1 IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: Key Hierarchy Discussion Date Submitted: January 5, 2009 Present at a Future IEEE a meeting (TBD) Authors: Lily Chen (NIST) Abstract: This document focus on IEEE and IEEE key hierarchy to understand the impact of introducing a media independent key hierarchy xx-00-sec
2 2 IEEE presentation release statements This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6http://standards.ieee.org/board/pat/faq.pdf
3 Background At January 5 21a teleconference, it appeared that group members have different understandings about the media specific key hierarchy vs. media independent key hierarchy. This presentation will explain the author’s understanding for further discussions.
4 Proposed MIA Key Hierarchy Document #102 proposed this new key hierarchy. Document #164 discussed options to distribute MS-PMKs to different MSAs. MSK or rMSK MI-PMK MS 1 -PMKMS 2 -PMK MSA 1 MSA 2
5 IEEE Key Hierarchy
r Key Hierarchy PMK-R0 KH is considered as a MSA. PMK-R0 KH PMK-R0 PMK-R1 A PMK-R1 B MSK PTK A PTK B
7 If Use MS-PMK as MSK to PMK-R0 KH,… MSK or rMSK MI-PMK MS 1 -PMK PMK-R0 KH PMK-R0 PMK-R1 A PMK-R1 B PTK A PTK B
8 Then there are two key hierarchies MSK or rMSK MI-PMK MS 1 -PMK PMK-R0 PMK-R1 PTK PMK-R0 MSK or rMSK PMK-R0 PMK-R1 PTK PMK-R0 With initial entry authentication With media independent authentication
9 In an initial entry authentication Auth Client MN Auth Server MSK PMK-R0 KH PMK-R1 KH A PMK-R1 KH B PMK-R1 A PMK-R1 B Existing r MSK PMK-R0 PMK-R1 A PMK-R1 B
10 In a media independent authentication, MI Auth Client Auth Client 3GPP USIM MIHF MN PoS- MIA Auth Server Auth Server 3GPP AuC/HLR MSK MS-PMK PMK-R0 KH PMK-R1 KH A PMK-R1 KH B PMK-R1 A PMK-R1 B Existing r MSK PMK-R0 PMK-R1 A PMK-R1 B Auth Client MI Auth Server MI-PMK MS-PMK
11 Conclusion – Part 1 The same MN for access, in a initial entry authentication and a media independent authentication, will derive different key hierarchies. Therefore, what a MIA accommodated should be a “media specific authentication for ” and generate the same key hierarchy. The key distributed to R0 KH should be MSK. Do not use MS-PMK as a MSK!
12 IEEE Key Hierarchy
e – PKMv2 e PKMv2 support two main authentications. RSA Based authorization with BS. RSA Based authorization with BS and then EAP authentication with AAA. Optionally, it can execute a second EAP with BS. The different authentications generate different key hierarchies.
e – PKMv2 RSA Based Authorization Pre-PAK is transported from BS to MS encrypted with MS’s RSA public key. AK is derived from PAK. KEK is a truncation of AK and will be used to deliver TEKs in three way handshake. In this case, all the keys are derived at MS and BS. How to introduce media independent key hierarchy? Pre-PAK EIKPAK AK MAC keysKEK MSBS X.509 Cert Authorization Req Authorization Reply (Pre-PAK encrypted by MS’s RSA PK)
e – PKMv2 RSA and EAP Pre-PAK is transported from BS to MS encrypted with MS’s RSA public key. (The BS is engaged in a very early stage.) MSK is obtained through EAP. AK is derived from PMK and PAK. An EIK is derived from Pre-PAK to protect EAP. If a media independent authentication is introduced, how to plug the target BS in? How to map media independent key hierarchy to this case? Pre-PAK EIKPAK AK MAC keysKEK MSK PMK MSBSAAA Pre-PAK encrypted by MS’s RSA PK EAP (protected by EIK) MSK Pre-PAK MSK
e – PKMv2 RSA and EAP (AK from MSK) There is an option that AK can be derived only from PMK, which is derived from MSK. In this case, if using MS-PMK as a MSK in handover, assuming it is doable ignoring all the issues, it introduces a different key hierarchy. MI authentication key hierarchy MAC keysKEK MSK PMK AK MI-PMK MS-PMK MSBSAAA Pre-PAK EAP (protected by EIK) MSK Pre-PAK MSK Initial entry key hierarchy MAC keysKEK MSK PMK AK
e – PKMv2 RSA and 2 EAP Pre-PAK is transported from BS to MS encrypted with MS’s RSA public key. MSK1 is obtained through the first EAP. An EIK1 is derived from Pre- PAK to protect the first EAP. An EIP2 is derived from MSK1 to protect the second EAP. How to map media independent key hierarchy to this case? MSBSAAA Pre-PAK encrypted by RSA PK EAP (protected by EIK1) MSK1 Pre-PAK MSK1 Optional EAP (Protected by EIK2) MSK2 AK MAC keysKEK MSK1 PMK2 MSK2 EIK2PMK1
18 Conclusion –Part 2 In , it will need a BS to authorize before a MS is engaged in an EAP protocol. Media Independent Authentication can hardly plug in the target BS. When AK is derived from PAK key and MSK, it can hardly map to the media independent key hierarchy as introduced in #102. When AK is derived from one MSK only, using a MS-PMK as an input to an authenticator will introduce a different key hierarchy!
19 Conclusion Introducing Media Independent Key Hierarchy will make to use two different key hierarchies. Media Independent Key Hierarchy can hardly map to key hierarchy. (Independent authentication has more issues.) We should not introduce Media Independent Key Hierarchy in 21a.