1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: Key Hierarchy Discussion Date Submitted: January 5, 2009 Present at a Future IEEE.


Slide 1: IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-09-00xx-00-sec
Title: Key Hierarchy Discussion
Date Submitted: January 5, 2009
Present at: a future IEEE 802.21a meeting (TBD)
Authors: Lily Chen (NIST)
Abstract: This document focuses on the IEEE 802.11 and IEEE 802.16 key hierarchies to understand the impact of introducing a media independent key hierarchy.

Slide 2: IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/faq.pdf>.

Slide 3: Background
- At the January 5 802.21a teleconference, it appeared that group members have different understandings of the media specific key hierarchy vs. the media independent key hierarchy.
- This presentation explains the author's understanding for further discussion.

Slide 4: Proposed MIA Key Hierarchy
- Document #102 proposed this new key hierarchy.
- Document #164 discussed options to distribute MS-PMKs to different MSAs.
(Diagram: MSK or rMSK → MI-PMK → MS1-PMK, MS2-PMK; MS1-PMK is distributed to MSA1 and MS2-PMK to MSA2.)

Slide 5: IEEE 802.11 Key Hierarchy

Slide 6: 802.11r Key Hierarchy
- The PMK-R0 KH is considered as an MSA.
(Diagram: MSK → PMK-R0, held by the PMK-R0 KH → PMK-R1 A, PMK-R1 B → PTK A, PTK B.)

Slide 7: If the MS-PMK is used as the MSK for the PMK-R0 KH, ...
(Diagram: MSK or rMSK → MI-PMK → MS1-PMK, delivered to the PMK-R0 KH → PMK-R0 → PMK-R1 A, PMK-R1 B → PTK A, PTK B.)

Slide 8: Then there are two key hierarchies
(Diagram, with media independent authentication: MSK or rMSK → MI-PMK → MS1-PMK → PMK-R0 → PMK-R1 → PTK.)
(Diagram, with 802.11 initial entry authentication: MSK or rMSK → PMK-R0 → PMK-R1 → PTK.)

Slide 9: In an initial entry authentication
(Diagram: the MN's 802.11 Auth Client authenticates with the 802.11 Auth Server; the MSK is delivered to the PMK-R0 KH, which derives PMK-R1 A and PMK-R1 B for PMK-R1 KH A and PMK-R1 KH B. Existing 802.11r chain: MSK → PMK-R0 → PMK-R1 A, PMK-R1 B.)

Slide 10: In a media independent authentication
(Diagram: the MN holds an MI Auth Client, an 802.11 Auth Client, an 802.16 Auth Client, a 3GPP USIM and the MIHF; the PoS-MIA holds the MI Auth Server, alongside the 802.11 Auth Server, the 802.16 Auth Server and the 3GPP AuC/HLR. The MI Auth Server derives MSK → MI-PMK → MS-PMK, and the MS-PMK is delivered to the PMK-R0 KH, which derives PMK-R1 A and PMK-R1 B for PMK-R1 KH A and PMK-R1 KH B. Existing 802.11r chain: MSK → PMK-R0 → PMK-R1 A, PMK-R1 B.)

Slide 11: Conclusion – Part 1
- The same MN, for 802.11 access, will derive different key hierarchies in an initial entry authentication and in a media independent authentication.
- Therefore, what an MIA accommodates should be a "media specific authentication for 802.11" that generates the same key hierarchy.
- The key distributed to the R0 KH should be the MSK. Do not use the MS-PMK as an MSK!

Slide 12: IEEE 802.16 Key Hierarchy

Slide 13: 802.16e – PKMv2
- 802.16e PKMv2 supports two main authentications:
  - RSA-based authorization with the BS.
  - RSA-based authorization with the BS, followed by EAP authentication with the AAA. Optionally, a second EAP can be executed with the BS.
- The different authentications generate different key hierarchies.

Slide 14: 802.16e – PKMv2 RSA Based Authorization
- The Pre-PAK is transported from the BS to the MS, encrypted with the MS's RSA public key.
- The AK is derived from the PAK.
- The KEK is a truncation of the AK and is used to deliver TEKs in the three-way handshake.
- In this case, all the keys are derived at the MS and the BS. How to introduce a media independent key hierarchy?
(Diagram: the MS sends its X.509 Cert in the Authorization Req; the BS returns the Authorization Reply with the Pre-PAK encrypted by the MS's RSA PK. Keys: Pre-PAK → EIK, PAK; PAK → AK; AK → KEK, MAC keys.)

Slide 15: 802.16e – PKMv2 RSA and EAP
- The Pre-PAK is transported from the BS to the MS, encrypted with the MS's RSA public key. (The BS is engaged at a very early stage.)
- The MSK is obtained through EAP.
- The AK is derived from the PMK and the PAK.
- An EIK is derived from the Pre-PAK to protect EAP.
- If a media independent authentication is introduced, how to plug in the target BS?
- How to map the media independent key hierarchy to this case?
(Diagram: MS, BS and AAA. The BS sends the Pre-PAK encrypted by the MS's RSA PK; EAP runs protected by the EIK, and the MSK is delivered from the AAA to the BS. Keys: Pre-PAK → EIK, PAK; MSK → PMK; PAK and PMK → AK → KEK, MAC keys.)

Slide 16: 802.16e – PKMv2 RSA and EAP (AK from MSK)
- There is an option that the AK is derived only from the PMK, which is derived from the MSK.
- In this case, if an MS-PMK is used as the MSK in handover, assuming it is doable and ignoring all the other issues, it introduces a different key hierarchy.
(Diagram, initial entry key hierarchy: MSK → PMK → AK → KEK, MAC keys.)
(Diagram, MI authentication key hierarchy: MSK → MI-PMK → MS-PMK → PMK → AK → KEK, MAC keys. The message flow between MS, BS and AAA is unchanged: Pre-PAK, EAP protected by the EIK, MSK delivery.)

Slide 17: 802.16e – PKMv2 RSA and 2 EAP
- The Pre-PAK is transported from the BS to the MS, encrypted with the MS's RSA public key.
- MSK1 is obtained through the first EAP.
- EIK1 is derived from the Pre-PAK to protect the first EAP.
- EIK2 is derived from MSK1 to protect the second EAP.
- How to map the media independent key hierarchy to this case?
(Diagram: MS, BS and AAA. Pre-PAK encrypted by the RSA PK; EAP protected by EIK1 yields MSK1; an optional EAP protected by EIK2 yields MSK2. Keys: MSK1 → PMK1, EIK2; MSK2 → PMK2; AK → KEK, MAC keys.)

Slide 18: Conclusion – Part 2
- In 802.16, a BS must authorize the MS before the MS engages in an EAP protocol. A Media Independent Authentication can hardly plug in the target BS.
- When the AK is derived from the PAK and the MSK, it can hardly be mapped to the media independent key hierarchy introduced in #102.
- When the AK is derived from one MSK only, using an MS-PMK as the input to an authenticator will introduce a different key hierarchy!
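Added example, not from the presentation: a Python model of the comparison made in Conclusion Part 1 (802.11r below the PMK-R0 KH) and in slide 16 (802.16e when the AK comes from the PMK only), deriving the media-specific chain once from the MSK and once from an MS-PMK, then checking whether the two hierarchies agree. The HMAC-SHA256 `kdf`, the labels and the sample MSK are assumptions of this model, not the derivation functions of 802.11r, 802.16e or document #102.

```python
import hashlib
import hmac

# Constructed sample input: a 64-byte MSK as an EAP method would export it.
MSK = bytes(range(64))

def kdf(key: bytes, label: str, context: bytes = b"") -> bytes:
    """HMAC-SHA256 derivation. Assumption: a generic stand-in for the
    standards' own KDFs, not the 802.11r or 802.16e derivation functions."""
    return hmac.new(key, label.encode() + b"\x00" + context, hashlib.sha256).digest()

def media_specific_chain(seed: bytes, authenticators: list) -> dict:
    """Model of the chain below the media-specific root holder (the 802.11r
    PMK-R0 KH, or the 802.16e authenticator when the AK comes from the PMK
    only): root -> per-authenticator key -> session keys.  The only thing
    that differs between the two paths the slides compare is the seed."""
    root = kdf(seed, "root")                       # PMK-R0 in 802.11r, PMK in 802.16e
    keys = {"root": root}
    for auth_id in authenticators:
        per_auth = kdf(root, "per-auth", auth_id)  # PMK-R1 in 802.11r, AK in 802.16e
        keys["per-auth:" + auth_id.decode()] = per_auth
        keys["session:" + auth_id.decode()] = kdf(per_auth, "session", auth_id)  # PTK / KEK, MAC keys
    return keys

def initial_entry(msk: bytes, authenticators: list) -> dict:
    """Initial entry authentication: the MSK itself seeds the media-specific chain."""
    return media_specific_chain(msk, authenticators)

def media_independent(msk: bytes, msa_id: bytes, authenticators: list) -> dict:
    """Document #102 path as modelled here: MSK -> MI-PMK -> MS-PMK, with the
    MS-PMK handed to the media-specific root holder in place of an MSK."""
    mi_pmk = kdf(msk, "MI-PMK")
    ms_pmk = kdf(mi_pmk, "MS-PMK", msa_id)
    return media_specific_chain(ms_pmk, authenticators)

def hierarchies_match(a: dict, b: dict) -> bool:
    """True only if every key at every level of the two hierarchies is identical."""
    return a.keys() == b.keys() and all(hmac.compare_digest(a[k], b[k]) for k in a)

if __name__ == "__main__":
    auths = [b"A", b"B"]  # two PMK-R1 KHs (or two BSs) served by the same root holder
    same = hierarchies_match(initial_entry(MSK, auths), media_independent(MSK, b"MSA1", auths))
    print("same MN and MSK, identical hierarchy from both paths:", same)  # False
```

Every level diverges, so an MN that performed initial entry authentication and one that performed media independent authentication hold unrelated PMK-R1/PTK (or AK/KEK) sets even though both started from the same MSK.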

Slide 19: Conclusion
- Introducing a Media Independent Key Hierarchy will make 802.11 use two different key hierarchies.
- A Media Independent Key Hierarchy can hardly map to the 802.16 key hierarchy. (Independent authentication has more issues.)
- We should not introduce a Media Independent Key Hierarchy in 21a.
