Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.

Published byAlexandrina Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems."— Presentation transcript:

1 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems Inc Doug Smith, Cisco Systems Inc Keith Amann, Spectralink

2 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 2 Fast Roam Goals TGi has provided sound framework and protocols to secure 802.11 link communications Next step is to evaluate Fast Roaming –Voice advocates no more than 50ms handoff latency –Are security considerations for voice the same as data? Submission focuses on fast roaming for voice –Only reassociation exchange is applied

3 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 3 Handoff Times for Voice Doc 02/758 states: –ITU guidance on TOTAL hand-off latency is that it should be less than 50 ms. Cellular networks try to keep it less than 35 ms.

4 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 4 Handoff Process Delays STA APs … Probe Requests Probe Response Pre-authentication Exchange Re-association Exchange4-way & 2-way handshakes Other APs IAPP Discovery Reauthentication New AP

5 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 5 The Handoff Procedure : two phases 1.Discovery (active or passive scanning) Determination to find new AP due to signal strength loss (or inability to communicate) with current AP Probe delays incurred when client searches for new AP 2.Reauthentication Station reauthenticates and reassociates to new AP Reauthentication and reassociation delays Implications: –Discovery phase – out of TGi’s scope –Reauthentication phase must be efficient to support wireless voice

6 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 6 Average Roam latencies in current 802.11 systems PhaseAverage measured latencies Discovery66ms – 440ms Reauthentication (Open Auth, no WEP) 12ms – 40ms

7 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 7 Cryptographic computations for RSN 4-way and 2-way exchanges NodeMessageNonce GenHmac-SHA1 1 ops Hmac-md5 2 ops STA ← AP4-way: 1 st msg1-- STA → AP4-way: 2 nd msg132 STA ← AP4-way: 3 rd msg-32 STA → AP4-way: 4 th msg--(2 4 ) STA ← AP2-way: 1 st msg(1 3 )(3 3 )2 STA → AP2-way: 2 nd msg--2 Total6 msgs268 1 Hmac-SHA1 used as PRF to compute WRAP or CCMP keys 2 Hmac-MD5 requires 2 MD5 operations 3 Only computed when GTK is refreshed 4 MIC check doesn’t affect data flow

8 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 8 RSN Relative Costs Initial AssocReassociation Crypto operations 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 Packet count(4+ EAP + 6) ** packets(4 + 6) ** packets ** 802.11 Open Auth + (Re)Assoc = 4 pkts

9 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 9 Potential delays Computational delay –Each authentication packet –Each packet requiring generation of PRF Media access delay : due to packets sent by other NICs between the authentication packets Example: 1500 octet packet arrives while AP is processing an association response: –AP at 11Mbps ≈ 1.1ms delay between each packet –AP at 6Mbps ≈ 2ms delay between each packet –AP at 2Mbps ≈ 6ms delay between each packet For 10 message exchange, media access delay alone is 10-60ms! The heavier the traffic, the higher the delay….

10 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 10 Fast Roam for voice implies: Pre-authentication is required Re-association 4-way handshake is too expensive Additional 2-way handshake for GTK delivery does not help. GOAL: Hand-off times MUST be efficient to support synchronous connections, e.g. VoIP

11 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 11 Ideally, compress roaming to: Supplicant Client Authenticator AP Reassociate Request: negotiate CKM, authenticate rekey Reassociate Response: validate rekey, random challenge, deliver group key Client and AP can now protect 802.1X and 802.11 packets Reassociate Confirm: random challenge response, MIC

12 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 12 Handoff Procedure using a Roam Server Roam Server 1st APNew AP Establish Security Block Send Security Block Re-association Assumptions: Roam Server can be adapted to document 02/758 Roam Server is trusted, can be the Authentication Server AP is trusted and has trust relationship with Roam Server

13 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 13 Roam Server is Central Key Manager (CKM) Central Key Management (CKM) Protocol: Uses PMK from successful EAP Authentication to derive 1.rekey request key (RRK) – used to authenticate rekey element in reassociation request 2.Rekey base key (RBK) – used to mutually derive pairwise transient keys (PTK) to protect 802.1X and 802.11 packets. RRK and RBK derived on association RRK serves as authorization key RBK serves as Base Key used to derive PTKs Roam Server may only distribute PTKs or with proactive key distribution can forward to APs

14 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 14 New Key Hierarchy PMK implicitly derived as a result of a successful EAP authentication RRK 128 bits RBK 256 bits Generate RRK and BRK: PRF-384(PMK, “Fast-Roam Generate Base Key”, MAC APi | MAC STA | Nonce STA | Nonce RS ) 802.1X Encrypt Key (16bytes) 802.1X MIC Key (16 bytes) 802.11 Encrypt Key (16 bytes) MIC Keys (TKIP only) Tx Key Rx Key 8 bytes 8 bytes PTK RSC = PRF-XXX(RBK, RSC|BSSID)

15 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 15 New Key Hierarchy facilitates reassoc RRK used to authenticate new Reassociation Request element Element ID LengthRekey Sequence Counter MIC 1octet 4octets8octets MIC = HMAC-MD5(RRK, MAC STA | BSSID | RSNE STA | RSC )

16 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 16 Reassociation Response includes GTK MIC RRK = HMAC-MD5(RRK, RSC | MAC STA ) PTK RSC = = PRF-XXX(RBK BSSID, RSC | BSSID ) MIC PTK = HMAC-MD5(TK RSC, RSNE AP | RSC | KeyID unicast | KeyID multicast | Multicast Key length | E(PTK RSC, GTK) ) Elem IDLenRSCRandom Challenge KeyID unicast KeyID multi- cast Multi- cast key length MIC RRK MIC PTK E(GTK) 1octet 4octets16 octects1octet 2octets8 octets N octets

17 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 17 Re-association Confirm New 3 rd message should be management : –3 rd message includes random challenge response –3 rd message confirms liveness of PTK –3 rd message defeats MIM attack

18 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 18 Same Assoc and 802.1X Auth as default RSN Association Req + RSN IE (802.1X, CKM) ** Association Response (success) EAP type specific mutual authentication Derive Pairwise Master Key (PMK) RADIUS ACCEPT (with PMK) 802.1X/EAP-SUCCESS Derive Pairwise Master Key (PMK) ** New AKM → Central Key Management (CKM) is negotiated Open Authentication Request Open Authentication Response

19 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 19 Initial 4-way handshake with Roam Server EAPoL-Key(Unicast, ANonce) PMK Derive ANonce Derive SNonce EAPoL-Key(Unicast, SNonce, MIC, RSNE STA ) EAPoL-Key(Install PTK 1, Unicast, MIC, RSNE AP ) Derive RRK, RBK, PTK 1 EAPoL-Key(Unicast, MIC) Install Keys Deliver PTK 1 RS AP STA Group key handshake used for PTK liveness confirm

20 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 20 Ideally, compress roaming to: Supplicant Client Authenticator AP Reassociate Request: negotiate CKM, authenticate rekey Reassociate Response: validate rekey, random challenge, deliver group key Client determines new AP for roam, increments RSC Generates new PTK i, requests CKM Generate CKM rekey authentication element AP validates CKM rekey authentication element Generates new PTK i, finalizes Client switch to AP Generate CKM rekey response authentication element Deliver group keys to Client Client and AP can now protect 802.1X and 802.11 packets Reassociate Confirm: random challenge response, MIC

21 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 21 Using Roam Server RS AP STA Reassoc Req: negotiate CKM, authenticate rekey Reassoc Resp: validate rekey, random challenge, deliver group key AP requests for STA’s RBK (For proactive key distribution, no request is needed) Deliver STA’s RBK Reassoc Confirm: random challenge response

22 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 22 Reassociation triggers rekey with new AP Rekey obviates need to reauthenticate with AS Rekey obviates need for client to pre-authenticate Rekey is embedded in reassociate exchange to reduce number of packet exchanges Reassociation messages include new authenticated element to validate rekey request

23 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 23 Cryptographic computations for CKM Reassociation NodeMessageNonce GenHmac-Sha1 1 ops Hmac-md5 2 ops STA → APReassoc Request-(3 4 )1 AP → RSPTK request--3 RS → APPTK response-(3 4 )3 STA ← APReassoc Response(1) 3 +1-2 STA → APReassoc Confirm--2 Total3 air pkts + 2 DS pkts1-11 1 Hmac-SHA1 used as PRF to compute CCMP keys 2 Hmac-MD5 requires 2 MD5 operations 3 Only computed when GTK is refreshed 4 Can be precomputed before reassociation commit

24 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 24 Relative Costs RSNCKM Crypto Ops for Assoc 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 2 Nonce Gen + 12 HMAC-SHA1 + 8 HMAC-MD5 Crypto Ops for Reassociation 2 Nonce Gen + 6 HMAC-SHA1 + 8 HMAC-MD5 1 Nonce Gen + 0 HMAC-SHA1 + 11 HMAC-MD5 Assoc pkts(4 + EAP + 6) pkts Reassoc pkts(4 + 6) ** pkts3 pkts over air + 2pkts on DS ** Presumes Pre-authentication

25 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 25 Proposal optimizes Fast roaming by Reduction in packet exchanges Reduction in cryptographic computations No propagation of MK or PMK is required Roam Server can be adapted to use proactive key distribution and forward in context

26 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 26 TGi must address Fast Roaming Roaming must be seamless for all clients Must account for small clients (e.g. wireless phones)

27 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 27 Feedback?

28 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 28 Roam Server generates AP specific Roam Server 1st APNew AP Re-association = PRF-384(PMK, “Fast-Roam Generate Base Key”, MAC AP1 | MAC STA | Nonce STA | Nonce RS )

29 doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 29 Initial 4-way handshake in distributed model…. EAPoL-Key( Unicast, ANonce) PMK Derive ANonceDerive SNonce EAPoL-Key(Unicast, SNonce, MIC, RSNE STA ) EAPoL-Key( Install PTK 1, Unicast, MIC, RSNE AP ) Derive RRK, RBK, PTK 1 EAPoL-Key(Unicast, MIC) Install Keys

Download ppt "Doc.: IEEE 802.11-03/008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-10/0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date: 2010-01-07.

Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
TGai FILS Authentication Protocol

TGai FILS Authentication Protocol
Overview of IEEE 802.11 and 802.16 MAC Layer September 25, 2009 SungHoon Seo

Overview of IEEE and MAC Layer September 25, 2009 SungHoon Seo
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-22 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r3 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
1 IEEE 802.11i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,

1 IEEE i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.

IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Similar presentations

Ads by Google