1. 11ay Fast Association Authentication
Month Year
doc.: IEEE yy/xxxxr0
11ay Fast Association Authentication
Date:
Authors:
Name
Affiliations
Address
Phone
Robert Sun;
Huawei Technologies Co., Ltd.
Suite 400, 303 Terry Fox Drive, Kanata, Ontario K2K 3J1
Yan Xin
Osama Aboul-Magd
Edward Au
Rob Sun etc, Huawei.
John Doe, Some Company

2. Problem Statements
Auth Server
PCP/AP
DMG STA
Beacon/Announce/Probe Req-Resp
(11ad) defines the Security Association operations in PBSS
The Association and Authentication are lock step procedures in order to satisfy the RSNA trust model.
However it takes substantial time in completion of the authentication and association following the steps as specified in [1]
How to optimize it?
Authentication Request
Not Used for DMG
Authentication Response
State 2
State 2
Association Request
Association Response + RSN IE
EAPol Start
EAPol Req ID
EAPol Resp ID
Radius Req
EAP Authentication Method
EAPol Success
EAPol Success
State 3
State 3
PBSS 4 Way Handshake
State 4
State 4

3. 11ad Authentication State Machine (10.3.2)
DMG STA association and authentication goes through State 2->3->4 with IEEE 802.1x RSNA AKM.
Short cut state transition (State 2 ->State 4) is serving the fast re-authentication and enable the PBSS 4 way handshake
Problem:
11ad didn’t specify the PBSS 4 way handshake in a way that really enables the short cut state transition.
In another words, as per 11ad the PBSS 4 way handshake can only take place after state 3.
Observations:
- The short cut state transition will be beneficial in making speedy association/authentication

4. Design Principle Keep 11ad Authentication/Association scheme intact
Section
Section
Reuse the RSNA compliant 802.1x authentication/association state machine
No one-shoe-fits-all 11ay association/authentication solution.
Some Use Cases (UC#1, #2) have different pre-shared credentials than others (UC#4,5) and required different authentication schemes to meet the timing requirements.
Other cases can still keep using the legacy 11ad authentication/association procedure.

5. Solution: RSNA-based Authentication
PCP/AP
DMG STA
DMG Beacon/Announce/Probe Req-Resp
(RSN 11ay FAA Capability bit+ Authentication IE […||Anonce])
State 2
State 2
(re)Association Req ( +Authentication IE [Snonce +MIC])
DMG STA constructs PTK
PCP/AP constructs PTK
(re)Association Resp (+Authentication IE [MIC])
State 3/4
State 3/4

6. 11ay Fast Association/Authentication Protocol Analysis
If dot11RSNAEnabled is true, and if the RSNA is based on IEEE 802.1X AKM in PBSS.
No TTP (Trust Third Party) Auth Server ( i.e UC#1, UC#2, UC#3) required.
No other DMG STA in the proximity (UC#1 or UC#2)
Least concern for eavesdropping or MITM attack.
Both PCP/AP and DMG STA shares the common Shared Secret (K) cryptographically secure (NIST SP800-97)
K is the Authentication Key ( at least 128bits)
The 1st message of 4 way handshake is now piggybacked over DMG beacon from PCP/AP
11ay FAA (Fast Association/Authentication Capability Bit and Authentication IE could be appended to the DMG Beacon, or Announcement or Probe Response Frames.
The 4th message of 4 way handshake is omitted in order to save flight time which traditionally is deployed for key confirmation purpose. The removal is not a concern if “No other DMG STA is proximity”
11ad PBSS 4 way handshake messages are piggybacked with optional MBO parameters for MBO operations. The 11ay FAA may support it by appending the MBO IEs.

7. Solution: RSNA-based Authentication with Key ID initiating from PCP/AP
In UC #1, A PCP/AP (toll gate) has to maintain up to thousands of pre-shared secrets (K) in order to support the massive pass through STAs.
The K has to be differed from STA to STA in order to prevent the key forgery attack.
Key ID is used for STA to indicate to PCP/AP which Key it starts to authenticate.
The Key ID will be input into the MIC to prevent the replay attack.
The Key ID could be indicated by either PCP/AP or DMG STA, However it’s more practical for PCP/AP to store massive keys in database.
The Key ID format could be as specified in RFC 4880
Note: This Key ID is different than the GCMP MPDU Key ID octet ( )
PCP/AP
DMG STA
DMG Beacon/Announce/Probe Req-Resp
(RSN 11ay FAA Capability bit +Authentication IE [Key ID|| ANonce]])
State 2
State 2
(re)Association Req ( +Authentication IE [… Key ID, SNonce +MIC])
DMG STA constructs PTK
PCP/AP constructs PTK
(re)Association Rsp (+Authentication IE [MIC])
State 4
State 4

8. Solution: RSNA-based Authentication with Key ID initiating from DMG STA
PCP/AP
DMG STA
Authentication with Key ID initiating from DMG STA
In the Case of DMG STA has the storage of the Keys database (Out of scope of IEEE )
DMG STA attach its Key ID in the Association Req frame as the Extended IE to indicate PCP/AP which key it’s intended to use for this particular session.
DMG Beacon/Announce/Probe Req-Resp
(RSN 11ay FAA Capability bit + Authentication IE( ANonce))
State 2
State 2
(re)Association Req ( +Authentication IE [Key ID, SNonce +MIC])
DMG STA constructs PTK
PCP/AP constructs PTK
(re)Association Rsp (+Authentication IE [Key ID,MIC])
State 4
State 4

9. 11ay Key Hierarchy (W/O Key ID)
K (PMK)
KDF-X( K, “11ay Key Generation”,
Min(MAC_s, MAC_a)||Max(MAC_s, MAC_a)
||Min(SNonce, ANonce)|| Max(SNonce, ANonce))
PTK
Key confirmation key
L(PTK,0,B)
KCK
Key encryption key
L(PTK,B, B)
KEK2
Temporal Key
L(PTK,B or 2*B,TK_bits) TK
Note: B should be at least 128bits

10. 11ay Key Hierarchy (W/ Key ID)
K (PMK)
Note 2
KDF-X( K, “11ay Key Generation”, Key ID||
Min(MAC_s, MAC_a)||Max(MAC_s, MAC_a)
||Min(SNonce,ANonce)|| Max(SNonce, ANonce))
PTK
Key confirmation key
L(PTK,0,B)
KCK
Key encryption key
L(PTK,B, B)
KEK2
Temporal Key
L(PTK,B or 2*B, TK_bits) TK
Note 1
Note 1: B should be at least 128bits
Note 2: Key ID is getting involved into the key generation

11. 11ay Key Usage and Management
Key Management
K is used to derive KCK (>=128bits), KEK(>=128bits) and TK (>=128bits)
The Cipher Suites are GCMP (OUI: 00-0F-AC:8)
Key ID is specially designed for the scenarios where no TTP server and both devices are in very close proximity (less threat from eavesdropping or man in the middle)
Key ID is to identify the Key from pre-shared Key database to prevent the forgery attack
The Key management should be following PTKSA life cycle management (10.3.5)
The 11ay re-association operation could repeat the same protocol in order to resume the upper layer sessions without breakout.

12. NEW RSN Capabilities field for 11ay Fast Association/Authentication
FAA
Capability
(Subclause )
- Define the 11ay FAA Capability Bit for indication: 0 is not using 11ay FAA
1 is using 11ay FAA
- If the 11ay FAA Capability bit is 1, an Authentication IE is attached thereafter

13. New: 11AY Authentication IE Format
Element ID
11ay PBSS Auth Options
Length
Key ID
Nonce's
MIC
Octets: 1 1 1
0 or 16
0 or 8
0 or 16
PCP/AP as Key ID initiator 1
DMG STA as key ID initiator B0 B2 B4 B5 B6 B7
Association
Authentication type
Handshake #
Key ID Usage
Key ID initiator
Reserved B3 B2 B3 B0 B1 00
Message #1 (Within the DMG Beacon or other frames) 01
Message #2
( Within the (re) Association Request Frame) 10
Message #3
(Within the (re) Association Response Frame) 11
Message #4 (Not used if B0::B1= 01 and 10) 00
Reserved 01
11ay PBSS Fast Association/Authentication with PSK 10
11ay PBSS Fast re-association/ re-authentication with PSK 11
11ay association/authentication using other frames than association/authentication frames

14. References
[1]Rob Sun, et al, Performance of EAP authentication and authorization

15. SP/Motion Do you agree to insert the following text into the SFD?
Mar 2016
SP/Motion
Do you agree to insert the following text into the SFD?
“An EDMG STA may include the Authentication IE within management frames during discovery and association phase to parallelize the pre-shared key based authentication and key generation, to speed up the process of authentication and association”
Yes:
No:
Abstain:
Huawei