1 / 25

Keying for Fast Roaming

Keying for Fast Roaming. Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation. Agenda. Concepts

addison
Download Presentation

Keying for Fast Roaming

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Keying for Fast Roaming Nancy Cam-Winget, Cisco Systems Keith Amann, Spectralink Bill Arbaugh, University of Maryland Greg Chesson, Atheros Dan Harkins, Trapeze Russ Housley, Vigil Security Fred Stivers, Texas Instruments Jesse Walker, Intel Corporation Cam-Winget et. al.

  2. Agenda • Concepts • Fast Roaming Key Hierarchy • Keying Reassociations • Fast Roaming PMK/PTK Usage • Protocol Properties • Back-end Protocol Considerations • Open Issues Cam-Winget et. al.

  3. Concepts • AS-STA Session – • MKID – Master Key Identifier, names a key • PMK Caching • PMK Timeout • PMK – unique per AP Cam-Winget et. al.

  4. Pairwise Master Key (PMK) = Roaming-PRF(MasterKey, “fast roaming pmk” | MKID | BSSID) PTK = Roaming-PRF(PMK, “fast roaming ptk” | new BSSID | STA MAC Addr | MKID | Counter) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256–n – can have ciphersuite-specific structure Fast Roaming Key Hierarchy (1) Master Key (MK) named MKID = Original BSSID | STA MAC Addr | NTP Timestamp Generate ETEK : End-To-End-Key is used to secure delivery of MKID Cam-Winget et. al.

  5. Fast Roaming Key Hierarchy (2) • No random nonces mixed into PTK • Rationale: Allow STA to pre-compute PTK • Consequence: PMK must be fresh across AS-STA sessions • MKID identifies keys • Rationale: optimizing performance requires identifying right key earlier in key confirmation handshake Cam-Winget et. al.

  6. Fast Roaming Key Hierarchy (3) Algorithm Roaming-PRF Input: Key K, Label L, Nonce N, Output Length OL Output:OL-octet string Out Out = “” fori = 1 to (OL+15)/16 do Out = Out | AES-CBC-MAC(K, L | N | i | OL) return first OL octets out of Out Cam-Winget et. al.

  7. PMK, MKID1, Counter1 PMK, MKID2, Counter2 Reassoc Req (RSN IE, Fast-Rekey IE(MKID1, Counter1 , Srand)) Reassoc Resp(RSN IE, Fast-Rekey IE(MKID2, Counter2, Arand, RSC, EKEK(GTK), MIC)) Action-Frame(Fast-Rekey-Confirm IE(Arand, MIC)) Install TK Counter2 = Counter1 Install TK AP Rekeying Reassociations (1) STA Counter1 = Counter1 + 1, KCK|KEK | TK = Roaming-PRF(PMK, “fast roaming ptk” | BSSID | STA MAC Addr | MKID | Counter) • if MKID1 == MKID2 and Counter1 > Counter2 then • derive KCK|KEK | TK • else reject Cam-Winget et. al.

  8. Rekeying Reassociations (2): Fast-Rekey IE Cam-Winget et. al.

  9. Rekeying Reassociations (3): Fast-Rekey-Confirm IE Cam-Winget et. al.

  10. Rekeying Reassociations (4): MICs • GTK encryption Algorithm: AES Key Wrapping (RFC 3394) • Pad with 16bytes of zeroes for CCMP • Reassociation Response MIC: AES-CBC-MAC-64(KCK, Srand | RSNIEBSSID | Element ID | Length | MKID | Counter | Arand | RSC | GTK Key ID | GTK Length | GTK) • Action Message Confirm MIC: AES-CBC-MAC-64(KCK, Element ID | Length | Arand) The MIC’s effectively cover the entire Fast Rekey IE and must know MIC data length apriori. Cam-Winget et. al.

  11. Rekeying Reassociations (5) • AP proves it is live by MICing SRand in Reassociation Response • STA proves it is live by MICing Arand in Action Message • Counter value rules insure PTK is fresh if PMK is fresh • STA must maintain Counter over MK lifetime • AP must maintain Counter over PMK lifetime Cam-Winget et. al.

  12. Rekeying Reassociations (6) • AES-CBC-MAC requires Fast-Rekey IE, Fast-Rekey-Confirm IE have fixed lengths • Use only with TKIP and CCMP Cam-Winget et. al.

  13. Protocol Properties • Scheme works with • proactive keying (Arbaugh et al) • on-demand key refresh (Cam-Winget) • Scheme aids fast roaming by • Supporting PTK pre-computation • PMK caching at the AP and STA • Reducing roundtrips at reassociation from 7.5 to 2.5 • Scheme is optional Cam-Winget et. al.

  14. Fast Roaming PMK/PTK Usage (1) • AS delivers PMK to AP Authenticator • 802.1X Authenticator derives Fast-Roaming PTK • 802.11 MAC asks 802.1X • to compute MICs over fast roaming rekey messages • to verify MICs of fast roaming rekey messages • to transfer RSC, encrypted GTK Cam-Winget et. al.

  15. Fast Roaming PMK/PTK Usage (2) Service interface: • MLME-Compute-MIC • Indicates offsets for RSC, Encrypted GTK or if not requried • 802.1X inserts RSC, GTK if non-zero offset • MLME-Verify-MIC • Indicates offsets for RSC, Encrypted GTK if present • 802.1X extracts RSC, GTK if present • Service interface allows proprietary keying schemes, too Cam-Winget et. al.

  16. Fast Roaming PMK/PTK Usage (3) • Scheme requires AP to cache PMK, Counter across associations • AP can use server as backing store • AP selects random key K • AP uses K to encrypt PMK, Counter, PMK Timeout and save these in backing store data base indexed by STA MAC Addr • Scheme requires a PMK Timeout to always be present with the PMK Cam-Winget et. al.

  17. Fast Roam negotiation Cam-Winget et. al.

  18. Initial Association AS STA AP 802.11 Open Authentication Association Req + RSN IE (AKM = Fast Roam) Association Response (success) EAP type specific mutual authentication AKM is relayed to AS using same back-end protocol (e.g. Radius attribute) Derive Pairwise Master Key (PMK) Access ACCEPT (MKID IE, PMK) Counter = 1; Derive PTK 802.1X/EAP-SUCCESS Cam-Winget et. al.

  19. Initial Association STA AP New Session Initiate ( MKIDE, RSNIEAP, Fast Rekey IE ) Counter ← 1 Derive PMK and PTK New Session Confirm( RSNIESTA, Fast Rekey IE) Install TK Install TK Cam-Winget et. al.

  20. Initial Association(2): MKID IE Element shared between STA and AS only. ETEK is used to authenticate MKID: MIC = AES-CBC-MAC(ETEK, Element ID | Length | MKID) Cam-Winget et. al.

  21. Initial Association (3) • New Session Initiate Fast Rekey IE : MIC = AES-CBC-MAC(KCK, RSNIEBSSID | Element ID | Length | GTK Key ID | GTK Length | MKID | Counter | ARand | RSC | GTK) • New Session Confirm Fast Rekey IE: MIC = AES-CBC-MAC(KCK, Element ID | Length | Arand) Cam-Winget et. al.

  22. Back-end Protocol Requirements • Must allow AP to specify roaming key hierarchy • Default = 4-way handshake hierarchy when unspecified • Must always support 4-way handshake, because STA may not support fast-roaming keying protocol • Must allow AS to deliver MKID, PMK, MKID IE timeout with PMK to APs within roaming domain Cam-Winget et. al.

  23. Motion • Move to incorporate Fast Roaming Key Hierarchy and protocol from document 03/XXX into the TGi draft as optional. Cam-Winget et. al.

  24. Issues Under Discussion…all related to the backend • Which PMK to use on initial contact association? • AS and STA defines PMK to use in EAP exchange via EAP TLV. • How to deliver MKID to STA on initial contact? • AS delivers the MKID either through EAP TLV or on first initial contact handshake. • How does 802.1X AS know to generate the Fast Roaming PMK instead of 4-way Handshake PMK? • EAP TLV can be inserted in the EAP Identity Response of first STA challenge response. Otherwise, a new EAP method must be provided. • What are the PMK caching rules? • It is being addressed, one example is 03/084 • Effect on 802.1X state machine? • Initial establishment is affected. New MLME interface is needed to allow .11 request new PTK. • Is rekey required? If so, how? • Issue holds for Fast Roam and 4-way handshake Cam-Winget et. al.

  25. Feedback? Cam-Winget et. al.

More Related