Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Published byTaylor Russo Modified over 10 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,"— Presentation transcript:

1 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins, Trapeze Networks

2 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 2 Principles of EAP Key Management Parties –EAP peer & authenticator/NAS may have one or more ports EAP peer may have multiple interfaces An EAP authenticator may have multiple ports –A dialup NAS may have multiple ports/phone lines –A wireless NAS may be comprised of multiple Access Points/BSSIDs Key management –EAP methods export MSK, EMSK –AAA-Key derived on the EAP peer and server, transported to the NAS –Transient Session Keys (TSKs) derived from the AAA-Key –AAA-Key, TSK lifetimes determined by the authenticator, on advice from the AAA server Session-Timeout attribute denotes maximum lifetime while the PMK is in use (e.g. time to reauthentication or PMK re-key) Session-Timeout does not describe the lifetime of the PMK prior to use (e.g. pre- authentication PMK lifetime) No attribute available to determine the PTK/GTK lifetime (e.g. time to session re-key) –Key lifetimes communicated by the AP to the peer via the lower layer

3 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 3 PEKM Principles Endpoints are the EAP Peer and Authenticator –An EAP authenticator may consist of multiple Access Points –Result of the PEKM exchange is binding of PTK to station MAC and AP BSSID addresses. Media Independence –PEKM frames can be encapsulated over multiple lower layers: 802.11 data and management frames Other IEEE 802 technologies: 802.16, 802.3, etc. Security –Compatible with the Housley Criteria (IETF 56) Algorithm negotiation Key naming No cascading vulnerabilities (no key sharing between authenticators) Compatible with EAP Channel Binding –Addresses known 802.11i issues First message protection Explicit Key Install/Delete operations Defined Key Scope Explicit Key lifetime negotiation (PMK, PTK) Group Key Symmetry (IBSS) Management frame protection State machine consistency (e.g. Link Up same in PEKM and 802.11-2003)

4 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 4 PEKM Features Station initiated exchange –Occurs prior to Association/Reassociation Low Latency –Three message exchange –First two messages off the critical path (e.g. STA can pre-key to new AP while associated to an existing AP) Compatible with IETF RFCs and work-in-progress –Not dependent on proprietary backend solutions –Key distribution based on RFC 3576 (Dynamic Authorization), RFC 3579 (RADIUS/EAP) –Key hierarchy based on EAP Key Management Framework (draft-ietf-eap-keying)

5 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 5 Discovery & EAP Overview Discovery phase –PEKM, NAS-Identifier IEs included by AP in the Beacon/Probe Response –PEKM IE identifies the AP as PEKM-capable, indicates capabilities –NAS-Identifier IE identifies the Authenticator An Authenticator can be comprised of multiple BSSIDs/AP Key cache is shared by all ports/BSSIDs within an Authenticator EAP authentication/AAA –EAP peer only initiates EAP with authenticator within whom it does not share a PMK cache entry –NAS-Identifier attribute sent by AAA client to AAA server –NAS-Identifier IE sent by AP to the STA –Result: Authenticator, EAP peer, AAA server all know NAS-Identifier attribute, can verify agreement via EAP Channel Bindings

6 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 6 PEKM: Parties & Identifiers STAs APs Authenticator/ AAA Client EAP Peer EAP/AAA Server Access-Request/ {EAP-Message, User-Name NAS-Identifier} Access-Accept/ AAA-Key Beacon/Probe Response NAS-Identifier IE EAP PEKM

7 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 7 PEKM Overview Functionality –PTK derivation, GTK transport (AP->STA in ESS, symmetric for IBSS) –Key scope identification (via NAS-Identifier) –Key Lifetime negotiation (PMK, PTK) –Capabilities negotiation (not just cryptographic algorithms) –Secure Association/Re-association messages Messages –PEKM Pre-Key PEKM Message 1: PTK-Request, encapsulated in 802.1X EAPOL-Key PEKM Message 2: PTK-Response, encapsulated in 802.1X EAPOL-Key –PEKM Management Frame Protection Association/Reassociation –PEKM Message 3 (PTK Install) embedded within Association/Reassociation PEKM Deauthenticate –PEKM PMK Delete operation embedded in Deauthenticate PEKM Disassociate –PEKM PTK Delete operation embedded in Disassociate

8 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 8 PEKM Exchange Supplicant Authenticator Key (PMK), SNonce, ANonce Known Key (PMK) is Known Derive PTK, Generate GTK Install PTK and GTK Message 1: EAPOL-Key(PTK-Derivation-Request) Message 2: EAPOL-Key(PTK-Derivation-Response) Message 3: Reassociation-Request(Install PTK & GTK, Unicast, MIC) Message 4: Reassociation-Response(Unicast, MIC) Derive PTK, Generate GTK (IBSS)

9 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 9 Details of PEKM Messages Message 1 (PTK-Derivation-Request): –{peer-id, nas-identifier, sta_mac, ap_bssid, snonce, anonce, ptk_lifetime_desired, pmk_lifetime_desired, [, encrypted GTK], capabilities}, {PMKID-1, MIC(PTK-1- KCK, peer-id to capabilities)}, {PMKID-2, MIC(PTK-2-KCK, peer-id to capabilities)} Message 2 (PTK-Derivation-Response): –{peer-id, nas-identifier, sta_mac, ap_bssid, anonce, snonce, Enc(PTK-X-KEK, GTK), ptk_lifetime, pmk_lifetime, capabilities}, {PMKID-X, MIC(PTK-X-KCK, peer-id to capabilities)} where X identifies the PMKID chosen from message 1. Message 3 (PTK-Install-Request, in Association/Reassociation-Request) –{MIC(PTK-X-KCK, peer-id to capabilities, Reassociation-Request)} Message 4 (PTK-Install-Request, in Association/Reassociation-Response) –{MIC(PTK-X-KCK, peer-id to capabilities, Reassociation-Request)}

10 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 10 PEKM Frame Format Next Payload | MjVer | MnVer | OpCode | Flags Message ID | Length Attributes OpCode PTK-Request PTK-Response PTK-Install-Request PTK-Install-Response PTK-Delete-Request PMK-Delete-Request Attributes SNonce ANonce Peer-Id NAS-Id STA_MAC AP_BSSID PTK_Lifetime PMK_Lifetime GTK MIC Capabilities PMKID

11 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 11 State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated EAP PMK Install PEKM PTK Install (In Reassociate) PEKM PTK Delete (In Disassociate) PEKM PMK Delete (In Deauthenticate) PEKM PTK/PMK Delete (In Deauthenticate) Class 1 Frames Class 1 & 2 Frames Class 1, 2 & 3 Frames State Machine

12 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 12 Make Before Break PEKM operations can be encapsulated within Data or Management Frames In order to enable PEKM-based management frame protection (Association/Reassociation, Deauthentication, Disassociation), need to be able to derive PTKs in any State: need make before break Data Frames –Sent in State 3: STA is authenticated, associated to an AP. PEKM frames can be sent over the DS to pre-establish PTK state. –Sent in State 1: STA is unauthenticated, unassociated. 802.1X frames (EAP + PEKM) sent over the WM with From DS, To DS = 0. Requirement –Support for 802.1X Class 1 data frames in ESS Potential alternative: In state 1, Encapsulation of EAP/PEKM within Authentication frames

13 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 13 PEKM Summary Clean, simple architecture –Authentication prior to Association –Full compliance with 802.11-2003 state machine Emphasis on correct operation –State machine consistency –Elimination of Race conditions –Endpoint naming –Explicit key install/delete operations –Compatibility with EAP Channel Binding Low latency –Two roundtrips: Only Reassociation Request/Response in critical path –Key lifetime negotiation, Key Scope Discovery minimize key cache misses Consistent with existing key establishment approaches –Pre-authentication –RADIUS/EAP and Diameter/EAP key transport

14 doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 14 Discussion

Download ppt "Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,"

Similar presentations

Doc.: IEEE 802.11-01/553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE 802.11 Tgi Tim Moore Bernard Aboba.

Doc.: IEEE /553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE 802.11-98/178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE 802.11e Security IEEE 802.11 Task Group.

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.

Doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.

IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1281r1 Submission NameAffiliationsAddressPhone Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Submission doc.: IEEE 802.11-12/0789r3 NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,

Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-11/1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1

Doc.: IEEE /1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1
Doc.: IEEE 802.11-08/1267r0 Submission November 2008 L. Chu Etc.Slide 1 Multiple Radio MP Date: 2008-11-04 Authors:

Doc.: IEEE /1267r0 Submission November 2008 L. Chu Etc.Slide 1 Multiple Radio MP Date: Authors:
Doc.: IEEE 802.11-08-0317r6 Submission July 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:

Doc.: IEEE r6 Submission July 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.

Similar presentations

Ads by Google