Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 1 An Example Protocol for FastAKM Date: 2010-01-19 Authors:

Published byUlysses Lambeth Modified over 10 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 1 An Example Protocol for FastAKM Date: 2010-01-19 Authors:"— Presentation transcript:

1 doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 1 An Example Protocol for FastAKM Date: 2010-01-19 Authors: NameCompanyAddressPhoneemail Hiroki NAKANOTrans New Technology, Inc. Sumitomo-Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho Shimogyo-ku, Kyoto 600-8492 JAPAN +81-75-213-1200cas.nakano@gmai l.com cas@trans-nt.com Hitoshi MORIOKAROOT Inc.#33 Ito Bldg. 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771-7630hmorioka@root- hq.com Hiroshi MANOROOT Inc.8F TOC2 Bldg. 7-21-11 Nishi- Gotanda, Shinagawa-ku, Tokyo 141-0031 JAPAN +81-3-5719-7630hmano@root- hq.com

2 doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 2 Abstract FastAKM framework reduces time to set up association between AP and non-AP STA. This results in reduction of blackout time on handover and enables us to use VoIP in 802.11 “mobile” environment. We show its technical possibility in this presentation by introducing a trial of example implementation of FastAKM, which establishes an association between AP and non-AP STA by single round-trip exchange of management frames.

3 doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 3 Requirements Employ just ONE round-trip exchange of frames –STA to AP, then AP to STA Do all things to start user’s data exchange –Association –Authentication –Key Exchange No direct contract between AP and non-AP STA –‘Authentication Server’ mediates between AP and non-AP STA –For separation of service providers and AP infrastructure Possibly compatible with existing 802.11 framework –Old STAs can be still operated together.

4 doc.: IEEE 802.11-10/0059r3 Submission An Example Procedure by 802.11-2007 January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 4 STA AP RADIUS Server Beacon Probe Request Probe Response Association Request Association Accept EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/TLS-Start RADIUS-Access-Request/Identity RADIUS-Access-Challenge/TLS-Start EAP-Response/TLS-client Hello EAP-Success RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/ Server Certificate EAP-Key EAP-Request/Pass Through EAP-Response/Client Certificate RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/Encryption Type EAP-Request/Pass Through EAP-Response RADIUS-Access-Request RADIUS-Access-Accept Open System Authentication

5 doc.: IEEE 802.11-10/0059r3 Submission Complaint about the Procedure… January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 5 STA AP RADIUS Server Beacon Probe Request Probe Response Open System Authentication Association Request Association Accept EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/TLS-Start RADIUS-Access-Request/Identity RADIUS-Access-Challenge/TLS-Start EAP-Response/TLS-client Hello EAP-Success RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/ Server Certificate EAP-Key EAP-Request/Pass Through EAP-Response/Client Certificate RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/Encryption Type EAP-Request/Pass Through EAP-Response RADIUS-Access-Request RADIUS-Access-Accept Probe process is optional Any other framework than EAPOL?? Open System auth. is meaningless

6 doc.: IEEE 802.11-10/0059r3 Submission Solution? We investigated and tried implementing two ideas below. –Trial 1: Omit Pre-RSNA Auth. Process –Trial 2: Piggyback Auth. Info. onto Association Request/Response January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 6

7 doc.: IEEE 802.11-10/0059r3 Submission Trial 1: Omit Pre-RSNA Auth. Process We use “Open System” authentication on Pre-RSNA framework at anytime. –Anyone using Shared Key auth? “Open System auth. is a null auth. algorithm. Any STA requesting Open System auth. may be authenticated” Quoted from 802.11-2007 section 8.2.2.2 Nevertheless, it takes ONE round-trip time to do that! Standard should be changed to allow to run Association process without Open System authentication process. –Any problem occurs? January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 7

8 doc.: IEEE 802.11-10/0059r3 Submission Reason of existence of Open System auth. “NOTE 3—IEEE 802.11 Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE 802.11 state machine (see 11.3).” Quoted from 802.11-2007 section 8.4.1.2.1 b) January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 8

9 doc.: IEEE 802.11-10/0059r3 Submission 802.11-2007 Figure 11-6 January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 9

10 doc.: IEEE 802.11-10/0059r3 Submission Modified Figure? January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 10 Successful Association with FastAKM

11 doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 11 Trial 2: Piggyback Auth. Info. onto Association Request/Response Can “Mutual Authentication” be done by just A round- trip of Association Request/Response? –“Single Round-trip Authentication” is a common problem. STA AP Authentication Server Beacon (Probe Request) (Probe Response) Authentication (Open System) Access Request Access Response Association Request Association Response (Accept)

12 doc.: IEEE 802.11-10/0059r3 Submission Supposed Service Model Authentication Server (Service Provider) Non-AP STA (Customer) AP (Infrastructure) January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 12 Contract to provide wireless access via AP infrastructure. Share information to identify each other properly, e.g. username, password, digital certificate, etc. Contract to provide wireless access via AP infrastructure. Share information to identify each other properly, e.g. username, password, digital certificate, etc. Real wireless communication channel Provide wireless access in request of Service Provider Real wireless communication channel Provide wireless access in request of Service Provider Contract to provide wireless access to users specified by Authentication Server (i.e. Service Provider) Set up secure communication channel to exchange information about users Contract to provide wireless access to users specified by Authentication Server (i.e. Service Provider) Set up secure communication channel to exchange information about users No Contract

13 doc.: IEEE 802.11-10/0059r3 Submission Technical Prerequisite January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 13 Access Point (AP) Authentication Server (AS) Station (non-AP STA) Information shared - to identify each other and - to exchange data securely - Secure communication pipe - Information shared to identify each other Wireless communication

14 doc.: IEEE 802.11-10/0059r3 Submission Association and Authentication Procedure STA  AP (piggyback on Association Request) –Auth. Server Selector = name of Auth. Server –User Information pack passed through AP toward Auth. Server User Identifier and a kind of digital signature Session key encrypted by secret shared with Auth. Server Countermeasure against replay attack AP  AS –User Information pack AP  AS –Plain (decrypted) session key STA  AP (piggyback on Association Response) –Proof of AP having legitimate session key –Group key January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 14

15 doc.: IEEE 802.11-10/0059r3 Submission Frame Exchange for Authentication January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 15 Access Point (AP) Authentication Server (AS) Station (non-AP STA) User Information pack - User Identifier - a kind of digital signature - Session key encrypted by secret shared with Auth. Server - Countermeasure against replay attack Auth. Server Selector Plain (decrypted) session key - Proof of AP having legitimate session key - Group key 1 3 2

16 doc.: IEEE 802.11-10/0059r3 Submission An Example Implemetation OS: NetBSD 5.0.1 (i386) Upper MAC Layer: NetBSD’s net80211 WLAN Chipset: Atheros Communications AR5212 Add about 200 lines in C. January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 16

17 doc.: IEEE 802.11-10/0059r3 Submission Difference from 802.11-2007 Additional state transition to skip Open System Auth. –Figure 11-6—Relationship between state variables and services Two additional elements to Table 7-26 Element IDs –Authentication Server Selector (240 temporally) –User Information Pack (241 temporally) RSN with key obtained by new FastAKM framework –7.3.2.25 RSN information element (for beacon and probe resp.) –Both Group and Pairwise Cipher Suites are set to CCMP. –AKM Suite is set to the brand-new one! Define new AKM Suite (00-d0-14-01 is used temporally.) Assign officially on Table 7-34 AKM suite selectors in future… January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 17

18 doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 18 Conclusion Not-so-many changes enables FastAKM framework. We need more technical discussion –to build and verify authentication method –about any effect of changing standard –to write down detailed specification

19 doc.: IEEE 802.11-10/0059r3 Submission Straw Poll “Does WNG think that we need tutorial session exploring the need for support for mobile communication ?” Yes: 18 No: 1 Don’t Care: 7 January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 19

Download ppt "Doc.: IEEE 802.11-10/0059r3 Submission January 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 1 An Example Protocol for FastAKM Date: 2010-01-19 Authors:"

Similar presentations

PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.

PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-98/178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE 802.11e Security IEEE 802.11 Task Group.

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22.

Submission doc.: IEEE /1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date:
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1281r1 Submission NameAffiliationsAddressPhone Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Submission doc.: IEEE 11-13/0586r0 May 2013 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Comparison of IE fragmentation proposals Date: 2013-05-15.

Submission doc.: IEEE 11-13/0586r0 May 2013 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Comparison of IE fragmentation proposals Date:
Doc.: IEEE 802.11-14/0093r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0093r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-11/1160r2 Submission NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Hemanth Sampath Qualcomm 5775 Morehouse Dr, San.

Doc.: IEEE /1160r2 Submission NameAffiliationsAddressPhone George Cherian Santosh Abraham Hemanth Sampath Qualcomm 5775 Morehouse Dr, San.
Doc.: IEEE 802.11-12/1355r2 11ah Submission Date: 2012-11-08 Authors: Nov 2012 James Wang, MediaTek Slide 1.

Doc.: IEEE /1355r2 11ah Submission Date: Authors: Nov 2012 James Wang, MediaTek Slide 1.
Submission doc.: IEEE 11-12/0271r1 March 2012 Hiroki Nakano, Trans New Technology, Inc.Slide 1 SFD Text for Big IE Date: 2012-03-03 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE 11-12/0271r1 March 2012 Hiroki Nakano, Trans New Technology, Inc.Slide 1 SFD Text for Big IE Date: Authors: NameAffiliationsAddressPhone .
Submission doc.: IEEE 802.11-11/1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: 2011-08-16 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE /1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: Authors: NameAffiliationsAddressPhone .
Submission doc.: IEEE 802.11-11/1124r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Example of IP address assignment using Generic Upper.

Submission doc.: IEEE /1124r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Example of IP address assignment using Generic Upper.
Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:
Submission doc.: IEEE 11-12-1238-01-00ai November 2012 Lei Wang, InterDigital CommunicationsSlide 1 Proposals for the FD Frame Capability, Security and.

Submission doc.: IEEE ai November 2012 Lei Wang, InterDigital CommunicationsSlide 1 Proposals for the FD Frame Capability, Security and.

Similar presentations

Ads by Google