Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.

Published byGeorgiana Thomas Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous."— Presentation transcript:

1 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous forms Date: 2007-09-18 Authors:

2 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 2 Abstract This document provides an overview of “An abbreviated handshake with sequential and simultaneous forms,” in 11-07/2535r0.

3 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 3 Background Peer links are established through the peer link management protocol, defined in 11A.2. MPs use this protocol before any other direct communication may occur. Establishment of a security association between two MPs occurs through the use of Full MSA authentication, including a mesh 4-way handshake that is exchanged after peer link management. A protocol that could integrate these functions may be called an abbreviated handshake.

4 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 4 Full MSA Authentication Full MSA Authentication is illustrated at right. At a minimum, this 8-message exchange is required to securely establish each link in a mesh. LB93 comments call for a more efficient handshake. See CIDs 735, 1057, 4764. We investigate the design of an abbreviated handshake to answer this call. Mesh Point Peer Link Open Initial MSA Authentication (if needed) 4-way Handshake #1 4-way Handshake #2 4-way Handshake #3 4-way Handshake #4 Peer Link Confirm Mesh Point

5 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 5 Security Goals for Abbreviated Handshake An abbreviated handshake protocol must achieve the following goals, which also applies to other MSA protocols: Mutual Authentication Key Secrecy –PTK: the session key –Broadcast keys (GTKs), for each node, which may be exchanged during the handshake. –Other key material, such as the PMK-MA Session Key (PTK) Freshness Cipher Suite Selection Not Compromised Authenticated Exchange of Information Composability –Abbreviated handshake works together with other MSA protocols.

6 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 6 Security State Besides providing mutual authentication and establishing a session key, the abbreviated handshake must confirm the security state. –i.e., meeting the Authenticated exchange of information goal The security state is information agreed upon by both MPs by the time the handshake successfully completes. –That is, if the handshake successfully completes, then both MPs are in agreement about the security state. PTKSA Security state contents: –(2) MP MAC addresses –(2) Link Identifiers –Pairwise Cipher Suite –PTK (derived through nonce contributions by both MPs).

7 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 7 Use case for Abbreviated Handshake Cached keys: An abbreviated handshake could be valuable (in terms of efficiency) when two nodes are re- establishing a link that had recently failed. –A peer link is torn down (and the PTK SA deleted), but the PMK- MA remains cached. Continuing mesh formation: A MP uses Full MSA Authentication when creating its first peer link in a mesh. Subsequent links, continuing the building of the mesh, can benefit from the efficiency gain of an abbreviated handshake.

8 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 8 Summary of an abbreviated handshake specification Definition of additional Peer Link frame types PTK derivation update MLME primitive definition for initiating handshake Updates to MSA overview text Initiating the abbreviated handshake Processing the abbreviated handshake in the sequential form Processing the abbreviated handshake in the simultaneous form Informative annex: state machine for abbreviated handshake protocol

9 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 9 Protocol Details The abbreviated handshake permits two distinct forms: sequential & simultaneous. Sequential: exactly one MP has initiated the protocol with its peer Simultaneous: each of two MPs initiate the protocol with each other (within a small window of time) Flexible ordering

10 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 10 Abbreviated Handshake Protocol State Machine The abbreviated handshake builds on the peer link management protocol defined in TGs. –Message types and protocol structure for simultaneous form is similar to the peer link management defined in the draft. –The sequential form adds new message types, simply to distinguish between the protocol forms. A state machine, specific to the abbreviated handshake, is presented in an informative annex. –A single state machine describes both the simultaneous and sequential forms of the handshake. –Protocol-layer retries are eliminated to prevent excessive complexity in the state machine: an MP may reattempt establishment of a link by attempting a new link instance.

11 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 11 Key Selection Details Key selection for the abbreviated handshake is similar to that of Full MSA Authentication. Key selection can be summarized: –If a key is cached at both MPs, use it. –If not, but an MP has a connection to the MKD (and is an authorized MA), it should retrieve a key so that the MPs share one. –Tie-break based on MAC address when required –If no cached keys & no connection to MKD, abbreviated handshake does not complete.

12 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 12 Key retrieval Each party requires possession of a shared symmetric PMK- MA for successful protocol completion. On a given instance of the abbreviated handshake, one MP may not have the agreed- upon key and must retrieve it from the MKD. This action may occur to permit the handshake to complete (see illustration). Mesh Point MKD Mesh Point Peer Link Open Peer Link Setup Peer Link Response Peer Link Acknowledge Key Request Key Delivery multi-hop

13 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 13 Forged Open Messages A Peer Link Open message initiating the abbreviated handshake may be forged. Attacked MP may attempt key pull. Key delivery may occur if Peer Link Open contained a valid key name (forwarded in key request to MKD). Without key delivery, Peer Link Setup is not sent. Attacker MKD Mesh Point Peer Link Open Peer Link Setup Key Request Key Delivery Key is delivered only if Peer Link Open contained valid key name. Attacker will not be able to construct correct response message. multi-hop

14 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 14 Half-open link recovery A half-open link is possible in session-establishment protocols (a.k.a, the 2-army problem), due to a final message being lost. Handling of a half-open link depends on the abbreviated handshake form that was used. Mesh Point Peer Link Open Peer Link Confirm Mesh Point Peer Link Open Peer Link Setup Peer Link Response Peer Link Acknowledge Sequential: the MP that initiated the abbreviated handshake is aware of the half-open link, and is responsible for error recovery. Simultaneous: the sender of the lost message will not be aware of the half- open link

15 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 15 Security proof details 11-07/2432r0 presents some analysis of MSA in the form of a security proof. It also contains analysis of the abbreviated handshake that we have described. The proof is constructed using PCL to describe the MSA protocols –Extensions to PCL to permit description of the abbreviated handshake are described in 11-07/2432r0. –The proof considers the two forms of the abbreviated handshake, proving the forms are well-defined, can operate on a single device together, and operate well with the MSA protocols specified in TGs. The proof shows that the abbreviated handshake achieves the security goals set forth for the MSA architecture.

16 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 16 Future Plans We plan to evaluate the performance of this design. The design will continue to be refined as we discuss the design with others working in this area. Feedback on 11-07/2535r0 is appreciated.

17 doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 17 References 11-07/2432r0, “Overview of an MSA Security Proof” 11-07/2535r0, “An abbreviated handshake with sequential and simultaneous forms”

Download ppt "Doc.: IEEE 802.11-07/2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous."

Similar presentations

Doc.: IEEE 802.11-09/0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 1 A vendor specific plan for centralized security Date: 2009-01-19 Authors:

Doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 1 A vendor specific plan for centralized security Date: Authors:
Doc.: IEEE 802.11-08-0317r6 Submission July 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:

Doc.: IEEE r6 Submission July 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
Doc.: IEEE 802.11-06/1625r1 Submission November 2006 Braskich, et al Slide 1 Update to Efficient Mesh Security and Link Establishment Notice: This document.

Doc.: IEEE /1625r1 Submission November 2006 Braskich, et al Slide 1 Update to Efficient Mesh Security and Link Establishment Notice: This document.
Doc.: IEEE 802.11-08/0617r0 Submission May 2008 Tony Braskich, MotorolaSlide 1 Refining the Security Architecture Date: 2008-05-13 Authors:

Doc.: IEEE /0617r0 Submission May 2008 Tony Braskich, MotorolaSlide 1 Refining the Security Architecture Date: Authors:
Doc.: IEEE 802.11-11/1109r0 Submission Month Year Tom Siep, CSRSlide 1 Amendment Creation Process Date: YYYY-MM-DD Authors:

Doc.: IEEE /1109r0 Submission Month Year Tom Siep, CSRSlide 1 Amendment Creation Process Date: YYYY-MM-DD Authors:
Doc.: IEEE 802.11-03/657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE 802.11-06/1471r0 Submission September 2006 authors Slide 1 Efficient Mesh Security and Link Establishment Notice: This document has been prepared.

Doc.: IEEE /1471r0 Submission September 2006 authors Slide 1 Efficient Mesh Security and Link Establishment Notice: This document has been prepared.
Doc.: IEEE 802.11-09/0862r0 Submission July 2009 Michael Bahr, Siemens AGSlide 1 Proxy Update Element Revision Date: 2009-07-02 Authors:

Doc.: IEEE /0862r0 Submission July 2009 Michael Bahr, Siemens AGSlide 1 Proxy Update Element Revision Date: Authors:
Doc.: IEEE 802.11-08-0317r1 Submission March 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:

Doc.: IEEE r1 Submission March 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Protocol Coexistence Issue in MSA Subsequent Authentication

Protocol Coexistence Issue in MSA Subsequent Authentication
Doc.: IEEE 802.11-07/2176r0 Submission July 2007 Meiyuan Zhao, Intel Corp.Slide 1 Protocol Analysis of Abbreviated Handshake Date: 2007-07-11 Authors:

Doc.: IEEE /2176r0 Submission July 2007 Meiyuan Zhao, Intel Corp.Slide 1 Protocol Analysis of Abbreviated Handshake Date: Authors:
Doc.: IEEE 802.11-07/2179r0 Submission July 2007 Steve Emeott, MotorolaSlide 1 Summary of Updates to MSA Overview and MKD Functionality Text Date: 2007-07-16.

Doc.: IEEE /2179r0 Submission July 2007 Steve Emeott, MotorolaSlide 1 Summary of Updates to MSA Overview and MKD Functionality Text Date:
14 March 2002 doc.: IEEE 802.15-02/152r2 Gregg Rasor, MotorolaSlide 1Submission Project: IEEE P802.15 Working Group for Wireless Personal Area Networks.

14 March 2002 doc.: IEEE /152r2 Gregg Rasor, MotorolaSlide 1Submission Project: IEEE P Working Group for Wireless Personal Area Networks.
Relationship between peer link and physical link

Relationship between peer link and physical link
Submission Title: [Proposal for MAC Peering Procedure]

Submission Title: [Proposal for MAC Peering Procedure]
Updates on Abbreviated Handshake

Updates on Abbreviated Handshake
Overview of Key Holder Security Association Teardown Mechanism

Overview of Key Holder Security Association Teardown Mechanism
Authentication and Key Management of MP with multiple radios

Authentication and Key Management of MP with multiple radios

Similar presentations

Ads by Google