
PMK “sharing”



Presentation Transcript


  1. PMK “sharing”
     Tim Moore, Microsoft

  2. Wish
     • Share PMK between multiple APs within a physical box
     • Translate to
     • Share keying information from an 802.1X authentication for use by 4-way handshakes on multiple APs within a physical box

  3. PMK
     • PMK = MSK(0..31)
     • MSK – master session key, first 256 bits
     • MSK is what is delivered to AP from RADIUS server, a AAA Key

  4. Security
     • Do not reuse symmetric key
     • Can derive keys from a single symmetric key and use the derived keys

  5. Security fix
     • Derive multiple PMKs from MSK, one per AP
     • PMK = PRF(MSK(0..31), “PMK Key”|BSSID)
     • Now have unique symmetric key rather than reusing PMK

  6. Implementation issue
     • How does Supplicant know which MSKs can be used to derive a PMK to another AP?
     • Need additional information from AP
     • Add an Authenticator Group MAC address
     • An MSK from an 802.1X authentication from any authenticator with the same group address can be used to derive a PMK for use with this authenticator

  7. Implementation issue
     • How does Authenticator know which MSKs can be used to derive a PMK to another Supplicant?
     • Need additional information from the Supplicant
     • Add a Supplicant Group MAC address
     • An MSK from an 802.1X authentication from any supplicant with the same group address can be used to derive a PMK from this supplicant

  8. Group Address
     • Add a MAC address to the RSN IE
     • Group address in Beacon and Probe response contains Authenticator Group Address
     • Group address in (re)associate request contains Supplicant Group Address

  9. Changes
     • PMK = PRF(MSK(0..31), “PMK Key”|BSSID)
     • RSNIE
     • Add “Group MAC Addr” field
     • Text in PMK caching to describe use of Group Addresses
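
The per-AP derivation from slides 5 and 9, combined with the supplicant-side group address check from slides 6 and 8, as an added example that is not part of the original presentation. It assumes the slides' PRF is the HMAC-SHA1 based PRF-256 of IEEE 802.11i; the function names, MSK, BSSIDs and group addresses are constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"PMK Key"  # label string given on slides 5 and 9

# Constructed sample values, not taken from the presentation.
MSK = bytes(range(64))
GROUP_A = "02:00:00:00:00:aa"   # Authenticator Group Address of one physical box
GROUP_B = "02:00:00:00:00:bb"   # a different physical box
BSSID_1 = "02:00:00:00:00:01"
BSSID_2 = "02:00:00:00:00:02"


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """Assumed PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]


def mac_bytes(mac: str) -> bytes:
    """Parse a MAC address string into its 6 octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    return raw


def derive_pmk(msk: bytes, bssid: str) -> bytes:
    """PMK = PRF(MSK(0..31), "PMK Key" | BSSID): one 256-bit PMK per AP."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 octets")
    return prf(msk[:32], LABEL, mac_bytes(bssid), 256)


def pmk_for_ap(msk: bytes, msk_group: str, advertised_group: str, bssid: str):
    """Supplicant side: reuse the MSK only if the target AP advertises the same
    Authenticator Group Address as the AP the MSK was established with."""
    if mac_bytes(msk_group) != mac_bytes(advertised_group):
        return None  # different group: a full 802.1X authentication is needed
    return derive_pmk(msk, bssid)
```

Because the BSSID is an input to the PRF, the two APs in the same box end up with different PMKs even though both start from the same MSK, which is the point of slide 5.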
