Fast Roaming Compromise Proposal
Tim Moore, Microsoft; Nancy Cam-Winget, Cisco Systems; Clint Chaplin, Symbol Technologies; Donald Eastlake, Motorola Laboratories; Dan Harkins, Trapeze Networks; Russ Housley, Vigil Security; Fred Stivers, Texas Instruments; Jesse Walker, Intel
Voice Requirements for Reassociation
• ITU guidance on TOTAL hand-off latency is that it should be less than 50 ms. Cellular networks try to keep it less than 35 ms.
Cam-Winget et al.
Key Management Requirements
1. Explicitly identify the PMK and PMK type being used
2. Minimize computational load on all device types
3. Support multiple back-end infrastructures
4. Minimize the number of messages required while roaming
5. Minimize time dependencies in key mgmt
6. Allow PTK pre-computation to accommodate highly constrained devices
Modifications to the information in the 4-way handshake can address 1, 2 and 3, but not 4, 5 and 6.
Why not replace the 4-way handshake?
• Because:
  • A generic mechanism for supporting PSK is needed
  • Industry is already deploying the 4-way handshake, and it must be retained for backward compatibility
• Define an optional proposal that allows coexistence with current TGi AKMs
Compromise Proposal
RSN Security Association
• Defines the context to make the PTK usage meaningful
• Default RSN SA
  • Class named by: AP’s BSSID and STA’s MAC address
  • PTK established by the 4-Way Handshake
  • Instance named by ANonce and SNonce
  • The SA collapses when any party loses or discards the SA context
• Alternate RSN SA
  • Class and instance named by: MKID, AP’s BSSID and STA’s MAC address
  • PTK established by the R-PMK and R-PMK Counter
  • The SA collapses when any party loses or discards the SA context
Roaming Key Hierarchy
• PMK-EAP = f(MSK); EMSK is unused
• Default Key Hierarchy: Pairwise Master Key (PMK) = current RADIUS derivation; PTK = current PTK derivation; KCK, KEK, TK
• Roaming Key Hierarchy (RKH): Base Roam Key (BRK), MKID; Roaming Pairwise Master Key (R-PMK); R-PTK
• SA levels: Root SA (STA-AS); Pairwise Master SA (STA-AP for key mgmt); RSN SA (STA-AP for data)
• Unspecified means for generating AP-unique PMKs
Fast Roam negotiation: new AKMs
RSN IE: Supports other back-end infrastructures
Pairwise Key Hierarchies
Rekeying Re-association (STA ↔ AP)
• State before roaming: STA holds (R-PMK, MKID_STA, Counter1); AP holds (R-PMK, MKID_AP, Counter2)
• STA: Counter1 = Counter1 + 1; R-PTK = KMIK | KMEK | TK = Roaming-PRF()
• STA → AP: Re-assoc Req (RSN IE(AKMP), RKH IE(MKID, Counter1, Srand, MIC, RSN IE_STA))
• AP → STA: Re-assoc Resp (RKH IE(MKID, Counter2, Srand, Arand, RSC, E_KMEK(GTK), MIC, RSN IE_BSSID))
• STA → AP: EAPOL-Key(Arand, MIC)
• AP: Counter2 = Counter1
• Key installation steps on the diagram: Install TK for Rx; Install TK; Install TK for Tx
Rekeying Reassociations (2): Roaming Key Hierarchy IE
Initial Association: 3-way handshake (STA ↔ AP)
• MKID = AES-Encrypt(PMK, 0)
• STA: Counter1 = Counter1 + 1; PTK-R = KMIK | KMEK | TK = Roaming-PRF()
• Message 1, STA → AP: APKM EAPOL-Key** (0, 1, 1, 0, 0, 1, MKID, SNonce, MIC, RSNIE_STA)
• Install TK for Rx; Install TK
• Message 2, AP → STA: APKM EAPOL-Key** (1, 1, 1, 1, 0, 1, MKID, SNonce, ANonce, MIC, RSNIE_BSSID)
• Install TK for Tx
• Message 3, STA → AP: APKM EAPOL-Key** (1, 1, 0, 1, 0, 1, ANonce, MIC, 0)
• AP: Counter2 = Counter1; initiate GTK handshake
** APKM EAPOL-Key is as defined in 8.5.2 and uses Version Type 3 or 4
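The 3-way handshake above, modelled in Go as an added example (written for this page, not code from 03/241r3 or its authors) with both sides' checks. The slides leave Roaming-PRF() and the MIC algorithm unspecified, so HMAC-SHA256 stands in for both; the rule that Counter1 must advance past Counter2, the 16-byte KMIK|KMEK|TK split and the STA-side pre-computation are assumptions; the EAPOL-Key descriptor bits are omitted; the R-PMK and nonces are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

type party struct{ rpmk []byte; counter uint32; tk []byte } // shared R-PMK; Counter1 (STA) or Counter2 (AP); installed TK
// mkid is the slide's MKID = AES-Encrypt(PMK, 0): an all-zero AES block encrypted under the R-PMK.
func mkid(rpmk []byte) []byte {
	c, err := aes.NewCipher(rpmk) // R-PMK must be an AES key size (16, 24 or 32 bytes)
	if err != nil { panic(err) }
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, out) // encrypt the zero block in place
	return out
}
// hm is HMAC-SHA256 over the concatenated parts; it serves as the MIC under KMIK and as the PRF core (assumed).
func hm(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts { h.Write(p) }
	return h.Sum(nil)
}
func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
// roamingPRF stands in for the unspecified Roaming-PRF(); ANonce is left out so the STA can pre-compute the R-PTK.
func roamingPRF(rpmk []byte, counter uint32, snonce []byte) (kmik, kmek, tk []byte) {
	k := append(hm(rpmk, []byte{1}, mkid(rpmk), u32(counter), snonce), hm(rpmk, []byte{2}, mkid(rpmk), u32(counter), snonce)...)
	return k[:16], k[16:32], k[32:48]
}

// handshake runs the slide's three messages; the AP rejects a non-advancing Counter1, so a replayed message 1 fails.
func handshake(sta, ap *party, snonce, anonce []byte) error {
	sta.counter++ // STA: Counter1 = Counter1 + 1; PTK-R = KMIK|KMEK|TK = Roaming-PRF()
	kmikS, _, tkS := roamingPRF(sta.rpmk, sta.counter, snonce)
	m1 := [][]byte{mkid(sta.rpmk), u32(sta.counter), snonce} // message 1 (STA -> AP): MKID, Counter1, SNonce, MIC
	mic1 := hm(kmikS, m1...)
	c1 := binary.BigEndian.Uint32(m1[1]) // AP: validate message 1 before deriving or installing anything
	if !hmac.Equal(m1[0], mkid(ap.rpmk)) { return errors.New("message 1: unknown MKID") }
	if c1 <= ap.counter { return errors.New("message 1: Counter1 did not advance (replay)") }
	kmikA, _, tkA := roamingPRF(ap.rpmk, c1, snonce)
	if !hmac.Equal(mic1, hm(kmikA, m1...)) { return errors.New("message 1: bad MIC") }
	mic2 := hm(kmikA, m1[0], snonce, anonce) // message 2 (AP -> STA): MKID, SNonce, ANonce, MIC; AP installs TK
	if !hmac.Equal(mic2, hm(kmikS, m1[0], snonce, anonce)) { return errors.New("message 2: bad MIC") }
	mic3 := hm(kmikS, anonce) // message 3 (STA -> AP): ANonce, MIC; STA installs TK for Tx
	if !hmac.Equal(mic3, hm(kmikA, anonce)) { return errors.New("message 3: bad MIC") }
	ap.counter, sta.tk, ap.tk = c1, tkS, tkA // AP: Counter2 = Counter1, then initiate the GTK handshake
	return nil
}
```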
Supports Push and Pull Models
• In either Initial Contact or Roam:
  • If the AP does not have the RSN SA, it can contact the AS to establish it
  • Through prediction, the AP and AS can establish the RSN SA before the STA attempts reassociation
Motions
• Move to adopt draft text in 03/241r3
• Move to request the IEEE 802.11 Working Group Chair to forward the letter titled “Input to IETF AAA Working Group on Keying Distribution Methods” to the IETF Chair
Feedback?
Measured WPA values in ms
Measurements were taken using Cisco 1200 APs with Intersil and Atheros NICs and MS and Funk WPA supplicants under ideal conditions (e.g. a single client and little to no load on the AP).