By: Alex Feldman

 A mobile station is connected to the network wirelessly through another device.  In case of WiFi (IEEE ) this would be an access point.  In case of WiMax (IEEE ) it is a base station.

 The mobile station may need to change its connection point to the network.  The connection point “Hands Over” the connection to the new point.  It has to be secure  It has to be fast  It has to be standardized

 Supplicant (Sta)– the station entering the network to be authenticated.  Authenticator (Au) – the access point directly connected to the station, and acting as a proxy to the authentication server.  Authentication Server (AS) – database containing credentials for all users, reachable by the authenticator.

 Extensible Authentication Protocol -Transport Layer Security  Widely supported but rarely used.  8-way handshake. Very secure but also very time consuming.  Doesn’t scale well when clients handoff often.

 PMK - Pairwise Master Key  PTK – Pairwise Transient Key  EMSK – Extended Master Session Key  RADIUS – Remote Authentication Dial In User Service. Uses a shared secret to cipher and authenticate the communication.

1. Authentication – PMK and EMSK generated on SA and Station. 2. AS moves PMK to Au by using RADIUS way handshake – PTK generated by Au and Station

 When a station changes access points, re- authenticating the PMK is slow.  Only the PTK needs to be renewed, and PMK can be left alone.  How do we transmit the PMK from Au1 to Au2????

 Au1 is a bad guy. Pushes false PMK  Sta is a bad guy that gets access to Au2  Sta is a good guy that gets a denial of service  Au2 is a bad guy. Pulls PMK from Au1. Now it can decipher traffic.

 Don’t use AS for re-authentication!  Pull/Push policies to transfer keys.  Provides good performance.  More complicated.  Use when:  Handover speed is crucial & path to the AU is long  Don’t want to be dependant on the AU server

 Contact the Au on every handover.  Slower performance.  Gained security.  Possible danger if the protocol used to move PMK is not strong. Need good reasons to transfer PMKs.

 Goal: reduce the number of packets required for TLS exchange by re-using information generated in the first authentication.  EMSK remained on the Authentication Server, so it can be used to re-authenticate the Station

Based on contacting the Authentication server Au PTK

 EAP-TLS took 2.34 seconds on average  Proposed protocol took 0.62 seconds on average  74% improvement over EAP- TLS!  82% improvement when including retransmissions

 Internet Engineering Task Force (IETF) – working on new standard to used the EMSK for re-authentication.  Pull and push methods to transfer keys for nodes within same mobility domains

 EAP-TLS is slow for re-authentication.  Big improvements can be made by following the proposed protocol, which  Reduces number of packets required  Reduces retransmissions  Decreases time

 Original paper written by: Romano Fantacci, Leonardo Maccari, and Tommaso Pecorella from:University of Florence Federico Frosali from: Telecom Italia Lab