Download presentation
Presentation is loading. Please wait.
1
An Example Protocol for FastAKM
January 2010 doc.: IEEE /0059r0 January 2010 An Example Protocol for FastAKM Date: Authors: Name Company Address Phone Hiroki NAKANO Trans New Technology, Inc. Sumitomo-Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho Shimogyo-ku, Kyoto JAPAN Hitoshi MORIOKA ROOT Inc. #33 Ito Bldg. Tenjin, Chuo-ku, Fukuoka JAPAN Hiroshi MANO 8F TOC2 Bldg Nishi-Gotanda, Shinagawa-ku, Tokyo JAPAN Hiroki Nakano, Trans New Technology, Inc. Hiroki Nakano, Trans New Technology, Inc.
2
January 2010 doc.: IEEE /0059r0 January 2010 Abstract FastAKM framework reduces time to set up association between AP and non-AP STA. This results in reduction of blackout time on handover and enables us to use VoIP in “mobile” environment. We show technical possibility by introducing an trial of example implemention of FastAKM, which establishes an association between AP and non-AP STA by single round-trip exchange of management frames. Hiroki Nakano, Trans New Technology, Inc. Hiroki Nakano, Trans New Technology, Inc.
3
Requirements Employ just ONE round-trip exchange of frames
January 2010 Requirements Employ just ONE round-trip exchange of frames STA to AP, then AP to STA Do all things to start user’s data exchange Association Authentication Key Exchange No direct contract between AP and non-AP STA ‘Authentication Server’ mediates between AP and non-AP STA For separation of service providers and AP infrastructure Possibly compatible with existing framework Old STAs can be still operated together. Hiroki Nakano, Trans New Technology, Inc.
4
An Example Procedure by 802.11-2007
January 2010 An Example Procedure by STA AP RADIUS Server Beacon Probe Request Probe Response Open System Authentication Open System Authentication Association Request Association Accept EAPOL-Start EAP-Request/Identity EAP-Response/Identity RADIUS-Access-Request/Identity RADIUS-Access-Challenge/TLS-Start EAP-Request/TLS-Start EAP-Response/TLS-client Hello RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/ Server Certificate EAP-Request/Pass Through EAP-Response/Client Certificate RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/Encryption Type EAP-Request/Pass Through EAP-Response RADIUS-Access-Request RADIUS-Access-Accept EAP-Success EAP-Key Hiroki Nakano, Trans New Technology, Inc.
5
Complaint about the Procedure…
January 2010 Complaint about the Procedure… STA AP RADIUS Server Beacon Probe process is optional Open System auth. is meaningless Probe Request Probe Response Open System Authentication Open System Authentication Association Request Association Accept Any other framework than EAPOL?? EAPOL-Start EAP-Request/Identity EAP-Response/Identity RADIUS-Access-Request/Identity RADIUS-Access-Challenge/TLS-Start EAP-Request/TLS-Start EAP-Response/TLS-client Hello RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/ Server Certificate EAP-Request/Pass Through EAP-Response/Client Certificate RADIUS-Access-Request/Pass Through RADIUS-Access-Challenge/Encryption Type EAP-Request/Pass Through EAP-Response RADIUS-Access-Request RADIUS-Access-Accept EAP-Success EAP-Key Hiroki Nakano, Trans New Technology, Inc.
6
Trial 1: Omit Pre-RSNA Auth. Process
January 2010 Trial 1: Omit Pre-RSNA Auth. Process We use “Open System” authentication on Pre-RSNA framework at anytime. Anyone using Shared Key auth? “Open System auth. is a null auth. algorithm. Any STA requesting Open System auth. may be authenticated” Quoted from section Nevertheless, it takes ONE round-trip time to do that! Standard should be changed to allow to run Association process without Open System authentication process. Any problem occurs? Hiroki Nakano, Trans New Technology, Inc.
7
Reason of existence of Open System auth.
January 2010 Reason of existence of Open System auth. “NOTE 3—IEEE Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE state machine (see 11.3).” Quoted from section b) Hiroki Nakano, Trans New Technology, Inc.
8
January 2010 Figure 11-6 Hiroki Nakano, Trans New Technology, Inc.
9
Modified Figure? January 2010 Association with FastAKM
Hiroki Nakano, Trans New Technology, Inc.
10
Trial 2: Piggyback Auth. Info. onto Association Request/Response
January 2010 Trial 2: Piggyback Auth. Info. onto Association Request/Response Can “Mutual Authentication” be done by just A round-trip of Association Request/Response? “Single Round-trip Authentication” is a common problem. STA AP Authentication Server Beacon (Probe Request) (Probe Response) Authentication (Open System) Authentication (Open System) Association Request Access Request Access Response Association Response (Accept) Hiroki Nakano, Trans New Technology, Inc.
11
Supposed Service Model
January 2010 Supposed Service Model Authentication Server (Service Provider) Non-AP STA (Customer) AP (Infrastructure) Contract to provide wireless access to users specified by Authentication Server (i.e. Service Provider) Set up secure communication channel to exchange information about users Contract to provide wireless access via AP infrastructure. Share information to identify each other properly, e.g. username, password, digital certificate, etc. Real wireless communication channel Provide wireless access in request of Service Provider Hiroki Nakano, Trans New Technology, Inc.
12
Technical Prerequisite
January 2010 Technical Prerequisite Information shared - to identify each other and - to exchange data securely Station (non-AP STA) Authentication Server (AS) Wireless communication Access Point (AP) Secure communication pipe - Information shared to identify each other Hiroki Nakano, Trans New Technology, Inc.
13
Association and Authentication Procedure
January 2010 Association and Authentication Procedure STA AP Auth. Server Selector = name of Auth. Server User Information pack passed through AP toward Auth. Server User Identifier and a kind of digital signature Encrypted session key Countermeasure against replay attack AP AS User Information pack AP AS Plain (decrypted) session key STA AP Proof of AP having legitimate session key Group key Hiroki Nakano, Trans New Technology, Inc.
14
Frame Exchange for Authentication
January 2010 Frame Exchange for Authentication User Information pack - User Identifier - a kind of digital signature - Encrypted session key - Countermeasure against replay attack 1 Station (non-AP STA) Authentication Server (AS) Auth. Server Selector Access Point (AP) - Proof of AP having legitimate session key - Group key Plain (decrypted) session key 3 2 Hiroki Nakano, Trans New Technology, Inc.
15
An Example Implemetation
January 2010 An Example Implemetation OS: NetBSD (i386) Upper MAC Layer: NetBSD’s net80211 WLAN Chipset: Atheros Communications AR5212 Add about 200 lines in C. Hiroki Nakano, Trans New Technology, Inc.
16
January 2010 Difference from Additional state transition to skip Open System Auth. Figure 11-6—Relationship between state variables and services Two additional elements to Table 7-26 Element IDs Authentication Server Selector (240 temporally) User Information Pack (241 temporally) RSN with key obtained by new FastAKM framework RSN information element (for beacon and probe resp.) Both Group and Pairwise Cipher Suites are set to CCMP. AKM Suite is set to the brand-new one! Define new AKM Suite (00-d is used temporally.) Assign officially on Table 7-34 AKM suite selectors in future… Hiroki Nakano, Trans New Technology, Inc.
17
Conclusion Not-so-many changes enables FastAKM framework.
January 2010 Conclusion Not-so-many changes enables FastAKM framework. We need more technical discussion to build and verify authentication method about any effect of changing standard to write down detailed specification Hiroki Nakano, Trans New Technology, Inc.
18
January 2010 Straw Poll “Does WNG think that we need tutorial session exploring the need for support for mobile communication ?” Yes: No: 0 Don’t Care: Hiroki Nakano, Trans New Technology, Inc.
Similar presentations
