January 2010 doc.: IEEE 802.11-10/0059r3

Slide 1: An Example Protocol for FastAKM
Date: 2010-01-19

Authors:
Name | Company | Address | Phone
Hiroki NAKANO | Trans New Technology, Inc. | Sumitomo-Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho, Shimogyo-ku, Kyoto 600-8492 JAPAN | +81-75-213-1200
Hitoshi MORIOKA | ROOT Inc. | #33 Ito Bldg., 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN | +81-92-771-7630
Hiroshi MANO | ROOT Inc. | 8F TOC2 Bldg., 7-21-11 Nishi-Gotanda, Shinagawa-ku, Tokyo 141-0031 JAPAN | +81-3-5719-7630
Email: cas.nakano@gmail.com, [email protected], [email protected], [email protected]

Submission Slide 1 Hiroki Nakano, Trans New Technology, Inc.

Slide 2: Abstract
The FastAKM framework reduces the time needed to set up an association between an AP and a non-AP STA. This shortens the blackout time on handover and makes VoIP usable in an 802.11 "mobile" environment. In this presentation we show its technical feasibility by introducing a trial implementation of FastAKM that establishes an association between an AP and a non-AP STA with a single round-trip exchange of management frames.

Slide 3: Requirements
• Employ just ONE round-trip exchange of frames
  – STA to AP, then AP to STA
• Do everything needed to start the user's data exchange
  – Association
  – Authentication
  – Key Exchange
• No direct contract between AP and non-AP STA
  – An 'Authentication Server' mediates between AP and non-AP STA
  – Separates service providers from the AP infrastructure
• Possibly compatible with the existing 802.11 framework
  – Old STAs can still be operated together.
Slide 4: An Example Procedure by 802.11-2007
Message sequence among STA, AP and RADIUS Server (EAP frames run between STA and AP; RADIUS messages between AP and RADIUS Server):
1. Beacon (AP to STA)
2. Probe Request (STA to AP)
3. Probe Response (AP to STA)
4. Open System Authentication (STA to AP)
5. Open System Authentication (AP to STA)
6. Association Request (STA to AP)
7. Association Accept (AP to STA)
8. EAPOL-Start (STA to AP)
9. EAP-Request/Identity (AP to STA)
10. EAP-Response/Identity (STA to AP)
11. RADIUS-Access-Request/Identity (AP to RADIUS Server)
12. RADIUS-Access-Challenge/TLS-Start (RADIUS Server to AP)
13. EAP-Request/TLS-Start (AP to STA)
14. EAP-Response/TLS-client Hello (STA to AP)
15. RADIUS-Access-Request/Pass Through (AP to RADIUS Server)
16. RADIUS-Access-Challenge/Server Certificate (RADIUS Server to AP)
17. EAP-Request/Pass Through (AP to STA)
18. EAP-Response/Client Certificate (STA to AP)
19. RADIUS-Access-Request/Pass Through (AP to RADIUS Server)
20. RADIUS-Access-Challenge/Encryption Type (RADIUS Server to AP)
21. EAP-Request/Pass Through (AP to STA)
22. EAP-Response (STA to AP)
23. RADIUS-Access-Request (AP to RADIUS Server)
24. RADIUS-Access-Accept (RADIUS Server to AP)
25. EAP-Success (AP to STA)
26. EAP-Key (AP to STA)

Slide 5: Complaint about the Procedure…
The same sequence as Slide 4, annotated with three complaints:
• The Probe process is optional.
• Open System auth. is meaningless.
• Any other framework than EAPOL??

Slide 6: Solution?
• We investigated and tried implementing the two ideas below.
  – Trial 1: Omit Pre-RSNA Auth. Process
  – Trial 2: Piggyback Auth. Info. onto Association Request/Response

Slide 7: Trial 1: Omit Pre-RSNA Auth. Process
• We use "Open System" authentication on the Pre-RSNA framework at any time.
  – Is anyone using Shared Key auth?
• "Open System auth. is a null auth. algorithm. Any STA requesting Open System auth. may be authenticated." Quoted from 802.11-2007 section 8.2.2.2
• Nevertheless, it takes ONE round-trip time to do that!
• The standard should be changed to allow the Association process to run without the Open System authentication process.
  – Does any problem occur?

Slide 8: Reason for the existence of Open System auth.
• "NOTE 3—IEEE 802.11 Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE 802.11 state machine (see 11.3)." Quoted from 802.11-2007 section 8.4.1.2.1 b)

Slide 9: 802.11-2007 Figure 11-6
[Figure: 802.11-2007 Figure 11-6, Relationship between state variables and services]

Slide 10: Modified Figure?
[Figure: state diagram modified with "Successful Association with FastAKM" as an additional transition]

Slide 11: Trial 2: Piggyback Auth. Info. onto Association Request/Response
• Can "Mutual Authentication" be done by just ONE round-trip of Association Request/Response?
  – "Single Round-trip Authentication" is a common problem.
Message sequence among STA, AP and Authentication Server:
1. Beacon (AP to STA)
2. (Probe Request) (STA to AP)
3. (Probe Response) (AP to STA)
4. Authentication (Open System) (STA to AP)
5. Authentication (Open System) (AP to STA)
6. Association Request (STA to AP)
7. Access Request (AP to Authentication Server)
8. Access Response (Authentication Server to AP)
9. Association Response (Accept) (AP to STA)

Slide 12: Supposed Service Model
Three parties: AP (Infrastructure), Authentication Server (Service Provider), Non-AP STA (Customer).
• AP and Authentication Server
  – Contract to provide wireless access to the users specified by the Authentication Server (i.e. the Service Provider)
  – Set up a secure communication channel to exchange information about users
• Non-AP STA and Authentication Server
  – Contract to provide wireless access via the AP infrastructure
  – Share information to identify each other properly, e.g. username, password, digital certificate, etc.
• Non-AP STA and AP
  – No contract
  – Real wireless communication channel
  – Wireless access is provided at the request of the Service Provider

Slide 13: Technical Prerequisite
• Station (non-AP STA) and Authentication Server (AS): information shared to identify each other and to exchange data securely
• Station (non-AP STA) and Access Point (AP): wireless communication
• Access Point (AP) and Authentication Server (AS): a secure communication pipe, and information shared to identify each other

Slide 14: Association and Authentication Procedure
• STA -> AP (piggybacked on Association Request)
  – Auth. Server Selector = name of Auth. Server
  – User Information pack, passed through the AP toward the Auth. Server
    • User Identifier and a kind of digital signature
    • Session key encrypted by a secret shared with the Auth. Server
    • Countermeasure against replay attack
• AP -> AS
  – User Information pack
• AS -> AP
  – Plain (decrypted) session key
• AP -> STA (piggybacked on Association Response)
  – Proof of the AP having the legitimate session key
  – Group key

Slide 15: Frame Exchange for Authentication
1. Station (non-AP STA) -> Access Point (AP): User Information pack
   – User Identifier
   – a kind of digital signature
   – Session key encrypted by a secret shared with the Auth. Server
   – Countermeasure against replay attack
2. Authentication Server (AS) -> Access Point (AP): Plain (decrypted) session key
3. Access Point (AP) -> Station (non-AP STA):
   – Proof of the AP having the legitimate session key
   – Group key
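The three-step exchange of Slides 14 and 15, modelled end to end as an added example (constructed here, not code from the presentation or its NetBSD implementation). All secrets, the HMAC-based "signature", the XOR-with-keystream wrapping of the session key, and the 60-second freshness window are assumptions standing in for whatever the real method would use; the AP-to-AS secure pipe is assumed and not modelled.

```python
import hmac, hashlib, os, struct

# Constructed secret; the slides name the parties, not the values.
STA_AS_SECRET = b"secret shared by non-AP STA and Auth. Server"

def tag(key, *parts):
    """HMAC-SHA256 over length-prefixed parts; stands in for the 'kind of digital signature'."""
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def wrap(key, nonce, data):
    """XOR with an HMAC-derived keystream (16-byte data); a stand-in for a real cipher."""
    return bytes(a ^ b for a, b in zip(data, tag(key, b"wrap", nonce)))

def sta_build_pack(user_id, session_key, now):
    """Step 1 (STA -> AP): User Information pack carried in the Association Request."""
    nonce, ts = os.urandom(16), struct.pack(">Q", now)   # nonce + timestamp: replay countermeasure
    enc = wrap(STA_AS_SECRET, nonce, session_key)
    return {"user": user_id, "nonce": nonce, "ts": ts, "enc_key": enc,
            "sig": tag(STA_AS_SECRET, user_id, nonce, ts, enc)}

class AuthServer:
    """Checks the pack and hands the plain session key to the AP (step 2)."""
    def __init__(self, clock, window=60):
        self.seen, self.clock, self.window = set(), clock, window
    def access(self, p):
        expected = tag(STA_AS_SECRET, p["user"], p["nonce"], p["ts"], p["enc_key"])
        ok = hmac.compare_digest(expected, p["sig"])
        fresh = abs(self.clock() - struct.unpack(">Q", p["ts"])[0]) <= self.window
        if not (ok and fresh) or p["nonce"] in self.seen:   # reject forgeries, stale and replayed packs
            return None
        self.seen.add(p["nonce"])
        return wrap(STA_AS_SECRET, p["nonce"], p["enc_key"])   # decrypted session key

def ap_respond(auth_server, pack, group_key):
    """Step 3 (AP -> STA): proof of session-key possession plus the wrapped group key."""
    sk = auth_server.access(pack)
    if sk is None:
        return None                                          # Association Response: reject
    ap_nonce = os.urandom(16)
    resp = {"ap_nonce": ap_nonce, "enc_gtk": wrap(sk, ap_nonce, group_key),
            "proof": tag(sk, b"proof", pack["nonce"], ap_nonce)}
    return resp, sk

def sta_verify(session_key, pack, resp):
    """STA checks the AP's proof before accepting the group key; None on failure."""
    expected = tag(session_key, b"proof", pack["nonce"], resp["ap_nonce"])
    if not hmac.compare_digest(expected, resp["proof"]):
        return None
    return wrap(session_key, resp["ap_nonce"], resp["enc_gtk"])
```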
Slide 16: An Example Implementation
• OS: NetBSD 5.0.1 (i386)
• Upper MAC Layer: NetBSD's net80211
• WLAN Chipset: Atheros Communications AR5212
• About 200 lines of C added.

Slide 17: Difference from 802.11-2007
• Additional state transition to skip Open System Auth.
  – Figure 11-6—Relationship between state variables and services
• Two additional elements in Table 7-26 Element IDs
  – Authentication Server Selector (240, temporarily)
  – User Information Pack (241, temporarily)
• RSN with the key obtained by the new FastAKM framework
  – 7.3.2.25 RSN information element (for beacon and probe resp.)
  – Both Group and Pairwise Cipher Suites are set to CCMP.
  – AKM Suite is set to the brand-new one!
    • Define a new AKM Suite (00-d0-14-01 is used temporarily.)
    • Assign officially in Table 7-34 AKM suite selectors in future…

Slide 18: Conclusion
• Not-so-many changes enable the FastAKM framework.
• We need more technical discussion
  – to build and verify the authentication method
  – about any effect of changing the standard
  – to write down a detailed specification

Slide 19: Straw Poll
"Does WNG think that we need a tutorial session exploring the need for support for mobile communication?"
• Yes: 18
• No: 1
• Don't Care: 7
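The element changes of Slide 17 in encoded form, as an added example (constructed here, not the presentation's code): an RSN IE whose group and pairwise suites are CCMP and whose AKM selector is the temporary 00-d0-14-01, the two temporary elements 240 and 241, and a parser a STA could use to decide whether a Beacon advertises FastAKM. Element ID 48 for RSN and the CCMP selector 00-0F-AC:4 are standard values; the element ordering and the use of a single suite per list are assumptions.

```python
import struct

RSN_EID, AS_SELECTOR_EID, USER_PACK_EID = 48, 240, 241   # 240/241 are the slides' temporary IDs
CCMP = bytes.fromhex("000fac04")          # suite selector OUI 00-0F-AC, type 4 (CCMP)
FASTAKM_AKM = bytes.fromhex("00d01401")   # temporary AKM selector from the slides

def element(eid, body):
    """Generic 802.11 information element: ID, length, body (body <= 255 bytes)."""
    if len(body) > 255:
        raise ValueError("element body too long")
    return bytes([eid, len(body)]) + body

def build_rsn_ie(akm=FASTAKM_AKM, group=CCMP, pairwise=CCMP):
    """RSN IE in the 7.3.2.25 layout: version 1, one group, one pairwise, one AKM suite."""
    body = struct.pack("<H", 1) + group            # version, group cipher suite
    body += struct.pack("<H", 1) + pairwise        # pairwise suite count + list
    body += struct.pack("<H", 1) + akm             # AKM suite count + list
    body += struct.pack("<H", 0)                   # RSN capabilities
    return element(RSN_EID, body)

def parse_elements(blob):
    """Walk a Beacon/Association body into {eid: body}; rejects truncated elements."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated element at offset %d" % i)
        out[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return out

def rsn_suites(body):
    """Return (group, [pairwise...], [akm...]) from an RSN IE body."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    group, i, lists = body[2:6], 6, []
    for _ in range(2):                              # pairwise list, then AKM list
        n = struct.unpack_from("<H", body, i)[0]; i += 2
        lists.append([body[i + 4 * k:i + 4 * k + 4] for k in range(n)]); i += 4 * n
    return group, lists[0], lists[1]

def advertises_fastakm(beacon_body):
    """True if the AP advertises the FastAKM AKM with CCMP as both cipher suites."""
    els = parse_elements(beacon_body)
    if RSN_EID not in els:
        return False
    group, pairwise, akms = rsn_suites(els[RSN_EID])
    return group == CCMP and pairwise == [CCMP] and FASTAKM_AKM in akms

def build_fastakm_assoc_elements(as_name, user_pack):
    """The two new elements piggybacked on the Association Request (Slide 14)."""
    return element(AS_SELECTOR_EID, as_name) + element(USER_PACK_EID, user_pack)
```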