Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP based Message Flow Optimization for FILS

Published byAri Budiono Modified over 5 years ago

Similar presentations

Presentation on theme: "EAP based Message Flow Optimization for FILS"— Presentation transcript:

1 EAP based Message Flow Optimization for FILS
Month Year doc.: IEEE yy/xxxxr0 July 2012 EAP based Message Flow Optimization for FILS Date: Authors: Name Affiliations Address Phone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin Sourth 9, Nanshan District, Shenzhen, Guangdong, China, Dapeng Liu China Mobile 32 Xuanwumen West Street Beijng, Xicheng District, China Huawei, China Mobile John Doe, Some Company

2 Month Year doc.: IEEE yy/xxxxr0 July 2012 Abstract This contribution proposes a Fast authentication proposal for FILS. This proposal is based on EAP and mainly focuses on the message optimization of conventional authentication, association, EAP and 4 way handshake. Huawei, China Mobile John Doe, Some Company

3 Conformance w/ TGai PAR & 5C
Month Year doc.: IEEE yy/xxxxr0 July 2012 Conformance w/ TGai PAR & 5C Conformance Question Response Does the proposal degrade the security offered by Robust Security Network Association (RSNA) already defined in ? No Does the proposal change the MAC SAP interface? Does the proposal require or introduce a change to the architecture? Does the proposal introduce a change in the channel access mechanism? Does the proposal introduce a change in the PHY? Which of the following link set-up phases is addressed by the proposal? (1) AP Discovery (2) Network Discovery (3) Link (re-)establishment / exchange of security related messages (4) Higher layer aspects, e.g. IP address assignment 3, 4 Huawei, China Mobile John Doe, Some Company

4 Month Year doc.: IEEE yy/xxxxr0 July 2012 Background This contribution is based on 1047r6 and updated based on discussion on1160r9, which merged with 1047 and proposes fast authentication for FILS using EAP/EAP-RP; This contribution focuses on the optimization of message flows of conventional full EAP authentication and association, providing detailed explain of implementation problem received per discussion on 1160r9. Comments on this contribution can be updated into 1160r10. Huawei, China Mobile John Doe, Some Company

5 Conventional initial link setup
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Conventional initial link setup Authentication frames can be omitted as these two messages do nothing in the flow. But it would be good to start authentication for the state machine The AKM SuitType in Association Request frame indicates that whether a 802.1x authentication will be called. According to IEEE 802.1x and RFC 3748, the EAP-Request/Identity and EAP-Response/Identity messages can be omitted if the Authenticator can obtain Identify with other approachs. Some EAP methods only need one pair of EAP messages like EAP-AKA, but some others need multiple pair of messages. 4-way handshake is started by AP. AP will not accept any unexpected EAPoL-Key message in order to avoid DOS attacking. See sub-clause of 802.1x controlled port is unblocked here, when the AP believes the non-AP STA holds the same PTK. Huawei, China Mobile John Doe, Some Company

6 Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Principle of FILS FILS shall be compatible with current standard, so Authentication and Association frames shall be remained to comply with current state definitions in subclause 10.3 of IEEE FILS shall not degrade the security currently offered by Robust Security Network Association (RSNA) already defined in IEEE , so 11ai shall make the most reuse of current mechanism e.g x and 4-way handshake and must be cautious in involving unproved new authentication scheme. Considering to interwork with other heterogeneous network e.g. 3GPP which is the most important 3G wireless communication network and in which the EAP-AKA/EAP-AKA’ authentication method is used only, so EAP must be supported in FILS. Huawei, China Mobile John Doe, Some Company

7 Optimized EAP with concurrent PTK handshake
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Optimized EAP with concurrent PTK handshake Step 1: Non-AP STA indicates FILS with 802.1x is expected, and includes the User ID and EAPoL-Start message in Authentication First frame. The AP Generates an EAP-Response/ID message instead receiving an EAP-Response/ID message since it has got the User ID. So a pair of EAP-Req/ID and EAP-Resp/ID messages can be omitted on the air. This is allowed by 802.1x. Step 4: The AP receives an EAP-Request (1st message of EAP method). The AP sends an Authentication Second frame to the non-AP STA and the EAP-Request message and an first message of 4-way handshake which includes ANonce are packed in the frame. Step5: Extra EAP messages for some EAP methods are as normal EAPoL messages packed in data frames. Step7: Once the non-AP derived MSK, then it also derives PTK, it sends an Association Request frame to the AP and the last EAP-Response message and an second message of 4-way handshake which includes SNonce are packed in the frame. Step 16: The AP sends Association Response frame. An EAP-Success and a third message of 4-way handshake are packed in the frame. A quick DHCP exchange is suggested to be concurrent with Association frames. Huawei, China Mobile John Doe, Some Company

8 PSK authentication under the same framework
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 PSK authentication under the same framework In principle, we don’t suggest designing FILS for WPA2-Personal case. But if really someone want FILS for WPA2-Personal case, the same framework can work. The gray entities are remained in this figure to compare with Optimized EAP flow. Step 1 indicates FILS with PSK is expected. Step 2, 4 and 8 fulfill the first 3 steps of 4-way handshake in current standard. Current 4-way handshake mechanism is not changed just the last step of 4-way handshake is omitted. Huawei, China Mobile John Doe, Some Company

9 Analysis of Optimized EAP based FILS
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Analysis of Optimized EAP based FILS Any EAP method can be deployed e.g. EAP-AKA/EAP-AKA’ for interworking with 3GPP or EAP-TTLS for interworking with WiMAX. Step 4, 7, 15 included EAPoL-Key messages which fulfils the first three messages of 4-way handshake. The last message of 4-way handshake is just a confirm of message 3 and it is can be omitted actually. So the security of PTK handshake will not be downgrade. Note that current 4-way handshake is a good design which can avoid DOS attack by the non-AP STA or a fake AP sending first 4-way HS message to the non-AP STA. See subclause in DHCP message is forwarded after step 12 at which the AP verified the non-AP STA holds the same PTK with itself so the 802.1x controlled port can be unblocked. It complies 802.1x. For step 7: The non-AP STA knows when it gets MSK, so it knows when it shall send Association Request. For step 11: If the AP receives more EAP-Request but not a EAP-Success or EAP-Failure from the AS, the AP can exchange EAP messages by data frames like possible step 5 with the non-AP STA and defer sending Association Response frame. Huawei, China Mobile John Doe, Some Company

10 Implementation of EAP Authenticator
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Implementation of EAP Authenticator If the FILS with Optimized EAP is invoked, the MAC entity of AP will send the Identity received from an STA to the EAP Authenticator. The EAP Authenticator will generate an EAP-Response/ID message if it has got the Identity and send the message to AS side (maybe send to a AAA Client module in AP first), or the EAP Authenticator will generate an EAP-Request/ID message and send the message to the non-AP STA to ask a Identity. Huawei, China Mobile John Doe, Some Company

11 Conclusion July 2012 Proposal Summary
Nov-18 doc.: IEEE yy/xxxxr0 July 2012 Conclusion Proposal Summary 4-way handshake is carried out concurrently with Authentication and Association frames to reduce message rounds and the main mechanism of current 4-way handshake is kept. Existing EAP Method can be called so the interworking between cellular technology and WiFi technology will not be affected. The EAP-Request/ID and EAP-Response/ID messages are omitted to reduce messages on the air interface. FILS over EAP and FILS over PSK can work under the same framework. Huawei, China Mobile John Doe, Some Company

12 July 2012 SP Do you support to add the FILS proposal defined in slide 7 into 11ai SFD security section? Yes No Abstain Huawei, China Mobile

13 Reference [1] 11-11-1160-09-00ai-fast-re-authentication
Month Year doc.: IEEE yy/xxxxr0 July 2012 Reference [1] ai-fast-re-authentication [2] ai-using-upper-layer-message-ie-in-tgai Huawei, China Mobile John Doe, Some Company

Download ppt "EAP based Message Flow Optimization for FILS"

Similar presentations

Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Using Upper Layer Message IE in TGai

Using Upper Layer Message IE in TGai
Doc.: IEEE 802.11-11/1436r0 Submission NameAffiliationsAddressPhoneemail Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1436r0 Submission NameAffiliationsAddressPhone Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Doc.: IEEE 802.11-11/0780r1 Submission NameAffiliationsAddressPhoneemail Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.

Doc.: IEEE /0780r1 Submission NameAffiliationsAddressPhone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.
Doc.: IEEE 802.11-11/1498-01-00ai Submission NameAffiliationsAddressPhoneemail Phillip BarberHuawei Technologies Co., Ltd. 1700 Alma Rd, Ste 500 Plano,

Doc.: IEEE / ai Submission NameAffiliationsAddressPhone Phillip BarberHuawei Technologies Co., Ltd Alma Rd, Ste 500 Plano,
Doc.: IEEE 802.11-12/0067r0 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 Active Scanning Time Notification Date: 2012-01-12 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0067r0 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 Active Scanning Time Notification Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802. 11-12/0547r1 Submission May 2012 Dapeng Liu, China MobileSlide 1 Extend 802.1X for higher layer configuration in FILS Date: 2012-04-21.

Doc.: IEEE /0547r1 Submission May 2012 Dapeng Liu, China MobileSlide 1 Extend 802.1X for higher layer configuration in FILS Date:
Doc.: IEEE 802.11-12/0158r2 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 Proposed Additions to SFD Date: 2012-03-13 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0158r2 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 Proposed Additions to SFD Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/01047r2 Submission NameAffiliationsAddressPhoneemail Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.

Doc.: IEEE /01047r2 Submission NameAffiliationsAddressPhone Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.
Doc.: IEEE 802.11-11/1499-00-00ai Submission NameAffiliationsAddressPhoneemail Phillip BarberHuawei Technologies Co., Ltd. 1700 Alma Rd, Ste 500 Plano,

Doc.: IEEE / ai Submission NameAffiliationsAddressPhone Phillip BarberHuawei Technologies Co., Ltd Alma Rd, Ste 500 Plano,
Doc.: IEEE 802.11-12/278r0 Submission NameAffiliationsAddressPhoneemail Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.

Doc.: IEEE /278r0 Submission NameAffiliationsAddressPhone Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.
Doc.: IEEE 802.11-12/0080r0 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 AP Admission Control in TGai Date: 2012-01-13 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0080r0 Submission Jan 2012 Phillip Barber, HuaweiSlide 1 AP Admission Control in TGai Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/01047r4 Submission NameAffiliationsAddressPhoneemail Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.

Doc.: IEEE /01047r4 Submission NameAffiliationsAddressPhone Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.
Doc.: IEEE 802.11-11/1426r00 Submission NameAffiliationsAddressPhoneemail ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,

Doc.: IEEE /1426r00 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,
Doc.: IEEE 802.11-11/1426r02 Submission NameAffiliationsAddressPhoneemail ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,

Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Doc.: IEEE 802.11-12/0269r1 Submission NameAffiliationsAddressPhoneemail ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District, Chengdu,

Doc.: IEEE /0269r1 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District, Chengdu,
Access Control Mechanism for FILS

Access Control Mechanism for FILS
Omission of Probe Request

Omission of Probe Request
Month Year doc.: IEEE yy/xxxxr0 May 2012

Month Year doc.: IEEE yy/xxxxr0 May 2012
AP discovery with FILS beacon

AP discovery with FILS beacon

Similar presentations

Ads by Google