Doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
TGai FILS Authentication Protocol
Overview of IEEE and MAC Layer September 25, 2009 SungHoon Seo
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE /0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
1 IEEE i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Wireless and Security CSCI 5857: Encoding and Encryption.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE /0377r1 Submission March 2004 Areg Alimian CMC, Bernard Aboba MicrosoftSlide 1 Analysis of Roaming Techniques Areg Alimian Communication.
Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /084r0-I Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /1426r00 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
1 An Empirical Analysis of the IEEE MAC Layer Handoff Process Arunesh Mishra Minho Shin William Arbaugh University of Maryland College Park,MD,USA.
Doc.: IEEE /01097r0 Submission November 2005 N. Cam-Winget, K. Sood, and J. WalkerSlide 1 EAPKIE Replay Counters and MIC Notice: This document.
Robust Security Network (RSN) Service of IEEE
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
Authentication and handoff protocols for wireless mesh networks
M. Kassab, A. Belghith, J. Bonnin, S. Sassi
Keying for Fast Roaming
Roaming Interval Measurements
Mesh Security Proposal
PEKM (Post-EAP Key Management Protocol)
Just-in-time Transition Setup
Fast Authentication in TGai : Updates to EAP-RP
Jesse Walker and Emily Qi Intel Corporation
Security for Measurement Requests and Information
TAP (Transition Acceleration Protocol)
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Roaming Keith Amann, Spectralink
Fast Roaming Compromise Proposal
Roaming timings and PMK lifetime
Mesh Security Proposal
Fast Roaming Compromise Proposal
Fast Roaming Compromise Proposal
Roaming timings and PMK lifetime
Keying for Fast Roaming
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Submission Title: Dallas i/ Liaison Report.
Presentation transcript:

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems Inc Doug Smith, Cisco Systems Inc Keith Amann, Spectralink

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 2 Fast Roam Goals TGi has provided sound framework and protocols to secure link communications Next step is to evaluate Fast Roaming –Voice advocates no more than 50ms handoff latency –Are security considerations for voice the same as data? Submission focuses on fast roaming for voice –Only reassociation exchange is applied

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 3 Handoff Times for Voice Doc 02/758 states: –ITU guidance on TOTAL hand-off latency is that it should be less than 50 ms. Cellular networks try to keep it less than 35 ms.

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 4 Handoff Process Delays STA APs … Probe Requests Probe Response Pre-authentication Exchange Re-association Exchange4-way & 2-way handshakes Other APs IAPP Discovery Reauthentication New AP

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 5 The Handoff Procedure : two phases 1.Discovery (active or passive scanning) Determination to find new AP due to signal strength loss (or inability to communicate) with current AP Probe delays incurred when client searches for new AP 2.Reauthentication Station reauthenticates and reassociates to new AP Reauthentication and reassociation delays Implications: –Discovery phase – out of TGi’s scope –Reauthentication phase must be efficient to support wireless voice

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 6 Average Roam latencies in current systems PhaseAverage measured latencies Discovery66ms – 440ms Reauthentication (Open Auth, no WEP) 12ms – 40ms

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 7 Cryptographic computations for RSN 4-way and 2-way exchanges NodeMessageNonce GenHmac-SHA1 1 ops Hmac-md5 2 ops STA ← AP4-way: 1 st msg1-- STA → AP4-way: 2 nd msg132 STA ← AP4-way: 3 rd msg-32 STA → AP4-way: 4 th msg--(2 4 ) STA ← AP2-way: 1 st msg(1 3 )(3 3 )2 STA → AP2-way: 2 nd msg--2 Total6 msgs268 1 Hmac-SHA1 used as PRF to compute WRAP or CCMP keys 2 Hmac-MD5 requires 2 MD5 operations 3 Only computed when GTK is refreshed 4 MIC check doesn’t affect data flow

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 8 RSN Relative Costs Initial AssocReassociation Crypto operations 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 Packet count(4+ EAP + 6) ** packets(4 + 6) ** packets ** Open Auth + (Re)Assoc = 4 pkts

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 9 Potential delays Computational delay –Each authentication packet –Each packet requiring generation of PRF Media access delay : due to packets sent by other NICs between the authentication packets Example: 1500 octet packet arrives while AP is processing an association response: –AP at 11Mbps ≈ 1.1ms delay between each packet –AP at 6Mbps ≈ 2ms delay between each packet –AP at 2Mbps ≈ 6ms delay between each packet For 10 message exchange, media access delay alone is 10-60ms! The heavier the traffic, the higher the delay….

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 10 Fast Roam for voice implies: Pre-authentication is required Re-association 4-way handshake is too expensive Additional 2-way handshake for GTK delivery does not help. GOAL: Hand-off times MUST be efficient to support synchronous connections, e.g. VoIP

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 11 Ideally, compress roaming to: Supplicant Client Authenticator AP Reassociate Request: negotiate CKM, authenticate rekey Reassociate Response: validate rekey, random challenge, deliver group key Client and AP can now protect 802.1X and packets Reassociate Confirm: random challenge response, MIC

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 12 Handoff Procedure using a Roam Server Roam Server 1st APNew AP Establish Security Block Send Security Block Re-association Assumptions: Roam Server can be adapted to document 02/758 Roam Server is trusted, can be the Authentication Server AP is trusted and has trust relationship with Roam Server

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 13 Roam Server is Central Key Manager (CKM) Central Key Management (CKM) Protocol: Uses PMK from successful EAP Authentication to derive 1.rekey request key (RRK) – used to authenticate rekey element in reassociation request 2.Rekey base key (RBK) – used to mutually derive pairwise transient keys (PTK) to protect 802.1X and packets. RRK and RBK derived on association RRK serves as authorization key RBK serves as Base Key used to derive PTKs Roam Server may only distribute PTKs or with proactive key distribution can forward to APs

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 14 New Key Hierarchy PMK implicitly derived as a result of a successful EAP authentication RRK 128 bits RBK 256 bits Generate RRK and BRK: PRF-384(PMK, “Fast-Roam Generate Base Key”, MAC APi | MAC STA | Nonce STA | Nonce RS ) 802.1X Encrypt Key (16bytes) 802.1X MIC Key (16 bytes) Encrypt Key (16 bytes) MIC Keys (TKIP only) Tx Key Rx Key 8 bytes 8 bytes PTK RSC = PRF-XXX(RBK, RSC|BSSID)

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 15 New Key Hierarchy facilitates reassoc RRK used to authenticate new Reassociation Request element Element ID LengthRekey Sequence Counter MIC 1octet 4octets8octets MIC = HMAC-MD5(RRK, MAC STA | BSSID | RSNE STA | RSC )

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 16 Reassociation Response includes GTK MIC RRK = HMAC-MD5(RRK, RSC | MAC STA ) PTK RSC = = PRF-XXX(RBK BSSID, RSC | BSSID ) MIC PTK = HMAC-MD5(TK RSC, RSNE AP | RSC | KeyID unicast | KeyID multicast | Multicast Key length | E(PTK RSC, GTK) ) Elem IDLenRSCRandom Challenge KeyID unicast KeyID multi- cast Multi- cast key length MIC RRK MIC PTK E(GTK) 1octet 4octets16 octects1octet 2octets8 octets N octets

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 17 Re-association Confirm New 3 rd message should be management : –3 rd message includes random challenge response –3 rd message confirms liveness of PTK –3 rd message defeats MIM attack

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 18 Same Assoc and 802.1X Auth as default RSN Association Req + RSN IE (802.1X, CKM) ** Association Response (success) EAP type specific mutual authentication Derive Pairwise Master Key (PMK) RADIUS ACCEPT (with PMK) 802.1X/EAP-SUCCESS Derive Pairwise Master Key (PMK) ** New AKM → Central Key Management (CKM) is negotiated Open Authentication Request Open Authentication Response

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 19 Initial 4-way handshake with Roam Server EAPoL-Key(Unicast, ANonce) PMK Derive ANonce Derive SNonce EAPoL-Key(Unicast, SNonce, MIC, RSNE STA ) EAPoL-Key(Install PTK 1, Unicast, MIC, RSNE AP ) Derive RRK, RBK, PTK 1 EAPoL-Key(Unicast, MIC) Install Keys Deliver PTK 1 RS AP STA Group key handshake used for PTK liveness confirm

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 20 Ideally, compress roaming to: Supplicant Client Authenticator AP Reassociate Request: negotiate CKM, authenticate rekey Reassociate Response: validate rekey, random challenge, deliver group key Client determines new AP for roam, increments RSC Generates new PTK i, requests CKM Generate CKM rekey authentication element AP validates CKM rekey authentication element Generates new PTK i, finalizes Client switch to AP Generate CKM rekey response authentication element Deliver group keys to Client Client and AP can now protect 802.1X and packets Reassociate Confirm: random challenge response, MIC

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 21 Using Roam Server RS AP STA Reassoc Req: negotiate CKM, authenticate rekey Reassoc Resp: validate rekey, random challenge, deliver group key AP requests for STA’s RBK (For proactive key distribution, no request is needed) Deliver STA’s RBK Reassoc Confirm: random challenge response

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 22 Reassociation triggers rekey with new AP Rekey obviates need to reauthenticate with AS Rekey obviates need for client to pre-authenticate Rekey is embedded in reassociate exchange to reduce number of packet exchanges Reassociation messages include new authenticated element to validate rekey request

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 23 Cryptographic computations for CKM Reassociation NodeMessageNonce GenHmac-Sha1 1 ops Hmac-md5 2 ops STA → APReassoc Request-(3 4 )1 AP → RSPTK request--3 RS → APPTK response-(3 4 )3 STA ← APReassoc Response(1) STA → APReassoc Confirm--2 Total3 air pkts + 2 DS pkts Hmac-SHA1 used as PRF to compute CCMP keys 2 Hmac-MD5 requires 2 MD5 operations 3 Only computed when GTK is refreshed 4 Can be precomputed before reassociation commit

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 24 Relative Costs RSNCKM Crypto Ops for Assoc 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 2 Nonce Gen + 12 HMAC-SHA1 + 8 HMAC-MD5 Crypto Ops for Reassociation 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 1 Nonce Gen + 0 HMAC-SHA HMAC-MD5 Assoc pkts(4 + EAP + 6) pkts Reassoc pkts(4 + 6) ** pkts3 pkts over air + 2pkts on DS ** Presumes Pre-authentication

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 25 Proposal optimizes Fast roaming by Reduction in packet exchanges Reduction in cryptographic computations No propagation of MK or PMK is required Roam Server can be adapted to use proactive key distribution and forward in context

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 26 TGi must address Fast Roaming Roaming must be seamless for all clients Must account for small clients (e.g. wireless phones)

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 27 Feedback?

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 28 Roam Server generates AP specific Roam Server 1st APNew AP Re-association = PRF-384(PMK, “Fast-Roam Generate Base Key”, MAC AP1 | MAC STA | Nonce STA | Nonce RS )

doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 29 Initial 4-way handshake in distributed model…. EAPoL-Key( Unicast, ANonce) PMK Derive ANonceDerive SNonce EAPoL-Key(Unicast, SNonce, MIC, RSNE STA ) EAPoL-Key( Install PTK 1, Unicast, MIC, RSNE AP ) Derive RRK, RBK, PTK 1 EAPoL-Key(Unicast, MIC) Install Keys

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.