Naming Cached PMKs


Presentation Transcript


  1. Naming Cached PMKs
  Dan Harkins, Trapeze Networks

  2. Current PMK Caching
  • Supplicant sets a “cached PMK” bit in the RSN Capabilities bitfield in the RSN IE in the associate request.
  • Authenticator sends associate response and
    • Begins 4-way handshake if it has a cached PMK for the supplicant
    • Begins 802.1X authentication if it does not have a cached PMK for the supplicant

  3. Current PMK Caching
  • Relies on no ambiguity on which PMK to use in the 4-way handshake
  • Problematic to use for fast handoff
    • Proactive (push) techniques can provide an AP with a PMK for the supplicant prior to the associate request being received
    • Reactive (pull) techniques can allow the AP to retrieve a PMK for the supplicant
    • This can introduce ambiguity!

  4. Name Cached PMKs!
  • pmkname = HMAC-SHA1-128(PMK, “Key Identifier” | AP-mac | STA-mac)
  • If supplicant sets “cached PMK” bit in associate request, a list of pmknames, and the number of pmknames, is appended to the request.
  • If authenticator has one of the named PMKs in the list it appends the pmkname to the first message of the 4-way handshake.

  5. Name Cached PMKs!
  Supplicant (associate request): “I have cached PMKs: fjkdkleifjcjd8w2, 984oeruwonwru, dbnier7owfurn7w, 8qo8awq8t348h4”
  Authenticator (first message of the 4-way handshake): “dbnier7owfurn7w”
  Semantics: use PMK named by “dbnier7owfurn7w” in the 4-way handshake

  6. Advantages of Naming Cached PMKs for Fast Handoff
  • No new key hierarchies
  • No new service primitives
  • No new PRFs
  • No new key exchanges
  • No new management frames
  • Minimal, simple change to existing mechanisms: add a list, append a blob

  7. Advantages of Naming Cached PMKs for Fast Handoff
  • Can work with any scheme for distributing PMKs
    • IAPP
    • Neighbor graphs
  • It doesn’t matter how the PMK got there, just that it got there.
  • Protocol does not assume existence of PMKs. Either side can delete a PMK from its cache for any reason and at any time.

  8. Advantages of Naming Cached PMKs for Fast Handoff
  [Figure: neighbor graph of APs A, B, C, D and E]
  • STA authenticates to A, hibernates and wakes up at D where it authenticates again. PMKs were delivered by AS to B and E for the first authentication and different PMKs were delivered to B and E for the second. The STA will assert both when it moves to B.

  9. Advantages of Naming Cached PMKs for Fast Handoff
  [Figure: neighbor graph of APs A, B, C, D and E]
  • B will select one and initiate the 4-way handshake. If the STA moves to C it will again assert two named PMKs. Depending on the neighbor graph C may have one (in which case C will choose it) or none (in which case C will begin 802.1X authentication of the STA).
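The naming rule of slide 4 and the assert/select exchange of slide 5, run through the two-PMK scenario of slides 8 and 9, as an added Python example that is not code from the original presentation. The MAC addresses, PMK values and which APs received a PMK are constructed here; the label string is used exactly as slide 4 writes it.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Label string exactly as slide 4 writes it (constructed example, not the author's code).
KEY_ID_LABEL = b"Key Identifier"


def pmk_name(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """pmkname = HMAC-SHA1-128(PMK, "Key Identifier" | AP-mac | STA-mac).
    HMAC-SHA1-128 is HMAC-SHA1 truncated to its leading 128 bits (16 octets)."""
    return hmac.new(pmk, KEY_ID_LABEL + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class Supplicant:
    """STA side: caches PMKs from earlier authentications and asserts them by name."""

    def __init__(self, sta_mac: bytes) -> None:
        self.sta_mac = sta_mac
        self.pmks: List[bytes] = []

    def associate_request(self, ap_mac: bytes) -> dict:
        # "cached PMK" bit plus the count and the list of pmknames appended to the request.
        # Names are AP-specific, so they are recomputed for every AP the STA moves to.
        names = [pmk_name(p, ap_mac, self.sta_mac) for p in self.pmks]
        return {"cached_pmk": bool(names), "count": len(names), "pmknames": names}


class Authenticator:
    """AP side: holds a pmkname -> PMK cache; how a PMK got there does not matter."""

    def __init__(self, ap_mac: bytes) -> None:
        self.ap_mac = ap_mac
        self.cache: Dict[bytes, bytes] = {}

    def deliver_pmk(self, pmk: bytes, sta_mac: bytes) -> None:
        # Pushed by the AS over a neighbor graph, or pulled on demand: either way it is cached by name.
        self.cache[pmk_name(pmk, self.ap_mac, sta_mac)] = pmk

    def forget(self, name: bytes) -> None:
        self.cache.pop(name, None)  # either side may drop a PMK for any reason at any time

    def handle_associate(self, req: dict) -> Optional[bytes]:
        """Return the pmkname to echo in message 1 of the 4-way handshake,
        or None to fall back to full 802.1X authentication."""
        if not req["cached_pmk"]:
            return None
        return next((n for n in req["pmknames"] if n in self.cache), None)
```

The ratified 802.11i PMKID uses the same HMAC-SHA1-128 construction over the authenticator and supplicant addresses but with the label “PMK Name”.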

  10. Advantages of Naming Cached PMKs for Fast Handoff
  • Can work with any scheme for deriving AP-specific PMKs.
  • Is independent of whatever key hierarchy may be defined.
  • It doesn’t matter how the key was derived as long as the STA and AS are using the same technique. AP is out of the loop and therefore the protocol does not care.

  11. Advantages of Naming Cached PMKs for Fast Handoff
  • Can be used with PSKs too!

  12. Discussion

  13. Motion!
  • Insert changes described in 03/484-r1 to draft.
