350 likes | 508 Views
Background Study :802.11i Encryption. MK (Master Key) PMK (Pair-wise Master Key) PTK (Pair-wise Transient Key) GMK (Group Master Key) GTK (Group Transient Key). Background Study : ECC (Elliptic Curve Cryptography)[Neil Koblitz, Victor Miller, 1985]. General Form. 質數體. 二元體. 質數體加法規則.
E N D
MK (Master Key) • PMK (Pair-wise Master Key) • PTK (Pair-wise Transient Key) • GMK (Group Master Key) • GTK (Group Transient Key)
Background Study : ECC (Elliptic Curve Cryptography)[Neil Koblitz, Victor Miller, 1985] • General Form 質數體 二元體
質數體加法規則 • O: Point at infinity • P+O=O+P=P
乘法規則 • nP=O n稱為order • Given G, Q=dG, d is randomly selected. It is nearly impossible to derive d (橢圓曲線離散對數問題). G is called generator. Q is called public key. d is called private key.
ECCDH • Given E, a generator point P. • A selects a private key da. A derives public key Qa= da∙P • B selects a private key db. B derives public key Qb=db∙P • A and B exchange their public Key • A derives share key Sab=da∙Qb • B derives share key Sab=db∙Qa
Bilinear pairing • Establishment of a session key requires only one message for exchange • Two cyclic group bilinear mapping • G1: cyclic addition group, G2 cyclic multiply group
Introduction • Roaming delay is composed by • Channel scanning and probing • Mobile client must disconnect from the current AP and join a new AP and it takes 20ms~380ms • Authentication at the new AP • The overall roaming delay should be kept under 50ms, ideally the authentication should not take more than 20ms to allow 30ms for channel scanning and probing.
802.11i • Authentication is done by 802.1x, or by a pre-shared key. • PMK, 4-way handshake for PTK, 2-way handshake for GTK. • Full authentication takes 750~1200ms • Roaming authentication takes 200ms, or 50ms for the best case.
Proactive key distribution method • Distributes a new PMK to neighbor APs • Roaming authentication time reduce to 21ms on the average. • Heavy burden on AS • AP must track the movement of clients • Pre-authentication • A client connects to multiple APs first. • 0 delay • Impose heavy burden on AS and may not extend beyond the first access router
Predictive authentication • All the neighboring APs can receive the authentication response. • Drawbacks are similar to pre-distribution • 802.11r • Authentication time of best case is 10ms • Pre-distribution of the keys to all the AP within the subnet • Drawbacks still remain
Reducing 4-way handshake is important. Best case analysis of 4-way handshake is 20ms. • Inter-domain roaming
Background • IDC (Identity-based Cryptography) • Known identity information is used in ID-based cryptography to derive a public key thus no public key exchange is necessary. • Identity value may be alphanumeric character string or MAC address. • PKG (Private Key Generator) • Given private key to the ID owner through a secure channel
Bilinear map • Multiply integers with points on elliptic curves • Given P and sP, it is nearly impossible to compute s
Public/private key generation • PKG uses a master key s and a fixed point P on a elliptic curve. • Public key Oid • PKG hashes user’s ID to a point Qid on the curve. • Private key s∙Qid • P, s∙P, cryptographic function H1 can be made available in public
Proposed scheme SFRIC • To use a WLAN, a user logs into the network through 802.11i process. • For static client SFRIC is not necessary • SFRIC has 2 phases. In phase 1 a client accesses the PKG to get a private key. When the client decides to roam it first finds and joins a new APs by probing and scanning, and follows the phase 2 procedure to exchange authentication messages.
Phase 1 preparation • APs and client both contact to PKG with their MAC and receive a private key via secure channel • Private key of client • {MAC||expiration date||expiration hour||Nounce} • Private key of AP • {MAC||current date||current hour} • Both are periodically refreshed in every hour
Comment • Figure 3 says message 1 is encrypted in Ka, but figure 4 says it is K1 to be used for encrypted instead.
Comment: The above equation can prove anything. Comment:(rKa, sP)=(Kc-1, rP)? • Serious error in equation. Can not prove security key of a equals to security key of csKa = Kc-1??
{MACc} is called the proof of ID. If the MAC address of ID matches the MAC address in the packet header, the sender is proven to posses the MAC address and the right private key. • Comment: Verification of MAC is smart but weak.
Comment: If MACc is encrypt by c’s private key, there is no way to decrypt it in a.
The most time consuming is the pairing operations E2, D1, and D2, while the cost of the rest is almost negligible. • Comment: I am not convincible why E1 pairing operation can be negligible. • Comment: Authors is too optimistic to neglect the network operation, especially in worst cases.
The authors claim there will be only 2pairing operations require, which take 17ms (cited by [23] that one pairing operation is 8.7ms for best case), one can be done in advance. • Comment: there is no simulation for the computation. Nothing but site by other work. Conviction is weak.
Review Suggestion • Rate the importance of the topic addressed in the paper and its timeliness within its area of research Excellent Above average Average Below average None • Rate the technical contribution of the paper, its soundness and scientific rigourExcellent Solid work Valid work Marginal work Questionable • Rate the novelty and originality of the work presented in the paperPioneering Novel Some Novel Minor variation It has been said many times before
Rate the paper organization, the clearness of text and figures, the completeness and accuracy of references.Excellent Well written Readable Substantial revision work is needed Unacceptable • Strengths: • Weakness: • Recommended changes: