
Fast Security Setup



  1. Fast Security Setup. Authors: ZTE Corporation

  2. Abstract: This document proposes an approach for accelerating the security setup for FILS.

  3. Conformance w/ TGai PAR & 5C

  4. Background
     • 11/1160r4 has proposed that:
       • Use of optimized full EAP in 11/1047r6 when the EAP-RP context is not set up, or has expired;
       • Otherwise use EAP-RP based fast authentication in 11/1160r4.
     • Our comments:
       • It is a good idea to combine full EAP authentication with EAP re-authentication;
       • It could cover both the initial security setup case and the re-authentication case;
       • It could provide fast security setup effectively.

  5. Our Concern: 1
     • The EAP method authentication procedure is out of scope of IEEE 802.11.
     • In the full EAP procedure in 11/1160r4, messages 3, 4, 7 and 9 are EAP method specific. Why are they introduced in IEEE 802.11ai?
     • The FILS procedure should be independent of the EAP method specific procedure.

  6. Our Concern: 2
     • If DHCP lasts a long time and the STA doesn't receive the Association Response message within a pre-defined time, what should the STA do?
     • The STA can't know what the problem is. It doesn't know whether EAP authentication was successful or not, or whether the DHCP procedure was successful or not.
     • The STA can only retransmit the Association Request message, also carrying the EAP related message.
     [Figure callout: DHCP procedure lasts too long!]

  7. Our Concern: 2 (Cont.)
     • State Machine: Only after receiving the successful message 15 (Association Rsp) can the STA transition from NO Authentication Context to FULL-EAP-Session.
     • But actually, after step 12, authentication has finished successfully.
     • There is no need to wait for step 15, especially when there is something wrong with the DHCP procedure and too much time is wasted.
     • EAP authentication shall not be performed concurrently with the DHCP procedure!
     [Figure: State Machine in 11/1160r4]

  8. Proposal Introduction
     • EAP-based authentication is used. The specific method should be an implementation issue and is out of 802.11ai scope.
     • The 4-way handshake procedure is reduced to 1 round.
     • The key agreement procedure follows EAP authentication.
     • The EAP authentication procedure is performed separately from the DHCP procedure.
     • After successful EAP authentication, the STA can change to the FULL EAP session state. There is no need to wait for the DHCP message.

  9. 4-way/Group Key handshake messages reduction
     Original 4-way handshake followed by Group Key handshake (STA / AP):
       • AP: Generate ANonce
       • AP → STA: EAPOL-KEY(ANonce)
       • STA: Generate SNonce, derive PTK
       • STA → AP: EAPOL-KEY(SNonce, MIC1)
       • AP: derive PTK, verify MIC1
       • AP → STA: EAPOL-KEY(ANonce, MIC2)
       • STA: verify MIC2
       • STA → AP: EAPOL-KEY(MIC3)
       • AP: Generate GTK and GNonce
       • AP → STA: EAPOL-KEY(GNonce, GTK[KEK], MIC4)
       • STA: Decrypt GTK
       • STA → AP: EAPOL-KEY(MIC5)
     Proposed procedure (STA / AP):
       • STA: Generate SNonce
       • STA → AP: Auth(SNonce)
       • ….
       • AP: Generate ANonce and GTK, derive PTK
       • AP → STA: Auth(ANonce, GTK[KEK], MIC1)
       • STA: derive PTK, verify MIC1
       • STA → AP: Association Req (SNonce, MIC2)
       • AP: verify MIC2

  10. 4-way/Group Key handshake messages reduction
     • Original 4-way handshake:
       • 1st message: AP sends ANonce to STA;
       • 2nd message: STA generates SNonce, derives PTK, and sends SNonce and MIC1 to AP;
       • 3rd message: AP derives PTK, verifies MIC1 and sends MIC2 to STA;
       • 4th message: It serves no cryptographic purpose. It serves as an acknowledgment to Message 3.
     • Group Key handshake: 2 messages are used to transfer GTK.
     • Proposed key agreement procedure:
       • ANonce is transferred to AP in advance: the 1st message could be removed;
       • Only 2 messages are used to verify keys;
       • Group key handshake could be carried out in key agreement procedure concurrently: the 4th message could be avoided.

  11. Proposed Fast Security Setup Procedure

  12. State transition diagram: When the STA receives the Authentication message, it can enter State 2 (Authenticated and unassociated). State 3 is skipped!

  13. Conclusions
     • EAP-based authentication is unchanged and the specific EAP method is out of scope, as 802.11 has defined.
     • The DHCP procedure is independent of EAP authentication.
     • After successful EAP authentication, the STA can change to the FULL EAP session state. There is no need to wait for the DHCP message.
     • The key agreement procedure is independent of EAP authentication.
     • Key verification is performed after a successful EAP authentication.
     • The 4-way handshake procedure is reduced to 1 round.
     • The group key handshake is performed concurrently with key verification.

  14. Response to Questions

  15. Question 1: How to trigger Message 1?
     • Message 1 could be the Authentication message.
     • It could be triggered by receiving a Beacon or Probe Response.

  16. Question 2: SNONCE is sent to AP before EAP authentication. Is there any security problem?
     • In the current 802.11 RSNA, ANONCE and SNONCE are sent to STA without encryption protection. There is no risk, so there is no requirement for nonce encryption.
     • In both the current RSNA and 1426, one of the two nonces has no integrity protection. If either of the two nonces is tampered with, the keys generated by AP and STA respectively would be different, so the key verification would fail.
     • Even if SNONCE is sent to AP before authentication, it is used only after the successful authentication.

  17. Question 3: Key verification is reduced from 2 rounds to 1 round, and is triggered by AP. Is there any security problem, e.g., MITM attack?

  18. Question 3: Key verification is reduced from 2 rounds to 1 round, and is triggered by AP. Is there any security problem, e.g., MITM attack? (Cont.)
     • If there is a MITM attack, key agreement message 1 and message 2 cannot be successfully verified.
     • As the PTK includes the IEEE 802 MAC addresses of both STA and AP, MAC address tampering would result in key asynchronization between STA and AP, thus MIC verification would fail.

  19. Question 4: How to allocate an IPv6 address?

  20. Question 4: How to allocate an IPv6 address? (Cont.)

  21. Thanks!
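The answers to Questions 2 and 3 (slides 16 and 18) rest on the PTK binding both nonces and both MAC addresses, so a modified nonce or address makes MIC verification fail. The sketch below is an added example, not part of the presentation: it runs the three proposed messages using the IEEE 802.11 PRF (HMAC-SHA-1) for the PTK, and assumes an HMAC-SHA-1-128 MIC over a constructed message encoding, a constructed PMK and MAC addresses, and omits GTK wrapping.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: iterated HMAC-SHA-1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK binds both MAC addresses and both nonces; returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:]

def mic(kck: bytes, payload: bytes) -> bytes:
    # Assumption: MIC is HMAC-SHA-1 truncated to 128 bits over the message fields.
    return hmac.new(kck, payload, hashlib.sha1).digest()[:16]

def run_exchange(pmk, ap_mac, sta_mac, tamper_snonce=False, sta_sees_ap_mac=None):
    """Return (sta_accepts_mic1, ap_accepts_mic2) for the three proposed messages."""
    snonce = os.urandom(32)                       # STA -> AP: Auth(SNonce), unprotected
    snonce_at_ap = bytes([snonce[0] ^ 1]) + snonce[1:] if tamper_snonce else snonce
    anonce = os.urandom(32)                       # AP generates ANonce, derives PTK
    ap_kck, _, _ = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce_at_ap)
    mic1 = mic(ap_kck, b"msg2" + anonce)          # AP -> STA: Auth(ANonce, ..., MIC1)
    # STA derives its PTK from the AP address it believes it is talking to.
    sta_kck, _, _ = derive_ptk(pmk, sta_sees_ap_mac or ap_mac, sta_mac, anonce, snonce)
    sta_ok = hmac.compare_digest(mic1, mic(sta_kck, b"msg2" + anonce))
    if not sta_ok:
        return False, False                       # STA aborts, no Association Req sent
    mic2 = mic(sta_kck, b"msg3" + snonce)         # STA -> AP: Association Req(SNonce, MIC2)
    ap_ok = hmac.compare_digest(mic2, mic(ap_kck, b"msg3" + snonce))
    return sta_ok, ap_ok

# Constructed sample values (not from the presentation).
PMK = hashlib.sha256(b"constructed-pmk").digest()
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ROGUE_MAC = bytes.fromhex("0200000000ff")
```
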
