aaa based keying for wireless handovers problem statement
play

AAA based Keying for Wireless Handovers: Problem Statement - PowerPoint PPT Presentation

Dec 23, 2022 •117 likes •294 views

AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid Nakhjiri (Huawei USA/Motorola Labs) Mohan Parthasarathy (Nokia) Julien Bournelle (GET/INT/FT) Hannes Tschofenig (Siemens) R. Marin Lopez (TARI)

  1. AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid Nakhjiri (Huawei USA/Motorola Labs) Mohan Parthasarathy (Nokia) Julien Bournelle (GET/INT/FT) Hannes Tschofenig (Siemens) R. Marin Lopez (TARI) IETF 67 San Diego Nov 2006 1

  2. Slide from IETF 65: EAP Keying for fixed peers Holds Peer credential EAP/AAA peer Authenticator server Generation of EAP-XXX Method Authentication Generation of MSK, EMSK, MSK, EMSK, EAP over L2 EAP over AAA EAP MSK transport EAP complete complete Security Association Protocol (TSKs) Transported MSK Generation of Generation TSKs of TSKs Use TSKs for link security Nov 2006 2

  3. Mobility Old Access link (Old SA) MSK1 MN Auth-1/AN1 New link (new SA) MSK2 Auth2/AN2 EAP/AAA server • Secure Access link: MN-AN SA • Access link Handover: create MN-AN2 SA • If Authenticator=AN: – MSK goes to AN1 – MN-AN2 SA: requires new MSK at AN2? • Run EAP again?? Handover performance suffers • Don ’ t send MSK to Authenticator, • Extend key hierarchy, create a per-authenticator key derived from previous EAP Nov 2006 3

  4. Session Longevity Access link established MSK MN Auth EAP/AAA server • Secure session established: previous lengthy EAP-XXX • Session and keys about to expire • Run EAP-XXX again? • No, perform a “ fast re-authentication ” – Use state/keys from previous EAP – Design specific signaling for re-authentication Nov 2006 4

  5. Network Management scalability Wireless Access Network Architecture/CAPWAP Access Gateway Access link MN Access Gateway AAA server Access Node • Access Nodes (WiMAX: BS, CAPWAP/802.11: WTP/AP) – providing access links (wireless termination) – Lightweight/ less security-AAA functions/ less need for upgrades • Access Gateways (WiMAX: ASN-GW, CAPWAP AC) – Management functions, backend communications – More trusted, AAA server interaction – Manages mobility across ANs (handovers) without interaction with AAA server – Typically manages one access technology. Nov 2006 5

  6. EAP authenticator split to Manage scalability and AN-handover performance Authenticator TSK PMK MN EAP. AAA server MSK AG AG ANs • Splitting the EAP authenticator into 2 solves the intra-authenticator handover performance problem (SDOs) 1. ASN_GW, R0KH, AC: – holds key from AAA server, creates per AN keys: 2. AN, WTP, Auth port – receives Per AN keys, creates SA with peer (MN) • It does not solve Inter-authenticator problem • Authenticator a logical function, AN/AG physical entities (channel binding) • Solutions varies between SDOs: media-independent handover difficult Nov 2006 6

  7. Goals and Requirements Authentication Of Prevention of Channel binding All parties Media Independence domino effect, Key scope Fresh keys, key life times Delay performance Security Requirements Mobility Requirements Session longevity Network Mgmt (re-auth) EAP based Scalability Key distribution Key Hierarchy Mobility Protocol design (handovers) Key Mgmt Reduce AAA Design Goals specifications roundtrips Consistent terminology Tools/ideas Nov 2006 7

  8. Problem statement/ To Dos • Create consistent terminology • Specify security, mobility, management goals • Decide levels of key hierarchy – Map hierarchy levels to key holders – Define key derivation function and parameters – Define messaging to exchange the parameters – Define key management rules • How far down the key hierarchy can IETF go? • Do the needed protocols exist? Nov 2006 8

  9. New Terminology/ Concepts • Handover Root Key (HRK) – Used as the root of key hierarchy for handover (and re-auth) – AAA server is HRK holder – HRK is used to create per-ADC keys (ADMSKs) • Access Domain Controller (ADC) – Top level key holder in an access domain (holds ADMSK) – Responsible for keying needs within an Access Domain (reduce the need to AAA interactions). – 802.11r calls this Mobility domain controller (MDC): • MDC or ADC? Nov 2006 9

  10. Access Domain controllers Access domain 1 TSK MN EAP. AAA server ADMSK1 ADC ADC ADMSK2 HRK ANs Access domain 2 • ADC is a key holder and a AAA client – It can be the authenticator, but does not have to be – ADC is a AAA client (it receives ADMSK from AAA server) – Both authenticator-split and flat architectures can be supported. – ADC provisions the access domain ANs with keys – Access domain can be mapped to an access technology region, if needed Nov 2006 10

  11. Tough problems • Terminology, Terminology, terminology • What key to use to derive handover root key? – MSK or as USRK from EMSK? (created at EAP server?) • Compatibility with other SDOs? Backward compatibility? • Architecture: – ADC part of the authenticator? Positioning ADC vs Authenticator? – Access technology mapping – To accomodate physically separate ADC and AN? • Channel binding/ key derivation parameters/ Messaging – ADC and AN collocated (EAP keying) or not (SDO) • Messaging – Exchange parameters for key derivation (e.g. ADC-ID) • Channel binding – EAP keying item: ADC and AN are both part of Authenticator – Handover keying with deeper hierarchy? Nov 2006 11

  12. Problem: IETF scope? LSAP-MK should be defined in Info RFCs, IMHO • Intra ADC handover: Key management and key derivation inside same ADC (Is this within IETF scope? Info RFCs?) • Inter ADC handover: Key Management and key derivation through different ADCs but same AAA, without running EAP again. AN1 ADC1 LSAP LSAP-MK1 MN AAA ADMSK-1 server Intra-ADC HO LSAP-MK2 AD1 Inter-ADC HO HRK AN2 ADMSK-2 ADC2 LSAP-MK3 AN3 AD2 Nov 2006 12

  13. Positioning of EAP authenticator wrt ADC (alternative 1) AAA server ADMSK1 AD2 AD1 LSAP-MK ADC1/ ADC2 Authenticator Key Holder 1 AN1: port1 AN3 AN2 LSK EAP signaling MN Non-EAP signaling Channel binding issues Nov 2006 13

  14. Positioning of EAP authenticator wrt ADC (alternative 1) AAA server EAP signaling AD2 AD1 ADMSK1 ADC2 Authenticator ADC1/ LSAP-MK Key Holder 1 AN3 AN1 AN2 LSK MN Nov 2006 14

  15. Backup:Related charter deliverables • Re-authentication (including handover) and key management problem statement – Security and performance goals. • Choice of MSK or EMSK in HRK (not a deliverable, but important) • Handover Root Key (HRK) and key hierarchy derivation and management specification • Handover/re-authentication protocol specification • Key distribution protocol specifications Nov 2006 15

  16. Backup: Why ADC instead of Authenticator • Allows for easier management of heterogeneous roaming/ handovers (e.g. per-domain technology) – Combine key mgmt with mobility mgmt • Handover root key transport/caching behavior – HRK (e.g. MSK) is kept at AAA server, not sent to authenticator – A per ADC master keys (ADMSK) are sent to ADC • Separation of EAP auth. and handover keying signaling – Key mgmt and mobility mgmt can be inside an ADC, independent of entity that acts as pass-thru Auth, – Pass-thru auth either in AN or ADC • More crisp key usage guidelines – Authenticator master key<->Authenticator port master key? – Use ADC master key (ADMSK) and AN master key (LSAP_MK) instead Nov 2006 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Optimizing Handovers in Wireless Networks Utilizing Extended MIIS Facilities Muhammad Qasim Khan

Optimizing Handovers in Wireless Networks Utilizing Extended MIIS Facilities Muhammad Qasim Khan

Optimizing Handovers in Wireless Networks Utilizing Extended MIIS Facilities Muhammad Qasim Khan Department of Telematics NTNU 31. August 2012 www.ntnu.no Muhammad Qasim Khan, Optimizing Handovers in Wireless Networks Utilizing Extended MIIS

2.11k views • 187 slides
Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying Vidya Narayanan , vidyan@qualcomm.com Lakshminath Dondeti , ldondeti@qualcomm.com IETF-67 San Diego, CA November 2006 Contents EAP keying

614 views • 15 slides
2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC

2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC

2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC 4738 - MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY) 3 4 5 Based on an Identity Based asymmetric

472 views • 12 slides
Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude

Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude

CMPE 477 Wireless and Mobile Networks Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude Shift Keying Frequency Shift Keying Phase Shift Keying CMPE 477 Analog and Digital Signaling

504 views • 14 slides
Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading, interference, hidden terminal problem IEEE 802.11 ( wi-fi ) CSMA/CA reflects wireless channel characteristics DIFS, SIFS,

1.43k views • 83 slides
WiPrint 3D Printing Your Wireless Coverage Justin Chan, Changxi Zheng*, Xia Zhou Dartmouth

WiPrint 3D Printing Your Wireless Coverage Justin Chan, Changxi Zheng*, Xia Zhou Dartmouth

WiPrint 3D Printing Your Wireless Coverage Justin Chan, Changxi Zheng*, Xia Zhou Dartmouth College, *Columbia University 1 Problem 1 Rx Tx Performance 2 Problem 2 Security 3 Problem Statement -35 -40 -45 -50 -55 -60

579 views • 34 slides
Statement Problem A: Bijection In this problem, you have to establish a bijection between

Statement Problem A: Bijection In this problem, you have to establish a bijection between

Problem A: Bijection Statement Statement Problem A: Bijection In this problem, you have to establish a bijection between combinations and pairs of a regular bracket sequence and an integer. Ivan Kazmenko (SPb SU) Problem Analysis 28.01.2020

2.1k views • 181 slides
lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending -

lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending -

lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending - chroma keying revisited: &quot;pulling a matte&quot; Organization of Course 1: Viewing transformations 2: Visibility, geometry modelling 3:

685 views • 41 slides
1 Reference Signaling Conventional Channel Estimation In wireless communications, we use

1 Reference Signaling Conventional Channel Estimation In wireless communications, we use

Outline Research Problem Statement Physical Layer Security Overview Introduction to Achievable Rate and Capacity Physical Layer (PHY) Security Yao Zheng Some Research Results Conclusions and Future work 2 Wireless

453 views • 8 slides
Texture Synthesis Presented by James Hays Problem Statement 1 Problem Statement Problem

Texture Synthesis Presented by James Hays Problem Statement 1 Problem Statement Problem

Texture Synthesis Presented by James Hays Problem Statement 1 Problem Statement Problem Statement 2 Problem Statement Problem Statement 3 Problem Statement Problem Statement 4 Problem Statement Problem Statement 5 Problem Statement

521 views • 26 slides
coding Xin Sheng Zhou Problem for Wireless Networks Traffic demand Main problem: Shared

coding Xin Sheng Zhou Problem for Wireless Networks Traffic demand Main problem: Shared

Cooperative networks and coding Xin Sheng Zhou Problem for Wireless Networks Traffic demand Main problem: Shared medium = Interference What we have done? Wireless throughput had doubled every 30 months over a period of 104 years,

455 views • 23 slides
ALTO Problem Statement draft-marocco-alto-problem-statement-02 Enrico Marocco Vijay Gurbani 72

ALTO Problem Statement draft-marocco-alto-problem-statement-02 Enrico Marocco Vijay Gurbani 72

ALTO Problem Statement draft-marocco-alto-problem-statement-02 Enrico Marocco Vijay Gurbani 72 nd IETF Meeting Outline History The problem Main issues Use cases The cache location sub-problem Internet Applications

716 views • 26 slides
Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux &amp; freeBSD Securing &amp; Managing Wireless LAN : Implementing 802.1x EAP-TLS PEAP-MSCHAPv2

278 views • 14 slides
Problem statement Probability based severity of conflicts using bivariate Extreme Value models

Problem statement Probability based severity of conflicts using bivariate Extreme Value models

Problem statement Probability based severity of conflicts using bivariate Extreme Value models Attila Borsos, University of Gy r, Hungary Haneen Farah, TU Delft, Netherlands Aliaksei Laureshyn, Lund University, Sweden 32 nd ICTCT Workshop,

299 views • 4 slides
Learning Wi-Fi Connection Loss Predictions for Seamless Vertical Handovers Using Multipath TCP

Learning Wi-Fi Connection Loss Predictions for Seamless Vertical Handovers Using Multipath TCP

Learning Wi-Fi Connection Loss Predictions for Seamless Vertical Handovers Using Multipath TCP Jonas Hchst, Artur Sterz, Alexander Frmmgen, Denny Stohr, Ralf Steinmetz, Bernd Freisleben TU Darmstadt and Philipps-Universitt Marburg 1 |

695 views • 30 slides
Problem Statement National Carwash Solutions has a sensor on a car wash arm that is powered by a

Problem Statement National Carwash Solutions has a sensor on a car wash arm that is powered by a

Problem Statement National Carwash Solutions has a sensor on a car wash arm that is powered by a set of batteries . Currently, the batteries are not rechargeable and they have proposed to employ a wireless charging system. The sensor cannot be

951 views • 21 slides
Overview DAQ for dE/dx tests DAQ for dE/dx tests Sampling ADC overview Sampling ADC

Overview DAQ for dE/dx tests DAQ for dE/dx tests Sampling ADC overview Sampling ADC

Overview DAQ for dE/dx tests DAQ for dE/dx tests Sampling ADC overview Sampling ADC overview free running parameter extraction, triggerless free running parameter extraction, triggerless data output, SODA data output,

430 views • 15 slides
Next generation CASPER Conference , digitizers for CAL TECH, Aug 2017 PRESENTER: Sias Malan

Next generation CASPER Conference , digitizers for CAL TECH, Aug 2017 PRESENTER: Sias Malan

Next generation CASPER Conference , digitizers for CAL TECH, Aug 2017 PRESENTER: Sias Malan MeerKAT South African radio astronomy www.ska.ac. za Talk outline MeerKAT frequency bands L-band digitization UHF-band digitization S-band

659 views • 17 slides
EECS 373 Design of Microprocessor-Based Systems Announcements Prabal Dutta Sampling

EECS 373 Design of Microprocessor-Based Systems Announcements Prabal Dutta Sampling

Outline EECS 373 Design of Microprocessor-Based Systems Announcements Prabal Dutta Sampling University of Michigan ADC DAC Sampling, ADCs, and DACs Some slides adapted from Mark Brehob, Jonathan Hui &amp; Steve Reinhardt 1 2

414 views • 6 slides
with HeuristicLab An Open Source Optimization Environment for Research and Education S. Wagner,

with HeuristicLab An Open Source Optimization Environment for Research and Education S. Wagner,

Algorithm and Experiment Design with HeuristicLab An Open Source Optimization Environment for Research and Education S. Wagner, M. Affenzeller Heuristic and Evolutionary Algorithms Laboratory (HEAL) School of Informatics/Communications/Media,

427 views • 17 slides
Analog to digital conversion in AVR Microcontrollers (Chapter 13 of the text book) Contents

Analog to digital conversion in AVR Microcontrollers (Chapter 13 of the text book) Contents

Microprocessors, Lecture 10: Analog to digital conversion in AVR Microcontrollers (Chapter 13 of the text book) Contents ADC units of ATmega32 ADC programming in C University of Tehran 2 ADC in AVR University of Tehran 3 ADC

776 views • 25 slides
Tempesta FW Linux Application Delivery Controller Alexander Krizhanovsky Tempesta Technologies,

Tempesta FW Linux Application Delivery Controller Alexander Krizhanovsky Tempesta Technologies,

Tempesta FW Linux Application Delivery Controller Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com Who am I? CEO &amp; CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW open source Linux Application

1.05k views • 55 slides
Front-end Electronics and Data Acquisition in Particle Physics Igor Konorov Institute for

Front-end Electronics and Data Acquisition in Particle Physics Igor Konorov Institute for

Front-end Electronics and Data Acquisition in Particle Physics Igor Konorov Institute for Hadronic Structure and Fundamental Symmetries (E18) Technical University of Munich Department of Physics Advanced Workshop on Modern FPGA-Based

940 views • 61 slides
nesC Announcement Programming language for TinyOS and applications Slides available

nesC Announcement Programming language for TinyOS and applications Slides available

nesC Announcement Programming language for TinyOS and applications Slides available online. Support TinyOS components and event/command Open floor discussions. Whole-program analysis at compile time Improve robustness:

268 views • 3 slides

More recommend