Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-22 Authors: NameAffiliationsAddressPhoneemail.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-22 Authors: NameAffiliationsAddressPhoneemail."— Presentation transcript:

1 doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-22 Authors: NameAffiliationsAddressPhoneemail Hitoshi MORIOKA ROOT INC.2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771- 7630 hmorioka@root-hq.com Hiroshi ManoROOT INC.7-21-11 Nishi- Gotanda, Shinagawa- ku, Tokyo 141-0031 JAPAN +81-3-5719- 7630 hmano@root-hq.com Mark RISONCSRCambridge Business Park, Cowley Road, Cambridge CB4 0WZ UK +44-1223- 692000 Mark.Rison@csr.com Marc EmmelmannFraunhofer FOKUS Kaiserin-Augusta- Alle 31 10589 Berlin Germany +49-30-3463- 7268 emmelmann@ieee.org

2 doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 2 Abstract This document describes a technical proposal for TGai which addresses the following phase. Authentication and Association

3 doc.: IEEE 802.11-11/0976r3 Submission Conformance w/ Tgai PAR & 5C July 2011 Hitoshi Morioka, ROOT INC.Slide 3 Conformance QuestionResponse Does the proposal degrade the security offered by Robust Security Network Association (RSNA) already defined in 802.11? No Does the proposal change the MAC SAP interface?No Does the proposal require or introduce a change to the 802.1 architecture?No Does the proposal introduce a change in the channel access mechanism?No Does the proposal introduce a change in the PHY?No Which of the following link set-up phases is addressed by the proposal? (1) AP Discovery (2) Network Discovery (3) Link (re-)establishment / exchange of security related messages (4) Higher layer aspects, e.g. IP address assignment 3, 4

4 doc.: IEEE 802.11-11/0976r3 Submission Concept July 2011 Hitoshi Morioka, ROOT INC.Slide 4 STA AP Authentication, Key sharing, Association completed, use CCMP for data frames 4-way handshake, no security 4-way handshake, no security.11i authentication.11i key sharing Existing.11 STA AP Authentication, Key sharing, Association completed, use CCMP for data frames handshake Authentication key sharing (Upper Layer Setup) handshake Authentication key sharing (Upper Layer Setup).11ai 3(4) phases into 1. No need to process sequentially. These can be processed simultaneously. 3(4) phases into 1. No need to process sequentially. These can be processed simultaneously. Upper Layer Setup (i.e. DHCP) Upper Layer Setup (i.e. DHCP)

5 doc.: IEEE 802.11-11/0976r3 Submission Network Assumption July 2011 Hitoshi Morioka, ROOT INC.Slide 5 STA AP Network Standalone (Home/Small Office, No AS) STA AP Network Enterprise (ISP/Large Office, with AS) STA AP STA AP AS

6 doc.: IEEE 802.11-11/0976r3 Submission Pre-shared Information Standalone –A user ID and a PSK is pre-shared between AP and an STA. –Each STA has a different user ID and a PSK. –PMK is derived from PSK by existing method. Enterprise –A use ID and a PSK is pre-shared between AS and an STA. –Each STA has a different use ID and a PSK. –A shared secret (AP-key) is pre-shared between AS and AP. –Each AP has a different AP-key. –Each AP has at least one fixed reachable address. (i.e. fixed IP address) Pre-shared Keys –Pre-shared keys are distributed by other trust way, such as post-mail, memory card/stick, SIM card or over the trusted network as same as.11i pre-shared key distribution. July 2011 Hitoshi Morioka, ROOT INC.Slide 6 RADIUS

7 doc.: IEEE 802.11-11/0976r3 Submission Protocol Sequence Overview (Standalone) July 2011 Hitoshi Morioka, ROOT INC.Slide 7 STA AP Beacon (ANonce, aiCAP) Probe Req. Probe Resp. (ANonce, aiCAP) Assoc. Req. (ANonce, SNonce, NAI, MIC, [ENC(ULI)]) PTK shared Assoc. Resp. (ANonce, Lifetime, MIC, ENC(GTK, [ULI])) Authentication, Key sharing, Association completed, use CCMP for data frames PSK PMK PSK PMK

8 doc.: IEEE 802.11-11/0976r3 Submission Beacon/Probe Response AP transmits Beacon/Probe Resp. which includes.11ai capability indicator (aiCAP; new IE, new flag or new AKM suites in RSN IE) and ANonce (new IE). ANonce must be unique number. AP records ANonces and they expire in a certain period. Beacon/Probe Response can include existing RSN IE for accommodating legacy devices. (Probe request is not modified.) July 2011 Hitoshi Morioka, ROOT INC.Slide 8 STA AP Beacon (ANonce, aiCAP) Probe Req. Probe Resp. (ANonce, aiCAP)

9 doc.: IEEE 802.11-11/0976r3 Submission.11ai Association Request A.11ai STA can know the AP supports.11ai association by aiCAP in Beacon/Probe resp. The STA picks up and records ANonce from Beacon/Probe resp. The STA generates SNonce which is unique number. The STA calculate PTK as following. (same key hierarchy as described in 8.5.1.2 in IEEE802.11-2007) PTK  PRF-384(PMK, “Pair wise key expansion”, Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce)) If the STA has upper layer information (ULI) to send, it can be encrypted by PTK(KCK, KEK or TK which key is better?). The STA construct a.11ai Association request which includes the following information. –aiCAP –ANonce –SNonce –NAI –ENC(ULI) Calculate and append MIC. MIC is calculated by following method. –Apply Hash function (i.e. SHA-1) to an appropriate part of the frame. –Apply HMAC-hash function or Michael to the result with PTK, KCK, KEK or TK. July 2011 Hitoshi Morioka, ROOT INC.Slide 9 STA AP Assoc. Req. (aiCAP, ANonce, SNonce, NAI, ENC(ULI), MIC) Beacon (ANonce, aiCAP) Probe Req. Probe Resp. (ANonce, aiCAP)

10 doc.: IEEE 802.11-11/0976r3 Submission Authentication by AP If the AP receives association request with aiCAP, the AP recognizes the STA requesting.11ai association. The AP checks following information. –ANonce: Search the ANonce list recorded. If the same ANonce is found, it’s success. –NAI: Search user ID list. If the same user ID is found, it’s success and retrieve PMK for the user. Now the AP has all of required information to calculate PTK. The AP calculate it. The AP calculates and compares the MIC with PTK or key derived from PTK. If they matches, the authentication successes. If encrypted ULI is included, the AP decrypts it and process it. (Don’t defined how to do yet.) July 2011 Hitoshi Morioka, ROOT INC.Slide 10 STA AP Assoc. Req. (aiCAP, ANonce, SNonce, NAI, ENC(ULI), MIC) PTK shared

11 doc.: IEEE 802.11-11/0976r3 Submission.11ai Association Response The AP assigns an AID to the STA. –It means AID is assigned only after successful authentication. The AP constructs.11ai association response including the following information and transmits to the STA. –aiCAP –ANonce: included in the association request. –Lifetime: PTK lifetime. –GTK: Derived by existing method and encrypted by using PTK, KCK, KEK or TK. –ULI: If available at that time. It can be encrypted. If need more time to response, set “send you later” indicator in ULI. –MIC July 2011 Hitoshi Morioka, ROOT INC.Slide 11 STA AP Assoc. Resp. (aiCAP, ANonce, Lifetime, ENC(GTK, [ULI]), MIC)

12 doc.: IEEE 802.11-11/0976r3 Submission Authentication by STA The AP checks the following information. –ANonce: Identify the request to which the response correspond. –MIC If the MIC matches, the authentication successes. Decrypt GTK and install. If available, decrypt ULI and process. Authentication and Association have been completed. Data frames are encrypted by CCMP. July 2011 Hitoshi Morioka, ROOT INC.Slide 12 STA AP Assoc. Resp. (aiCAP, ANonce, Lifetime, ENC(GTK, [ULI]), MIC) Authentication, Key sharing, Association complete CCMP for data frames Authentication, Key sharing, Association complete CCMP for data frames

13 doc.: IEEE 802.11-11/0976r3 Submission non-.11ai (legacy) STA and.11ai AP Non-.11ai STA will ignore aiCAP and other.11ai specific IEs. The STA just transmits legacy Authentication frame to the AP. The AP can recognize the STA intends to connect by legacy method by receiving legacy Authentication frame. The AP accommodates the STA as legacy device. July 2011 Hitoshi Morioka, ROOT INC.Slide 13

14 doc.: IEEE 802.11-11/0976r3 Submission.11ai STA and non-.11ai (legacy) AP.11ai STA can recognize the AP does not support.11ai by no aiCAP in beacon or probe response. The STA will connect to the AP by legacy method or search other AP. July 2011 Hitoshi Morioka, ROOT INC.Slide 14

15 doc.: IEEE 802.11-11/0976r3 Submission Current State Machine (IEEE802.11-2007) July 2011 Hitoshi Morioka, ROOT INC.Slide 15 NOTE 3—IEEE 802.11 Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE 802.11 state machine (see 11.3). (8.4.1.2.1 b)) NOTE 3—IEEE 802.11 Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE 802.11 state machine (see 11.3). (8.4.1.2.1 b))

16 doc.: IEEE 802.11-11/0976r3 Submission TGai State Machine In real implementation –STA: Skip transmitting Auth Req. –AP: Process Open System authentication and association sequentially. –These modifications are very small. –And can coexist with legacy system (state machine). –We tried to implement on NetBSD, Linux and Android. July 2011 Hitoshi Morioka, ROOT INC.Slide 16 Successful.11ai Association or Reassociation Successful.11ai Association or Reassociation

17 doc.: IEEE 802.11-11/0976r3 Submission Protocol Features 1.5 round-trip frame exchange to complete authentication and PTK/GTK setup. Mutual Authentication between AP and STA –Both AP and STA check MIC in the Assoc frame. –MIC is calculated by using PTK or a key derived from PTK. –So they can authenticate mutually. PTK never on-the-air –PTK is calculated by STA and AP separately. –So PTK is never on-the-air. Early PTK share –PTK can be shared after the AP received Assoc. Request. –So some information, GTK, upper layer information, can be encrypted even in the Assoc. Request. July 2011 Hitoshi Morioka, ROOT INC.Slide 17

18 doc.: IEEE 802.11-11/0976r3 Submission Comparison with.11i.11iThis Protocol AuthenticationVary (Depend on EAP method) MIC in Assoc. frames. Depend on MIC hash function strength. Clear text on-the-air for key sharing ANonce, SNonce, AA, SPA  Key hierarchy8.5.1 in IEEE802.11-2007  AID assignmentBefore authenticationAfter authentication Upper Layer Resource assignment After authentication Encrypted  Data Frame EncryptionCCMP  July 2011 Hitoshi Morioka, ROOT INC.Slide 18

19 doc.: IEEE 802.11-11/0976r3 Submission EAPOL-Key Message 4 Key negotiation of this protocol is very similar to.11i. But no message which corresponding to EPAOL-Key message 4. Message 4 is just for confirmation that correct PTK is installed. In our protocol, PTK is already checked before transmitting Assoc. resp. If it does not match, the authentication fails. And the AP can confirm that the STA received Assoc. resp. or not by ACK frame because Assoc. resp. is an unicast frame. July 2011 Hitoshi Morioka, ROOT INC.Slide 19 STA AP EAPOL-Key 1 (ANonce) EAPOL-Key 2 (SNonce, MIC) EAPOL-Key 3 (ANonce, GTK, MIC) EAPOL-Key 4 (MIC) STA AP Beacon/Probe resp. (ANonce).11ai Assoc req. (ANonce, SNonce, MIC).11ai Assoc resp. (ANonce, GTK, MIC).11i This Protocol ACK

20 doc.: IEEE 802.11-11/0976r3 Submission Security Consideration Major Attacks –Replay Attack –Fake AP Security Strength –Authentication strength of this protocol depends on the strength of hash function. July 2011 Hitoshi Morioka, ROOT INC.Slide 20

21 doc.: IEEE 802.11-11/0976r3 Submission Replay Attack Malicious STA with different MAC address with correct STA. –The authentication fails because of MIC mismatch. Malicious STA with the same MAC address with correct STA. –Replay long time after the correct association request. The authentication fails because the ANonce has been expired. –Replay immediately after the correct association request. The malicious STA may receive the same frame as the correct STA. But the PTK is not included and the GTK is encrypted by PTK. The malicious STA don’t know the PTK. It cannot get any keys. Actually, the malicious STA don’t need to transmit replay association request. The information he can get is as same as just sniffing. July 2011 Hitoshi Morioka, ROOT INC.Slide 21

22 doc.: IEEE 802.11-11/0976r3 Submission Fake AP Fake APs can not know the correct PTK and, of course, PMK. PTKs are never on-the-air. If a fake AP transmits a fake association response to a correct STA corresponding to a correct association request, the authentication by the STA fails because of the MIC mismatch. The STA will retry or search other AP. July 2011 Hitoshi Morioka, ROOT INC.Slide 22

23 doc.: IEEE 802.11-11/0976r3 Submission Enterprise Network Model We’re so sorry but we didn’t have enough time to revise the slides for enterprise network. The old slides may make you confusing. So we deleted these slides. We’ll revise them ASAP and show in teleconferences and September session. July 2011 Hitoshi Morioka, ROOT INC.Slide 23

24 doc.: IEEE 802.11-11/0976r3 Submission Questions & Comments July 2011 Hitoshi Morioka, ROOT INC.Slide 24

Download ppt "Doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-22 Authors: NameAffiliationsAddressPhoneemail."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-11/1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1

Doc.: IEEE /1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1
Doc.: IEEE 802.11-11/1160r2 Submission NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Hemanth Sampath Qualcomm 5775 Morehouse Dr, San.

Doc.: IEEE /1160r2 Submission NameAffiliationsAddressPhone George Cherian Santosh Abraham Hemanth Sampath Qualcomm 5775 Morehouse Dr, San.
Doc.: IEEE 802.11-11/0119r00 Submission January 2011 Marc Emmelmann, Fraunhofer FokusSlide 1 Requirements for FILS Submissions coming from PAR & 5C Date:

Doc.: IEEE /0119r00 Submission January 2011 Marc Emmelmann, Fraunhofer FokusSlide 1 Requirements for FILS Submissions coming from PAR & 5C Date:
Doc.: IEEE 802.11-12/0032r0 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0032r0 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-11/1436r0 Submission NameAffiliationsAddressPhoneemail Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1436r0 Submission NameAffiliationsAddressPhone Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Doc.: IEEE 802.11-11/0780r1 Submission NameAffiliationsAddressPhoneemail Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.

Doc.: IEEE /0780r1 Submission NameAffiliationsAddressPhone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.
Doc.: IEEE 802.11-12/0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: 2012-05-04 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: Authors: NameAffiliationsAddressPhone .
TGai FILS Authentication Protocol

TGai FILS Authentication Protocol
Doc.: IEEE 802.11-11/1498-01-00ai Submission NameAffiliationsAddressPhoneemail Phillip BarberHuawei Technologies Co., Ltd. 1700 Alma Rd, Ste 500 Plano,

Doc.: IEEE / ai Submission NameAffiliationsAddressPhone Phillip BarberHuawei Technologies Co., Ltd Alma Rd, Ste 500 Plano,
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/0976r0 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r0 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/0550 Submission NameAffiliationsAddressPhone Kiseon RyuLG Electronics10225 Willow Creek Rd, San Diego, CA, 92131, USA +1

Doc.: IEEE /0550 Submission NameAffiliationsAddressPhone Kiseon RyuLG Electronics10225 Willow Creek Rd, San Diego, CA, 92131, USA +1
Doc.: IEEE 802.11-12/933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: 2012-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/1042r3 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,

Doc.: IEEE /1042r3 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,
Doc.: IEEE 802.11-12/1042 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,

Doc.: IEEE /1042 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,
Doc.: IEEE 802.11-12/0039r0 Submission NameAffiliationsAddressPhoneemail Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.

Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE 802.11-12/1054r0 Submission Sep. 2012 Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: 2012-09-07 Authors:

Doc.: IEEE /1054r0 Submission Sep Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: Authors:
Submission doc.: IEEE 802.11-11/1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:

Similar presentations

Ads by Google