
Handover Keying

Handover Keying. IETF 65 Dallas. Handover in Wireless Access Networks. Access link. BS/AP providing/controlling access service. User/device credentials stored at the backend server. Handover: re-establish secure links with new BS/AP. Handover performance is a crucial service quality factor.



Presentation Transcript


  1. Handover Keying IETF 65 Dallas

  2. Handover in Wireless Access Networks
     • BS/AP providing/controlling access service
     • User/device credentials stored at the backend server
     • Handover: Re-establish secure links with new BS/AP
     • Handover performance is a crucial service quality factor
     [Diagram labels: MN, access link, BS/AP, Access Gateway, Access Gateway, AAA server]

  3. EAP Keying for fixed peers
     [Sequence diagram. Participants: peer, Authenticator, EAP server. Labels in slide order:]
     • EAP-XXX authentication
     • Generation of MSK, EMSK (shown twice)
     • EAP over L2
     • EAP over AAA
     • EAP Success + MSK transport
     • EAP Success
     • EAP complete (shown twice)
     • Generation of MS-BS Security Association (TSKs)
     • Transported MSK
     • Generation of TSKs (shown twice)
     • Use TSKs for link security

  4. EAP with handovers
     [Diagram labels: Old SA, MSK, New SA, EAP/AAA server, BS/Authenticator]
     • SA for the old link – from SAP exchange (using MSK)
     • If you send MSK to the first BS, you need a new MSK at the second BS
     • Run EAP again to establish new MSK/SA?

  5. Handover keying using EAP: SDO solutions
     [Diagram labels: Long term credential + MSK, MN, BS1, BS2, TSK, PMK, MSK, AGW, Authenticator, EAP, AAA server]
     • EAP solutions in SDOs for handover
     • Authenticator consists of ports
     • Gateway: Authenticator (holds MSK, creates PMK)
     • BS: Authenticator port (receives PMK from Gateway)
     • Handover?: Create a PMK for each BS from initial MSK (port-to-port HO)
     • This only solves intra-authenticator handover

  6. Problem: Inter-authenticator
     [Diagram labels: Long term credential, PMK, TSK, MSK, MN, ANs, Authenticator, EAP, AAA server]
     • Authenticator handover not supported
     • Requires re-authentication (rerun of EAP)
     • Can we avoid running a new EAP as part of Authenticator Handover?

  7. HOAKEY: Create a Key Hierarchy
     • Use EAP generated master keys, e.g. EMSK/AMSK, as root key and create further keys
     • To support intra-authenticator as well as inter-authenticator HO in a way that does not require new EAP runs
     • Define key derivation at each level (down to AP)
     • Specify if within IETF scope
     • Requirement/guidance when outside IETF scope
     • Keying parameters (channel binding, scoping, caching lifetime)
     • Protocols for key request/distribution
     • Security goal: Requirement for new protocols/extensions for existing protocols
     • Performance goal: handover optimization (pre-/post-handover signaling)
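
The hierarchy proposed on slide 7, sketched as an added example that is not part of the presentation: a root key derived from the EMSK, a key per authenticator, and a key per BS, each bound to a scope and a caching lifetime. The slides define no derivation function, so the HMAC-SHA256 counter-mode KDF, the labels, the identifiers and the helper names are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

def ctx(*parts: bytes) -> bytes:
    # Length-prefix each field so ("ab","c") and ("a","bc") never collide.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def kdf(key: bytes, label: str, context: bytes, length: int = 32) -> bytes:
    # Assumed KDF: HMAC-SHA256 in counter mode; the slides specify none.
    out, counter = b"", 1
    while len(out) < length:
        msg = (counter.to_bytes(4, "big") + label.encode() + b"\x00"
               + context + (length * 8).to_bytes(4, "big"))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

@dataclass(frozen=True)
class ScopedKey:
    key: bytes
    scope: bytes       # identity the key is bound to (peer, authenticator, BS)
    expires_at: int    # caching lifetime as an absolute time in seconds

def derive_child(parent: bytes, label: str, scope: bytes, expires_at: int) -> ScopedKey:
    # Scope and lifetime are KDF inputs, so changing either changes the key.
    context = ctx(scope, expires_at.to_bytes(8, "big"))
    return ScopedKey(kdf(parent, label, context), scope, expires_at)

def handover_chain(emsk: bytes, peer_id: bytes, auth_id: bytes, bs_id: bytes, expires_at: int):
    # EMSK -> handover root -> per-authenticator key -> per-BS key (hypothetical labels).
    root = derive_child(emsk, "ho-root", peer_id, expires_at)
    auth = derive_child(root.key, "ho-authenticator", auth_id, expires_at)
    bs = derive_child(auth.key, "ho-bs", bs_id, expires_at)
    return root, auth, bs

def usable(cached: ScopedKey, claimed_scope: bytes, now: int) -> bool:
    # A BS accepts a cached key only inside its lifetime and for its own identity.
    return now < cached.expires_at and hmac.compare_digest(cached.scope, claimed_scope)

# Constructed sample values, not real key material or identifiers.
EMSK = bytes(range(64))
PEER, EXPIRY = b"mn@example.net", 1_700_003_600

if __name__ == "__main__":
    _, a1, bs1 = handover_chain(EMSK, PEER, b"agw-1", b"bs-1", EXPIRY)
    _, a2, bs2 = handover_chain(EMSK, PEER, b"agw-2", b"bs-2", EXPIRY)
    print("authenticator keys differ:", a1.key != a2.key)
    print("bs-1 key usable at bs-2:", usable(bs1, b"bs-2", EXPIRY - 1))
```

Because every level is derived from the level above, a move to a new BS or a new authenticator needs only a fresh derivation and key distribution, not a new EAP run, and a key leaked from one BS does not reveal its siblings or its parent.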
