Fast Pre-Authentication Based on Proactive Key Distribution for 802.11 Infrastructure Networks
M. Kassab, A. Belghith, J. Bonnin, S. Sassi, ACM WMuNeP'05
Presented 2006/10/31 by Junbeom Hur, CS Div. NS Lab.
Problem Definition
• How can the re-authentication latency during handoff be reduced in an IEEE 802.11 network?
[Figure: Station, AP and Authentication Server; the station authenticates through its AP to the authentication server and must re-authenticate after each handoff]
IEEE 802.11
• High-speed wireless Internet connectivity
• Lack of mobility support
• 802.1X full authentication on every handoff: about 1000 ms
• 802.11i recommends EAP/TLS
• An obstacle for real-time applications (e.g., VoIP, with a latency budget of about 50 ms)
Fig. 1. IEEE 802.1X Architecture
EAP/TLS Authentication
• PMK = PRF(MK, 'client EAP encryption' | ClientHello.random | ServerHello.random)
• PTK = PRF(PMK, ANonce, SNonce, STAmac, APmac)
Fig. 2. Complete EAP/TLS Authentication Exchange
Proactive Key Distribution [Arunesh04]
• Fast handoff
• Pre-authenticate to the neighbor APs before handoff
Fig. 3. Authentication Exchange Process with PKD
• PMK0 = PRF(MK, 'client EAP encryption' | ClientHello.random | ServerHello.random)
• PMKn = PRF(MK, PMKn-1 | APmac | STAmac)
Proposed Method
• PKD with IAPP caching
• PKD with anticipated 4-way handshake
PKD with IAPP Caching
• PKD + IAPP cache mechanism
• Temporary authentication within a time limit
Fig. 4. Authentication Exchange Process with 'PKD with IAPP Caching': (a) Pre-authentication, (b) Re-authentication
• PTKx = PRF(PMK, PTKinit | APmac | STAmac)
PKD with Anticipated 4-Way Handshake
• 4-way handshake with each neighbor AP, carried out through the current AP
Fig. 5. Authentication Exchange Process with 'PKD with anticipated 4-way handshake': (a) Pre-authentication, (b) Re-authentication
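The key derivations of the last four slides, worked through as an added example (this is not code from the paper or from the presenter): the PKD chain PMK0, PMK1, ..., PMKn from Fig. 3, the PTKx derivation and time-limited cache of 'PKD with IAPP caching' (Fig. 4), and the PTK that the anticipated 4-way handshake (Fig. 5) establishes with a neighbor AP. It assumes that PRF is instantiated as the 802.11i PRF-X (HMAC-SHA1 iterated with a one-byte counter) with the inputs concatenated in the order the slides list them, that PTKinit is the PTK of the current AP, and that the cache time limit and the message relay through the current AP work as the slides describe; the slides give no message formats, so the EAPOL-Key bodies, the MK, the MAC addresses, the TLS randoms and the nonces are all constructed test values.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """Assumed PRF instantiation (the slides only write PRF): 802.11i-style PRF-X,
    the concatenation of HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


# ---- PKD key hierarchy (Fig. 2 / Fig. 3) ----
def pmk0(mk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PMK0 = PRF(MK, 'client EAP encryption' | ClientHello.random | ServerHello.random)."""
    return prf(mk, b"client EAP encryption", client_random + server_random, 32)


def pmk_chain(mk: bytes, pmk_0: bytes, ap_macs: list, sta_mac: bytes) -> dict:
    """PMKn = PRF(MK, PMKn-1 | APmac | STAmac) for each neighbour AP in turn.
    Only the AS (which holds MK) and the STA can run this chain; an AP that is
    handed PMKn cannot derive the next AP's PMK because it never sees MK."""
    pmks, prev = {}, pmk_0
    for ap in ap_macs:
        prev = prf(mk, b"", prev + ap + sta_mac, 32)
        pmks[ap] = prev
    return pmks


def ptk(pmk: bytes, anonce: bytes, snonce: bytes, sta_mac: bytes, ap_mac: bytes) -> bytes:
    """PTK = PRF(PMK, ANonce | SNonce | STAmac | APmac); 48 bytes = KCK | KEK | TK."""
    return prf(pmk, b"", anonce + snonce + sta_mac + ap_mac, 48)


def key_mic(ptk_bytes: bytes, eapol_body: bytes) -> bytes:
    """EAPOL-Key MIC keyed with the KCK (the first 16 bytes of the PTK)."""
    return hmac.new(ptk_bytes[:16], eapol_body, hashlib.sha1).digest()[:16]


# ---- PKD with IAPP caching: PTKx = PRF(PMK, PTKinit | APmac | STAmac) ----
def ptkx(pmk: bytes, ptk_init: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """Neighbour AP x gets its PTK from the current AP's PTK instead of a fresh
    handshake: no nonces enter the derivation, which is the freshness concern
    raised on the Discussion slide."""
    return prf(pmk, b"", ptk_init + ap_mac + sta_mac, 48)


class IappCache:
    """PTKx entries a neighbour AP honours only until they expire, modelling the
    'temporary authentication within a time limit' (assumed semantics)."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.entries = {}

    def store(self, sta_mac: bytes, key: bytes, now: float) -> None:
        self.entries[sta_mac] = (key, now + self.ttl)

    def reauth(self, sta_mac: bytes, now: float):
        """Return the cached PTKx, or None to force a full 802.1X authentication."""
        entry = self.entries.get(sta_mac)
        if entry is None or now > entry[1]:
            self.entries.pop(sta_mac, None)
            return None
        return entry[0]


# ---- PKD with anticipated 4-way handshake, relayed through the current AP ----
def anticipated_handshake(pmk_sta, pmk_ap, sta_mac, ap_mac, anonce, snonce):
    """STA and neighbour AP each derive the PTK from their own copy of PMKn and
    verify the MIC the other side produced; the serving AP only relays nonces
    and MICs. Returns the agreed PTK, or None if either MIC check fails."""
    ptk_sta = ptk(pmk_sta, anonce, snonce, sta_mac, ap_mac)
    ptk_ap = ptk(pmk_ap, anonce, snonce, sta_mac, ap_mac)
    msg2 = b"EAPOL-Key msg2|" + snonce  # STA -> neighbour AP, MIC computed by STA
    if not hmac.compare_digest(key_mic(ptk_sta, msg2), key_mic(ptk_ap, msg2)):
        return None  # neighbour AP rejects msg2
    msg3 = b"EAPOL-Key msg3|" + anonce  # neighbour AP -> STA, MIC computed by AP
    if not hmac.compare_digest(key_mic(ptk_ap, msg3), key_mic(ptk_sta, msg3)):
        return None  # STA rejects msg3
    return ptk_sta


def demo() -> dict:
    """Constructed values: one STA, its current AP and two neighbour APs."""
    mk = b"\x11" * 48
    sta = bytes.fromhex("020000000001")
    cur, nb1, nb2 = (bytes.fromhex("02000000aa0%d" % i) for i in (0, 1, 2))
    pmks = pmk_chain(mk, pmk0(mk, b"\xaa" * 32, b"\xbb" * 32), [cur, nb1, nb2], sta)
    ptk_init = ptk(pmks[cur], b"\x01" * 32, b"\x02" * 32, sta, cur)
    cache = IappCache(ttl_seconds=5.0)  # neighbour nb1 caches a PTKx at t = 100
    cache.store(sta, ptkx(pmks[nb1], ptk_init, nb1, sta), now=100.0)
    agreed = anticipated_handshake(pmks[nb2], pmks[nb2], sta, nb2, b"\x03" * 32, b"\x04" * 32)
    return {
        "distinct_pmks": len(set(pmks.values())) == 3,
        "cache_hit": cache.reauth(sta, now=104.0) is not None,
        "cache_expired": cache.reauth(sta, now=106.0) is None,
        "handshake_ok": agreed is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Note how the two proposals differ in what a compromised or impersonated neighbor AP can learn: with IAPP caching the PTKx is fixed by PTKinit and the two MAC addresses, so a replayed cache entry remains valid until the time limit expires, whereas the anticipated handshake binds each PTK to fresh ANonce/SNonce values and fails closed when either side's PMKn does not match.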
Analysis
• m: number of neighbor APs
Performance Evaluation
• Test-bed
• Two STAs associate with an AP
• 500 kb UDP packets with exponentially distributed inter-packet times
[Figure: (a) Re-authentication latency, (b) Association latency]
Discussion
• PKD with IAPP caching
  • Computation overhead
  • Violates the 802.11i security requirements: mutual authentication and fresh key derivation at each AP, and resistance to man-in-the-middle attacks
  • Security degradation from temporary authentication
• PKD with anticipated 4-way handshake
  • Communication overhead: 2 × (4-way handshake) per neighbor AP
  • Computation overhead: PTKs are computed for neighbor APs the station never hands off to
  • Impracticality: no support for 802.11f
Conclusion
• Two methods for PKD-based fast pre-authentication
• PKD with IAPP caching
  • Temporary authentication
  • Security degradation
• PKD with anticipated 4-way handshake
  • 4-way handshake during the pre-authentication phase
  • Communication / computation overhead