Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Doc.: IEEE /0560r0 Submission May 2010 Ashish Shukla, MarvellSlide 1 TDLS TPK Handshake Date: Authors:
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
Doc.: IEEE /1065r0 Submission November 2005 Emily Qi et alSlide 1 Proposal for Load Balancing Notice: This document has been prepared to assist.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: Authors:
Doc.: IEEE /0566r1 Submission May 2006 Sood, Walker, Cam-Winget, CalhounSlide 1 TGr Security Architecture Notice: This document has been prepared.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE r Submission November 2004 Bob Beach, Symbol TechnologiesSlide 1 Fast Roaming Using Multiple Concurrent Associations Bob.
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
Doc.: IEEE /1565r0 Submission December 2004 Haixiang He, Nortel NetworksSlide 1 Fast BSS Transition Tunnel Notice: This document has been prepared.
Submission doc.: IEEE ai May 2012 Lei Wang, InterDigital CommunicationsSlide 1 Proposed SFD Text for ai AP/STA Initiated FILS Optimizations.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: r Submission March 2006 AllSlide 1 A method to refresh the keys hierarchy periodically Notice: This document has been prepared to.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
SubmissionJoe Kwak, InterDigital1 Simplified 11k Security Joe Kwak InterDigital Communications Corporation doc: IEEE /552r0May 2004.
Doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /1426r00 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Doc.: IEEE /01097r0 Submission November 2005 N. Cam-Winget, K. Sood, and J. WalkerSlide 1 EAPKIE Replay Counters and MIC Notice: This document.
Doc.: IEEE /0199r0 Submission March 2005 Kapil Sood, Intel; Bob O’Hara, AirespaceSlide 1 Policy Enforcement For Resources and Security Notice:
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
Doc.: IEEE /0269r1 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District, Chengdu,
Doc.: IEEE /0103r0 Submission January 2004 Jesse Walker, Intel CorporationSlide 1 Some LB 62 Motions January 14, 2003.
Robust Security Network (RSN) Service of IEEE
Seamless BSS Transition Protocol
Some LB 62 Motions January 13, 2003 January 2004
Proposed SFD Text for ai Link Setup Procedure
Keying for Fast Roaming
Pre-association Security Negotiation for 11az SFD Follow up
Pre-association Security Negotiation for 11az SFD Follow up
Management Frame Protection Study Group Request
Mesh Security Proposal
TDLS TPK Handshake Date: Authors: May 2010 May 2010
Use of EAPOL-Key messages during pre-auth
PEKM (Post-EAP Key Management Protocol)
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
IGTK Switch Announcement
Pre-Association Security Negotiation (PASN) for 11az
Just-in-time Transition Setup
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Jesse Walker and Emily Qi Intel Corporation
Motorola TGr Fast Handover Proposal
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Roaming Keith Amann, Spectralink
Management Frame Protection Study Group Request
Mechanism to update current session parameters
Fast Roaming Compromise Proposal
Mesh Security Proposal
TGr Security Architecture
Fast Roaming Compromise Proposal
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Fast Roaming Compromise Proposal
Public Action Frame Issue
Keying for Fast Roaming
Introducing 11r-d0.00 Date: Authors: July 2005
Overview of Improvements to Key Holder Protocols
Fast Authentication in TGai
Use of EAPOL-Key messages
Beacon Content Protection
TGi Draft 1 Clause – 8.5 Comments
Presentation transcript:

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 2 Agenda Problem Statement Design Goals Pre-Keying Usage Open Issues Q&A Straw Poll

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 3 Problem Statement r seeks to optimize STA transition time from one AP to another –VoIP requires << 50 msec transition times, including security setup –The VoIP market perceives i as too expensive k measurement frames can be useful before association –But k messages used in this way require protection prior to STA transitioning from one AP to another –802.11i keys not available until after association Protection for Reassociation frames is desirable, too

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 4 Design Goals Make i keys available before association –“Make-before-break” architecture Reuse i framework to make keys available –Do not redesign i infrastructure –Minimize amount of new invention Address the stated concerns of the TGi minority who voted against doc 03/008 and its offspring Give an example make-before-break solution so TGr can understand its implications

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 5 Pre-keying Overview Reuse the i Pre-authentication mechanism for keying –802.11i 4-Way Handshake messages are encoded in 802.1X frames –Use pre-authentication mechanisms forward 802.1X frames between a STA and a new AP via an AP already associated with the STA Introduce two new i messages: –Pre-Keying Request, sent from STA to targeted AP to request pre-keying Identifies STA MAC Address, PMKID of PMK to use –Pre-Keying Reject, send from targeted AP to STA if request cannot be honored –AP may respond to Pre-Keying Request by initiating a 4-Way Handshake over the pre-authentication channel Introduce PTK caching –4-Way Handshake via the Pre-authentication channel populates the PTKSA cache –Inactive PTKSAs are (perhaps agressively) timed out Move security policy agreement from Association to 4-Way Handshake –Add PTKSA cache timeout value to RSN IE sent AP  STA

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 6 Ingredients: Pre-Authentication Channel STAAP 1 AP lX over lX over DS All frames use Pre-authentication Ethertype (0F-AC) instead of 802.1X Ethertype (88-8E) All frames are 802.1X frames STA  AP 2 Frames have Src Addr = STA’s MAC address, Dest Addr = AP 2’s BSSID AP 2  STA have Src Addr = AP 2’s BSSID, Dest Addr = STA’s MAC address

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 7 Ingredients: PMK Caching STAAP STA PMK Cache AP’s BSSID, PMKID, PMK AP2’s BSSID, PMKID, PMK STA’s MAC Addr, PMKID, PMK AP PMK Cache STA2’s MAC Addr, PMKID, PMK If a STA and AP share a cached PMK, they needn’t reauthenticate

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 8 Ingredients: 4-Way Handshake EAPOL-Key(ANonce) Pick Random ANonce EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE) EAPOL-Key(ANonce, MIC, AP RSN IE, GTK) Pick Random SNonce, Derive PTK = EAPOL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr) Derive PTK EAPOL-Key(MIC) Install TK, GTK AP STA PMK

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 9 Some Observations i 4-Way Handshake messages are encoded as 802.1X messages –So could be forwarded over pre-authentication channel by simply changing the Ethertype –802.11i does not define how to send 4-Way Handshake messages over the Pre-authentication i ties policy negotiation to association –But has been reworked for association-less IBSS case i 4-Way Handshake is self-protecting –Security unaffected by the message path Largely re-aligns i with the original architecture

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 10 Usage On first contact, STA uses existing i –Discovery  Open System Authentication  Association  802.1X authentication  4-Way Handshake  Data exchange After 4-Way Handshake completes STA may use pre-keying if desired to optimize AP-to-AP transition –Discovery  Pre-key  Reassociate  Data exchange If desired, STA may use pre-keyed TK to protect other management messages prior to association – k Protected Action Frames If keys are in place prior to AP-to-AP transition, then they can be used to protect Reassociation –Protection of Disassociation, Deauthentication becomes meaningful

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 11 What’s Missing from i? Minor change to Key Management state machines required to support pre- keying –4-Way Handshake, Group Key Handshake messages may be encapsulated using the Pre-authentication Ethertype –Change state machines to track whether keying messages exchanged over normal or over pre-authentication channel STA needs a Request message to kick-start AP –Must identify the STA and the PMK used STA needs feedback if AP does not have the required PMK –This can’t be secured so is only a hint PTK rules need slight tinkering to permit pre-keying without association –APs should not cache PTKs forever –PTKs can’t be used across associations RSN IE changes –STA needs feedback Re: PTK timeout –STA and AP have to negotiate security policy in 4-Way Handshake instead of Reassociate –Need to advertise support for pre-keying

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 12 Some Open Issues PTK caching potentially a resource pig and must be controlled Identify modifications needed to 802.1X state machines to support pre- keying Prevent same PTK from being used across two associations –PTK reuse across association breaks replay protection mechanism What if STA transitions to the new AP before pre-keying completes? What if STA transitions to a different AP before pre-keying completes? How to handle GTK updates? –The AP can send GTK updates over the pre-authentication channel if the STA is not associated –But what to do is STA moves? Security associations are stateful What to with pre-key request from an “already associated” STA? Other information that can be transferred over the pre-authentication channel?

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 13 Q&A Where do the cached PMKs come from? –Out of Scope. These can be provisioned by, e.g., pre-authentication, some IETF/IRTF “standard” back-end protocol, e.g. proactive keying, or by a proprietary key provisioning scheme, e.g., Cisco’s What about subnet boundary crossing? –Out of Scope. Since it is based on the pre-authentication channel, it is a LAN-only solution. Why not use some other channel? –We know of no other candidates. Please suggest one. Why reuse the 4-Way Handshake? –We don’t want to invent a new protocol. Getting a key establishment scheme right is hard. And the political reality suggests we try.

doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 14 Feedback?