1. Month Year
doc.: IEEE yy/xxxxr0
November 2005
Disassociation and Deauthentication in BUMP using Length-Two-Hash Chain
Date:
Authors:
Notice: This document has been prepared to assist IEEE It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures < ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE Working Group. If you have questions, contact the IEEE Patent Committee Administrator at
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

2. Month Year
doc.: IEEE yy/xxxxr0
November 2005
Abstract
Part of the BUMP proposal describes a mechanism for secure disassociation frames using a hash-based commitment. This talk describes an (independently discovered) observation regarding this approach. In particular, we show how to use a two-level hash chain to separately permit both secure disassociation and deauthentication without requiring extra state or communication costs.
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

3. Outline Basic 802.11 State Machine DoS Attacks by Rogue STA
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Outline
Basic State Machine
DoS Attacks by Rogue STA
The BUMP proposal for protecting group management frames: Length-One Hash Chains
Relevance to State Machine (protects deauthentication/disassociate frame)
Our Core Idea: Length-Two Hash Chains
Relevance to State Machine (protects deauthentication/disassociate frame and also protects disassociation frame).
Implementation based closely on BUMP protocol architecture
Conclusions
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

4. Review: “Basic” 802.11 state diagram
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Review: “Basic” state diagram
State 1:
Unauthenticated
Unassociated
Not clear whether there’s a compelling reason to separate these two states.
Successful authentication
Deauthentication notification
State 2:
Authenticated
Unassociated
Deauthentication notification
Successful (re) association
Disassociation notification
State 3:
Authenticated
Associated
(State 3’: w/PTKSA)
IEEE 802.1X Controlled Port unblocked
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

5. Problem: Rogue group stations
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Problem: Rogue group stations
Need to protect management frames that a station uses to disassociate or deauthenticate.
Otherwise rogue station can forge such frames which results in a DoS attack.
DoS attack
Associated
w/PTKSA
Disassociation or Deauthentication broadcast
Group (same GTK)
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

6. Month Year
doc.: IEEE yy/xxxxr0
November 2005
BUMP Proposal to Achieve Insider Forgery Protection for Broadcast Disassoc/Deauth
If AP is enabled to enforce protection of broadcast management frames:
Generate a random, unpredictable value CGTK whenever it selects a new IGTK (e.g. the key for protecting broadcast management frames).
Distributes the commitment value CV = hash(AA | SA | CGTK) to w STAs when it distributes IGTK
When AP sends broadcast Disassociation/Deauthenticate:
MIC IE includes CGTK as the sequence number, length is updated to 26
Full packet is MIC’ed per the w broadcast protection (except for muted bits per slide 3)
When an w STA receives a protected broadcast, accept frame if:
CV = hash( AA | SA | CGTK)
MIC is valid
Otherwise discard packet
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

7. BUMP Proposal: relevance to “Basic” 802.11 state diagram
Month Year
doc.: IEEE yy/xxxxr0
November 2005
BUMP Proposal: relevance to “Basic” state diagram
State 1:
Unauthenticated
Unassociated
Successful authentication
Deauthentication notification
Deauthentication notification
State 2:
Authenticated
Unassociated
With CGTK
Successful (re) association
Disassociation notification
State 3:
Authenticated
Associated
IEEE 802.1X Controlled Port unblocked
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

8. Our Core Idea Add a level of indirection! Specifically
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Our Core Idea
Add a level of indirection!
BUMP starts with the CGTK and generates the CV by hashing it (one-level hash chain).
We propose first generating the CGTK itself by a hash function (two-level hash chain).
Specifically
AP sets up CV as follows:
Pick unpredictable value SGTK (“Seed” for CGTK)
CGTK = Hash(SGTK)
CV = Hash(AA | SA | CGTK)
AP includes CGTK as part of broadcast disassociate;
AP includes SGTK as part of broadcast deauthenticate/disassociate
Note: hash chains have been around for a long time
Passwords (Lamport), One-time Signatures (Merkle), Micropayments (Pedersen; Anderson, Manivafas, Sutherland; Rivest and Shamir), Certificate Revocation (Micali), Multicast Authentication (Perrig, Canetti, Song, Tygar), etc.
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

9. Insider Forgery Protection for Broadcast Disassoc/Deauth
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Insider Forgery Protection for Broadcast Disassoc/Deauth
If AP is enabled to enforce protection of broadcast management frames:
Generate CGTK=hash(SGTK) – where SGTK is an unpredictable, random “seed” GTK.
Distributes the commitment value CV = hash(AA | SA | CGTK) to w STAs.
When AP sends broadcast Disassociation/Deauthenticate:
Include SGTK
When AP sends broadcast Disassociation
Include CGTK
When an w STA receives a protected broadcast, accept frame if:
CV = hash( AA | SA | CGTK) for a disassociation frame.
CV = hash( AA | SA | hash(SGTK)) for a deauthentication frame.
Otherwise discard frame
Impacts:
Can separately achieve disassociation and deauthentication (but we don’t have a concrete scenario that leverages this separation).
Tradeoff: AP needs to do extra hash function computation when generating CV.
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

10. 4way-handshake CGTK=Hash(SGTK)
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Protocol Diagram
STAs
Rogue AP
Store: SGTK
4way-handshake CGTK=Hash(SGTK)
CV=Hash(AA | SA | CGTK)
Disassociation/Deauthentication with the broadcast address
STA can ignore
Disassociation with the broadcast address and CGTK
Check: CV = Hash( AA | SA | CGTK)
Deauthentication with the broadcast address and SGTK
Check: CV = Hash(AA | SA | Hash(SGTK))
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

11. Our Proposal: relevance to 802.11 state diagram
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Our Proposal: relevance to state diagram
State 1:
Unauthenticated
Unassociated
Problem: While our two-level hash chain allows you to go from State 3 to State 2, you can only go to State 1 from there.
Upshot: Two-level hash chains give you extra “flexibility” but it’s not clear if there’s a usage scenario that takes advantage of this flexibility.
Successful authentication
Deauthentication notification
Deauthentication notification
State 2:
Authenticated
Unassociated
With SGTK
Successful (re) association
With CGTK
Disassociation notification
State 3:
Authenticated
Associated
IEEE 802.1X Controlled Port unblocked
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

12. Proposal Summary Extensions to BUMP: Bumping up BUMP! Impacts:
Month Year
doc.: IEEE yy/xxxxr0
November 2005
Proposal Summary
Extensions to BUMP: Bumping up BUMP!
CV created using double-hash chain: CGTK = Hash(CGTK); CV = Hash(AA | SA | CGTK)
Disassociate with CGTK
De-authenticate with SGTK
Impacts:
Compatibility: seems to fit very cleanly into existing BUMP proposal
Separation: Disassociation and deauthentication are treated individually (fits “basic” state diagram more closely).
Tradeoffs: AP needs to do one extra hash function computation.
Open Question:
Is there a scenario that can take advantage of this separation?
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company

13. Month Year
doc.: IEEE yy/xxxxr0
November 2005
References
ads-which-management-frames-need-protection.ppt
ads-session-mac-address-solves-deadlocks.ppt
ads-management-frame-protection.ppt
ads-requirements-management-frames-protection-schemes.ppt
ads-simple-80211i-extension.ppt
ads-protectionmanagementframes-protocolrequirements.ppt
ads-PMF-Requirements.ppt
ads-requirements-management-protection.doc
ads-protecting-broadcast-management-frames.ppt
w-broadcast-and-unicast-management-protection-bump.ppt
w-normative-text-bump-proposal.doc
Zulfikar Ramzan, DoCoMo USA Labs
John Doe, Some Company