Fast Security Setup
Authors: ZTE Corporation
Abstract
This document proposes an approach for accelerating the security setup for FILS.
Conformance w/ Tgai PAR & 5C
Background
• 11/1160r4 has proposed that:
  • Use of optimized full EAP in 11/1047r6 when EAP-RP context is not set up, or has expired;
  • Otherwise use EAP-RP based fast authentication in 11/1160r4.
• Our comments:
  • It is a good idea to combine full EAP authentication with EAP re-authentication;
  • It could cover both the initial security setup case and the re-authentication case;
  • It could provide fast security setup effectively.
Our Concern: 1
• The EAP method authentication procedure is out of scope of IEEE 802.11.
• In the full EAP procedure in 11/1160r4, messages 3, 4, 7 and 9 are EAP method specific. Why are they introduced in IEEE 802.11ai?
• The FILS procedure should be independent of the EAP method specific procedure.
Our Concern: 2
• If DHCP takes a long time and the STA does not receive the Association Response message within a pre-defined time, what should the STA do?
• The STA cannot know what the problem is. It does not know whether EAP authentication was successful or not, or whether the DHCP procedure was successful or not.
• The STA can only retransmit the Association Request message, again carrying the EAP related message.
DHCP procedure lasts too long!
Our Concern: 2 (Cont.)
• State Machine: Only after receiving the successful message 15 (Association Rsp) can the STA transition from NO Authentication Context to FULL-EAP-Session.
• But actually, after step 12, authentication has finished successfully.
• There is no need to wait for step 15, especially when something is wrong with the DHCP procedure and too much time is wasted.
EAP authentication shall not be performed with the DHCP procedure concurrently!
Figure: State Machine in 11/1160r4
Proposal Introduction
• EAP-based authentication is used. The specific method should be an implementation issue and is out of 802.11ai scope.
• The 4-way handshake procedure is reduced to 1 round.
• The key agreement procedure follows EAP authentication.
• The EAP authentication procedure is performed separately from the DHCP procedure.
• After successful EAP authentication, the STA can change to FULL EAP session state. There is no need to wait for the DHCP message.
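4-way/Group Key handshake messages reduction
Figure (two message sequence diagrams between STA and AP):
Original 4-way handshake and Group Key handshake:
• AP: Generate ANonce
• AP → STA: EAPOL-KEY(ANonce)
• STA: Generate SNonce, derive PTK
• STA → AP: EAPOL-KEY(SNonce, MIC1)
• AP: derive PTK, verify MIC1
• AP → STA: EAPOL-KEY(ANonce, MIC2)
• STA: verify MIC2
• STA → AP: EAPOL-KEY(MIC3)
• AP: Generate GTK and GNonce
• AP → STA: EAPOL-KEY(GNonce, GTK[KEK], MIC4)
• STA: Decrypt GTK
• STA → AP: EAPOL-KEY(MIC5)
Proposed key agreement procedure:
• STA: Generate SNonce
• STA → AP: Auth(SNonce)
• ….
• AP: Generate ANonce and GTK, derive PTK
• AP → STA: Auth(ANonce, GTK[KEK], MIC1)
• STA: derive PTK, verify MIC1
• STA → AP: Association Req (SNonce, MIC2)
• AP: verify MIC2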
4-way/Group Key handshake messages reduction
• Original 4-way handshake:
  • 1st message: AP sends ANonce to STA;
  • 2nd message: STA generates SNonce, derives PTK, and sends SNonce and MIC1 to AP;
  • 3rd message: AP derives PTK, verifies MIC1 and sends MIC2 to STA;
  • 4th message: It serves no cryptographic purpose. It serves as an acknowledgment to Message 3.
• Group Key handshake: 2 messages are used to transfer GTK.
• Proposed key agreement procedure:
  • ANonce is transferred to AP in advance: the 1st message could be removed;
  • Only 2 messages are used to verify keys;
  • Group key handshake could be carried out in key agreement procedure concurrently: the 4th message could be avoided.
Proposed Fast Security Setup Procedure
State transition diagram
When the STA receives the Authentication message, it can enter State 2 (Authenticated and unassociated). State 3 is skipped!
Conclusions
• EAP-based authentication is unchanged and the specific EAP method is out of scope, as 802.11 has defined.
• The DHCP procedure is independent of EAP authentication.
  • After successful EAP authentication, the STA can change to FULL EAP session state. There is no need to wait for the DHCP message.
• The key agreement procedure is independent of EAP authentication.
  • Key verification is performed after a successful EAP authentication.
  • The 4-way handshake procedure is reduced to 1 round.
  • The group key handshake is performed concurrently with key verification.
Response to Questions
Question 1: How to trigger Message 1?
• Message 1 could be the Authentication message.
• It could be triggered by receiving a Beacon or Probe Response.
Question 2: SNONCE is sent to AP before EAP authentication. Is there any security problem?
• In the current 802.11 RSNA, ANONCE and SNONCE are sent to STA without encryption protection. There is no risk. So there is no requirement for nonce encryption.
• In either the current RSNA or 1426, one of the two nonces has no integrity protection. If either of the two nonces is tampered with, the keys generated by AP and STA respectively would be different, so the key verification would fail.
• Even if SNONCE is sent to AP before authentication, it is used only after the successful authentication.
Question 3: Key verification is reduced from 2 rounds to 1 round, and is triggered by AP. Is there any security problem, e.g., MITM attack?
Question 3: Key verification is reduced from 2 rounds to 1 round, and is triggered by AP. Is there any security problem, e.g., MITM attack? (Cont.)
• If there is a MITM attack, the key agreement message 1 and message 2 cannot be successfully verified.
• As the PTK includes the IEEE 802 MAC addresses of both STA and AP, MAC address tampering would result in key asynchronization between STA and AP, thus MIC verification would fail.
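The argument made in Questions 2 and 3, as an added example that is not part of the original slides: the AP recomputes the PTK from the nonces and MAC addresses it observed and checks the STA's MIC, so a modified SNonce or MAC address makes verification fail. It assumes the existing RSNA PRF-384 over HMAC-SHA1 and an HMAC-SHA1-128 MIC keyed with the KCK; the slides do not specify the proposal's own key hierarchy or frame layout, and every key, address, nonce and frame body below is constructed.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max MACs || min/max nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def mic(ptk: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 keyed with the KCK (first 16 bytes of the PTK)."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def ap_accepts(pmk, aa, spa, anonce, snonce, frame, received_mic) -> bool:
    """AP side: rebuild the PTK from the values it saw, then check the MIC."""
    expected = mic(derive_ptk(pmk, aa, spa, anonce, snonce), frame)
    return hmac.compare_digest(expected, received_mic)

# Constructed sample values (not taken from the slides).
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")    # AP MAC address
SPA = bytes.fromhex("020000000002")   # STA MAC address
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
FRAME = b"constructed Association Request body"

def demo() -> dict:
    # The STA computes its MIC (MIC2 in the slides) with the true values.
    sta_mic = mic(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE), FRAME)
    bad_snonce = bytes([SNONCE[0] ^ 1]) + SNONCE[1:]   # one bit flipped in transit
    bad_spa = bytes.fromhex("020000000099")            # STA address altered in transit
    return {
        "untouched": ap_accepts(PMK, AA, SPA, ANONCE, SNONCE, FRAME, sta_mic),
        "snonce_tampered": ap_accepts(PMK, AA, SPA, ANONCE, bad_snonce, FRAME, sta_mic),
        "sta_mac_changed": ap_accepts(PMK, AA, bad_spa, ANONCE, SNONCE, FRAME, sta_mic),
    }

if __name__ == "__main__":
    print(demo())
```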
Question 4: How to allocate an IPv6 address?
Question 4: How to allocate an IPv6 address? (Cont.)
Thanks!