1 Fast Handoff Issues
doc.: IEEE 802.11-01/252
May 2001
Bernard Aboba, Microsoft
16 January 2019

2 Outline
- Problem Statement
- Overall latency budget
- Pre-authentication
- Fast Handoff
- Performance diagram
- Key Generation

3 Problem Statement
- To complete all activities necessary for a STA to be functional when connected to a new AP
- More than just an 802.11 problem, but latency is important
- The definition of "functional" depends on the application
- Example applications: multimedia streaming (150 ms), VoIP (50 ms)

4 Latency Budget

| Layer | Item | Time (ms) |
|---|---|---|
| L2 | scan (passive) | 0 ms (cached), 1 second (wait for Beacon) |
| L2 | scan (active) | 40 to 300 ms |
| L2 | assoc/reassoc (no IAPP) | 2 |
| L2 | assoc/reassoc (w/ IAPP) | 40 |
| L2 | 802.1X authentication (full) | 1000 |
| L2 | 802.1X authentication (fast resume) | 250 |
| L2 | Fast handoff (4-way handshake only) | 60 |
| L3 | DHCPv4 | |
| L3 | Initial RS/RA | 5 |
| L3 | Wait for subsequent RA | 1500 |
| L3 | DAD (full) | |
| L3 | Optimistic DAD | |
| L3 | MN-HA BU | 1 RTT (IKE w/HA SA), 4 RTT (IKE w/CoA SA) |
| L3 | MN-CN BU | 1-1.5 RTT (CAM) to 2.5 RTT (RR) |
| L4 | TCP parameter adjustment (status quo) | 5000 (802.11/CDMA); (802.11/GPRS) |

| Case | Assumptions | Total |
|---|---|---|
| Best case | All fixes | 150 ms |
| Average case | 6to4, RR, active scan | 1300 ms |
| Worst case | No TCP changes, full EAP auth, IAPP, DHCPv4 | 25000 ms |

5 Pre-Authentication w/802.1X
[Diagram: AP A on Channel 6, AP B on Channel 11, STA moving at velocity v; distances c and D]
- STA authenticates and associates to AP A on Channel 6
  - 802.1X data frames with "From DS" and "To DS" set to false (Class 1)
- STA does passive or active scan, moves, selects AP B as "potential roam"
- STA authenticates to AP B before connectivity to AP A is lost (if $\Delta T < c/v$)
  - Can send unicast 802.1X data frames to AP B, forwarded by AP A: "From DS" or "To DS" set to true (Class 3)
  - Can tune radio to Channel 11 (if $B > r\,\Delta T$)
- STA reassociates to AP B

6 Reassociation w/4-way Handshake Only
[Diagram: AP A on Channel 6, AP B on Channel 11, STA moving at velocity v; distances c and D]
- STA had previously associated with AP B
- STA authenticates and associates to AP A on Channel 6
  - 802.1X data frames with "From DS" and "To DS" set to false (Class 1)
- STA does passive or active scan, moves, selects AP B as "potential roam"
- STA recognizes that it has already derived a PMK with AP B that still has lifetime remaining
- STA sends Reassociation Request to AP B, asserts the "PMK cached" bit, receives Reassociation Response with "PMK cached" bit set (means the AP has a PMK for the STA)
- STA completes 4-way handshake with AP B

7 Pre-Authentication Performance
- Maximum velocity (no PMK cached on AP B): $v = c / \Delta T_{PA}$
  - $\Delta T_{PA} = \Delta T_{SCAN} + \Delta T_{802.1X} + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: c = 2 ft, $\Delta T_{PA}$ = 250 ms (fast resume) gives v = 8 ft/s (5.5 MPH, pedestrian)
  - If the STA can learn of alternative APs via other mechanisms (e.g. advertisement over IP), then $c \approx D$
- Maximum velocity (PMK cached on AP B)
  - $\Delta T_{PA} = \Delta T_{SCAN} + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: c = 2 ft, $\Delta T_{PA}$ = 100 ms gives v = 20 ft/s (14 MPH)
- Server load
  - A full authentication is done for all APs in the roaming set (N) for which a PMK has not been derived and cached
  - Authentication Load = $N \cdot v / D$ (for a path with all new APs)
  - Authentication Load = $N \cdot v / (D \cdot T_{key})$ (for a path with old APs)

8 Fast Handoff
[Diagram: AP A on Channel 6, AP B on Channel 11, STA moving at velocity v; distances c and D]
- STA authenticates and associates to AP A on Channel 6
- PMK provided to AP B via IAPP or AAA (University of Maryland proposal)
- STA does passive or active scan, moves, selects AP B as "potential roam"
- STA authenticates to AP B
- STA reassociates to AP B

9 Fast Handoff Performance
- Maximum velocity calculation: $v = D / \Delta T_{FH}$
  - $\Delta T_{FH} = \max(\Delta T_{SCAN},\ 2\,RTT_{AAA}) + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: D = 100 ft, $\Delta T_{SCAN}$ = 40 ms, $RTT_{AAA}$ = 50 ms, $\Delta T_{4way}$ = 60 ms, $\Delta T_{REASSOC}$ = 10 ms
  - v = 100 ft / 170 ms = Mach 0.6!
- Server load
  - A key generation plus 2 AAA round trips for all APs in the neighbor set (M) whose cache entry is still valid
  - Key lifetime has a large impact on performance
  - Load multiplied by $2M \cdot v / (D \cdot T_{key})$

10 The Problem Space
[Chart: handoff Rate versus Station Velocity (Stationary, Pedestrian, Vehicular, High Speed). Labelled regions and thresholds: Scan + Pre-auth via Old AP up to $c / \Delta T_{PA}$; Fast Handoff with Scan + Radio tuning up to $D / \Delta T_{FH}$; Faster Handoff up to $D / \Delta T_{Reassoc}$; beyond that, Association not possible]

11 Issues with Fast Handoff
- Key lifetime
  - Load is proportional to the reciprocal of the key lifetime
- PMK "generations"
  - AP and STA may need to keep both current and previous PMKs
  - Performance is best if PMKs are not updated until the key lifetime expires
  - Reuse the PMK, but rerun the 4-way handshake to ensure liveness
  - Works with pre-authentication too (if the STA revisits an AP with a cached PMK)
- Binding attacks
  - With Fast Handoff, key binding attacks are easier to carry out
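The cache behaviour described on slides 6 and 11 (reassociate with the "PMK cached" bit only when a PMK with lifetime remaining exists, and keep the current and previous PMK generation per peer), worked as an added Python example. This is not code from the presentation; the MAC addresses, the one-hour key lifetime and the roam sequence are constructed values.

```python
# Added example, not from the presentation: STA and AP PMK caches with key
# lifetimes and "generations", driving the "PMK cached" reassociation decision.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PMKEntry:
    pmk: bytes
    expires_at: float   # absolute time in seconds at which the key lifetime ends
    generation: int     # 1 for the first PMK derived with this peer, then 2, 3, ...


@dataclass
class PMKCache:
    """Per-peer PMK store keeping the current and the immediately previous generation.

    Keyed by the peer's MAC address: on the STA the key is the AP's MAC, on the AP
    it is the STA's MAC.  The previous generation is retained so a handshake that
    started under the old PMK can still complete after a rekey (slide 11).
    """
    current: Dict[str, PMKEntry] = field(default_factory=dict)
    previous: Dict[str, PMKEntry] = field(default_factory=dict)

    def install(self, peer: str, pmk: bytes, now: float, lifetime: float) -> int:
        """Install a freshly derived PMK; returns its generation number."""
        old = self.current.get(peer)
        generation = old.generation + 1 if old else 1
        if old is not None:
            self.previous[peer] = old
        self.current[peer] = PMKEntry(pmk, now + lifetime, generation)
        return generation

    def live(self, peer: str, now: float) -> Optional[PMKEntry]:
        """Return the current PMK for peer if its lifetime has not yet expired."""
        entry = self.current.get(peer)
        if entry is None or entry.expires_at <= now:
            return None
        return entry

    def purge(self, now: float) -> int:
        """Drop expired entries (current and previous); returns how many were removed."""
        removed = 0
        for table in (self.current, self.previous):
            for peer in [p for p, e in table.items() if e.expires_at <= now]:
                del table[peer]
                removed += 1
        return removed


def sta_roam_decision(sta_cache: PMKCache, ap_mac: str, now: float,
                      handshake_time: float = 0.0) -> str:
    """Decide how the STA joins ap_mac.

    'reassoc_4way': a PMK for this AP is cached and will still be live when the
                    4-way handshake finishes, so set the "PMK cached" bit (slide 6).
    'full_auth':    no usable PMK; run full 802.1X (pre-)authentication.
    """
    if sta_cache.live(ap_mac, now + handshake_time) is not None:
        return "reassoc_4way"
    return "full_auth"


def ap_reassoc_response(ap_cache: PMKCache, sta_mac: str, pmk_cached_bit: bool,
                        now: float) -> bool:
    """AP side of the Reassociation exchange: set the "PMK cached" bit in the
    response only if the AP really holds a live PMK for this STA."""
    return pmk_cached_bit and ap_cache.live(sta_mac, now) is not None


def roam_scenario() -> Tuple[list, int]:
    """Constructed walk-through: STA roams A -> B -> A -> B, then B's key expires.
    Returns the decision log and the PMK generation the STA ends up holding for B."""
    STA, AP_A, AP_B = "02:00:00:00:00:01", "02:aa:aa:aa:aa:aa", "02:bb:bb:bb:bb:bb"
    sta, ap_a, ap_b = PMKCache(), PMKCache(), PMKCache()
    lifetime = 3600.0          # one-hour PMK lifetime (constructed value)
    log = []

    def join(ap_cache: PMKCache, ap_mac: str, pmk: bytes, t: float) -> None:
        decision = sta_roam_decision(sta, ap_mac, t, handshake_time=0.06)
        if decision == "reassoc_4way" and not ap_reassoc_response(ap_cache, STA, True, t):
            decision = "full_auth"   # AP no longer has the key: STA falls back
        if decision == "full_auth":
            # Full 802.1X completed: both sides install a fresh PMK generation.
            sta.install(ap_mac, pmk, t, lifetime)
            ap_cache.install(STA, pmk, t, lifetime)
        log.append(decision)

    join(ap_a, AP_A, b"\x11" * 32, 0.0)        # first contact with A: full auth
    join(ap_b, AP_B, b"\x22" * 32, 10.0)       # first contact with B: full auth
    join(ap_a, AP_A, b"\x33" * 32, 20.0)       # back to A: PMK cached, 4-way only
    join(ap_b, AP_B, b"\x44" * 32, 30.0)       # back to B: PMK cached, 4-way only
    join(ap_b, AP_B, b"\x55" * 32, 3700.0)     # B's PMK lifetime expired: full auth again
    return log, sta.current[AP_B].generation
```

The handshake_time margin in sta_roam_decision is what keeps a PMK that expires mid-handshake from being chosen; the previous-generation slot is what lets the AP finish a handshake begun just before a rekey.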

12 Issues With Fast Handoff (cont'd)
- EAP method compatibility
  - The PRF used to generate handoff PMKs should not depend on the EAP method
  - Most EAP methods cannot export the MK, so the PMK for fast handoff cannot be calculated from the MK
- For Perfect Forward Secrecy (PFS), the handoff PMK must be computed from a quantity that the AP does not have access to
- Alternatives: MSK(63,127) (not transmitted to the NAS in RFC 2548)
  - Not supported by Diameter EAP

13 TGi Pairwise Key Hierarchy
- Master Key (MK)
- Pairwise Master Key (PMK) = MSK(0,31)
- Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr)
  - Key Confirmation Key (KCK): PTK bits 0-127
  - Key Encryption Key (KEK): PTK bits 128-255
  - Temporal Key: PTK bits 256-n; can have cipher-suite-specific structure

14 Alternative PMK Calculation
- Variation on the University of Maryland approach
- A PMK is generated for an AP only when a full authentication occurs or the key lifetime expires
- No PMK "generations"
- Example formulas
  - PMK0 = MSK(0,31)
  - PMK1-B = Handoff-PRF(MSK(63,95), PMK0, APB-MAC-Addr, STA-MAC-Addr)
  - PMK1-E = Handoff-PRF(MSK(63,95), PMK0, APE-MAC-Addr, STA-MAC-Addr)
  - STA roams to APB: PMK1-B → PMK0
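The two derivations of slides 13 and 14 worked in Python, as an added example rather than code from the presentation. The PTK derivation uses the HMAC-SHA1 PRF and "Pairwise key expansion" label that IEEE 802.11i later standardised, which the 2001 EAPoL-PRF draft may not match exactly; Handoff-PRF is not specified on the slide, so HMAC-SHA256 is assumed for it; the MSK, MAC addresses and nonces are constructed.

```python
# Added example, not from the presentation.  (1) The TGi pairwise hierarchy of
# slide 13 (PMK -> PTK -> KCK | KEK | TK) using the HMAC-SHA1 PRF and
# "Pairwise key expansion" label that IEEE 802.11i later standardised.  (2) The
# per-AP handoff PMK of slide 14; Handoff-PRF := HMAC-SHA256 is an assumption.
import hashlib
import hmac
from typing import Dict


def prf_80211i(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... until nbits are available, then truncate to nbits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def mac_bytes(mac: str) -> bytes:
    """'02:bb:bb:bb:bb:bb' -> 6 raw octets."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_ptk(pmk: bytes, ap_mac: str, sta_mac: str, anonce: bytes, snonce: bytes,
               tk_bits: int = 128) -> Dict[str, bytes]:
    """PTK = PRF(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Split as on slide 13: KCK = bits 0-127, KEK = bits 128-255, TK = bits 256-n.
    tk_bits is cipher-suite specific: 128 for CCMP, 256 for TKIP."""
    aa, spa = mac_bytes(ap_mac), mac_bytes(sta_mac)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 256 + tk_bits)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def pmk0_from_msk(msk: bytes) -> bytes:
    """PMK0 = MSK(0,31): the first 32 octets of the EAP Master Session Key."""
    return msk[0:32]


def handoff_pmk(msk: bytes, pmk0: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMK1-X = Handoff-PRF(MSK(63,95), PMK0, APX-MAC-Addr, STA-MAC-Addr).

    MSK(63,95) (octets 63..95, read literally from the slide) stays with the STA
    and the AAA server.  An AP that holds PMK0 and its own PMK1 therefore cannot
    compute a neighbour's PMK1, which is the forward-secrecy point of slide 12.
    Handoff-PRF := HMAC-SHA256 over PMK0 || AP MAC || STA MAC is this example's choice."""
    secret = msk[63:96]
    return hmac.new(secret, pmk0 + mac_bytes(ap_mac) + mac_bytes(sta_mac),
                    hashlib.sha256).digest()


def handoff_walkthrough() -> Dict[str, bytes]:
    """Constructed data: a 128-octet MSK, one STA, AP B and AP E.  Returns PMK0,
    the two handoff PMKs and the KCK of the 4-way handshake run with AP B."""
    msk = bytes(range(128))                       # constructed, not a real MSK
    sta, ap_b, ap_e = "02:00:00:00:00:01", "02:bb:bb:bb:bb:bb", "02:ee:ee:ee:ee:ee"
    pmk0 = pmk0_from_msk(msk)
    pmk1_b = handoff_pmk(msk, pmk0, ap_b, sta)
    pmk1_e = handoff_pmk(msk, pmk0, ap_e, sta)
    # STA roams to AP B: PMK1-B becomes the PMK used for the 4-way handshake.
    keys = derive_ptk(pmk1_b, ap_b, sta, b"\xa1" * 32, b"\x5e" * 32)
    return {"pmk0": pmk0, "pmk1_b": pmk1_b, "pmk1_e": pmk1_e, "kck_b": keys["kck"]}
```

Because the handoff PMK is keyed on the AP's MAC address, a PMK delivered to the wrong AP is useless to it, and because its secret input never reaches any AP, compromise of one AP does not expose the PMKs of its neighbours.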

15 Alternative Synchronization Example
[Diagram: STA roam pattern A → B → C → D across PMK generations 1-4; labels shown: PMK0A, PMKB, PMKC, PMKD, PMKE, PMKG]

16 Binding Attacks
- With fast handoff, the key binding issue becomes critical
- Example attack: NAS impersonation
  - In RADIUS, the shared secret is verified based on the Source Address, not the NAS-Identifier, NAS-IPv6-Address or NAS-IP-Address attributes
  - Most proxies don't check the source address against these attributes either
  - Diameter has the Route-Record AVP, but it is not clear it solves the problem
- Result
  - A rogue NAS can claim to be any other NAS served by the AAA proxy
  - The AAA server cannot verify the NAS identification attributes
  - In fast handoff via AAA, the result will be a PMK sent to a NAS of the attacker's choice

17 Solution
- Key binding
  - Addition of NAS and STA identification attributes to keying attribute packages
  - Addition of anti-replay attributes: Nonce? Event-Timestamp
  - Question: do we need CMS keywrap to protect the binding?
- Status
  - Diameter EAP and NASREQ: vulnerable to attack
  - RFC 2869bis: vulnerable
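The checks described on slides 16 and 17, as an added Python example that is not from the presentation: a AAA server or proxy binds the NAS identification attributes in a packet to the source address whose shared secret authenticated it, and an AP accepts a keying attribute package only if it names that AP and STA, is fresh by Event-Timestamp and carries a nonce not seen before. Calling-Station-Id (a standard RADIUS attribute) stands in for the STA identification attribute the slide does not name; the "Nonce" attribute name, the client table, addresses and packets are constructed.

```python
# Added example, not from the presentation: the source-address binding and
# anti-replay checks of slides 16 and 17.  Attribute names NAS-IP-Address,
# NAS-Identifier and Event-Timestamp are from the slides; "Nonce" is a placeholder
# name and Calling-Station-Id is used here to carry the STA MAC.
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class RadiusClient:
    """A NAS the AAA server knows.  The shared secret is bound to this source address."""
    nas_ip: str
    nas_identifier: str


def verify_nas_binding(src_addr: str, attrs: Dict[str, str],
                       clients: Dict[str, RadiusClient]) -> Tuple[bool, str]:
    """Reject the slide-16 impersonation: a NAS must not be able to claim another
    NAS's identity.  RADIUS selects the shared secret by packet source address, so
    the authenticated identity is clients[src_addr]; every NAS identification
    attribute in the packet has to agree with it."""
    client = clients.get(src_addr)
    if client is None:
        return False, "unknown source address: no shared secret configured"
    nas_ip = attrs.get("NAS-IP-Address")
    if nas_ip is not None and nas_ip != client.nas_ip:
        return False, f"NAS-IP-Address {nas_ip} does not match authenticated source {src_addr}"
    nas_id = attrs.get("NAS-Identifier")
    if nas_id is not None and nas_id != client.nas_identifier:
        return False, f"NAS-Identifier {nas_id} does not belong to {src_addr}"
    if nas_ip is None and nas_id is None:
        return False, "no NAS identification attribute present"
    return True, "NAS identity bound to source address"


def verify_key_package(pkg: Dict[str, str], expected_nas_id: str, expected_sta: str,
                       now: float, seen_nonces: Set[str],
                       window: float = 300.0) -> Tuple[bool, str]:
    """Slide-17 receiver checks on a keying attribute package (PMK delivery).

    The package must name this NAS and this STA, carry an Event-Timestamp within
    the replay window, and use a nonce not seen before; otherwise a replayed or
    misdirected PMK is discarded rather than installed."""
    if pkg.get("NAS-Identifier") != expected_nas_id:
        return False, "key package addressed to a different NAS"
    if pkg.get("Calling-Station-Id", "").lower() != expected_sta.lower():
        return False, "key package bound to a different STA"
    try:
        ts = float(pkg["Event-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed Event-Timestamp"
    if abs(now - ts) > window:
        return False, f"Event-Timestamp outside replay window ({abs(now - ts):.0f}s)"
    nonce = pkg.get("Nonce")
    if not nonce:
        return False, "missing anti-replay nonce"
    if nonce in seen_nonces:
        return False, "nonce already seen: replay"
    seen_nonces.add(nonce)
    return True, "key package accepted"


def demo_results() -> list:
    """Constructed scenario; returns the accept/reject verdicts in order."""
    clients = {"192.0.2.10": RadiusClient("192.0.2.10", "ap-a"),
               "192.0.2.11": RadiusClient("192.0.2.11", "ap-b")}
    sta = "02:00:00:00:00:01"
    verdicts = [
        verify_nas_binding("192.0.2.10", {"NAS-IP-Address": "192.0.2.10"}, clients)[0],  # honest AP A
        verify_nas_binding("192.0.2.99", {"NAS-IP-Address": "192.0.2.10"}, clients)[0],  # unknown host posing as AP A
        verify_nas_binding("192.0.2.11", {"NAS-Identifier": "ap-a"}, clients)[0],        # AP B posing as AP A
    ]
    seen: Set[str] = set()
    pkg = {"NAS-Identifier": "ap-b", "Calling-Station-Id": sta,
           "Event-Timestamp": "1000", "Nonce": "n-7f3a"}
    verdicts.append(verify_key_package(pkg, "ap-b", sta, 1010.0, seen)[0])   # fresh delivery to AP B
    verdicts.append(verify_key_package(pkg, "ap-b", sta, 1020.0, seen)[0])   # same package again: replay
    verdicts.append(verify_key_package(pkg, "ap-a", sta, 1010.0, set())[0])  # misdirected to AP A
    return verdicts
```

The source-address check has to run at every hop that terminates a shared secret: a proxy that forwards a packet whose NAS-IP-Address disagrees with its sender leaves the home server with no way to detect the mismatch, which is the slide's point about proxies.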

18 Recommendations
- Add a "PMK cached" bit to Association/Reassociation Request/Response
  - Decreases latency and AAA server load
  - Useful for both pre-authentication and fast handoff
- Reserve (but do not allocate) bits in the 4-way handshake
  - May be required to solve the "generations" problem
  - Too early to know what form the solution should take
  - Specification can be left until later (maybe another PAR)

19 Feedback?

