Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.

Published bySilvester Ray Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems."— Presentation transcript:

1 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems Inc Emily H. Qi and Jesse Walker, Intel Corporation

2 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 2 Where we are so far… Existing Standard & Proposals: –Pre-authentication + 4-Way Handshake at Reassociation (802.11i) –Pre-keying (04/476) –Tentative association (04/606) Existing Proposal Problems –Pre-authentication + 4-Way Handshake at Reassociation is not fast Otherwise 802.11r would not exist –Pre-keying and Tentative association incomplete 802.11i replay protection tied to key freshness and peer liveness So far, both have failed to explain how they will obtain these Reservation introduces a novel DoS attack against network resources Proposals must explain how to protect against these novel DoS attacks, because PAR says 802.11r can’t make security worse

3 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 3 4-Way Handshake Observations 4-Way Handshake overloads ANonce, SNonce to perform two functions: –They must be different on each 4-Way Handshake to provide key separation (“fresh” keys) –They must be unpredictable to prove liveness, so are specified as random Making nonces serve both functions serializes PTK derivation with 4-Way Handshake execution –Infeasible for STA to pre-compute PTK, because ANonce must be unpredictable

4 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 4 Proposal Pre-compute PTK on the STA prior to Re-Association Establish security associations liveness and GTK at reassociation time –Not after, as 802.11i does today –Not before, as pre-keying and tentative association propose Apply updates to the 802.11i 4-Way Handshake to allow it to meet requirements: –Eliminate 4-Way Handshake Msg 1 by making ANonce predictable for AP-to-AP transition –Embed 4-Way Handshake Msg 2 in Reassociation Request –Embed 4-Way Handshake Msg 3 in Reassociation Response –Add AP-Challenge to 4-Way Handshake Msgs 3 and 4, to prove STA liveness to AP –Don’t change the 802.11i key hierarchy

5 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 5 Optimized Re-Association with 4-way Supplicant Client Authenticator AP Reassociate Request( 802.1X 4-way Message #2) Reassociate Response( 802.1X 4-way Message #3) Client determines new AP for roam, increments ANONCE Generates new PTK i, Generate 802.1X Optimized 4-way Message #2 AP validates ANONCE Generates new PTK validate 802.1X 4-way Message #2 Generate 802.1X Optimized 4-way Message #3 Client and AP can now protect 802.1X and 802.11 packets 802.1X 4-way Message #4 Client validates Message #3 (process flows same as TGi)

6 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 6 Optimized 4-way Handshake Use of 4-way Handshake as on associations defined in 802.11i: –SNonce and ANonce remain unpredictable and random On Roam use Optimized 4-way Handshake: –ANonce becomes an incrementing counter in reassociations, used as replay protector against rekeys triggered either by IV exhaustion or roams –4-way Message #1 is not used in the optimized 4-way handshake –Reassociation Request includes optimized Message # 2 –Message #2 conveys ANonce and PMKID STA used to generate the PTK –AP validates ANonce from STA to ensure it is not a replay –Reassociation Response includes optimized Message # 3 –Optimized Message #4 flows as defined in 802.11i –Uses PMK cacheing and established PMKID to kickstart optimized 4-way handshake ANonce is bound to STA, BSSID and PMKID Proposal enables 802.11i 4-way and Optimized 4-way handshakes to co-exist

7 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 7 Two new KDE’s ANonce in Message 2 is conveyed as KDE AP-Challenge to ensure STA liveness proof to AP

8 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 8 4-way Handshake Optimized Message 2 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) SNonce (32 octets) Key MIC (16 octets) Key Data Length (2 octets)RSN IE, PMKID, ANonce

9 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 9 4-way Handshake Optimized Message 3 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) ANonce (32 octets) Key MIC (16 octets) Key Data Length (2 octets)RSN IE, GTK, AP-Challenge

10 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 10 4-way Handshake Optimized Message 4 Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) Key MIC (16 octets) Key Data Length (2 octets)AP-Challenge

11 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 11 Inserting 802.1X in 802.11 802.1X EAPOL Key Frame (Message 2 and 3) are embedded into Reassociation Request and Response in new IE Element IDLengthData TBD802.1X packet length 802.1X EAPOL Key frame

12 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 12 Optimizations enable Reuse of TGi Compression of exchanges reduce latencies Enables the STA to precompute PTK prior to association (to minimize time spent during association) Enables the STA to plumb PTK prior to reassociation….fixes race conditions in 4-way handshake

13 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 13 Questions?

14 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 14 Backup slides

15 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 15 EAPOL Message FieldMessage 1Message 2Message 3Message 4 Key InformationVersionV1 or v2 Key Type1111 Install0010 Key ACK1010 Key MIC0111 Secure0011 Error0000 Request0000 ENC Key Data 0010 Key LengthCipher spec0 0 Key Replay Counternnn+1 Key NonceANonceSNonceANonce0 Key IV000 if v2 Random v1 0 Key RSC00GTK’s PN0 Key MIC0MIC 0 Key Data Length22Len-2Len-30 Key DataPMKIDRSNIE STA RSNIE AP, GTK0 802.11i 4-way Handshake Message values

16 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 16 EAPOL Message FieldMessage 1Message 2Message 3Message 4 Key Information VersionNot Used on Reassociation V1 or v2 Key Type111 Install110 Key ACK010 Key MIC111 Secure011 Error000 Request000 ENC Key Data010 Key Length0Cipher spec0 Key Replay Counternn+1 Key NonceSNonceANonce0 Key IV00 if v2 Random v1 0 Key RSC0GTK’s PN0 Key MICMIC 0 Key Data Length62RSNIE AP + GTK len0 Key DataRSNIE STA, PMKID, ANonce RSNIE AP, GTK, AP-Challenge Optimized 802.11i 4-way Handshake Message values

17 doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 17 EAPOL Key Frame Format Key Descriptor Type (1 octet) Key Information (2 octets)Key Length (2 octets) Key Replay Counter (8 octets) Key Nonce (32 octets) Key IV (16 octets) Key RSC (8 octets) Reserved (8 octets) Key MIC (16 octets) Key Data Length (2 octets)Key Data (n octets)

Download ppt "Doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Submission doc.: IEEE 802.11-12/0789r3 NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,

Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Doc.: IEEE 802.11-10/0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date: 2010-01-07.

Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
Doc.: IEEE 802.11-10/0560r0 Submission May 2010 Ashish Shukla, MarvellSlide 1 TDLS TPK Handshake Date: 2010-05-15 Authors:

Doc.: IEEE /0560r0 Submission May 2010 Ashish Shukla, MarvellSlide 1 TDLS TPK Handshake Date: Authors:
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
TGai FILS Authentication Protocol

TGai FILS Authentication Protocol
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004.

Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.

Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho

IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE 802.11-12/0039r0 Submission NameAffiliationsAddressPhoneemail Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.

Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE 802.11-04/1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE 802.11-04/0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE 802.11-06/0566r1 Submission May 2006 Sood, Walker, Cam-Winget, CalhounSlide 1 TGr Security Architecture Notice: This document has been prepared.

Doc.: IEEE /0566r1 Submission May 2006 Sood, Walker, Cam-Winget, CalhounSlide 1 TGr Security Architecture Notice: This document has been prepared.

Similar presentations

Ads by Google