FILS Association
Authors: Robert Stacey, Apple
Date: 2012-03-09
Overview

Current:
• Discovery
  • Passive scanning
  • Active scanning
  • Device & service discovery
• Authentication
• Association
• 802.1X Authentication
• Key distribution - 4-way handshake
• Higher layer setup
  • DHCP
  • ARP

FILS:
• Discovery
  • Passive scanning
  • Active scanning
  • Device & service discovery
• Simplified association
• 802.1X Authentication
• Key distribution - 3-way handshake
• Higher layer setup
  • DHCP
  • ARP
Proposal

• Associate using 3-way handshake
  • Plus full 802.1X authentication when needed
• Association includes pairwise and group key distribution when needed
• Association includes block ack parameter handshake
• This presentation does not address the piggybacking of higher layer setup on association messaging
FILS: Open authentication

Association handshake:
• Capability exchange
• Block ack parameter exchange
• Reduces legacy exchange from 8 to 3 messages (assuming bidirectional block ack setup)
FILS: PSK/PMKSA caching

• Association Request:
  • STA sends fresh SNonce
• Association Response:
  • AP selects cipher suite
  • AP sends fresh ANonce
  • Carries encrypted GTK
• Association Confirm:
  • Client confirms association
• Reduces exchange from 16 to 3 (assuming bidirectional block ack setup)
FILS: Full 802.1X authentication

• Association Request:
  • Carries implicit EAP start; triggers authentication exchange
  • STA sends SNonce
• 802.1X exchange
• Association Response:
  • EAP success
  • AP sends ANonce + encrypted GTK
• Association Confirm
• Small speedup due to reduced messaging (removes 9 messages); latency dominated by 802.1X exchange
FILS and Fast BSS transition

• Reduce FT protocol to a 3-way handshake (instead of 4-way handshake)
• GTK, IGTK are transferred in Association Response
• RIC-Request/Response in FT protocol deprecated (block ack exchange included in association exchange)
• Reduces exchange from 6 to 3 messages (assuming bidirectional block ack setup)
Why have an Association Confirm?

• Removes race condition with key plumbing
  • Authenticator plumbs key prior to sending Association Response
  • Supplicant plumbs key on receiving Association Response and prior to sending Association Confirm
  • Without the confirm, the AP does not know when the STA has plumbed the keys
• Provides a response to AP's block ack setup request
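The PSK/PMKSA-caching 3-way exchange and the key-plumbing order argued for on this slide, as an added Python model that is not part of the deck or of any 802.11ai draft text. The KDF, MIC and key wrap are stand-ins (HMAC-SHA256 and an XOR keystream, not the 802.11 PRF or AES Key Wrap), and the PMK, GTK and message field names are constructed; what the model shows is the ordering: the AP installs the TK before sending the Response, the STA installs before sending the Confirm, and the Confirm's MIC is what tells the AP the STA holds matching keys.

```python
import hashlib, hmac, os

def derive_ptk(pmk, anonce, snonce):
    """KCK||KEK||TK from PMK and both nonces. HMAC-SHA256 counter mode is a
    stand-in for the 802.11 PRF; the real 802.11ai KDF and labels differ."""
    out = b"".join(hmac.new(pmk, bytes([i]) + anonce + snonce, hashlib.sha256).digest()
                   for i in (1, 2))
    return out[:16], out[16:32], out[32:48]        # KCK, KEK, TK

def wrap(kek, key):
    # toy key wrap (XOR with an HMAC keystream, <=32 bytes); real APs use AES Key Wrap
    ks = hmac.new(kek, b"gtk-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, ks))

def mic(kck, *fields):
    return hmac.new(kck, b"|".join(fields), hashlib.sha256).digest()[:16]

class AP:
    def __init__(self, pmk, gtk):
        self.pmk, self.gtk, self.tk, self.associated = pmk, gtk, None, False
    def on_assoc_request(self, req):
        anonce = os.urandom(32)                    # fresh ANonce per association
        self.kck, kek, self.tk = derive_ptk(self.pmk, anonce, req["snonce"])
        # TK is plumbed here, before the Response goes out (no key-plumbing race)
        egtk = wrap(kek, self.gtk)
        return {"cipher": b"CCMP", "anonce": anonce, "egtk": egtk,
                "mic": mic(self.kck, b"CCMP", anonce, egtk)}
    def on_assoc_confirm(self, confirm):
        # a valid Confirm MIC is the AP's evidence that the STA derived and plumbed the keys
        self.associated = hmac.compare_digest(confirm["mic"], mic(self.kck, b"confirm"))
        return self.associated

class STA:
    def __init__(self, pmk):
        self.pmk, self.tk, self.gtk = pmk, None, None
    def assoc_request(self):
        self.snonce = os.urandom(32)               # fresh SNonce per association
        return {"snonce": self.snonce}
    def on_assoc_response(self, resp):
        kck, kek, tk = derive_ptk(self.pmk, resp["anonce"], self.snonce)
        if not hmac.compare_digest(resp["mic"], mic(kck, resp["cipher"], resp["anonce"], resp["egtk"])):
            raise ValueError("Association Response MIC check failed (PMK mismatch?)")
        self.tk, self.gtk = tk, wrap(kek, resp["egtk"])   # plumb keys before sending Confirm
        return {"mic": mic(kck, b"confirm")}

def run_handshake(pmk, gtk, sta_pmk=None):
    """Run the three messages; True when the AP accepted the Confirm and keys match."""
    ap, sta = AP(pmk, gtk), STA(sta_pmk or pmk)
    confirm = sta.on_assoc_response(ap.on_assoc_request(sta.assoc_request()))  # msgs 1-2
    return ap.on_assoc_confirm(confirm) and ap.tk == sta.tk and sta.gtk == gtk   # msg 3
```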
Piggybacking higher layer frames

• It is possible to piggyback DHCP Discover or DHCP Request on Association Confirm
• Encapsulation is tricky (data frame with management frame)
• If encrypted, implementation difficulties with decryption at AP
  • Not part of the normal data path flow
  • Likely involves software decryption (vs hardware for data frame)
Spec framework text

• The draft specification shall support association using a 3-way handshake
• The association exchange shall support the following:
  • Capability exchange
  • Cipher negotiation
  • Pairwise and group key distribution
  • Bidirectional block ack setup