides)
- 802.11 (re)Association Req (+ Authentication IE [Key ID, SNonce + MIC])
- DMG STA constructs PTK; PCP/AP constructs PTK
- 802.11 (re)Association Rsp (+ Authentication IE [Key ID, MIC])
- State 4 (both sides)
11ay Key Hierarchy (W/O Key ID)
- K (PMK)
- PTK = KDF-X(K, "11ay Key Generation", Min(MAC_s, MAC_a) || Max(MAC_s, MAC_a) || Min(SNonce, ANonce) || Max(SNonce, ANonce))
- Key confirmation key: KCK = L(PTK, 0, B)
- Key encryption key: KEK2 = L(PTK, B, B)
- Temporal Key: TK = L(PTK, B or 2*B, TK_bits)
Note: B should be at least 128 bits.
11ay Key Hierarchy (W/ Key ID)
- K (PMK) (Note 2)
- PTK = KDF-X(K, "11ay Key Generation", Key ID || Min(MAC_s, MAC_a) || Max(MAC_s, MAC_a) || Min(SNonce, ANonce) || Max(SNonce, ANonce))
- Key confirmation key: KCK = L(PTK, 0, B)
- Key encryption key: KEK2 = L(PTK, B, B)
- Temporal Key: TK = L(PTK, B or 2*B, TK_bits) (Note 1)
Note 1: B should be at least 128 bits.
Note 2: The Key ID is an input to the key generation.
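The exchange and the two key hierarchies above, as an added Python example that is not part of the original slides. Assumptions: KDF-X is instantiated as HMAC-SHA-256 in counter mode, the MIC is HMAC-SHA-256 under KCK truncated to 16 octets over the message number, Key ID and both nonces, and all function names, field lengths and sample values are constructed for illustration.

```python
import hashlib, hmac, os

LABEL = b"11ay Key Generation"
B = 16  # octets per KCK/KEK (128 bits, the slides' minimum for B)

def kdf(k, label, context, nbytes):
    # ASSUMPTION: KDF-X as HMAC-SHA-256 in counter mode (802.11 KDF style).
    bits, out, i = (nbytes * 8).to_bytes(2, "little"), b"", 1
    while len(out) < nbytes:
        msg = i.to_bytes(2, "little") + label + context + bits
        out += hmac.new(k, msg, hashlib.sha256).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(k, mac_s, mac_a, snonce, anonce, key_id=b""):
    # Context from the key hierarchy slides; Key ID is prepended when used.
    context = (key_id + min(mac_s, mac_a) + max(mac_s, mac_a)
               + min(snonce, anonce) + max(snonce, anonce))
    ptk = kdf(k, LABEL, context, 3 * B)
    return ptk[:B], ptk[B:2 * B], ptk[2 * B:]  # KCK, KEK, TK (128-bit TK)

def mic(kck, msg_no, key_id, nonce_1, nonce_2):
    # ASSUMPTION: HMAC-SHA-256 under KCK, truncated to 16 octets, over
    # fixed-length fields. The slides only say the Key ID is a MIC input.
    data = bytes([msg_no]) + key_id + nonce_1 + nonce_2
    return hmac.new(kck, data, hashlib.sha256).digest()[:16]

def sta_build_assoc_req(k, mac_s, mac_a, anonce, key_id=b""):
    # DMG STA: answer the ANonce from the beacon (message #1) with message #2.
    snonce = os.urandom(16)
    kck, _kek, tk = derive_ptk(k, mac_s, mac_a, snonce, anonce, key_id)
    return snonce, mic(kck, 2, key_id, anonce, snonce), kck, tk

def ap_handle_assoc_req(key_db, mac_a, anonce, mac_s, key_id, snonce, req_mic):
    # PCP/AP: select K by Key ID, derive the PTK, verify the MIC in constant
    # time. Returns (TK, message #3 MIC), or None when authentication fails.
    k = key_db.get(key_id)
    if k is None:
        return None
    kck, _kek, tk = derive_ptk(k, mac_s, mac_a, snonce, anonce, key_id)
    if not hmac.compare_digest(req_mic, mic(kck, 2, key_id, anonce, snonce)):
        return None
    return tk, mic(kck, 3, key_id, snonce, anonce)

if __name__ == "__main__":
    # Constructed sample values, not taken from the slides.
    key_id, k, anonce = b"KEYID-01", os.urandom(16), os.urandom(16)
    mac_a, mac_s = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    snonce, m2, _, tk = sta_build_assoc_req(k, mac_s, mac_a, anonce, key_id)
    print(ap_handle_assoc_req({key_id: k}, mac_a, anonce, mac_s, key_id, snonce, m2)[0] == tk)
```

In this sketch a captured message #2 no longer verifies once the PCP/AP advertises a different ANonce, because the ANonce feeds both the PTK and the MIC.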
11ay Key Usage and Management
Key Management
- K is used to derive KCK (>= 128 bits), KEK (>= 128 bits) and TK (>= 128 bits).
- The cipher suite is GCMP (OUI: 00-0F-AC:8).
- The Key ID is specially designed for scenarios where there is no TTP server and both devices are in very close proximity (less threat from eavesdropping or man-in-the-middle).
- The Key ID identifies the key in the pre-shared key database to prevent the forgery attack.
- Key management should follow the PTKSA life cycle management (10.3.5).
- The 11ay re-association operation could repeat the same protocol in order to resume the upper layer sessions without breakout.
NEW RSN Capabilities field for 11ay Fast Association/Authentication
FAA Capability (Subclause 8.4.2.24.4)
- Define the 11ay FAA Capability Bit for indication:
  0 is not using 11ay FAA
  1 is using 11ay FAA
- If the 11ay FAA Capability bit is 1, an Authentication IE is attached thereafter
New: 11ay Authentication IE Format
Fields: Element ID | 11ay PBSS Auth Options | Length | Key ID | Nonce's | MIC
Octets: 1 | 1 | 1 | 0 or 16 | 0 or 8 | 0 or 16
11ay PBSS Auth Options bits:
- B0-B1: Association Authentication type
  00 Reserved
  01 11ay PBSS Fast Association/Authentication with PSK
  10 11ay PBSS Fast re-association/re-authentication with PSK
  11 11ay association/authentication using other frames than 802.11 association/authentication frames
- B2-B3: Handshake #
  00 Message #1 (Within the DMG Beacon or other frames)
  01 Message #2 (Within the 802.11 (re)Association Request Frame)
  10 Message #3 (Within the 802.11 (re)Association Response Frame)
  11 Message #4 (Not used if B0::B1 = 01 and 10)
- B4: Key ID Usage
- B5: Key ID initiator
  PCP/AP as Key ID initiator
  1 DMG STA as Key ID initiator
- B6-B7: Reserved
References
[1] Rob Sun, et al., "Performance of 802.11 EAP authentication and authorization", https://mentor.ieee.org/802.11/dcn/12/11-12-0041-01-00ai-performance-analysis-of-802-11-eap-authentication-and-authorization.ppt
SP/Motion (Mar 2016)
Do you agree to insert the following text into the SFD?
"An EDMG STA may include the Authentication IE within management frames during the discovery and association phase to parallelize the pre-shared key based authentication and key generation, to speed up the process of authentication and association"
Yes: No: Abstain: