250 likes | 420 Views
Keying for Fast Roaming. Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation. Agenda. Concepts
E N D
Keying for Fast Roaming Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation Cam-Winget et. al.
Agenda • Concepts • Fast Roaming Key Hierarchy • Keying Reassociations • Fast Roaming PMK/PTK Usage • Protocol Properties • Back-end Protocol Considerations • Open Issues Cam-Winget et. al.
Concepts • AS-STA Session – • MKID – Master Key Identifier, names a key • PMK Caching • PMK Timeout • PMK – unique per AP Cam-Winget et. al.
Pairwise Master Key (PMK) = Roaming-PRF(MasterKey, “fast roaming pmk” | MKID | BSSID) PTK = Roaming-PRF(PMK, “fast roaming ptk” | new BSSID | STA MAC Addr | MKID | Counter) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256–n – can have ciphersuite-specific structure Fast Roaming Key Hierarchy (1) Master Key (MK) named MKID = Original BSSID | STA MAC Addr | NTP Timestamp Generate ETEK : End-To-End-Key is used to secure delivery of MKID Cam-Winget et. al.
Fast Roaming Key Hierarchy (2) • No random nonces mixed into PTK • Rationale: Allow STA to pre-compute PTK • Consequence: PMK must be fresh across AS-STA sessions • MKID identifies keys • Rationale: optimizing performance requires identifying right key earlier in key confirmation handshake Cam-Winget et. al.
Fast Roaming Key Hierarchy (3) Algorithm Roaming-PRF Input: Key K, Label L, Nonce N, Output Length OL Output:OL-octet string Out Out = “” fori = 1 to (OL+15)/16 do Out = Out | AES-CBC-MAC(K, L | N | i | OL) return first OL octets out of Out Cam-Winget et. al.
PMK, MKID1, Counter1 PMK, MKID2, Counter2 Reassoc Req (RSN IE, Fast-Rekey IE(MKID1, Counter1 , Srand)) Reassoc Resp(RSN IE, Fast-Rekey IE(MKID2, Counter2, Arand, RSC, EKEK(GTK), MIC)) Action-Frame(Fast-Rekey-Confirm IE(Arand, MIC)) Install TK Counter2 = Counter1 Install TK AP Rekeying Reassociations (1) STA Counter1 = Counter1 + 1, KCK|KEK | TK = Roaming-PRF(PMK, “fast roaming ptk” | BSSID | STA MAC Addr | MKID | Counter) • if MKID1 == MKID2 and Counter1 > Counter2 then • derive KCK|KEK | TK • else reject Cam-Winget et. al.
Rekeying Reassociations (2): Fast-Rekey IE Cam-Winget et. al.
Rekeying Reassociations (3): Fast-Rekey-Confirm IE Cam-Winget et. al.
Rekeying Reassociations (4): MICs • GTK encryption Algorithm: AES Key Wrapping (RFC 3394) • Pad with 16bytes of zeroes for CCMP • Reassociation Response MIC: AES-CBC-MAC-64(KCK, Srand | RSNIEBSSID | Element ID | Length | MKID | Counter | Arand | RSC | GTK Key ID | GTK Length | GTK) • Action Message Confirm MIC: AES-CBC-MAC-64(KCK, Element ID | Length | Arand) The MIC’s effectively cover the entire Fast Rekey IE and must know MIC data length apriori. Cam-Winget et. al.
Rekeying Reassociations (5) • AP proves it is live by MICing SRand in Reassociation Response • STA proves it is live by MICing Arand in Action Message • Counter value rules insure PTK is fresh if PMK is fresh • STA must maintain Counter over MK lifetime • AP must maintain Counter over PMK lifetime Cam-Winget et. al.
Rekeying Reassociations (6) • AES-CBC-MAC requires Fast-Rekey IE, Fast-Rekey-Confirm IE have fixed lengths • Use only with TKIP and CCMP Cam-Winget et. al.
Protocol Properties • Scheme works with • proactive keying (Arbaugh et al) • on-demand key refresh (Cam-Winget) • Scheme aids fast roaming by • Supporting PTK pre-computation • PMK caching at the AP and STA • Reducing roundtrips at reassociation from 7.5 to 2.5 • Scheme is optional Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (1) • AS delivers PMK to AP Authenticator • 802.1X Authenticator derives Fast-Roaming PTK • 802.11 MAC asks 802.1X • to compute MICs over fast roaming rekey messages • to verify MICs of fast roaming rekey messages • to transfer RSC, encrypted GTK Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (2) Service interface: • MLME-Compute-MIC • Indicates offsets for RSC, Encrypted GTK or if not requried • 802.1X inserts RSC, GTK if non-zero offset • MLME-Verify-MIC • Indicates offsets for RSC, Encrypted GTK if present • 802.1X extracts RSC, GTK if present • Service interface allows proprietary keying schemes, too Cam-Winget et. al.
Fast Roaming PMK/PTK Usage (3) • Scheme requires AP to cache PMK, Counter across associations • AP can use server as backing store • AP selects random key K • AP uses K to encrypt PMK, Counter, PMK Timeout and save these in backing store data base indexed by STA MAC Addr • Scheme requires a PMK Timeout to always be present with the PMK Cam-Winget et. al.
Fast Roam negotiation Cam-Winget et. al.
Initial Association AS STA AP 802.11 Open Authentication Association Req + RSN IE (AKM = Fast Roam) Association Response (success) EAP type specific mutual authentication AKM is relayed to AS using same back-end protocol (e.g. Radius attribute) Derive Pairwise Master Key (PMK) Access ACCEPT (MKID IE, PMK) Counter = 1; Derive PTK 802.1X/EAP-SUCCESS Cam-Winget et. al.
Initial Association STA AP New Session Initiate ( MKIDE, RSNIEAP, Fast Rekey IE ) Counter ← 1 Derive PMK and PTK New Session Confirm( RSNIESTA, Fast Rekey IE) Install TK Install TK Cam-Winget et. al.
Initial Association(2): MKID IE Element shared between STA and AS only. ETEK is used to authenticate MKID: MIC = AES-CBC-MAC(ETEK, Element ID | Length | MKID) Cam-Winget et. al.
Initial Association (3) • New Session Initiate Fast Rekey IE : MIC = AES-CBC-MAC(KCK, RSNIEBSSID | Element ID | Length | GTK Key ID | GTK Length | MKID | Counter | ARand | RSC | GTK) • New Session Confirm Fast Rekey IE: MIC = AES-CBC-MAC(KCK, Element ID | Length | Arand) Cam-Winget et. al.
Back-end Protocol Requirements • Must allow AP to specify roaming key hierarchy • Default = 4-way handshake hierarchy when unspecified • Must always support 4-way handshake, because STA may not support fast-roaming keying protocol • Must allow AS to deliver MKID, PMK, MKID IE timeout with PMK to APs within roaming domain Cam-Winget et. al.
Motion • Move to incorporate Fast Roaming Key Hierarchy and protocol from document 03/XXX into the TGi draft as optional. Cam-Winget et. al.
Issues Under Discussion…all related to the backend • Which PMK to use on initial contact association? • AS and STA defines PMK to use in EAP exchange via EAP TLV. • How to deliver MKID to STA on initial contact? • AS delivers the MKID either through EAP TLV or on first initial contact handshake. • How does 802.1X AS know to generate the Fast Roaming PMK instead of 4-way Handshake PMK? • EAP TLV can be inserted in the EAP Identity Response of first STA challenge response. Otherwise, a new EAP method must be provided. • What are the PMK caching rules? • It is being addressed, one example is 03/084 • Effect on 802.1X state machine? • Initial establishment is affected. New MLME interface is needed to allow .11 request new PTK. • Is rekey required? If so, how? • Issue holds for Fast Roam and 4-way handshake Cam-Winget et. al.
Feedback? Cam-Winget et. al.