Fast Initial Authentication


1 Fast Initial Authentication
doc.: IEEE /0059r0 (document header: January 2010; slide date: March 2010)
Authors:
Hiroki NAKANO, Trans New Technology, Inc., Sumitomo-Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho, Shimogyo-ku, Kyoto, JAPAN
Hitoshi MORIOKA, ROOT Inc., #33 Ito Bldg., Tenjin, Chuo-ku, Fukuoka, JAPAN
Hiroshi MANO, 8F TOC2 Bldg., Nishi-Gotanda, Shinagawa-ku, Tokyo, JAPAN
Hiroki Nakano, Trans New Technology, Inc.

2 The purpose of this presentation
“Fast Initial Authentication” and any other preparation require cooperation among all layers, including IEEE 802.11, IP, etc. We are focusing on the IEEE procedure that sets up a communication channel between an AP and a non-AP STA. This presentation only introduces some ideas for making that procedure faster, in order to show their technical feasibility and to help you consider starting an official discussion about “Fast Initial Authentication” in the WG.

3 Why “Fast Initial Authentication?”
We should prepare for “Fast Initial Authentication” because of:
- users moving with HIGH VELOCITY through the cell of an AP
- a HUGE NUMBER of users within reach of each AP
- a very SMALL CELL for each AP
See IEEE /0286r0 and come to the tutorial session for more detail.

4 Quick update contents and push services
You can update new messages and location data while merely passing through an AP's coverage. You do not have to stop many times, as in a serious landing operation. A service provider can distribute handbills without making the customer stop walking.
Figure labels: new location and presence; updated tweets and messages; get new handbills (Location, Messages, Handbill). “No need to stop! Just pass through!”

5 Who consumes time for authentication and setting up the channel?
- AP discovery (802.11?)
- Association (802.11)
- Authentication (802.11, 802.1X)
- DHCP (IPv4), RA (IPv6)
- ARP (IPv4), NDP (IPv6)
- Protocols on upper layers: Mobile IPv4/6, DNS, VPN, HTTP, ...

6 An Example of Packet Exchange
Participants: STA, AP, RADIUS Server, Home Agent.
802.11 discovery and association:
Beacon
Probe Request
Probe Response
Open System Authentication
Open System Authentication
Association Request
Association Accept
802.1X / EAP-TLS carried over RADIUS:
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
RADIUS-Access-Request/Identity
RADIUS-Access-Challenge/TLS-Start
EAP-Request/TLS-Start
EAP-Response/TLS-Client Hello
RADIUS-Access-Request/Pass Through
RADIUS-Access-Challenge/Server Certificate
EAP-Request/Pass Through
EAP-Response/Client Certificate
RADIUS-Access-Request/Pass Through
RADIUS-Access-Challenge/Encryption Type
EAP-Request/Pass Through
EAP-Response
RADIUS-Access-Request
RADIUS-Access-Accept
EAP-Success
EAP-Key
IP configuration:
DHCP Discover
DHCP Offer
DHCP Request
DHCP Ack
Mobility:
Mobile IPv4 Registration Request (STA to AP)
Mobile IPv4 Registration Request (AP to Home Agent)
Mobile IPv4 Registration Reply (Home Agent to AP)
Mobile IPv4 Registration Reply (AP to STA)

7 Challenge to minimum procedure
We use too many packets because the layers are piled on top of each other. Can we reduce the number of packets for the initial setup? The smallest possible procedure is a “single round trip.” Can we achieve that? Let's think about IEEE first.

8 Assumed Goal Employ just SINGLE round-trip exchange of frames
Employ just a SINGLE round-trip exchange of frames: STA to AP, then AP to STA.
Do everything needed to start the user's data exchange in that round trip:
- Association
- Authentication
- Key exchange
No direct contract between the AP and the non-AP STA: an “Authentication Server” mediates between them, for separation of service providers from the AP infrastructure.
Possibly compatible with the existing framework: old STAs can still operate alongside.

9 Ideas? Omit Pre-RSNA authentication process
- Omit the Pre-RSNA authentication process
- Piggyback authentication information onto Association Request/Response
- Piggyback upper-layer information onto Association Request/Response

10 Idea 1: Omit Pre-RSNA Auth. Process
We always use “Open System” authentication within the Pre-RSNA framework. Is anyone still using Shared Key authentication?
“Open System auth. is a null auth. algorithm. Any STA requesting Open System auth. may be authenticated.” Quoted from section
Nevertheless, it costs ONE round-trip time to do that! The standard should be changed to allow the Association process to run without the Open System authentication process. Does any problem arise?

11 Reason of existence of Open System auth.
“NOTE 3—IEEE Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE state machine (see 11.3).” Quoted from section b)

12 Figure 11-6 (Relationship between state variables and services; figure shown on the slide)

13 Modified Figure?
Figure 11-6 with an additional transition labelled “Successful Association by new protocol.”

14 Backward Compatibility
Combinations of old devices (not supporting FastAKM) and new devices (supporting FastAKM):
- Old STA with Old AP: no problem.
- Old STA with New AP: the old STA begins to talk in the old protocol, and the new AP answers in the old protocol.
- New STA with Old AP: the new STA tries the new protocol, the old AP does not accept it, and the new STA then falls back to the old protocol.

15 Idea 2: Piggyback Auth. Info. onto Association Request/Response
Can “Mutual Authentication” be done with just a single round trip of Association Request/Response? “Single round-trip authentication” is a common problem.
Exchange among STA, AP and Authentication Server:
Beacon
(Probe Request)
(Probe Response)
Authentication (Open System)
Authentication (Open System)
Association Request
Access Request
Access Response
Association Response (Accept)

16 Supposed Service Model
Three parties: the Authentication Server (Service Provider), the non-AP STA (Customer), and the AP (Infrastructure).

17 Relations in Real World
Parties: Authentication Server (Service Provider), non-AP STA (Customer), AP (Infrastructure).
- Authentication Server and AP: contract to provide wireless access to the users specified by the Authentication Server (i.e. the Service Provider); set up a secure communication channel to exchange information about users.
- Non-AP STA and Authentication Server: contract to provide wireless access via the AP infrastructure; share information to identify each other properly, e.g. username, password, digital certificate, etc.

18 Cryptographic Keys
Set up in advance by contract:
- AP-KEY, shared between the AP (Infrastructure) and the Authentication Server (Service Provider)
- USER-KEY, shared between the non-AP STA (Customer) and the Authentication Server (Service Provider)

19 Relations in Computer Network
Parties: Authentication Server (Service Provider), non-AP STA (Customer), AP (Infrastructure).
A secure channel exists by virtue of the cryptographic key set up in advance. An encrypted bundle includes the following: User ID, Key. How can we exchange keys safely?

20 Step 1: Make Key on Non-AP STA
The non-AP STA generates a key, TMP-KEY, from its random number generator.

21 Step 2: Send Encrypted Bundle toward AP
The STA sends a bundle encrypted by USER-KEY toward the AP. The bundle includes the following: the user's ID, TMP-KEY, and the Auth. Server Selector.

22 Step 3: AP Forwards data to Auth Server
The AP cannot see the data inside the bundle because they are encrypted by USER-KEY, of which the AP has no knowledge. The AP uses the Auth. Server Selector to select the Auth. Server and forwards the bundle to it.

23 Step 4: Auth Server sends back to AP
The Auth. Server sends TMP-KEY back to the AP. Remember that there is a secure channel protected by AP-KEY between them.

24 Final Step: AP Acknowledges to STA
Now both the AP and the STA share TMP-KEY! The AP sends the acknowledgement and additional information, encrypted by TMP-KEY, to the STA.

25 After Exchanging Key…
Normal communication between the non-AP STA and the AP is encrypted by TMP-KEY.

26 Attack 1: Fake STA
A fake STA (posing as a Customer) shares no USER-KEY. Its bundle reaches the Auth. Server, but the Auth. Server cannot extract data from the bundle because of the lack of USER-KEY.

27 Attack 2: Fake AP
A fake AP (posing as Infrastructure) shares no cryptographic key with the Auth. Server, so there is no secure channel and the fake AP cannot send anything to the Auth. Server.

28 Attack 3: Fake AP and Fake Auth Server
A fake AP forwards the bundle to a fake Authentication Server. No USER-KEY is shared with the fake server, so although the bundle reaches it, the fake Auth. Server cannot extract data from the bundle because of the lack of USER-KEY.

29 Attack 4: Man In The Middle of AP and STA
A man in the middle between the AP and the non-AP STA: can he read the normal communication encrypted by TMP-KEY? He cannot obtain TMP-KEY...
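The following is an added Python model of the exchange in Steps 1 through the Final Step and of Attacks 1 to 4; it is not code from the presentation. All keys, identifiers (alice, ap-1, sp.example), addresses and the JSON bundle layout are constructed for the example, and seal()/unseal() is a stand-in encrypt-then-MAC construction over a SHA-256 keystream used in place of CCMP so that the block runs with the standard library alone. Because the slides keep the user ID inside the encrypted bundle, the server here trial-decrypts with each USER-KEY it holds; that is an assumption of the model, and a deployable design would need a key identifier the server can read.

```python
# Toy model of the FastAKM single round-trip exchange (slides 18-25) and of
# Attacks 1-4 (slides 26-29). Added illustration; seal()/unseal() is a
# constructed encrypt-then-MAC stand-in for CCMP, not a deployable cipher.
import hashlib, hmac, json, secrets
from typing import Callable, Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256(key || nonce || counter) blocks, truncated to the needed length."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext if the tag verifies under this key, else None (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AuthServer:
    """Service provider: holds every USER-KEY and the AP-KEY of each contracted AP."""
    def __init__(self, selector: str, user_keys: Dict[str, bytes], ap_keys: Dict[str, bytes]):
        self.selector, self.user_keys, self.ap_keys = selector, user_keys, ap_keys
    def access_request(self, ap_id: str, request: bytes) -> Optional[bytes]:
        ap_key = self.ap_keys.get(ap_id)
        bundle = unseal(ap_key, request) if ap_key else None
        if bundle is None:  # Attack 2: no AP-KEY, so no secure channel from this AP
            return None
        # The slides keep the user ID inside the encrypted bundle, so this model
        # trial-decrypts with each USER-KEY (assumption; a real design would add
        # a readable key identifier instead).
        for user_id, user_key in self.user_keys.items():
            inner = unseal(user_key, bundle)
            if inner is not None:
                fields = json.loads(inner)
                if fields["user_id"] == user_id and fields["selector"] == self.selector:
                    reply = {"result": "accept", "user_id": user_id, "tmp_key": fields["tmp_key"]}
                    return seal(ap_key, json.dumps(reply).encode())
        # Attacks 1 and 4: no USER-KEY opens the bundle (fake STA, or bundle modified on path)
        return seal(ap_key, json.dumps({"result": "reject"}).encode())

class AP:
    """Infrastructure: holds only AP-KEY and never learns what is inside the bundle."""
    def __init__(self, ap_id: str, ap_key: bytes, servers: Dict[str, AuthServer], ip_config: str):
        self.ap_id, self.ap_key, self.servers, self.ip_config = ap_id, ap_key, servers, ip_config
        self.sessions: Dict[str, bytes] = {}
    def association_request(self, selector: str, bundle: bytes) -> Tuple[str, bytes]:
        server = self.servers.get(selector)  # Step 3: choose the Auth. Server by the clear-text selector
        response = server.access_request(self.ap_id, seal(self.ap_key, bundle)) if server else None
        reply = unseal(self.ap_key, response) if response else None
        fields = json.loads(reply) if reply else {"result": "reject"}
        if fields["result"] != "accept":
            return "reject", b""
        tmp_key = bytes.fromhex(fields["tmp_key"])  # Step 4: TMP-KEY arrives over the AP-KEY channel
        self.sessions[fields["user_id"]] = tmp_key
        return "accept", seal(tmp_key, self.ip_config.encode())  # Final step, plus Idea 3 config

class LyingAP(AP):
    """Attack 3: fake AP backed by a fake Auth. Server; claims acceptance even without TMP-KEY."""
    def association_request(self, selector: str, bundle: bytes) -> Tuple[str, bytes]:
        status, ack = super().association_request(selector, bundle)  # fake server lacks USER-KEY
        return "accept", (ack if status == "accept" else seal(secrets.token_bytes(32), b"ip=203.0.113.9"))

class STA:
    def __init__(self, user_id: str, user_key: bytes, selector: str):
        self.user_id, self.user_key, self.selector = user_id, user_key, selector
    def associate(self, ap: AP, tamper: Optional[Callable[[bytes], bytes]] = None) -> dict:
        tmp_key = secrets.token_bytes(32)  # Step 1: fresh key from the RNG
        inner = {"user_id": self.user_id, "tmp_key": tmp_key.hex(), "selector": self.selector}
        bundle = seal(self.user_key, json.dumps(inner).encode())  # Step 2: bundle under USER-KEY
        bundle = tamper(bundle) if tamper else bundle  # Attack 4: on-path modification STA<->AP
        status, ack = ap.association_request(self.selector, bundle)
        if status != "accept":
            return {"status": "rejected"}
        config = unseal(tmp_key, ack)  # only a holder of TMP-KEY can produce a valid ack
        if config is None:
            return {"status": "bad_ack"}
        return {"status": "associated", "config": config.decode(), "tmp_key": tmp_key}

def scenarios() -> Dict[str, dict]:
    """Honest run plus Attacks 1-4, all with constructed keys and identifiers."""
    user_key, ap_key, rogue_key = (secrets.token_bytes(32) for _ in range(3))
    server = AuthServer("sp.example", {"alice": user_key}, {"ap-1": ap_key})
    ap = AP("ap-1", ap_key, {"sp.example": server}, "ip=192.0.2.10/24 gw=192.0.2.1")
    alice = STA("alice", user_key, "sp.example")
    results = {"honest": alice.associate(ap), "ap_sessions": dict(ap.sessions)}
    results["fake_sta"] = STA("alice", secrets.token_bytes(32), "sp.example").associate(ap)
    results["fake_ap"] = alice.associate(AP("rogue", rogue_key, {"sp.example": server}, "ip=0"))
    fake_server = AuthServer("sp.example", {}, {"rogue": rogue_key})
    results["fake_ap_and_server"] = alice.associate(LyingAP("rogue", rogue_key, {"sp.example": fake_server}, "ip=0"))
    results["mitm"] = alice.associate(ap, tamper=lambda b: b[:20] + bytes([b[20] ^ 1]) + b[21:])
    return results
```

Running scenarios() shows the honest STA associated with the same TMP-KEY recorded at the AP and the upper-layer configuration delivered in the acknowledgement; the fake STA and the modified bundle are rejected at the Auth. Server because no USER-KEY opens the bundle; the fake AP gets nothing back because it holds no AP-KEY; and the fake AP with a fake server can only return an acknowledgement that the STA discards, since it is not under TMP-KEY.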

30 Attack 5: DoS by Auth Request
A fake STA sends numerous Auth Requests to the AP, which forwards numerous Auth Requests on to the Auth. Server.

31 Attack 6: DoS by Fake “Auth Failed”
Fake “Auth Failed” messages are injected toward the non-AP STA in place of the acknowledgement and additional information encrypted by TMP-KEY. Open question.

32 Idea 3: Piggyback upper information onto Association Request/Response
Association Request/Response can be opened to upper layers in order to bring back their information, such as IP address, netmask, etc. IEEE can provide a framework for this.
Exchange among STA, AP and Authentication Server:
Beacon
(Probe Request)
(Probe Response)
Authentication (Open System)
Authentication (Open System)
Association Request
Access Request
Access Response
Association Response (Accept), with upper-layer network configuration

33 Difference from
- An additional state transition to skip Open System Auth. (Figure 11-6—Relationship between state variables and services)
- A few additional elements in Table 7-26 Element IDs: Authentication Server Selector (240, temporary), Bundle for User Information (241, temporary), Upper layer data
- RSN with the key obtained by the new FastAKM framework
- RSN information element (for Beacon and Probe Response): both Group and Pairwise Cipher Suites are set to CCMP; the AKM Suite is set to the brand-new one!
- Define a new AKM Suite (00-d is used temporarily); assign it officially in Table 7-34 AKM suite selectors in future...

34 Conclusion
Not-so-many changes enable the FastAKM framework.
IEEE can help upper layers to be configured quickly.
We need a place to keep more technical discussion going:
- to build and verify the authentication method
- about any effect of changing the standard
- to write down a detailed specification


