October 2003
Mishra, Shin, Arbaugh, Lee, Jang
doc.: IEEE11-03-
Presentation
Proactive Key Distribution to support fast and secure roaming
Arunesh Mishra, Minho Shin, William Arbaugh
University of Maryland
College Park
Insun Lee, Kyunghun Jang
Samsung Electronics
TGi MUST Support Fast Roaming
• Otherwise non-standard and non-vetted solutions will evolve… creating potential “brand” problems.
• Transparent roaming was one cause of exponential growth in the cellular market.
• Interworking is around the corner.
Backend Requirement
• Protocol MUST be standardized within IETF
– This requires that key material NOT leave the AS.
– This means that the protocol should fit within current and future AAA practice.
Pre-authentication
[Diagram: RADIUS (AAA) server above APs A, B, C, D, E; key labels MK, PMK, PTK; EAP/TLS Authentication via next AP]
Problems with Pre-Auth
• Expensive in terms of computational power for client, and time (Full EAP-TLS can take seconds depending on load at RADIUS Server). TLS-Resume will make things faster, but other problems persist.
• Requires well designed and overlapping coverage areas
• Can not extend beyond LAN
• No opportunity for Interworking
Goals
• Permit fast roaming without reducing overall security
• Fast roaming occurs when the total cost of Layer 1-3 hand-off times is less than 50ms (Ideally 35ms).
TGi Fast Roaming Goals
• Handoff to next AP SHOULD NOT require a complete EAP/TLS re-authentication.
• Compromise of one AP MUST NOT compromise past or future key material, i.e. perfect forward secrecy, and withstand known key attacks.
TGi Trust Assumptions
• AAA Server is trusted
• AP to which STA is associated is trusted. All other APs are untrusted.
Only Three Ways to meet TGi Goals
• Exponentiation support for asymmetric cryptographic operations at AP, or
• Trusted Third Party, i.e. Authentication/Roaming Server
Proactive Key Distribution (TGi)
• Extend Neighbor Graphs and Proactive Caching (IEEE 11-02-758r1.ppt) to support key distribution by the AS
• Eliminates problems with sharing key material amongst multiple APs
– Easily extended to support WAN roaming
– Extendable to support Interworking
Neighbor Definition and Graph
• Two APs i and j are neighbors iff
– There exists a path of motion between i and j such that it is possible for a mobile STA to perform a reassociation
– Captures the ‘potential next AP’ relationship
– Distributed data-structure i.e. each AP or AS/RS can maintain a dynamic list of neighbors
[Figure: placement of APs A, B, C, D, E and the corresponding neighbor graph]
AP Neighborhood Graph – Automated Learning
• Construction
– Manual configuration for each AP/RS or,
– AP/RS can learn:
• If STA c sends Reassociate Request to AP i, with old-ap = AP j :
• Create new neighbors (i,j) (i.e. an entry in AP i, for j and vice versa)
• Learning costs only one ‘high latency handoff’ per edge in the graph.
• Enables mobility of APs, can be extended to wireless networks with an ad-hoc backbone infrastructure.
• Dynamic implementation using LRU replacement permits invalid and stale entries to time out.
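
Added example (not from the presentation or the authors' implementation): the learning rule above in Python, with one LRU-bounded neighbor list per AP. The class name, the per-AP cap and the reassociation trace are assumptions constructed for illustration.

```python
from collections import OrderedDict

class NeighborGraph:
    """Neighbor graph learned from Reassociate Requests (hypothetical class)."""

    def __init__(self, max_neighbors=3):   # per-AP cap is an assumption
        self.max_neighbors = max_neighbors
        self.adj = {}   # AP -> OrderedDict of neighbors, least recently used first

    def _touch(self, ap, neighbor):
        lru = self.adj.setdefault(ap, OrderedDict())
        lru[neighbor] = True
        lru.move_to_end(neighbor)           # most recently used goes last
        if len(lru) > self.max_neighbors:
            lru.popitem(last=False)         # LRU replacement: stalest entry ages out

    def on_reassociate(self, new_ap, old_ap):
        """Record edge (i, j) for a request sent to AP i with old-ap = AP j.

        Returns True when the edge was unknown, i.e. this handoff was the one
        'high latency handoff' that the edge costs to learn.
        """
        if new_ap == old_ap:
            return False
        known = (old_ap in self.adj.get(new_ap, ())
                 and new_ap in self.adj.get(old_ap, ()))
        self._touch(new_ap, old_ap)         # entry in AP i for j ...
        self._touch(old_ap, new_ap)         # ... and vice versa
        return not known

    def neighbors(self, ap):
        return list(self.adj.get(ap, ()))

# Constructed trace of (STA, old-ap, new AP) reassociations.
TRACE = [
    ("sta1", "A", "B"), ("sta1", "B", "C"), ("sta2", "A", "E"),
    ("sta2", "E", "A"), ("sta3", "A", "B"), ("sta1", "C", "D"),
]

def learn(trace, max_neighbors=3):
    """Replay a trace; return the graph and the handoffs that paid the learning cost."""
    graph = NeighborGraph(max_neighbors)
    slow = [ev for ev in trace if graph.on_reassociate(ev[2], ev[1])]
    return graph, slow

if __name__ == "__main__":
    graph, slow = learn(TRACE)
    for ap in "ABCDE":
        print(ap, graph.neighbors(ap))
    print("handoffs that paid the learning cost:", len(slow))
```

Because old-ap comes from the STA's request and the graph later decides which APs are sent key material, the bounded LRU list also limits how long an invalid entry can persist.
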
Graph Synchronization
• The graph’s state at the accounting server is updated by:
– Accounting-Request messages from the current AP (draft-congdon-radius-8021x)
Roaming Example
• Given the following infrastructure with associated neighbor graph with STA about to associate to AP A.
[Figure: placement of APs A, B, C, D, E and the corresponding neighbor graph]
Post Authentication and 4-handshake
[Diagram: RADIUS (AAA) server, Accounting Server and APs A, B, C, D, E; message shown: Accounting-Request(Start)]
Proactive Key Distribution
[Diagram: RADIUS Authentication Server (AS), Accounting Server and APs A, B, C, D, E; messages shown: Notify-Request, Notify-Request]
Proactive Key Distribution Post Authentication
[Diagram: AS, Accounting and APs A, B, C, D, E; messages shown, each twice: Notify-Accept, Access-Accept(key material)]
AP Actions on Notify Request
• Dynamic Keys, i.e. PMK changes per roam.
– AP MUST send an ACCESS-REQUEST to AS
• Static Key, i.e. PMK is unique per AP but never changes.
– Nothing unless authorization is required.
TGi Pairwise Key Hierarchy Review
Master Key (MK)
Pairwise Master Key (PMK) = TLS-PRF(MasterKey, “client EAP encryption” | clientHello.random | serverHello.random)
Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr)
Key Confirmation Key (KCK) – PTK bits 0–127
Key Encryption Key (KEK) – PTK bits 128–255
Temporal Key – PTK bits 256–n – can have cipher suite specific structure
PMK Generation
• Each AP is given a unique PMK per roam, or generation.
• The PMK for the AP for that generation becomes that generation’s PMK.
PMK Generations
• Generation:
– PMK0 = TLS-PRF(MK, “client EAP encryption”, clientHello.random, serverHello.random)
– PMK1-B = TLS-PRF(MK, PMK0, APB-MAC-Addr)
– PMK1-E = TLS-PRF(MK, PMK0, APE-MAC-Addr)
– PMK2-C = TLS-PRF(MK, PMK1-B, APC-MAC-Addr)
Synchronization Example
STA roam pattern: A → B → C ≈ D
[Figure: tree of PMKs by generation (axis: Generation 0 1 2 3 4); node labels: PMK0, PMKA, PMKB, PMKC, PMKD, PMKE, PMKG]
Synchronization
• One of two cases exist:
– 1) AP and STA share correct generation of PMK, or
– 2) They do not.
• STA ALWAYS has the correct PMK.
• The hand-shake determines which case exists and if the situation is case 2) then a full re-auth is completed. NOTE: The ~10ms it takes to determine the appropriate case is lost in the “noise” of a full EAP/TLS at ~800ms.
• Can be greatly improved by enforcing an invariant that a PMK for a STA only exists at current and neighboring APs (requires new message to draft-irtf-aaaarch-handoff-03.txt).
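
Added example (not from the presentation or the authors' implementation): the PMK Generations chain and the two Synchronization cases, walked along a roam path in Python. TLS-PRF is taken to be the TLS 1.0 PRF with the previous PMK as label and the AP MAC address as seed; that reading, the 32-byte PMK length, the MAC addresses, the graph and the key comparison standing in for the hand-shake are assumptions.

```python
import hashlib
import hmac
import os

def _p_hash(alg, secret, seed, n):
    """P_hash expansion from RFC 2246 section 5."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, alg).digest()
        out += hmac.new(secret, a + seed, alg).digest()
    return out[:n]

def tls_prf(secret, label, seed, n=32):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = _p_hash(hashlib.md5, secret[:half], label + seed, n)
    sha1 = _p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def next_pmk(mk, prev_pmk, ap_mac):
    """PMK(n+1)-X = TLS-PRF(MK, PMK(n), AP X MAC address), as on the slide."""
    return tls_prf(mk, prev_pmk, ap_mac)

def full_auth():
    """Stand-in for a full EAP/TLS run: fresh MK and PMK0 from random (constructed) values."""
    mk = os.urandom(48)
    randoms = os.urandom(64)               # clientHello.random | serverHello.random
    return mk, tls_prf(mk, b"client EAP encryption", randoms)

# Constructed sample data: AP MAC addresses, and a neighbor graph in which
# the C-D edge has not been learned yet.
MACS = {ap: bytes([0x02, 0, 0, 0, 0, i]) for i, ap in enumerate("ABCDE")}
GRAPH = {"A": ["B", "E"], "B": ["A", "C"], "C": ["B"], "D": [], "E": ["A"]}

def simulate(path, graph):
    """Return [(ap, 'fast' | 'full')] for each handoff along path."""
    mk, sta_pmk = full_auth()              # initial association at path[0]
    ap_cache = {}                          # PMK each AP currently holds for this STA

    def push(current_ap):                  # AS side: next-generation PMKs to the neighbors
        for ap in graph[current_ap]:
            ap_cache[ap] = next_pmk(mk, sta_pmk, MACS[ap])

    push(path[0])
    results = []
    for ap in path[1:]:
        candidate = next_pmk(mk, sta_pmk, MACS[ap])    # STA side: it always holds MK and PMK(n)
        # Stand-in for the hand-shake, which only succeeds when both sides hold the same PMK.
        if hmac.compare_digest(ap_cache.get(ap, b""), candidate):
            sta_pmk, kind = candidate, "fast"          # case 1: generations match
        else:
            mk, sta_pmk = full_auth()                  # case 2: full re-auth, new chain
            kind = "full"
        results.append((ap, kind))
        push(ap)
    return results

if __name__ == "__main__":
    print(simulate(["A", "B", "C", "D"], GRAPH))
```

An AP holds only its own PMK for a generation; deriving a sibling's or a later generation's PMK requires MK, which stays with the STA and the AS.
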
How do the AP and STA know that Fast Roaming is supported?
• STA asserts that it supports fast roaming by setting a bit (use of the current reserved bits) in the RSN information field element in the REASSOCIATION-REQUEST.
• AP asserts the same bit in the REASSOCIATION-RESPONSE if and only if the AP supports fast roaming and it is provisioned with a derived PMK for the STA.
• If either bit is unset, then a full reauthentication MUST be done.
Implementation Results
• Significantly easier to implement than expected.
• Little traffic increase on distribution system.
• Synchronization MUCH easier than expected.
• Reduced hand-off times from a full EAP/TLS by a factor of 40!
• Full paper available at: http://www.cs.umd.edu/~waa/pro-key.pdf
– Please do not re-distribute paper
Results
NOTE: There is an overhead of 30ms on these times due to problems with power over ethernet. When PoE is not used, we achieved 20ms times.
Advantages
• Permits fast roaming with little to no changes within current draft.
• Provides similar level of security as a full re-authentication
– New PMK
– Interaction with AAA server to authorize access
• Actually has been implemented!
Disadvantages
• Does require server changes, but pre-auth can be used until server changes occur (besides, server changes are minor).
What needs to be done?
• Adjust to EAP key hierarchy.
• Use PMK name (once defined) rather than generation.
• Add invariant message.
• Add fast-roam bit to IE.
Maximum STA Velocity
For the Notify and PMK install to occur in time, we need:
2 RTT + handshake < D/v
Where:
D = coverage diameter
v = STA velocity
RTT = round-trip time from AP to AAA server, including processing.
Assuming D = 100 ft, handshake = 10 ms, and RTT = 100 ms, we get:
v = 100 ft / (200 ms + 10 ms) ~ 500 ft/sec = Mach 0.5!!
Conclusions
• Provided an overview of various options
• Provided a protocol that:
– Can support high speed roaming, meets IETF requirements (draft-arbaugh-radius-handoff-00.txt),
– Is independent of the type of key management/derivation used (static or dynamic), i.e. can use IEEE11-03-008r0-I or the method in the information slides of this presentation.
– Is independent of the type of hand-shake used.
Acknowledgements
• Bernard Aboba assisted with the best way to integrate Proactive key distribution with RADIUS.
• The maximum STA velocity calculation is from Bernard Aboba.
• Jesse Walker pointed out potential synchronization problems in an earlier version of proactive key distribution.