Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2011-11-01 Authors:

Published byBrook Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2011-11-01 Authors:"— Presentation transcript:

1 doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2011-11-01 Authors:

2 doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 2 Abstract This presentation describes a proposed FILS authentication protocol.

3 doc.: IEEE 802.11-11/1429r0 Submission Background: Otway-Rees Classic 3-party protocol Players: –Alice, a client/peer with identity A –Bob, a server/peer with identity B –Trent, the trusted 3 rd party with identity T Assumptions: –Alice shares a key with Trent, K at –Bob shares a key with Trent, K bt Notation: –{X}y is wrapping message X with key y –g x is a Diffie-Hellman exponential, generator g raised to power x –Nx is a nonce, a random number, contributed by party x –sess is a session identifier –X  Y means X sends to Y November 2011 Dan Harkins, Aruba NetworksSlide 3

4 doc.: IEEE 802.11-11/1429r0 Submission Background: Otway-Rees A  B: A, B, sess, {Na, A, B, sess} K at B  T: B, A, sess, {Na, A, B, sess} K at, {Nb, B, A, sess} K bt B  T: sess, {Na, K ab }K at, {Nb, K ab }K bt A  B: sess, {Na, K ab }K at Now Alice and Bob share a secret key, K ab, and a session identifier, sess. November 2011 Dan Harkins, Aruba NetworksSlide 4

5 doc.: IEEE 802.11-11/1429r0 Submission Background: Otway-Rees Nonces provide a proof of “liveness” to the resulting shared key If sess is reused a cut-and-paste attack could result in one party thinking protocol finished successfully and the other thinking it failed– not a good result Trent, the trusted third party, is a key distributor –Someone else besides Alice and Bob know their secret –Trent is solely responsible for creating the secret Alice and Bob really haven’t authenticated each other! –They share a key with the other party but have not proven to each other that the other party knows it We could add an Otway-Rees-like exchange, but…. November 2011 Dan Harkins, Aruba NetworksSlide 5

6 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Using a TTP Use Diffie-Hellman to derive a unique session key Use Trent to authenticate the exchange, not be a key distributor Add a proof-of-possession upon completion of the exchange Embed Alice’s message for/from Trent inside Bob’s to mitigate cut-and-paste issues November 2011 Dan Harkins, Aruba NetworksSlide 6

7 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Using a TTP A  B: A, sess, Na, {A, B, sess, g a } K at B  T: B, sess, {B, A, sess, g b, {A, B, sess, g a }K at } K bt B  T: sess, {B, A, sess, g b, g a, {A, B, sess, g a, g b }K at }K bt, A  B: sess, Nb, {A, B, sess, g a, g b }K at (g b ) a = g ab = (g b ) a K ab-mac | PMK = KDF(Na | Nb, g ab ) A  B: HMAC(K ab-mac, sess | MAC-A | MAC-B) B  A: HMAC(K ab-mac, sess | MAC-B | MAC-A) K ab-ccm = KDF(PMK, sess, min(MACS), max(MACS)) November 2011 Dan Harkins, Aruba NetworksSlide 7

8 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Using a TTP Diffie-Hellman exponentials in wrapped content provide the “liveness” proof to the exchange Embedding messages from/for Alice into Bob’s messages helps thwart cut-and-paste attacks Alice knows Bob created g b and Bob knows Alice created g a (because Trent said so), and they both know that the only entities that can know g ab are themselves Final two messages provide proof-of-possession of g ab Generation of a CCMP (GCMP!) key for initial use and a PMK for subsequent use November 2011 Dan Harkins, Aruba NetworksSlide 8

9 doc.: IEEE 802.11-11/1429r0 Submission Putting FILS Authentication Using a TTP Into 802.11 Authenticated Diffie-Hellman between Alice and Bob is four messages– two for the interaction with Trent, and two to prove possession of the resulting shared secret. –Use 802.11 authentication frames for first two –Use 802.11 association frames for second two Fits in nicely with 802.11 state machine –Discovery is through Beacons and Probe responses –State 0 to State 1 transition is using authentication frames –State 1 to State 2 transition is using association frames –STA could associate with multiple APs while associated with another Can put other things, like DHCP Request/Response, into 802.11 Association Request/Response November 2011 Dan Harkins, Aruba NetworksSlide 9

10 doc.: IEEE 802.11-11/1429r0 Submission Putting FILS Authentication Using a TTP Into 802.11 November 2011 Dan Harkins, Aruba NetworksSlide 10 802.11 beacon/probe response 802.11 authentication request 802.11 authentication response 802.11 association request 802.11 association response FILS-TTP authentication request FILS-TTP authentication response STAid, sess, {blob}sta-ttp TTPid, APid APid, sess, {blob}ap-ttp sess, {blob}ap-ttp sess, {blob}sta-ttp H(K, sess | MAC-STA | MAC-AP) H(K, sess | MAC-AP | MAC-STA) STAAPTTP

11 doc.: IEEE 802.11-11/1429r0 Submission Putting FILS Authentication Using a TTP Into 802.11 Fast! –Only operations using asymmetric cryptography invole the Diffie- Hellman key exchange –The TTP does not do any computationally intensive action! Use state-of-the-art crypto –Use RFC 5297 for wrapping/unwrapping of blobs –Use RFC 5869-style “extract-the-expand” KDF –Works with elliptic curve as well as finite field cryptography Communication with Trent: –SME: this is the way 11r punted the R0-R1-AP communication issue –ERP: could craft this req/resp into an EAP/Initiate-Reauth and EAP/Finish-Reauth, will work with RADIUS and Diameter (!) –or other IETF? November 2011 Dan Harkins, Aruba NetworksSlide 11

12 doc.: IEEE 802.11-11/1429r0 Submission Properties of FILS Authentication Using a TTP Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No Crypto-agility: Yes Negotiation of crypto capabilities: Yes November 2011 Dan Harkins, Aruba NetworksSlide 12

13 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication, without Online Third Party Uses Ephemeral Diffie-Hellmann to derive a unique session key Uses Signatures to Authenticate Exchanged DH- exponents Uses Message Authentication Code to provide key confirmation and complete exchange November 2011 Slide 13

14 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Without a Third Party Protocol Flows: A  B: Na, xG, Cert CA (Id A, aG), Id sess A  B: Nb, yG, Cert CA (Id A, bG), Id sess K = h (xy)G = (hx)Y = (hy)X, where X:=xG, Y:=yG K ab-mac | PMK = kdf(Na | Nb, K | Id A | Id B | Id sess ) A  B: MAC kab-mac (flow AB, Id A, Id B ), Sig A (yG, xG, Id A, Id B, Id sess ) A  B: MAC kab-mac (flow BA, Id B, Id A ), Sig B (xG, yG, Id B, Id A, Id sess ) K ab-ccm = KDF(PMK, Id sess, min(MACS), max(MACS)) Cryptographic Schemes: (1)Ephemeral Diffie-Hellmann CDH(1,1): NIST SP 800-56a (2)Signature Scheme ECDSA: FIPS 186-2 (3)Key Derivation: Draft NIST SP 800-56C (4)Curve: P-256 h=1 (FIPS 186-2); SHA-256 (FIPS 180-2) November 2011 Slide 14

15 doc.: IEEE 802.11-11/1429r0 Submission Putting FILS Authentication Without a Third Party Into 802.11 November 2011 Slide 15 802.11 beacon/probe response 802.11 authentication request 802.11 authentication response 802.11 association request 802.11 association response xG, Cert CA (STA, aG), Id sess yG, Cert CA (AP, bG), Id sess STA AP TTP MAC ka (#3, STA, AP), Sig STA (yG, xG, STA, AP, Id sess ) MAC ka (#4, AP, STA), Sig AP (xG, yG, AP, STA, Id sess ) Possible to include AP key contribution in Beacon/probe, at cost of loosing perfect Forward secrecy; but does slim down #flows

16 doc.: IEEE 802.11-11/1429r0 Submission Properties of FILS Authentication Without a Third Party Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No, but not a threat if ECC implemented with some hardware support Crypto-agility: Yes Negotiation of crypto capabilities: Possible November 2011 Slide 16

17 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Using a Simple Password (ala SAE) A  B: Na, sess, scalar a, element a A  B: Nb, sess, scalar b, element b (PWE scalarb * element b ) a = K = (PWE scalara * element a ) b K ab-mac | PMK = KDF(Na | Nb, K) A  B: HMAC(K ab-mac, sess | scalar a | scalar b | MAC-A | MAC-B) B  A: HMAC(K ab-mac, sess | scalar b | scalar a | MAC-B | MAC-A) K ab-ccm = KDF(PMK, sess, (scalar a + scalar b ) | min(MACS), max(MACS)) November 2011 Dan Harkins, Aruba NetworksSlide 17

18 doc.: IEEE 802.11-11/1429r0 Submission Putting FILS Authentication Using a Simple Password Into 802.11 November 2011 Slide 18 802.11 beacon/probe response 802.11 authentication request 802.11 authentication response 802.11 association request 802.11 association response Na, scalar a, element a, Id sess STA AP Nb, scalar b, element b, Id sess H(K, Id sess | MAC-STA | MAC-AP) H(K, Id sess | MAC-AP| MAC-STA)

19 doc.: IEEE 802.11-11/1429r0 Submission Properties of FILS Authentication Using a Simple Password (ala SAE) Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No Crypto-agility: Yes Negotiation of crypto capabilities: Yes November 2011 Slide 19

20 doc.: IEEE 802.11-11/1429r0 Submission FILS Authentication Two Message Exchange supports many options –Authentication using symmetric keys and a trusted third party –Authentication using certificates without a trusted third party –Authentication using passwords without a trusted third party Many desirable security properties –Mutual authentication –Perfect Forward Secrecy –Key Generation –Crypto-agility Use state-of-the-art cryptography November 2011 Dan Harkins, Aruba NetworksSlide 20

21 doc.: IEEE 802.11-11/1429r0 Submission Conformance with TGai PAR & 5C November 2011 Slide 21 Conformance QuestionResponse Does the proposal degrade the security offered by Robust Security Network Association (RSNA) already defined in 802.11? No Does the proposal change the MAC SAP interface?No Does the proposal require or introduce a change to the 802.1 architecture? No Does the proposal introduce a change in the channel access mechanism? No Does the proposal introduce a change in the PHY?No Which of the following link set-up phases is addressed by the proposal? (1) AP Discovery (2) Network Discovery (3) Link (Re-)establishment, exchange of security related messages (4) Higher layer aspects, e.g. IP address assignment. 3

22 doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 22 References

Download ppt "Doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2011-11-01 Authors:"

Similar presentations

Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-11/1436r0 Submission NameAffiliationsAddressPhoneemail Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1436r0 Submission NameAffiliationsAddressPhone Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Doc.: IEEE 802.11-11/0780r1 Submission NameAffiliationsAddressPhoneemail Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.

Doc.: IEEE /0780r1 Submission NameAffiliationsAddressPhone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.
Doc.: IEEE 802.11-12/0041r1 Submission NameAffiliationsAddressPhoneemail Robert Sun; Yunbo Li; Edward Au; Phillip Barber Huawei Technologies Co., Ltd.

Doc.: IEEE /0041r1 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li; Edward Au; Phillip Barber Huawei Technologies Co., Ltd.
Doc.: IEEE 802.11-12/0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: 2012-05-04 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: Authors: NameAffiliationsAddressPhone .
Submission doc.: IEEE 11-12-0406-03-00ai May 2012 InterDigital, KDDI, Nokia, Huawei, Intel, Qcomm Slide 1 Proposed SFD Text for 802.11ai Passive Scanning.

Submission doc.: IEEE ai May 2012 InterDigital, KDDI, Nokia, Huawei, Intel, Qcomm Slide 1 Proposed SFD Text for ai Passive Scanning.
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/0550 Submission NameAffiliationsAddressPhone Kiseon RyuLG Electronics10225 Willow Creek Rd, San Diego, CA, 92131, USA +1

Doc.: IEEE /0550 Submission NameAffiliationsAddressPhone Kiseon RyuLG Electronics10225 Willow Creek Rd, San Diego, CA, 92131, USA +1
Doc.: IEEE 802.11-12/933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: 2012-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/1042r3 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,

Doc.: IEEE /1042r3 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,
Doc.: IEEE 802.11-12/1042 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,

Doc.: IEEE /1042 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,
Doc.: IEEE 802.11-12/1054r0 Submission Sep. 2012 Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: 2012-09-07 Authors:

Doc.: IEEE /1054r0 Submission Sep Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: Authors:
Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security (CS435) Part Eight (Key Management)
Submission doc.: IEEE 802.11-11/1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Submission doc.: IEEE 11-11/1414r2 November 2011 Katsuo Yunoki, KDDI R&D LaboratoriesSlide 1 Probe Request and Response in TGai Date: 2011-11-02 Authors:

Submission doc.: IEEE 11-11/1414r2 November 2011 Katsuo Yunoki, KDDI R&D LaboratoriesSlide 1 Probe Request and Response in TGai Date: Authors:
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Doc.: IEEE 802.11-11/0977r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKA ROOT INC.2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771-

Doc.: IEEE /0977r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKA ROOT INC Tenjin, Chuo-ku, Fukuoka JAPAN
Submission doc.: IEEE 11-12-0406-00-00ai March 2012 InterDigital, KDDI, Nokia, Huawei, IntelSlide 1 Proposed SFD Text for 802.11ai Passive Scanning Improvement.

Submission doc.: IEEE ai March 2012 InterDigital, KDDI, Nokia, Huawei, IntelSlide 1 Proposed SFD Text for ai Passive Scanning Improvement.

Similar presentations

Ads by Google