Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: 2010-03-08 Authors:

Published byBarry Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: 2010-03-08 Authors:"— Presentation transcript:

1 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: 2010-03-08 Authors:

2 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 2 Abstract This presentation provides an overview on how to clarify the use of PMK caching in our standard.

3 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 3 PMK Caching A way to avoid costly EAP authentications when a PMK already exists at the Authenticator of the AP to which a STA is attempting a BSS transition. Support is negotiated at (Re)Association time –Supplicant includes a list of PMKIDs in its (Re)Associate Request. –If Authenticator has a PMKSA identified by one of the PMKIDs EAP authentication is skipped. Robust –If a Supplicant wants to do it and an Authenticator does not then it’s just the same behavior as if the Supplicant never asked in the first place. –If the Supplicant doesn’t want to do it, it won’t happen –Either side controls its own cache and can “flush” it for any reason. –No extra messages if negotiation of PMK caching fails. –No loss of security if it succeeds or if it fails.

4 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 4 PMK Caching This is not a new feature to add to the standard! –PMK caching is already in the standard, it’s just poorly worded. –PMK caching is implemented– the laptop in front of you right now most likely supports it! –There are multiple, independent, and interoperable implementations of PMK caching. Existing support is in spite of, not due to, the way it is specified in our standard today. We need to clarify current behavior. –With high probability, someone should be able to make an interoperable implementation by just reading the standard.

5 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 5 PMK Caching Some vendors have no problems, others have problems. –Closely correlates to vendor presence in 802.11. Common questions include: –Do I used the same PMKID for different AAs or do I generate a new PMKID for each target AA? –How many PMKIDs do I include in a (Re)Association Request? The particular implementation of a PMKSA database is outside the scope of our standard. –We don’t need to impose requirements on implementation of the database. We need to clarify how to support PMK caching in our standard. –Describe what each side should expect of the other. –See 11-10/0209r0.

6 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 6 Traditional “fat” AP EAP AAA 4-Way HS data PMK AAA server Authenticator/AP

7 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 7 WLAN Controller and “thin” APs EAP AAA 4-Way HS data CAPWAP PMK AAA server Authenticaor AP

8 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 8 Clarification of PMK Caching A PMK SA can have multiple authenticator addresses, and therefore multiple PMKIDs. STA’s PMKSA is dynamically updated through ESS interaction –Using the Neighbor Report a STA can determine that another AP has the same Authenticator as the AP to which it is associated and compute a PMKID for its BSSID to avoid EAP when doing a BSS transition. –Alternately, a STA can opportunistically compute PMKIDs from valid PMKs and the target AP’s BSSID and hope that one of them is valid. If it works, great, a costly EAP exchanage has been avoided. If it doesn’t work, then the behavior is just like it would’ve been had the STA not tried in the first place– another EAP exchange. No loss of security! Authenticator PMKSA can be viewed statically –Authenticator adds PMKIDs for all its AAs at creation time

9 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 9 A motion! Instruct the editor to incorporate changes from submission 11-10/0209r0 into the draft and resolve CIDs 2098, 2099, 2100, and 2101.

10 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 10 Backup

11 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 11 Spurious Claims against PMK Caching IEEE 802.11-2007 prohibits using one PMK with different Authenticator addresses PMK caching voids security guarantees of the 4-Way Handshake in IEEE 802.11-2007 There is a “contract” between the AS and Supplicant to only use the PMK with a single AA. PMK caching violates NIST recommendations PMK caching violates IETF guidelines PMK caching is insecure

12 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 12 Prohibited by IEEE 802.11-2007 (Authenticator Can Have Only 1 Address) PMK caching was added by 802.11i –Original contribution specified a single bit to indicate support. One bit needed because no ambiguity about what PMK (only one per AA). –Subsequently changed to include a list of PMKIDs because ambiguity can arise– client is not aware of back-end topology and may repeatedly cross a controller boundary. It has to be able to send multiple PMKIDs. –The data structure used– a list– would be unnecessary if a PMK was bound to a single Authenticator address. It’s a list for a reason and the reason is to enable PMK caching! Neighbor Report includes a Key Scope bit –Indicates that “this BSSID [in the Neighbor Report] has the same authenticator as the AP sending the report.” –The standard explicitly says an authenticator can have multiple BSSIDs! Claim is incorrect!

13 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 13 Voids the Security Guarantees of 4-Way Handshake in IEEE 802.11-2007 Analysis of 4-Way Handshake in 8.5.3.7 says –Supplicant’s STA and the Authenticator’s STA are only entities that know the PMK –SPA is the Supplicant’s IEEE 802 address –AA is the Authenticator’s IEEE 802 address –Protocol assumes the AS delivers the correct PMK to the AP with 802 address AA. None of these things are voided by PMK caching regardless of which AA is used for a particular instance of the 4-Way Handshake. Even so, the 4-Way Handshake has been proven secure without the SPA and AA! They are not required for the security of the exchange. –C. He and J. Mitchell, Analysis of the 802.11i 4-Way Handshake states “[t]he MAC addresses of the authenticator and the supplicant do not appear to be necessary for the authentication process.” 4-Way Handshake provides proof-of-possession of the PMK. That doesn’t change if different Authenticator addresses are used with different 4-Way Handshakes. The claim is incorrect.

14 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 14 There is a Contract Between AS and Supplicant Constraining PMK to One AA Not found anywhere in IEEE 802.11-2007 The AS has no knowledge of a BSSID! EAP is used to establish the PMK and IEEE 802.11-2007 is therefore bound by the EAP Key Management Framework –Section 2.3 of that document states: “Since an authenticator can have multiple ports, the scope of the authenticator key cache cannot be described by a single endpoint address.” The “port” is the AP and the “endpoint address” is its BSSID. –IEEE 802.11-2007 is forbidden from imposing such a constraint. Contract is neither express nor implied in IEEE 802.11-2007. The AS can not constrain a key to something it knows nothing about! The claim is incorrect.

15 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 15 Violates NIST SP800-108, Cannot be FIPS certified This claim is made because SP800-108 says –“…, the identity (or identifier, as the term is defined in [1] and [2]) of each entity that will access (meaning derive, hold, use and/or distribute) any segment of the keying material should be included in the Context string input to the KDF, provided that this information is known by each entity who derives the keying material.” But this is in regard to key derivation. The PMK is derived by the AS and Supplicant and, regardless of whether PMK caching is used or not, does not include the AA. The PTK does have the AA and PMK caching doesn’t change that. Implementations supporting PMK caching have been FIPS certified! Evidence abounds to disprove this claim. This claim is incorrect.

16 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 16 Violates IETF Guidelines Following quote from RFC 4962 is used as evidence to support this claim: “[M]any base stations may share the same authenticator identity. The authenticator identity is important in the AAA protocol exchange and in the secure association protocol conversation.” However, the preceding sentence from RFC 4962 is always omitted when this claim is presented: “When multiple base stations and a ‘controller’ (such as a WLAN switch) comprise a single EAP authenticator, the ‘base station identity’ is not relevant; the EAP method conversation takes place between the EAP peer and the EAP server.” The “authenticator identity” is the NAS-Id which is not used by 802.11 (proposal to include it in a beacon was defeated). The “base station” identity is the BSSID, and “is not relevant”. CAPWAP explicitly describes the Controller/”thin AP” architecture with the Authenticator on the controller. This claim is incorrect.

17 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 17 PMK Caching is Insecure This claim is followed by: “Suppose an authenticator is compromised….” –But that’s not an attack against PMK caching! –The same “security” “flaw” also applies to 11r. Is 11r insecure? Then the tables are turned: you can’t prove PMK caching is secure. But: –There is no cryptographic binding of any authenticator address into the PMK. –If the AA is not necessary for the security of the 4 way HS then making it variable instead of static cannot introduce a security problem! A one-way function does not leak information about an input– seeing a PMKID does not give an attacker information about the PMK! PMK caching is NOT PMK sharing. The PMK never leaves the Authenticator. None of the security assumptions in IEEE 802.11- 2007 change. This claim is incorrect.

18 doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 18 References

Download ppt "Doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: 2010-03-08 Authors:"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Secure Pre-Shared Key Authentication for IKE

Secure Pre-Shared Key Authentication for IKE
Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
Doc.: IEEE 802.11-12/0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: 2012-05-09 Authors:

Doc.: IEEE /0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: Authors:
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.

EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
Doc.: IEEE 802.11-04/1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE 802.11-04/0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Similar presentations

Ads by Google