Fast Roaming Compromise Proposal

Tim Moore, Microsoft
Keith Amann, Spectralink
Nancy Cam-Winget, Cisco
Jesse Walker, Intel

Cam-Winget et al.

Comparisons

Standard Draft
• Open auth request/response
• Associate request/response
• Message 1/2
• Message 3/4
• Group update/Ack
• Total = 5 exchanges

Roaming Proposal
• Open Auth request/response
• Associate request (includes standard draft message 1 & 3) / Associate response (includes standard draft message 2 and group update)
• Message 3, Group Ack
• Total = 2½ exchanges

Comparison (2)

• Send GTK during PTK exchange
• Removes 1 round-trip
• Merge part of key exchange into re-associate request/response
• Removes 1 round-trip
• PTK uniqueness is obtained from Counter-mode not from nonce mixing; also use random liveness
• Removes 1/2 round-trip
• Key hierarchy changes
• Allows pre-computing the PTK at station
• Removes 3 or 4 HMAC-SHA1 from message 1->2 and 2->3 processing
• PRF-512(HMAC-SHA1) ~ 844us on 125MHz
• Requires fresh, named PMKs per station and AS pair
• Removes need for 802.1X authentication on roaming
• Current PSK can’t use fast keying key hierarchy
• PTK exchange in management messages
• Pre-load TK keys
• Removes race condition of loading TKs that 4-way/group key works around

Possible changes to current draft

• Modification to send GTK during PTK exchange
• Removes 1 exchange
• Allow GTK optionally in message 3
• Use 2 octets of reserved field for GTK length
• Add encrypted GTK to end of data field if GTK length is non-zero
• Overload Associate request/response with Message 1/2
• Does require changing the Nonces to Random numbers
• Removes 1 exchange
• Replace PRF using HMAC-SHA1 with AES-CBC-MAC
• Reduces time for PRF, especially if AES in hardware
• Add PMK identifier to RSNIE to enable PMK caching
• Removes the need for 802.1X authentication on roaming
• Doesn’t assume fresh PMK
• Supports current PSK
• Total changes: 5 exchanges -> 3 exchanges

Missing features

• PRF changes reduce the pre-compute need but don’t remove it
• Can’t remove ½ round trip
• Doesn’t solve sync problem of plumbing keys

New Proposal

• Use new scheme to define MKID based on first PMK
• Use PMK delivered by AS as the base roaming key to generate AP unique pairwise master keys
• Use 802.1X EAPOL-Key message as the reassociation confirm (3rd message)
• Include the MKID in the RSN IE as an optional field

Fast Roaming Key Hierarchy

MS-MPPE(PMK-EAP)
MKID = AES-Encrypt(PMK-EAP, 0)

Default Key Hierarchy
• Unspecified means for generating AP unique PMKs
• Pairwise Master Key (PMK) = PMK-EAP
• Current RADIUS derivation
• PTK = Current PTK derivation

Roaming Key Hierarchy (RKH)
• Base Roam Key (BRK) = PMK-EAP
• Pairwise Master Key Roaming (PMK-R) = Roaming-PRF(BRK, “fast roaming PMK” | MKID | STA MAC Addr | BSSID)
• PTK-R = Roaming-PRF(PMK-R, “fast roaming PTK” | new BSSID | Counter)

• Key Management Integrity Key – KMIK: bits 0–127
• Key Management Encryption Key – KMEK: bits 128–255
• Temporal Key – PTK bits 256–n – can have cipher-suite-specific structure

Fast Roaming Key Hierarchy (3)

Algorithm Roaming-PRF
Input: Key K, Label L, Nonce N, Output Length OL
Output: OL-octet string Out

    Out = “”
    for i = 1 to (OL+15)/16 do
        Out = Out | AES-CBC-MAC(K, L | N | i | OL)
    return first OL octets out of Out

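
The Roaming-PRF and the roaming key hierarchy from the two slides above, as an added Go example that is not part of the original deck. The slides do not fix octet encodings, so the one-octet i, two-octet OL, 32-bit big-endian Counter, zero padding in the CBC-MAC, 32-octet PMK-R, 16-octet TK and the use of one BSSID at both levels are assumptions, and the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// cbcMAC: raw AES-CBC-MAC, zero IV; zero-padding the last block is an assumption.
func cbcMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	mac := make([]byte, 16)
	for off := 0; off < len(msg); off += 16 {
		for j := 0; j < 16 && off+j < len(msg); j++ {
			mac[j] ^= msg[off+j] // absent octets act as zero padding
		}
		c.Encrypt(mac, mac)
	}
	return mac
}

// RoamingPRF follows the slide; encoding i as 1 octet and OL as 2 octets is assumed.
func RoamingPRF(k []byte, label string, n []byte, ol int) []byte {
	var out []byte
	for i := 1; i <= (ol+15)/16; i++ {
		m := append(append([]byte(label), n...), byte(i), byte(ol>>8), byte(ol))
		out = append(out, cbcMAC(k, m)...) // Out = Out | AES-CBC-MAC(K, L|N|i|OL)
	}
	return out[:ol]
}

// MKID = AES-Encrypt(PMK-EAP, 0); a CBC-MAC over one zero block is exactly that.
func MKID(pmkEAP []byte) []byte { return cbcMAC(pmkEAP, make([]byte, 16)) }

// DerivePTKR: BRK -> PMK-R -> PTK-R -> KMIK|KMEK|TK; sizes, Counter width, shared BSSID assumed.
func DerivePTKR(brk, sta, bssid []byte, ctr uint32) (kmik, kmek, tk []byte) {
	n := append(append(MKID(brk), sta...), bssid...)
	pmkR := RoamingPRF(brk, "fast roaming PMK", n, 32)
	n = append(append([]byte{}, bssid...), byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	ptk := RoamingPRF(pmkR, "fast roaming PTK", n, 48)
	return ptk[:16], ptk[16:32], ptk[32:]
}

func main() {
	kmik, _, tk := DerivePTKR(make([]byte, 32), []byte{2, 0, 0, 0, 0, 1}, []byte{2, 0, 0, 0, 0, 2}, 1) // constructed inputs
	fmt.Printf("KMIK=%x TK=%x\n", kmik, tk)
}
```

Because OL is part of every MAC input, a shorter output is not a prefix of a longer one, and changing only the Counter changes every octet block of the PTK-R.
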
Fast Roam negotiation

Rekeying Re-association (STA and AP)

• STA holds: PMK-R, PMKID_STA, Counter1
• AP holds: PMK-R, PMKID_AP, Counter2

• STA: Counter1 = Counter1 + 1; PTK-R = KMIK | KMEK | TK = Roaming-PRF()
• STA → AP: Re-assoc Req (RSN IE(AKM=RKH, {PMKID_STA}), {Fast-Rekey IE(Counter1, Srand)})
• AP:
    if MKID_STA == MKID_AP
        if (AKM=RKH and Counter1 > Counter2) then KMIK | KMEK | TK = Roaming-PRF()
        else initiate 4-way handshake
    else initiate 802.1X
• AP → STA: Re-assoc Resp (RSN IE, {Fast-Rekey IE(Counter2, Arand, RSC, E_KMEK(GTK), MIC)})
• STA → AP: EAPOL-Key(Arand, MIC)
• AP: Install TK, Counter2 = Counter1
• STA: Install TK

Rekeying Reassociations (1): MICs

• GTK encryption Algorithm: AES Key Wrapping (RFC 3394)
• Pad with 16 bytes of zeroes for CCMP
• Reassociation Request MIC: HMAC-SHA1-64(KMIK, RSNIE_STA | Fast Rekey IE sans MIC)
• Reassociation Response MIC: HMAC-SHA1-64(KMIK, Srand | RSNIE_AP | Fast Rekey IE sans MIC)
• Reassociation Confirm is now an EAPOL-Key message echoing ARand in the message and protected using the EAPOL-Key conventions

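
AP-side handling of the Re-assoc Req described on the two slides above, as an added Go example that is not part of the original deck: the MKID and Counter checks from the negotiation diagram, followed by the HMAC-SHA1-64 request MIC. The Req and AP types, the KMIKFor hook standing in for Roaming-PRF, and the choice to reject on a bad MIC and advance Counter2 only after the MIC verifies are assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// mic64 is HMAC-SHA1-64: HMAC-SHA1 over the concatenated parts, first 8 octets kept.
func mic64(kmik []byte, parts ...[]byte) []byte {
	h := hmac.New(sha1.New, kmik)
	h.Write(bytes.Join(parts, nil))
	return h.Sum(nil)[:8]
}

// Req holds the Re-assoc Req fields the AP acts on (field layout is hypothetical).
type Req struct {
	RKH                 bool   // RSN IE selects AKM = RKH
	MKID                []byte // MKID_STA
	Counter1            uint32
	RSNIE, IENoMIC, MIC []byte // IENoMIC is the Fast Rekey IE sans MIC
}

// AP is per-station state; KMIKFor is a hypothetical hook standing in for Roaming-PRF.
type AP struct{ MKID []byte; Counter2 uint32; KMIKFor func(counter uint32) []byte }

// Handle applies the slide's decision tree, then verifies the request MIC.
// Assumed: a bad MIC is rejected and Counter2 advances only once the MIC verifies.
func (a *AP) Handle(r Req) string {
	switch {
	case !bytes.Equal(r.MKID, a.MKID):
		return "802.1X"
	case !r.RKH || r.Counter1 <= a.Counter2:
		return "4-way handshake"
	case !hmac.Equal(mic64(a.KMIKFor(r.Counter1), r.RSNIE, r.IENoMIC), r.MIC):
		return "reject" // forged or corrupted request must not move Counter2
	}
	a.Counter2 = r.Counter1
	return "fast rekey"
}

func main() {
	kmik := func(c uint32) []byte { return mic64([]byte("constructed PMK-R"), []byte{byte(c)}) }
	ap := &AP{MKID: []byte{0xAA}, Counter2: 4, KMIKFor: kmik}
	r := Req{RKH: true, MKID: []byte{0xAA}, Counter1: 5, RSNIE: []byte("rsn"), IENoMIC: []byte("ie")}
	r.MIC = mic64(kmik(5), r.RSNIE, r.IENoMIC)
	fmt.Println(ap.Handle(r), ap.Handle(r)) // second call replays the same Counter1
}
```
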
Rekeying Reassociations (2): Fast-Roaming IE

MKID as optional field in RSN IE

Feedback?

Initial Association

Parties: STA, AP, AS
• 802.11 Open Authentication
• Association Req + RSN IE
• Association Response (success)
• EAP type specific mutual authentication
• AKM is relayed to AS using same back-end protocol (e.g. RADIUS attribute)
• Derive Pairwise Master Key (PMK1) (STA and AS)
• Access ACCEPT (PMK1)
• 802.1X/EAP-SUCCESS
• 4-way handshake
• Group Key
• Install TK (STA and AP)