Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Published byBrent Bowdle Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins."— Presentation transcript:

1 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins

2 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 2 Roaming in 3.0 Section 8.4.1 describes 2 schemes for roaming: –If the AP supports pre-authentication the STA is expected to pre-authenticate prior to roaming. –If the AP does not support pre-authentication the STA is forced to go through a complete 802.1X authentication.

3 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 3 Roaming in 3.0 Section 8.4.6 (3): “When a STA (re)associates with an AP without a (recent enough) pre- authentication, the AP has no cryptographic keys configured for the STA. In this case, the AP’s Authenticator will force a full 802.1X authentication.”

4 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 4 Roaming in 3.0 Problems with this “either-or” approach: A STA can only pre-authenticate with APs it notices during its MLME-SCAN. Depending on how often MLME-SCAN is done a moderately mobile user may move faster than she can pre-authenticate. Unless there is a sufficient amount of coverage overlap everywhere pre-authentication may not be possible. Pre-authentication necessarily creates more security associations than needed. Could be problematic in a large, mobile environment.

5 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 5 A Third Way It is possible for the AP to have the cryptographic keys (for example a derivative of the MK) for the STA when it roams. There are proposals to do this but it’s not necessary to constrain solutions. Unfortunately, 802.11i/D3.0 does not mention any way to take advantage of this!

6 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 6 The Third Way The AP obtains a secret from the AS in a manner outside the scope of this PAR. The AS and supplicant derive the secret to use (derivative of [P]MK or the next secret in a series) but the exact derivation is outside the scope of this PAR. This secret is used for authentication and key derivation in the same way that the PMK is used for initial association.

7 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 7 The Third Way On (re)association the STA requests re- authentication by setting the in RSN Capabilities bitfield in the RSN Information Element. This indicates “I have the secret and want to use it for fast re-authentication” supports pre-authentication supports re-authentication Bit 0 Bit 1 Bit 2 Bits 3-15 1=yes 0=no reserved supports pairwise keys 1=yes 0=no 1=yes 0=no

8 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 8 The Third Way If the AP does not support re-authentication, does not have the secret, or does not wish to perform re- authentication it responds with an EAP request and a full 802.1X authentication is performed. If the AP supports re-authentication and has the secret it responds with the first message of the 4- way handshake using the secret as the PMK. The client and AP finish the 4-way handshake and create a new key hierarchy.

9 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 9 The Third Way Security association, including session keys bound to the MAC addresses of the “new AP” and STA, is created. If the 4 way handshake fails the STA must disassociate (or be forced to disassociate) from the “new AP”.

10 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 10 Benefits of Re-Authentication No interoperability impact on existing deployed base. –An AP which does not support “re- authentication” is required to ignore the “re- authentication” bit so the assumption from 8.4.6 (3) stands. –By not setting the “re-authentication” bit in the RSNE a client that does not support “re- authentication” will merely do a full 802.1X authentication with an AP which does.

11 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 11 Benefits of Re-Authentication Agnostic on the particular cryptographic transfer protocol –Just as we leave the particulars of EAP to the client and AS, we should leave the particulars of how the cryptographic context is transferred to the client and AS. –Able to use any method going forward without having to rev this standard.

12 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 12 Benefits of Re-Authentication No security issues: –Proof of possession of the secret authenticates the STA to the AP under the identity retrieved from the cryptographic context transfer protocol. –Proof of possession of the secret authenticates the AP to the STA as part of a trusted system. –All of the security requirements are on the cryptographic context transfer protocol and the devices that speak it to make up the trusted system. Limited forward secrecy could be provided! Addresses comments 270, 1537, 2069 …

13 doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 13 Proposed: Add support for “re-authentication” to 3.0: Description of “re-authentication” as a 3rd scheme in 8.4.1 New section 8.4.6.2 to define “re- authentication” Modify the Informative analysis of 8.5.3.11 Modify the RSNE in section 7.3.2.17 and accompanying text

Download ppt "Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins."

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: The Role of a Media Independent Authenticator Date Submitted: December 30, 2009.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: The Role of a Media Independent Authenticator Date Submitted: December 30, 2009.
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
Doc.: IEEE 802.11-03/080r0A Submission January 2003 Black/Kasslin/Sinivaara, NokiaSlide 1 A Framework for RRM Simon Black, Mika Kasslin, Hasse Sinivaara.

Doc.: IEEE /080r0A Submission January 2003 Black/Kasslin/Sinivaara, NokiaSlide 1 A Framework for RRM Simon Black, Mika Kasslin, Hasse Sinivaara.
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.

Doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.

IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Submission doc.: IEEE 11-12/0553r0 May 2012 Jarkko Kneckt, NokiaSlide 1 Response Criteria of Probe Request Date: 2012-05-04 Authors:

Submission doc.: IEEE 11-12/0553r0 May 2012 Jarkko Kneckt, NokiaSlide 1 Response Criteria of Probe Request Date: Authors:
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Doc.: IEEE 802.11-10/0259r02 Submission Date: 2010-03-15 802.11ad New Technique Proposal March 2010 Yuichi Morioka, Sony CorporationSlide 1 Authors:

Doc.: IEEE /0259r02 Submission Date: ad New Technique Proposal March 2010 Yuichi Morioka, Sony CorporationSlide 1 Authors:
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-10/1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.

Doc.: IEEE /1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.
Doc.: IEEE 802.11-03/688r0 Submission September 2003 Stephen McCann, Siemens Roke ManorSlide 1 Interworking Update II Stephen McCann, Siemens Roke Manor.

Doc.: IEEE /688r0 Submission September 2003 Stephen McCann, Siemens Roke ManorSlide 1 Interworking Update II Stephen McCann, Siemens Roke Manor.
Doc.: IEEE 802.11-08/0578r0 Submission 2008 May Jarkko Kneckt, NokiaSlide 1 Forwarding in mesh containing MPs in power save Date: 2008-05-12 Authors:

Doc.: IEEE /0578r0 Submission 2008 May Jarkko Kneckt, NokiaSlide 1 Forwarding in mesh containing MPs in power save Date: Authors:
Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:

Similar presentations

Ads by Google