Doc.: IEEE 802.11-02/104r0 Submission January 2002 Bernard Aboba/Microsoft EAP Keying Overview Bernard Aboba Microsoft.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

Doc.: IEEE /553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
doc.: IEEE /382 Bernard Aboba Microsoft
Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Ariel Eizenberg PPP Security Features Ariel Eizenberg
IEEE Wireless Local Area Networks (WLAN’s).
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
WIRELESS LAN SECURITY Using
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Doc.: IEEE /TBD Submission November 2001 Warren Barkley, Tim Moore, Bernard Aboba/Microsoft IEEE 802.1X and RADIUS Security Bernard Aboba Ashwin.
Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.
QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.
WEP Protocol Weaknesses and Vulnerabilities
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /034r1 Submission March 2000 Dan Simon, Bernard Aboba, Tim Moore, Microsoft IEEE Security and 802.1X Dan Simon
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt EAP WG IETF 57 Vienna,
Doc.: IEEE /524r0 Submission November 2001 Bernard Aboba, MicrosoftSlide 1 Secure Remote Password (SRP) Bernard Aboba Dan Simon Tim Moore Microsoft.
EAP-POTP Magnus Nyström, RSA Security 23 May 2005.
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
EAP-FAST Version 2 draft-zhou-emu-eap-fastv2-00.txt Hao Zhou Nancy Cam-Winget Joseph Salowey Stephen Hanna March 2011.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Thoughts on KeySec John Viega
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
WLAN Security Condensed Version. First generation wireless security Many WLANs used the Service Set Identifier (SSID) as a basic form of security. Some.
EAP WG IETF 55 Atlanta, GA. EAP WG Meeting Monday, Salon II Preliminaries (10 minutes) –Bluesheets, minutes –Document Status RFC 2284 Bis EAP.
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Doc.: IEEE /403r0 Submission July 2001 Albert Young, 3Com, et alSlide 1 Supplementary Functional Requirements for Tgi ESS Networks Submitted to.
Doc.: IEEE k Submission July 2004 Bernard Aboba, MicrosoftSlide 1 IEEE k Security: A Conceptual Model Bernard Aboba Microsoft.
1 SECMECH BOF EAP Methods IETF-63 Jari Arkko. 2 Outline Existing EAP methods Technical requirements EAP WG process for new methods Need for new EAP methods.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-05.txt Bernard Aboba Microsoft IETF 62, Minneapolis, MN.
SECMECH BOF EAP Methods
PEKM (Post-EAP Key Management Protocol)
Tim Moore, Microsoft Corporation Clint Chaplin, Symbol Technologies
Presentation transcript:

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft EAP Keying Overview Bernard Aboba Microsoft

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Outline Terminology Status of EAP The EAP architecture EAP keying Details –Derivation of master session keys from master key –Format for RADIUS keying attributes What happens next?

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Terminology Master key –The key derived between the EAP client and EAP server during the EAP authentication process. Master session key –The keys derived from the master key that are subsequently used in generation of the transient session keys for authentication, encryption, and IV-generation. So that the master session keys are to be usable with any ciphersuite, they are longer than is necessary, and are truncated to fit. Transient session keys –The chosen ciphersuite uses transient session keys for authentication and encryption as well as IVs (if required). The transient session keys are derived from the master session keys, and are of the appropriate size for use with the chosen ciphersuite.

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Status of EAP IETF Proposed Standard (RFC 2284) –RFC 2284bis effort underway to promote to Draft Standard EAP increasingly adopted for network access authentication –Now: PPP, IEEE 802.1X, PIC (EAP over IP) –Future: PANA, Hiperlan? Bluetooth? Vendor interest in EAP increasing –31 EAP type codes allocated by IANA Potential interoperability problems –RFC 2284 unclear in a number of places –EAP increasingly used for keying: but no architectural description of how this works Confusion about key interfaces can result in interoperability problems Example: If EAP method doesn’t generate a master session key and AAA server assumes master session keys, NAS and client will end up with incompatible keys

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Allocated EAP Type#’s Type Description Reference Implemented? Spec Available? Identity [RFC2284] Yes RFC Notification [RFC2284] Yes RFC NAK (Response only) [RFC2284] Yes RFC MD5-Challenge [RFC2284] Yes RFC One Time Password (OTP) [RFC2284] No RFC Generic Token Card [RFC2284] No RFC No No 8 No No 9 RSA Public Key Authentication [Whelan] No Expired 10 DSS Unilateral [Nace] Yes I-D? 11 KEA [Nace] Yes I-D? 12 KEA-Validate [Nace] Yes I-D? 13 EAP-TLS [Aboba] Yes RFC Defender Token (AXENT) [Roselli] Yes No 15 Windows 2000 EAP [Asnes] ? No 16 Arcot Systems EAP [Jerdonek] ? No 17 EAP-Cisco Wireless [Norman] Yes No 18 Nokia IP smart card auth [Haverinen] ? No 19 SRP-SHA1 Part 1 [Carlson] Yes I-D 20 SRP-SHA1 Part 2 [Carlson] No I-D 21 EAP-TTLS [Funk] Yes I-D 22 Remote Access Service [Fields] ? No 23 UMTS Auth and Key agreement [Haverinen] ? ? 24 EAP-3Com Wireless [Young] Yes No 25 PEAP [Palekar] Yes I-D 26 MS-EAP-Authentication [Palekar] Yes No 27 Mutual auth w/key exchange (MAKE) [Berrendonner] ? No 28 CRYPTOCard [Webb] Yes No 29 EAP-MSCHAP-V2 [Potter] ? I-D 30 DynamID [Merlin] ? No 31 Rob EAP [Ullah] ? No

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Some Observations Rate of Type allocation is increasing –31 Type values allocated since March 1998 –4 Type values allocated in the last month Two Type values allocated to the same Method –EAP SRP-SHA1 Parts 1 and 2 –EAP-MSCHAP-v2 and MS-EAP-Authentication Most allocations done without a specification for vendor-specific use Not all allocated Types are used –At least 5 of the allocated types have not been implemented (~15 percent!) Conclusion –EAP Type space is a finite resource (255) - could probably be managed more effectively –IANA considerations needed! –Should allocation of EAP type codes require “expert review”?

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft The EAP Architecture NASen/APs –Don’t have to understand EAP methods, act as a “passthrough” NAS code does not need to be updated to support a new EAP method NASen can work with any EAP method –Negotiates ciphersuite with client Can be expected to have ciphersuite-specific knowledge, since they implement the ciphersuites NAS can know what key lengths/types are required for each ciphersuite AAA servers –Act as a “passthrough” to EAP methods hosted via EAP API AAA server core code should not need to be updated to support a new EAP method AAA server can host any EAP method –May not know ciphersuite negotiated between NAS and client PPP ECP occurs *after* authentication ciphersuite negotiation occurs *before* authentication AAA server cannot be assumed to have the information to pass back ciphersuite- specific keys –AAA server code should not need to be updated to support a new ciphersuite

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft The EAP Architecture (cont’d) EAP methods –May not know the negotiated ciphersuite Ciphersuite may not be known at the time the method is invoked EAP API may not support passing this down from AAA server –Should not need to be updated to support a new ciphersuite –Differ in their access to the master key Some methods have direct access to the master key (SRP) Some methods cannot access the master key directly (TLS, GSS-API) Implication: EAP methods are generally incapable of supporting ciphersuite-specific keys –RFC 2716 derives “master session keys” – passed by AAA server to the NAS –Ciphersuite-specific keys can be derived by the NAS

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Some Basic Groundrules EAP methods should be engineered to work in any application –Example: EAP methods that work only with EAP methods should be engineered to key any ciphersuite –Example: EAP methods that include their own methods for key truncation EAP methods should be engineered to work with any AAA protocol –Example: EAP methods that require RADIUS (or Diameter) EAP methods should be engineered to work with any AAA server –Example: EAP methods incompatible with keying attributes supported by a particular AAA server EAP methods should not rely on features unsupported by RFC 2284bis –Examples: Use of Notification for nonce passing Use of NAK for version negotiation within an EAP method Passing additional data within EAP Success or Failure

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft The EAP Keying Problem The problem: How can EAP methods be used to derive ciphersuite-specific keys for any ciphersuite? EAP methods are generally incapable of supporting ciphersuite-specific keys EAP methods may not have direct access to the master key EAP methods need to be independent of media (PPP, 802.1X) NASen are generally incapable of hosting EAP-method specific code NASen can host ciphersuite-specific code The solution: –EAP methods derive generic “master session keys” from the master key Enables EAP methods to provide the NAS with “generic keying material” which requires no EAP-method specific processing –Master session keys are passed by the AAA server to the NAS –Ciphersuite-specific transient session keys are derived by the NAS from the “master session keys” Implications: –Context transfers move the AAA context from the old AP to the new AP; new APs process the context as though it came from the AAA server –This means that “master session keys” are transferred from the old AP to the new AP, not transient session keys!

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft The EAP Keying Architecture | | | Is raw master key | | Can a pseudo-master key | | available or can | | be derived from | | the PRF operate on it? | | the master key? | | | | | | K | K' V V | | | Master Session Key | | Derivation | | | | | | Master Session Key Outputs | V V | | Key and IV Derivation | | | P->A | A->P | P->A | A->P | P->A | A->P | Enc. | Enc. | Auth. | Auth. | IV | IV | Key | Key | Key | Key | | | | | | | | V V V V V V | | Ciphersuite-Specific Truncation & | | Key utilization | | EAP API AAA attributes EAP Method (client and AAA server) NAS/AP and client

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Roles of Client, NAS/AP and AAA Server EAP client and EAP server (AAA) –EAP methods derive master keys –EAP method derives master session keys from the master key –EAP method passes master session keys to AAA server via EAP API AAA server and NAS –AAA server transmits master session key to the NAS/AP via attributes Client and NAS –Select a ciphersuite –Derive ciphersuite-specific keys from the master session keys –Use the ciphersuite-specific keys with the selected ciphersuite

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft What is Needed to Fully Specify the Keying Architecture? Algorithms for the derivation of the master session key from the master key for each EAP method –Example: RFC 2716, section 3.5 includes algorithms for “master session key” derivation –Some proposed EAP methods do not describe how to generate master session keys! Format for the AAA attributes used to transmit the master session keys from the AAA server to the NAS/AP –Example: RFC 2548 defines vendor-specific AVPs for transmission of encryption master session keys: MS-MPPE-Send-Key (16), MS-MPPE- Recv-Key (17) Algorithms for the derivation of ciphersuite-specific keys from the master session keys for each ciphersuite –Example: RFC 3079 section 4 defines algorithms for deriving MPPE transient session keys from RFC 2716 master session keys These techniques are not generally applicable to other ciphersuites!

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft What is Required of EAP Methods Generating Keys? EAP methods generating keys must also describe the key hierarchy –How are encryption, authentication and IV master session keys derived from the master key? –Examples: RFC 2716 describes how master session keys are derived from TLS master key EAP SRP and EAP GSS drafts didn’t describe how master session keys are generated –Result: Methods won’t work on all AAA servers, NASen, clients Key hierarchy derivation is method-specific –No general solution that works for any EAP method –SRP: may be able to leverage IKE or TLS key hierarchy –GSS: needs to describe key hierarchy valid for use with any GSS-API method This may be difficult if GSS_GetMIC() doesn’t supply sufficient randomness Generating master session keys in a secure way is hard –IKE and TLS are the best examples –Need cryptographic separation between authentication, encryption and IV master session keys –Need to ensure “liveness” in master session keys –EAP methods can get this (and more) for free via TLS/IKE protection TLS: PEAP, EAP TTLS IKE: PIC

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Alternatives Attempt to validate many EAP methods providing keying material –Will require creation of a key hierarchy for each protocol –Could stretch the resources available for security review Limit the number of EAP methods generating keys –Focus on methods that can leverage existing, well analyzed key derivation techniques –Adopt key hierarchies adopted in existing standards or analyzed by NIST –If method doesn’t fit into the above two categories – punt! Focus on protecting EAP with well-analyzed key derivation technology –Would protect EAP exchange using protocols such as IKE (PIC) or TLS (TTLS, PEAP) –Would enable EAP methods to focus on authentication and leverage protection mechanism to handle keying Key derivation, hierarchies for IKE, TLS are well documented and analyzed Much better chance of getting a method running under “protection umbrella” to work correctly –Other benefits likely TTLS/PEAP provides segmentation/reassembly, fast reconnect without requiring any work on the part of the EAP method developer

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft What Additional Pieces Does Need To Support Rekeying? Algorithm for encryption, authentication, integrity and replay protection of EAPOL key descriptors Rekeying algorithm Algorithm for authentication of management frames –Reassociation Request/Response –Disassociation –Deauthentication Cryptographic separation needed between: –Transient session keys –Keys used to encrypt/authenticate EAPOL key descriptors –Keys used to authenticate management frames

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Details ciphersuite keying requirements –AES-CTR + CBC-MAC w/XCBC extensions: a single 128-bit encryption key in each direction: APEncKey (MS-MPPE-Send- Key), PAEncKey (MS-MPPE-Recv-Key) –AES-OCB: a single 128-bit encryption key: APEncKey (MS- MPPE-Send-Key) Derivation of master session keys from master key –RFC 2716 Format of RADIUS Keying AVPs –RFC 2548 –draft-simon-radius-keys-00.txt Format of EAPOL key descriptors Questions to ask

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft RFC 2716 Derivation of Master Session Keys K = TLS master key (generally not exportable) Random = client_hello.random | server_hello.random PRF1=PRF(K, “client EAP encryption”, random) [128B] –Peer to authenticator encryption key: first 32B –Authenticator to Peer encryption key: second 32B –Peer to authenticator authentication key: third 32B –Authenticator to peer authentication key: fourth 32B PRF2=PRF(“”,”client EAP encryption”, random) [64B] –Peer to authenticator IV: first 32B –Authenticator to peer IV: second 32B Note: –For NAS and AAA server to derive the same master session keys, the nonces need to be exchanged as part of the EAP method Client_hello.random and server_hello.random are specific to TLS

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft RFC 2716 Master Session Key Derivation | | | Is raw master key | | Can a pseudo-master key | | available or can | | be derived from | | the PRF operate on it? | | the master key? | | | | | | K | K' V V | | | Master Session Key | | Derivation | | | | PRF1 (128B) | PRF2 (64B) | | V V | | | Key | | IV | | Derivation | | | | P->A | A->P | P->A | A->P | P->A | A->P | Enc. | Enc. | Auth. | Auth. | IV | IV | Key | Key | Key | Key | 32B | 32B | 32B | 32B | 32B | 32B | | | | | | | | V V V V V V | | Ciphersuite-Specific Truncation & | | Key utilization | | EAP API AAA attributes EAP Method (client and AAA server) NAS/AP and client

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft RADIUS Vendor-Specific Key Attribute (RFC 2548) MS-MPPE-Send-Key (Vendor-Type = 16) (Encrypts packets from Auth to Peer) MS-MPPE-Recv-Key (Vendor-Type = 17) (Encrypts packets from Peer to Auth) | Vendor-Type | Vendor-Length | Salt | | String... | Vendor-Length > 4 Overview: Provides 2 x 32B of keying material (although keys can be up to 251B) Only supports sending encryption master session keys in each direction Sufficient for WEP, proposed AES ciphersuites No support for auth or IV master session keys Can make cryptographic separation more difficult

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Proposed RADIUS Key Attribute (draft-simon-radius-key-attr-00.txt) | Type | Length | Salt | | PAEncKey... (32B) | | APEncKey... (32B) | | PAAuthKey... (32B) | | APAuthKey... (32B) | | PAIV... (32B) | | APIV... (32B) | Overview: Provides 6 x 32B of keying material (192B total) Master Session keys each 32B (256 bits) in length Supports sending encryption, auth, IV master keys in each direction

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft What Happens Next? At this point, client, NAS/AP, and AAA server all have the same master session keys –Could occur via a AAA conversation –Could occur via a context transfer Next steps –NAS and client discard keys not required for the negotiated ciphersuite or key transmission –Broadcast key transmitted from AP to STA –NAS and client truncate keys to the appropriate length for the negotiated ciphersuite –Liveness added?

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft RC4 Key Descriptor Format (IEEE 802.1X) | Type | Key Length |Replay Counter | Replay Counter | Replay Counter | Key IV | Key IV | Key IV | Key IV | Key IV... |F| Key Index | | Key Signature | Key Signature | Key Signature | Key Signature | Key Type (1 = RC4) Replay Counter = 64-bit NTP KeyIV = 128-bit random number F = Key flag (0 for broadcast, 1 for unicast) Key index = 7 bits Key Signature = HMAC-MD5(APEncKey, Entire EAPOL Packet w/Key Signature = 0) Key = Key of length = Key Length

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft RC4 Key Descriptor Issues Alignment –Replay counter, Key IV fields not aligned Replay counter –NTP used; replay window not specified Key Signature –Calculation not specified in IEEE 802.1X The Key Signature is a MIC calculated over all fields of the EAPOL packet, from and including the EAPOL protocol version field, to and including the Encrypted Key field, with the signature set to 0. MIC Key = Authenticator MS-MPPE-Send-Key (APEncKey) –MIC length varies by algorithm; MIC algorithm implicit in the Type field HMAC-SHA1 is 160 bits, not 128 RC4 cipher used to encrypt key –Key stream derivation not specified in IEEE 802.1X Recommendation –Define new key descriptor format for new types Not required to reuse generic format for new types –Write specifications so that developers can interoperate based on the specification

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft The Rest of the Story

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Some Questions to Ask Describe the key hierarchy –How are ciphersuite-specific keys derived from the master session keys? Are these mechanisms appropriate to the ciphersuites under consideration? (WEP, AES modes) –How are the master session keys used to encrypt and authenticate the multicast key within the multicast key descriptor? Which of the master session keys are used? For what operations? –How are the master session keys used to encrypt and authenticate the nonce/unicast session key descriptors? –How are the master session keys used to derive the keys used to authenticate management frames? Which management frames are authenticated? Describe how vulnerabilities are addressed –How is cryptographic separation provided between the above keys? –How is replay prevention/liveness supported? Describe rekey scenarios –If there are multiple key frames and some are not mandatory to implement, what happens if a STA does not support the key descriptor type sent by the AP? –What if the STA wants to rekey?

doc.: IEEE /104r0 Submission January 2002 Bernard Aboba/Microsoft Feedback?