Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.

Published byLawrence Pitts Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh."— Presentation transcript:

1 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh Mishra, Minho Shin, William Arbaugh University of Maryland College Park Insun Lee, Kyunghun Jang Samsung Electronics

2 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Goals of this Talk Introduce the different methods for key predistribution (the good and the bad). Introduce a back-end protocol that is independent of key management and hand-shakes. Information slides on example implementations for key distribution (not covered in talk)

3 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi MUST Support Fast Roaming Otherwise non-standard and non-vetted solutions will evolve….creating potential “brand” problems. Transparent roaming was one cause of exponential growth in the cellular market. Interworking is around the corner.

4 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Backend Requirement Protocol MUST be standardized within IETF –This requires that key material NOT leave the AS. –This means that the protocol should fit within current and future AAA practice.

5 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Pre-authentication RADIUS (AAA) ABCDE MK PMK PTK PMK PTK MK PMK EAP/TLS Authentication Via Next AP

6 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Problems with Pre-Auth Expensive in terms of computational power for client, and time (Full EAP-TLS can take seconds depending on load at RADIUS Server). TLS- Resume will make things faster, but other problems persist. Requires well designed and overlapping coverage areas Can not extend beyond LAN No opportunity for Interworking

7 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Goals Permit fast roaming without reducing overall security Fast roaming occurs when the total cost of Layer 1-3 hand-off times is less than 50ms (Ideally 35ms).

8 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Fast Roaming Goals Handoff to next AP SHOULD NOT require a complete EAP/TLS re-authentication. Compromise of one AP MUST NOT compromise past or future key material, i.e. perfect forward secrecy, and with stand known key attacks.

9 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Trust Assumptions AAA Server is trusted AP to which STA is associated is trusted. All other AP’s are untrusted.

10 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Only Three Ways to meet TGi Goals Exponentiation support for asymmetric cryptographic operations at AP, or Trusted Third Party, i.e. Authentication/Roaming Server Use IAPP with proactive caching

11 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Three methods for key distribution Static roam keys –Does not provide PFS –Simple implementation for back-end although storage requirements at the AP’s can be large! One key for every STA in the LAN, but can be combined with proactive key distribution. IAPP with proactive caching –Communications from the next association is compromised if STA associates to a compromised AP. Proactive key distribution –Provides PFS and protection from known key attacks –Slightly more complex.

12 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Static Roam keys sketch AS pushes a unique seed for key derivation, e.g. PMK, to each AP which the STA knows how to derive without further communications. The PTK is then derived via some form of a hand-shake. –Past communications are subject to compromise if the AP becomes compromised. –Large memory requirement for AP unless combined with a proactive distribution means.

13 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP The AP derives the next PMK (for each neighbor AP) via a hash chain and a roam key(RK) provided by AS such as: –PMK next = PRF(RK, PMK current, STA mac, next AP mac ) –PMK next is sent to next AP via IAPP caching (TGf) –PTK is derived via some handshake Compromised AP only compromises current and next PTK.

14 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution (TGi) Extend Neighbor Graphs and Proactive Caching (IEEE 11-02-758r1.ppt) to support key distribution by the AS Eliminates problems with sharing key material amongst multiple APs –Easily extended to support WAN roaming –Extendable to support Interworking

15 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Neighbor Definition and Graph Two APs i and j are neighbors iff –There exists a path of motion between i and j such that it is possible for a mobile STA to perform a reassociation –Captures the ‘potential next AP’ relationship –Distributed data-structure i.e. each AP or AS/RS can maintain a dynamic list of neighbors 1 A B C E D A B E D C

16 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang AP Neighborhood Graph – Automated Learning Construction –Manual configuration for each AP/RS or, –AP/RS can learn: If STA c sends Reassociate Request to AP i, with old-ap = AP j : Create new neighbors (i,j) (i.e. an entry in AP i, for j and vice versa) Learning costs only one ‘high latency handoff’ per edge in the graph. Enables mobility of APs, can be extended to wireless networks with an ad-hoc backbone infrastructure. Dynamic implementation using LRU replacement permits invalid and stale entries to time out.

17 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Graph Synchronization The graph’s state at the accounting server is updated by: –Accounting-Request messages from the current AP (draft-congdon-radius-8021x)

18 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Roaming Example Given the following infrastructure with associated neighbor graph with STA about to associate to AP A. A B C E D A B E D C

19 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Post Authentication and 4-handshake RADIUS (AAA) ABCDE Accounting Server Accounting-Request(Start)

20 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution RADIUS Authentication Server (AS) ABCDE Accounting Server Notify-Request

21 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution Post Authentication ABCDE AS Accounting Access-Request Access-Accept(key material) Access-Request Access-Accept(key material)

22 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang AP Actions on Notify Request Dynamic Keys, i.e. PMK changes per roam. –AP MUST send an ACCESS-REQUEST to AS Static Key, i.e. PMK is unique per AP but never changes. –Nothing unless authorization is required.

23 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Maximum STA Velocity For the Notify and PMK install to occur in time, we need: 2 RTT + handshake < D/v Where: D = coverage diameter v = STA velocity RTT = round-trip time from AP to AAA server, including processing. Assuming D=100 ft, handshake = 10 ms, and RTT = 100ms, we get: v = 100 ft/ (200ms + 10 ms) ~ 500 ft/sec = Mach 0.5!!

24 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Conclusions Provided an overview of various options Provided a protocol that: –Can support high speed roaming, meets IETF requirements (draft-arbaugh-radius-handoff-00.txt), –Is independent of the type of key management/derivation used (static or dynamic), i.e. can IEEE11-03-008r0-I or the method in the information slides of this presentation. –Is independent of the type of hand-shake used.

25 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Acknowledgements Bernard Aboba assisted with the best way to integrate Proactive key distribution with RADIUS. The maximum STA velocity calculation is from Bernard Aboba. Jesse Walker pointed out potential synchronization problems in an earlier version of proactive key distribution. Nancy Cam-Winget raised several concerns which caused the creation of the IAPP distribution method.

26 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Informational Slides How to do predistribution of keys via IAPP and with an accounting server.

27 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Pairwise Key Hierarchy Review Master Key (MK) Pairwise Master Key (PMK) = TLS-PRF(MasterKey, “client EAP encryption” | clientHello.random | serverHello.random) Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256– n – can have cipher suite specific structure

28 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Key Locations RADIUS (AAA) MK PMK AP1AP2 PMK PTK MK PMK PTK

29 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP The AP derives the next PMK (for each neighbor AP) via a hash chain such as: –PMK next = PRF(RK, PMK current, STA mac, next AP mac ) –PMK next is sent to next AP via IAPP caching (TGf) –PTK is derived via some handshake Compromised AP only compromises current and next PTK.

30 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Pairwise Key Hierarchy Review MK PMK curr PTKRK=PRF(PMK, “Roam Key”, AP nonce,STA nonce ) PMK next =PRF(RK,PMK curr,STA mac,AP mac )

31 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Example RADIUS (AAA) ABCDE AP and STA derive PTK,RK via 4-way MK,PMK,PTK,RK

32 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Caching of Next PMK to Neighbors RADIUS (AAA) ABCDE PMK next =PRF(RK,PMK curr,STA mac,AP mac ) PMK next =PRF(RK,PMK curr, STA mac,AP mac ) MK,PMK curr,PTK curr,RK

33 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Reassociation RADIUS (AAA) ABCDE MK,PMK next,RK AP and STA Derive new PTK via fast Roam handshake Or worst case 4-way

34 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Changes Needed TGi –Use of RSN IE reserved bit –Derivation method for RK IETF –None

35 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution (TGi) Extend Neighbor Graphs and Proactive Caching (IEEE 11-02-758r1.ppt) to support key distribution by the AS/RS Eliminates problems with sharing key material amongst multiple APs –Easily extended to support WAN roaming –Extendable to support Interworking

36 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Pre Association RADIUS (AAA) ABCDE

37 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Post Authentication and 4-handshake RADIUS (AAA) ABCDE MK PMK PTK PMK PTK MK PMK Accounting Server Accounting-Request(Start)

38 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution RADIUS Authentication Server (AS) ABCDE MK PMK PTK PMK PTK MK PMK Accounting Server Notify-Request

39 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution Post Authentication ABCDE MK PMK A PTK PMK A PTK AS Accounting PMK B =TLS-PRF(MK, PMK A, AP B -MAC-Addr, STA-MAC-Addr) PMK E =TLS-PRF(MK, PMK A, AP E -MAC-Addr, STA-MAC-Addr) PMK B PMK B, timeout PMK E Access-Request Access-Accept

40 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang PMK Generation Each AP is given a unique PMK per roam, or generation. The PMK for the AP for that generation becomes that generation’s PMK.

41 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Generations Generation: –PMK 0 = TLS-PRF(MK,”client EAP encryption”, client-Hello.random, serverHello.random) –PMK 1-B = TLS-PRF(MK, PMK 0,AP B -MAC-Addr, STA-MAC-Addr) –PMK 1-E = TLS-PRF(MK, PMK 0,AP E -MAC-Addr, STA-MAC-Addr) STA roams to AP B : –PMK 1-B  PMK 0

42 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang PMK Synchronization STA maintains PMK for each generation (can be combined with timeouts to require only a “window” of PMK’s). First message of 4-way handshake (or derivative) from AP indicates the generation PMK held at the AP. STA derives the correct PMK based on the provided generation. Maintains security even if synchronization is lost, i.e. latest generation PMK hasn’t arrived at AP yet. Also maintains security (and speed) even if roam to a non- neighbor (but was at one time before timeout).

43 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Synchronization Example STA roam pattern: A  B  C ≈ D PMK 0 PMK B PMK E PMK G PMK A PMK C PMK D PMK E PMK B PMK E 0 1 234Generation

44 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang How do the AP and STA know that Fast Roaming is supported? STA asserts that it supports fast roaming by setting a bit (use of the current reserved bits) in the RSN information field element in the REASSOCIATION-REQUEST. AP asserts the same bit in the REASSOCIATION- RESPONSE if and only if the AP supports fast roaming and it is provisioned with a derived PMK for the STA. If either bits are unset, then a full reauthentication MUST be done.

45 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution STA Roam to AP B ABCDE PMK B =TLS-PRF(MK, PMKA, AP B -MAC-ADDR, STA-MAC-ADDR) PTK via standard 4-way handshake or other means PMK A PTK RADIUS (AAA) Accounting Server PMK B PMK E New AP informs Acct. Server Updates Neighbor Graph

46 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Roaming Functions Handled at Accounting Server Reduces exposure of MK, i.e. the MK remains only at the AS and STA Reduces load on AS Takes advantage of the already defined accouting process

47 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Changes Needed TGi –Use of RSN IE reserved bit –Addition of “Generation” field to Message 1 of 4-way handshake IETF –Define two new RADIUS messages to install derived PMK’s at AP’s (draft-arbaugh-radius-handoff-00.txt) –Perhaps one or two new RADIUS attributes

48 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Open Source Availability The University of Maryland and Samsung Electronics will provide an open source implementation under both the GPL and *BSD style licenses shortly.

49 doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang External Review This proposal will be submitted to an academic conference for peer review soon.

Download ppt "Doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.

IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho

IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
By: Alex Feldman.  A mobile station is connected to the network wirelessly through another device.  In case of WiFi (IEEE 802.11) this would be an access.

By: Alex Feldman.  A mobile station is connected to the network wirelessly through another device.  In case of WiFi (IEEE ) this would be an access.
Doc: 11-03-0763-00-0000 Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
21-07-0387-00-00011 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0387-00-0001 Title: Problem Statement for Authentication Signaling Optimization Date.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Problem Statement for Authentication Signaling Optimization Date.
Shambhu Upadhyaya 1 802.11 Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE 802.11-03/540 Submission July 2003 Arunesh Mishra, Min-ho Shin, William Arbaugh, Insun Lee, Kyunghun Jang. Fast handoffs using Fixed Channel.

Doc.: IEEE /540 Submission July 2003 Arunesh Mishra, Min-ho Shin, William Arbaugh, Insun Lee, Kyunghun Jang. Fast handoffs using Fixed Channel.
Doc.: IEEE 802.11-00/137r2 Submission June 2000 Tim Godfrey, IntersilSlide 1 TGe Requirements Version r2 8 June 2000.

Doc.: IEEE /137r2 Submission June 2000 Tim Godfrey, IntersilSlide 1 TGe Requirements Version r2 8 June 2000.
ProjectIEEE 802.20 Working Group on Mobile Broadband Wireless Access TitleIEEE 802.20 MBWA Security Architecture.

ProjectIEEE Working Group on Mobile Broadband Wireless Access TitleIEEE MBWA Security Architecture.
KAIS T Wireless Network Security and Interworking Minho Shin, et al. Proceedings of the IEEE, Vol. 94, No. 2, Feb. 2006 Hyeongseop Shim NS Lab, Div. of.

KAIS T Wireless Network Security and Interworking Minho Shin, et al. Proceedings of the IEEE, Vol. 94, No. 2, Feb Hyeongseop Shim NS Lab, Div. of.

Similar presentations

Ads by Google