Background Study :802.11i Encryption

MK (Master Key) PMK (Pair-wise Master Key) PTK (Pair-wise Transient Key) GMK (Group Master Key) GTK (Group Transient Key)

Background Study : ECC (Elliptic Curve Cryptography)[Neil Koblitz, Victor Miller, 1985] General Form 質數體 二元體

質數體加法規則 O: Point at infinity P+O=O+P=P

乘法規則 nP=O n 稱為 order Given G, Q=dG, d is randomly selected. It is nearly impossible to derive d ( 橢圓曲線離散對數 問題 ). G is called generator. Q is called public key. d is called private key.

ECCDH Given E, a generator point P. A selects a private key da. A derives public key Qa= da ∙ P B selects a private key db. B derives public key Qb=db ∙ P A and B exchange their public Key A derives share key Sab=da ∙ Qb B derives share key Sab=db ∙ Qa

Bilinear pairing Establishment of a session key requires only one message for exchange Two cyclic group bilinear mapping G1: cyclic addition group, G2 cyclic multiply group

Introduction Roaming delay is composed by –Channel scanning and probing Mobile client must disconnect from the current AP and join a new AP and it takes 20ms~380ms –Authentication at the new AP The overall roaming delay should be kept under 50ms, ideally the authentication should not take more than 20ms to allow 30ms for channel scanning and probing.

802.11i –Authentication is done by 802.1x, or by a pre- shared key. –PMK, 4-way handshake for PTK, 2-way handshake for GTK. –Full authentication takes 750~1200ms –Roaming authentication takes 200ms, or 50ms for the best case.

Proactive key distribution method –Distributes a new PMK to neighbor APs –Roaming authentication time reduce to 21ms on the average. –Heavy burden on AS –AP must track the movement of clients Pre-authentication –A client connects to multiple APs first. –0 delay –Impose heavy burden on AS and may not extend beyond the first access router

Predictive authentication –All the neighboring APs can receive the authentication response. –Drawbacks are similar to pre-distribution r –Authentication time of best case is 10ms –Pre-distribution of the keys to all the AP within the subnet –Drawbacks still remain

Reducing 4-way handshake is important. Best case analysis of 4-way handshake is 20ms. Inter-domain roaming

Background IDC (Identity-based Cryptography) –Known identity information is used in ID-based cryptography to derive a public key thus no public key exchange is necessary. –Identity value may be alphanumeric character string or MAC address. PKG (Private Key Generator) –Given private key to the ID owner through a secure channel

Bilinear map Multiply integers with points on elliptic curves –Given P and sP, it is nearly impossible to compute s

Public/private key generation –PKG uses a master key s and a fixed point P on a elliptic curve. –Public key Oid PKG hashes user ’ s ID to a point Qid on the curve. –Private key s ∙Qid P, s∙P, cryptographic function H1 can be made available in public

Proposed scheme SFRIC To use a WLAN, a user logs into the network through i process. For static client SFRIC is not necessary SFRIC has 2 phases. In phase 1 a client accesses the PKG to get a private key. When the client decides to roam it first finds and joins a new APs by probing and scanning, and follows the phase 2 procedure to exchange authentication messages.

Phase 1 preparation APs and client both contact to PKG with their MAC and receive a private key via secure channel Private key of client –{MAC||expiration date||expiration hour||Nounce} Private key of AP –{MAC||current date||current hour} Both are periodically refreshed in every hour

Phase 2 roaming

Comment Figure 3 says message 1 is encrypted in Ka, but figure 4 says it is K1 to be used for encrypted instead.

Comment: The above equation can prove anything. Comment:(rK a, sP)=(K c -1, rP)? Serious error in equation. Can not prove security key of a equals to security key of c sK a = K c -1 ？？

{MACc} is called the proof of ID. If the MAC address of ID matches the MAC address in the packet header, the sender is proven to posses the MAC address and the right private key. Comment: Verification of MAC is smart but weak.

Comment: If MACc is encrypt by c ’ s private key, there is no way to decrypt it in a.

Performance Analysis

The most time consuming is the pairing operations E2, D1, and D2, while the cost of the rest is almost negligible. Comment: I am not convincible why E1 pairing operation can be negligible. Comment: Authors is too optimistic to neglect the network operation, especially in worst cases.

Comment: Inconsistent typos

The authors claim there will be only 2 pairing operations require, which take 17ms (cited by [23] that one pairing operation is 8.7ms for best case), one can be done in advance. Comment: there is no simulation for the computation. Nothing but site by other work. Conviction is weak.

Thank You

Review Suggestion Rate the importance of the topic addressed in the paper and its timeliness within its area of research Excellent Above average Average Below average None Rate the technical contribution of the paper, its soundness and scientific rigour Excellent Solid work Valid work Marginal work Questionable Rate the novelty and originality of the work presented in the paper Pioneering Novel Some Novel Minor variation It has been said many times before

Rate the paper organization, the clearness of text and figures, the completeness and accuracy of references. Excellent Well written Readable Substantial revision work is needed Unacceptable Strengths: Weakness: Recommended changes: