Doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
Doc.: IEEE /0560r0 Submission May 2010 Ashish Shukla, MarvellSlide 1 TDLS TPK Handshake Date: Authors:
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
TGai FILS Authentication Protocol
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /0566r1 Submission May 2006 Sood, Walker, Cam-Winget, CalhounSlide 1 TGr Security Architecture Notice: This document has been prepared.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE /0539r2 Submission June 2005 Bill Marshall, TGr EditorSlide 1 Technical corrections to D0.01 Notice: This document has been prepared.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /1426r00 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Doc.: IEEE / i Submission July 2003 Petroni,Arbaugh WAA Associates, LLC.Slide 1 An Empirical Analysis of the 4- way Hand-shake 1 Nick.
Doc.: IEEE /01097r0 Submission November 2005 N. Cam-Winget, K. Sood, and J. WalkerSlide 1 EAPKIE Replay Counters and MIC Notice: This document.
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
Seamless BSS Transition Protocol
Just-In-Time 2 Phase Association TGr Proposal for Fast BSS Transitions
Keying for Fast Roaming
Motions to Address Some Letter Ballot 52 Comments
Mesh Security Proposal
TDLS TPK Handshake Date: Authors: May 2010 May 2010
Use of EAPOL-Key messages during pre-auth
PEKM (Post-EAP Key Management Protocol)
Broadcast and Unicast Management Protection (BUMP)
Broadcast and Unicast Management Protection (BUMP)
Just-in-time Transition Setup
Beacon Protection Date: Authors: July 2018 July 2018
Beacon Protection Date: Authors: May 2018 January 2018
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Technical corrections to D0.01
Jesse Walker and Emily Qi Intel Corporation
TAP (Transition Acceleration Protocol)
Motorola TGr Fast Handover Proposal
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Roaming Keith Amann, Spectralink
“Not Ready” Response in FT Auth Messages
Flexible Pre-key Overview
Fast Roaming Compromise Proposal
Florent Bersani, France Telecom R&D
Options for Protecting Management Frames
TGr Security Architecture
Fast Roaming Compromise Proposal
Beacon Protection Date: Authors: July 2018 July 2018
Fast Roaming Compromise Proposal
Keying for Fast Roaming
Jesse Walker, Intel Corporation Russ Housley, Vigil Security
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Beacon Protection Date: Authors: May 2018 January 2018
Fast Roaming Observations
Overview of Improvements to Key Holder Protocols
Use of EAPOL-Key messages
Link Setup Flow July 2011 Date: Authors: Name Company
Use of Nonces in Fast Transitioning Flows
Presentation transcript:

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems Inc Emily H. Qi and Jesse Walker, Intel Corporation

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 2 Where we are so far… Existing Standard & Proposals: –Pre-authentication + 4-Way Handshake at Reassociation (802.11i) –Pre-keying (04/476) –Tentative association (04/606) Existing Proposal Problems –Pre-authentication + 4-Way Handshake at Reassociation is not fast Otherwise r would not exist –Pre-keying and Tentative association incomplete i replay protection tied to key freshness and peer liveness So far, both have failed to explain how they will obtain these Reservation introduces a novel DoS attack against network resources Proposals must explain how to protect against these novel DoS attacks, because PAR says r can’t make security worse

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 3 4-Way Handshake Observations 4-Way Handshake overloads ANonce, SNonce to perform two functions: –They must be different on each 4-Way Handshake to provide key separation (“fresh” keys) –They must be unpredictable to prove liveness, so are specified as random Making nonces serve both functions serializes PTK derivation with 4-Way Handshake execution –Infeasible for STA to pre-compute PTK, because ANonce must be unpredictable

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 4 Proposal Pre-compute PTK on the STA prior to Re-Association Establish security associations liveness and GTK at reassociation time –Not after, as i does today –Not before, as pre-keying and tentative association propose Apply updates to the i 4-Way Handshake to allow it to meet requirements: –Eliminate 4-Way Handshake Msg 1 by making ANonce predictable for AP-to-AP transition –Embed 4-Way Handshake Msg 2 in Reassociation Request –Embed 4-Way Handshake Msg 3 in Reassociation Response –Add AP-Challenge to 4-Way Handshake Msgs 3 and 4, to prove STA liveness to AP –Don’t change the i key hierarchy

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 5 Optimized Re-Association with 4-way Supplicant Client Authenticator AP Reassociate Request( 802.1X 4-way Message #2) Reassociate Response( 802.1X 4-way Message #3) Client determines new AP for roam, increments ANONCE Generates new PTK i, Generate 802.1X Optimized 4-way Message #2 AP validates ANONCE Generates new PTK validate 802.1X 4-way Message #2 Generate 802.1X Optimized 4-way Message #3 Client and AP can now protect 802.1X and packets 802.1X 4-way Message #4 Client validates Message #3 (process flows same as TGi)

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 6 Optimized 4-way Handshake Use of 4-way Handshake as on associations defined in i: –SNonce and ANonce remain unpredictable and random On Roam use Optimized 4-way Handshake: –ANonce becomes an incrementing counter in reassociations, used as replay protector against rekeys triggered either by IV exhaustion or roams –4-way Message #1 is not used in the optimized 4-way handshake –Reassociation Request includes optimized Message # 2 –Message #2 conveys ANonce and PMKID STA used to generate the PTK –AP validates ANonce from STA to ensure it is not a replay –Reassociation Response includes optimized Message # 3 –Optimized Message #4 flows as defined in i –Uses PMK cacheing and established PMKID to kickstart optimized 4-way handshake ANonce is bound to STA, BSSID and PMKID Proposal enables i 4-way and Optimized 4-way handshakes to co-exist

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 7 Two new KDE’s ANonce in Message 2 is conveyed as KDE AP-Challenge to ensure STA liveness proof to AP

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 8 4-way Handshake Optimized Message 2 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) SNonce (32 octets) Key MIC (16 octets) Key Data Length (2 octets)RSN IE, PMKID, ANonce

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 9 4-way Handshake Optimized Message 3 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) ANonce (32 octets) Key MIC (16 octets) Key Data Length (2 octets)RSN IE, GTK, AP-Challenge

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 10 4-way Handshake Optimized Message 4 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) Key MIC (16 octets) Key Data Length (2 octets)AP-Challenge

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 11 Inserting 802.1X in X EAPOL Key Frame (Message 2 and 3) are embedded into Reassociation Request and Response in new IE Element IDLengthData TBD802.1X packet length 802.1X EAPOL Key frame

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 12 Optimizations enable Reuse of TGi Compression of exchanges reduce latencies Enables the STA to precompute PTK prior to association (to minimize time spent during association) Enables the STA to plumb PTK prior to reassociation….fixes race conditions in 4-way handshake

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 13 Questions?

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 14 Backup slides

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 15 EAPOL Message FieldMessage 1Message 2Message 3Message 4 Key InformationVersionV1 or v2 Key Type1111 Install0010 Key ACK1010 Key MIC0111 Secure0011 Error0000 Request0000 ENC Key Data 0010 Key LengthCipher spec0 0 Key Replay Counternnn+1 Key NonceANonceSNonceANonce0 Key IV000 if v2 Random v1 0 Key RSC00GTK’s PN0 Key MIC0MIC 0 Key Data Length22Len-2Len-30 Key DataPMKIDRSNIE STA RSNIE AP, GTK i 4-way Handshake Message values

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 16 EAPOL Message FieldMessage 1Message 2Message 3Message 4 Key Information VersionNot Used on Reassociation V1 or v2 Key Type111 Install110 Key ACK010 Key MIC111 Secure011 Error000 Request000 ENC Key Data010 Key Length0Cipher spec0 Key Replay Counternn+1 Key NonceSNonceANonce0 Key IV00 if v2 Random v1 0 Key RSC0GTK’s PN0 Key MICMIC 0 Key Data Length62RSNIE AP + GTK len0 Key DataRSNIE STA, PMKID, ANonce RSNIE AP, GTK, AP-Challenge Optimized i 4-way Handshake Message values

doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 17 EAPOL Key Frame Format Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) Key Nonce (32 octets) Key IV (16 octets) Key RSC (8 octets) Reserved (8 octets) Key MIC (16 octets) Key Data Length (2 octets)Key Data (n octets)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.