1 / 16

Fast Roaming Compromise Proposal

Fast Roaming Compromise Proposal. Tim Moore, Microsoft Keith Amann, Spectralink Nancy Cam-Winget, Cisco Jesse Walker, Intel. Standard Draft Open auth request/response Associate request/response Message 1/2 Message 3/4 Group update/Ack Total = 5 exchanges. Roaming Proposal

sanaa
Download Presentation

Fast Roaming Compromise Proposal

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fast Roaming Compromise Proposal Tim Moore, Microsoft Keith Amann, Spectralink Nancy Cam-Winget, Cisco Jesse Walker, Intel Cam-Winget et. al.

  2. Standard Draft Open auth request/response Associate request/response Message 1/2 Message 3/4 Group update/Ack Total = 5 exchanges Roaming Proposal Open Auth request/response Associate request (includes standard draft message 1 & 3) /Associate response (includes standard draft message 2 and group update) Message 3,Group Ack Total = 2½ exchanges Comparisons Cam-Winget et. al.

  3. Comparison(2) • Send GTK during PTK exchange • Removes 1 round-trip • Merge part of key exchange into re-associate request/response • Removes 1 round-trip • PTK uniqueness is obtained from Counter-mode not from nonce mixing; also use random liveness • Removes 1/2 round-trip • Key hierarchy changes • Allows pre-computing the PTK at station • Removes 3 or 4 HMAC-SHA1 from message 1->2 and 2->3 processing • PRF-512(HMAC-SHA1) ~ 844us on 125MHz • Requires fresh, named PMKs per station and AS pair • Removes need for 802.1X authentication on roaming • Current PSK can’t use fast keying key hierarchy • PTK exchange in management messages • Pre-load TK keys • Removes race condition of loading TKs that 4-way/group key works around Cam-Winget et. al.

  4. Possible changes to current draft • Modification to send GTK during PTK exchange • Removes 1 exchange • Allow GTK optionally in message 3 • Use 2 octets of reserved field for GTK length • Add encrypted GTK to end of data field if GTK length is non zero • Overload Associate request/response with Message1/2 • Does require changing the Nonces to Random numbers • Removes 1 exchange • Replace PRF using HMAC-SHA1 with AES-CBC-MAC • Reduces time for PRF, especially if AES in hardware • Add PMK identifier to RSNIE to enable PMK caching • Removes the need for 802.1X authentication on roaming • Doesn’t assume fresh PMK • Supports current PSK • Total changes: 5 exchanges -> 3 exchanges Cam-Winget et. al.

  5. Missing features • PRF changes reduces pre-compute need but doesn’t remove it • Can’t remove ½ round trip • Doesn’t solves sync problem of plumbing keys Cam-Winget et. al.

  6. New Proposal • Use new scheme to define MKID based on first PMK • Use PMK delivered by AS as the base roaming key to generate AP unique pairwise master keys • Use 802.1X EAPOL-Key message as the reassociation confirm (3rd message) • Include the MKID in the RSN IE as an optional field Cam-Winget et. al.

  7. Fast Roaming Key Hierarchy MS-MPPE( PMK-EAP ) MKID = AES-Encrypt(PMK-EAP, 0) Default Key Hierarchy Roaming Key Hierarchy (RKH) Unspecified means for generating AP unique PMK’s Base Roam Key (BRK) = PMK-EAP Pairwise Master Key (PMK) = PMK-EAP Current radius derivation Pairwise Master Key Roaming (PMK-R) = Roaming-PRF (BRK, “fast roaming PMK” | MKID | STA MAC Addr | BSSID) PTK-R = Roaming-PRF(PMK-R, “fast roaming PTK” | new BSSID | Counter) PTK = Current PTK derivation Key Management Integrity Key – KMIK bits 0–127 Key Management Encryption Key – KMEK bits 128–255 Temporal Key – PTK bits 256–n – can have cipher-suite-specific structure Cam-Winget et. al.

  8. Fast Roaming Key Hierarchy (3) Algorithm Roaming-PRF Input: Key K, Label L, Nonce N, Output Length OL Output:OL-octet string Out Out = “” fori = 1 to (OL+15)/16 do Out = Out | AES-CBC-MAC(K, L | N | i | OL) return first OL octets out of Out Cam-Winget et. al.

  9. Fast Roam negotiation Cam-Winget et. al.

  10. PMK-R, PMKIDSTA, Counter1 PMK-R, PMKIDAP, Counter2 Re-assoc Resp (RSN IE, {Fast-Rekey IE(Counter2, Arand, RSC, EKMEK(GTK), MIC)}) EAPOL-Key( Arand, MIC) Install TK Counter2 = Counter1 Install TK AP Rekeying Re-association STA Counter1 = Counter1 + 1, PTK-R = KMIK|KMEK | TK = Roaming-PRF() Re-assoc Req (RSN IE(AKM=RKH, {PMKIDSTA}), {Fast-Rekey IE(Counter1 , Srand)}) if MKIDSTA == MKIDAP if (AKM=RKH and Counter1 > Counter2) then KMIK|KMEK | TK = Roaming-PRF() else initiate 4-way handshake else initiate 802.1X Cam-Winget et. al.

  11. Rekeying Reassociations (1): MICs • GTK encryption Algorithm: AES Key Wrapping (RFC 3394) • Pad with 16bytes of zeroes for CCMP • Reassociation Request MIC: HMAC-SHA1-64(KMIK, RSNIESTA | Fast Rekey IE sans MIC) • Reassociation Response MIC: HMAC-SHA1-64(KMIK, Srand | RSNIEAP | Fast Rekey IE sans MIC) • Reassociation Confirm is now an EAPOL-Key message echoing ARand in the message and protected using the EAPOL-Key conventions Cam-Winget et. al.

  12. Rekeying Reassociations (2): Fast-Roaming IE Cam-Winget et. al.

  13. Cam-Winget et. al.

  14. MKID as optional field in RSN IE Cam-Winget et. al.

  15. Feedback? Cam-Winget et. al.

  16. Initial Association AS STA AP 802.11 Open Authentication Association Req + RSN IE Association Response (success) EAP type specific mutual authentication AKM is relayed to AS using same back-end protocol (e.g. Radius attribute) Derive Pairwise Master Key (PMK1) Derive Pairwise Master Key (PMK1) Access ACCEPT (PMK1) 802.1X/EAP-SUCCESS 4-way handshake Group Key Install TK Install TK Cam-Winget et. al.

More Related