
Chapter 1 Introduction

1.3 Synopsis

The remainder of this thesis is organized as follows. Chapter 2 introduces background technologies and related work. Chapter 3 presents the proposed mechanism, including the system architecture and message flows. The security analysis and the estimated handoff latency are presented in Chapters 4 and 5. Finally, we conclude this research and introduce our future work in Chapter 6.

Chapter 2

Background and Related Work

We begin this chapter by describing the system architecture and the security mechanism of WLAN Mesh, followed by an analysis of handoff procedures and latency. Finally, related works are discussed.

2.1 WLAN Mesh Networking

The WLAN infrastructure usually consists of APs connected to a wired network, providing wireless connectivity for STAs. The non-mesh WLAN deployment model is illustrated in Figure 2-1.

Figure 2-1 Non-mesh WLAN infrastructure (APs attached to the wired network, each serving STAs)

An example of the WLAN Mesh infrastructure is shown in Figure 2-2. A WLAN Mesh is an 802.11-based wireless distribution system (WDS) consisting of a set of MPs interconnected via wireless links. An MP may be collocated with an AP to provide both mesh services and AP services in a single device, referred to as a MAP. STAs have to associate with a MAP to access the WLAN Mesh.

Figure 2-2 WLAN Mesh infrastructure (MPs interconnected by wireless links, an MPP acting as the portal to the wired network, MAPs serving STAs; mesh links are secured by IEEE 802.11s and STA links by IEEE 802.11i)

MPs and MAPs participate in the operations of mesh networking, but STAs do not. Two security mechanisms operate independently in the mesh security domain (MSD) and the AP security domain (ASD); hence the security architecture of WLAN Mesh is divided into two domains.

2.2 AP Security Domain

The security mechanism of ASD consists of 802.1X authentication, 4-way handshake and encryption protocols, i.e. TKIP and CCMP. The security mechanism is designed to establish a robust security network association (RSNA) between an STA and an MAP for securing the wireless connection.

Due to the delay in the ratification of 802.11i, Wi-Fi Protected Access (WPA), a subset of the 802.11i standard, was adopted by the Wi-Fi Alliance as a transitional solution to the insecurities of WEP. WPA2 is the full implementation of the 802.11i standard and provides a robust security protocol for WLAN.

2.2.1 Architecture

There are three components defined by 802.1X. As shown in Figure 2-3, the supplicant is an STA which requests access to the WLAN Mesh. The authenticator is the serving MAP, which controls access to the network and blocks unauthorized traffic. The authentication server (AS), e.g. a RADIUS server, provides authentication services for checking the credentials of the supplicant on behalf of the authenticator.

Figure 2-3 802.1X architecture and protocol stack of ASD (supplicant PAE in the STA, authenticator PAE in the MAP guarding the services it offers, and the AS reached over the LAN; EAP is carried in EAPOL over 802.11 between supplicant and authenticator, and in RADIUS over UDP/IP and 802.3 between authenticator and AS)

802.1X provides port-based network access control for authenticating devices attached to a LAN port. Ports on an 802.1X-capable device are switched between the authorized state and the unauthorized state. A port is enabled while in the authorized state and disabled while in the unauthorized state. The 802.1X specification permits initialization traffic, such as DHCP messages, to pass the port in the unauthorized state.

The protocol stack of 802.1X is illustrated in Figure 2-3. On the top is the EAP layer, which includes the EAP protocol and the EAP methods. The EAP protocol is a framework that allows EAP methods to perform authentication transactions between the supplicant and the AS. EAP messages are carried by EAPOL frames transmitted between the supplicant and the authenticator. All EAP messages are encapsulated into RADIUS packets and forwarded to the AS for further processing.

2.2.2 Authentication

The message flows of 802.1X authentication are shown in Figure 2-4. The detailed procedure is as follows:

Figure 2-4 802.1X authentication (between STA (supplicant), MAP (authenticator), MPP and AS: EAPOL-Start (optional); EAP-Request/Identity; EAP-Response/Identity carried in a RADIUS-Access-Request over the security channel; RADIUS-Access-Challenge delivered as EAP-Request/Method; EAP-Response/Method in a RADIUS-Access-Request, repeated as the method requires; RADIUS-Access-Accept (MSK) delivered as EAP-Success; the MSK is then held by the STA, the MAP and the AS)

1. An 802.1X authentication may be initiated either by an EAPOL-Start message sent by the STA or by an EAP-Request/Identity message sent by the MAP.

2. The STA responds with the user identity in an EAP-Response/Identity message; the identity is encapsulated into a RADIUS-Access-Request packet and forwarded to the AS.

3. The AS issues an authentication challenge. This challenge is passed to the STA as an EAP-Request/Method message, which negotiates the EAP method used in the following steps.

4. The STA and the AS exchange the authentication information carried by EAP-Request/Response messages. This step may be repeated many times depending on the EAP method.

5. After finishing the EAP authentication, both the STA and the AS generate a master session key (MSK). To authorize the serving MAP, the MSK is distributed from the AS to the MAP via the security channel.

6. In the end, a RADIUS-Access-Accept packet is passed to the STA as an EAP-Success message, indicating that the 802.1X authentication is complete.

2.2.3 Key Hierarchy

After an STA has passed the 802.1X authentication, it is authorized to access the network, and the communication between the STA and its serving MAP should be secured. To provide data encryption and integrity for the 802.11 connection, the 802.11i standard adopts a key hierarchy to derive a session key. Figure 2-5 illustrates the key hierarchy and its derivations.

Figure 2-5 Key hierarchy and derivations of 802.11i (the MSK or PSK at the top; the AS holds the MSK; the supplicant and the authenticator each derive the PMK from the MSK or PSK, and the PTK from the PMK)

An MSK or a PSK is the highest-order key and is never exposed to any party except the AS, the authenticator and the supplicant. The MSK is generated by the EAP method and consists of two portions: the Enc-RECV-Key and the Enc-SEND-Key. The supplicant and the authenticator take either the Enc-RECV-Key or the PSK as the PMK.

The PTK is a session key derived from the PMK, which collaborates with TKIP or CCMP to provide confidentiality, integrity and origin authenticity.

Figure 2-6 PTK structure of TKIP and CCMP:
TKIP PTK (512 bits) = KCK (128 bits) | KEK (128 bits) | TK (128 bits) | MIC Key (128 bits)
CCMP PTK (384 bits) = KCK (128 bits) | KEK (128 bits) | TK (128 bits)
Both PTKs are derived from the PMK (256 bits).

802.11i defines two structures of the PTK. As shown in Figure 2-6, both the TKIP and the CCMP PTK start with the EAPOL key confirmation key (KCK), which is used to compute the message integrity check of EAPOL-Key messages. Next comes the EAPOL key encryption key (KEK), which is used to encrypt EAPOL-Key messages. The temporal key (TK) is used for data encryption. Since TKIP is designed to be compatible with the traditional encryption and authentication scheme of WEP, it requires an additional key to perform the Michael integrity check (MIC). For CCMP, the TK is used for both data encryption and the integrity check.

2.2.4 RSNA Establishment

An STA has to establish the RSNA with its serving MAP before it is able to access the WLAN Mesh. The procedure of RSNA establishment consists of 802.1X authentication and the 4-way handshake. Figure 2-7 shows the message flows of RSNA establishment, where the MPP is not involved in the handshake but forwards the authentication information to the AS.

Figure 2-7 802.11i RSNA establishment (between STA (supplicant), MAP (authenticator), MPP and AS: after the RADIUS-Access-Accept (MSK) reaches the MAP via the MPP, message #1 EAPOL-Key(key-info, ANonce, PMKID); message #2 EAPOL-Key(key-info, ANonce, SNonce, MIC); message #3 EAPOL-Key(key-info, ANonce, SNonce, GTK, MIC); message #4 EAPOL-Key(key-info, MIC))

1. After associating with the MAP, the STA performs 802.1X authentication.

2. The AS and the STA obtain an MSK from the EAP method. The AS distributes the MSK to the MAP.

3. The STA and the MAP derive a PMK from the MSK. If a PSK is used instead of the PMK, the 802.1X authentication is skipped.

4. The STA and the MAP perform the 4-way handshake. To prevent replay attacks, the MAP sends ANonce to the supplicant in message #1. The PMKID is also included in this message to synchronize the PMK used in the handshake. Message #1 is neither encrypted nor authenticated, so a missing or mismatched response fails the handshake.

5. The STA derives a fresh PTK and sends SNonce and the robust security network information element (RSNIE) to the MAP in message #2. This message is authenticated with the MIC calculated by the STA with the KCK.

6. The MAP derives the symmetric PTK and checks the integrity of message #2. If the MIC is invalid, the handshake fails; otherwise the MAP acknowledges to the STA that the PTK is successfully derived. In addition, a GTK can also be distributed to the STA in message #3.

7. The STA responds with a confirmation to the MAP, informing it that the PTK is installed. Message #4 is authenticated with the KCK, too.

8. After establishing the RSNA, the MAP switches the 802.1X port to the authorized state, and thus network access is allowed.
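As an added example (not code from the thesis), the following Python models the derivations of sections 2.2.3 and 2.2.4: the PTK is expanded from the PMK with the 802.11i PRF and split into the KCK, KEK and TK portions of Figure 2-6, and the 4-way handshake uses the KCK to authenticate messages #2 to #4, so a PMK mismatch or a modified message #2 fails as step 6 describes. The EAPOL-Key frame contents, the MAC addresses and the MSK are constructed stand-ins, not real frame encodings.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) and truncate to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> dict:
    """PTK = PRF-n(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)),
    split into the Figure 2-6 portions: KCK, KEK, TK, and for TKIP's 512-bit PTK the Michael MIC key as well."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    parts = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:
        parts["MIC"] = ptk[48:64]
    return parts

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC: HMAC-SHA1 under the KCK, truncated to 128 bits (the CCMP AKM variant)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(pmk_sta: bytes, pmk_map: bytes, aa: bytes, spa: bytes, tamper: bool = False):
    """Messages #1-#4 of section 2.2.4 between an STA holding pmk_sta and a MAP holding pmk_map.
    Frames are constructed byte strings, not real EAPOL-Key encodings. Returns (ok, TK) as seen by the MAP."""
    anonce = os.urandom(32)
    msg1 = anonce                                         # #1: ANonce; neither encrypted nor authenticated
    snonce = os.urandom(32)
    sta = derive_ptk(pmk_sta, aa, spa, msg1, snonce)      # STA derives a fresh PTK
    msg2 = snonce + b"RSNIE"                              # #2: SNonce + RSNIE ...
    mic2 = eapol_mic(sta["KCK"], msg2)                    # ... authenticated with the STA's KCK
    if tamper:
        msg2 = os.urandom(32) + b"RSNIE"                  # SNonce altered in transit
    ap = derive_ptk(pmk_map, aa, spa, anonce, msg2[:32])  # MAP derives the symmetric PTK
    if not hmac.compare_digest(mic2, eapol_mic(ap["KCK"], msg2)):
        return False, None                                # invalid MIC: the handshake fails
    msg3 = anonce + os.urandom(16)                        # #3: ANonce + GTK (real frames wrap the GTK under the KEK)
    mic3 = eapol_mic(ap["KCK"], msg3)
    if not hmac.compare_digest(mic3, eapol_mic(sta["KCK"], msg3)):
        return False, None
    msg4 = b"PTK installed"                               # #4: confirmation, again under the KCK
    mic4 = eapol_mic(sta["KCK"], msg4)
    if not hmac.compare_digest(mic4, eapol_mic(ap["KCK"], msg4)):
        return False, None
    return True, ap["TK"]

def demo():
    """Constructed run: the same PMK on both sides succeeds; a wrong PMK or a tampered message #2 fails."""
    msk = os.urandom(64)                                  # MSK produced by the EAP method (Figure 2-5)
    pmk = msk[:32]                                        # PMK: the first 256 bits of the MSK (Enc-RECV-Key)
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ok, _ = four_way_handshake(pmk, pmk, aa, spa)
    wrong_pmk, _ = four_way_handshake(pmk, os.urandom(32), aa, spa)
    tampered, _ = four_way_handshake(pmk, pmk, aa, spa, tamper=True)
    return ok, wrong_pmk, tampered
```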

2.3 Mesh Security Domain

The efficient mesh security association (EMSA) proposed by 802.11s secures mesh links between an MP and its peers; it includes EMSA authentication, the 4-way handshake, key distribution and encryption protocols.

2.3.1 Architecture

The 802.1X architecture of MSD is essentially the same as ASD. However, since an MP is capable of utilizing and providing the distribution service, the roles of supplicant and authenticator are both adopted by the MP.

Figure 2-8 illustrates the 802.1X architecture of the MSD. If MP A requires the services provided by MP B, MP A's supplicant PAE has to be authenticated by MP B's authenticator PAE, and vice versa. Therefore, without the EMSA, an MP needs to perform a large number of 802.1X authentications to establish link security with its peer MPs. For instance, an MP in a fully connected WLAN Mesh with 5 MPs and 10 mesh links will perform 8 rounds of 802.1X authentication.

Figure 2-8 802.1X architecture of the MSD (MP A and MP B each contain both a supplicant PAE and an authenticator PAE; each MP's authenticator PAE guards the services offered by that MP and consults the AS over the authentication protocol on the LAN)

EMSA services permit two MPs to establish link security efficiently without performing 802.1X authentication. There are two types of mesh key holders defined by the EMSA: mesh authenticators (MAs) and mesh key distributors (MKDs). The functions of the 802.1X authenticator are distributed between the MKD and the MA. An MP may implement one type or both.

2.3.2 Key Hierarchy

802.11s also introduces a new key hierarchy. As shown in Figure 2-9, an MSK or a PSK is the highest-order key, never exposed to any party except the AS, the MKD and the supplicant MP. Below that, the key hierarchy splits into two branches.

The left portion is the link security branch, which provides keys for authentication and encryption between a supplicant MP and an MA. The functions of the PMK are divided between the PMK-MKD and the PMK-MA. The PMK-MKD is a proof that the supplicant has been authenticated. The PMK-MA is used to derive the session key and is generated by the MKD separately for each MA. Separating the PMK functions simplifies the subsequent authentications for later mesh link establishments.

Figure 2-9 Key hierarchy and derivations of 802.11s (the PMK-MKD below the MSK or PSK; the link security branch derives one PMK-MA per MA, PMK-MA (a) and PMK-MA (b); the key distribution branch derives the KDK (b))

The right portion is the key distribution branch which provides keys to secure the distribution of PMK-MAs between an MKD and MAs. The KDK is a proof that the MA and the MKD have established the security association. The PTK-KD is the session key derived from the KDK to secure the PMK-MA distribution.

2.3.3 Initial EMSA Authentication

A supplicant MP which has not established any security association needs to perform the initial EMSA authentication to establish the EMSA with the MA. Moreover, a mesh key hierarchy is also constructed in both the supplicant MP and the MA. Figure 2-10 explains the initial EMSA authentication, where the MA (a) is an MKD.

1. The supplicant MP performs full 802.1X authentication with the MA (a). RADIUS messages are forwarded via the MPP.

2. The MSK is distributed from the AS to the MKD.

3. According to the mesh key hierarchy, the MKD and the supplicant MP derive the PMK-MKD and the PMK-MA (a).

4. The supplicant MP and the MA (a) perform the 4-way handshake to derive the PTK (a). The procedure of the 4-way handshake is the same as in the RSNA establishment described in section 2.2.4.

Figure 2-10 Initial EMSA authentication (between supplicant MP (s), MA (a) acting as the MKD, MPP and AS: EAP-Request/Identity, EAP-Response/Identity, RADIUS-Access-Request and RADIUS-Access-Challenge exchanges forwarded through the MPP over the secure channel, EAP-Request/Method and EAP-Response/Method, EAP-Success with RADIUS-Access-Accept (MSK); the PMK-MKD and the PMK-MA (a) are derived on both sides, and the 4-way handshake #1 to #4 yields the PTK (a) on both sides)

2.3.4 Subsequent EMSA Authentication

Once a mesh key hierarchy is established, an MP performs the subsequent EMSA authentication to establish security associations with peer MPs. The 802.1X authentication is omitted, and thus multiple mesh links can be established efficiently. The message flows of the subsequent EMSA authentication are shown in Figure 2-11.

1. The supplicant MP derives the PMK-MA (b) from the PMK-MKD generated in the initial EMSA authentication.

2. The MA (b) requests the PMK-MA (b) from the MKD, i.e. MA (a).

3. The MKD derives the PMK-MA (b) and encrypts it with the PTK-KD (b). After that, the PMK-MA (b) is distributed to the MA (b) with a PMK-MA Delivery Pull Mesh Action frame.

4. Once the supplicant MP and the MA (b) have the PMK-MA (b), they will perform 4-way handshake to derive the PTK (b).

Figure 2-11 Subsequent EMSA authentication (between supplicant MP (s), MA (b), MKD and AS: the supplicant holds the PMK-MKD and derives the PMK-MA (b); the MA (b) and the MKD share the KDK (b) and the PTK-KD (b) over the secure channel; after a PMK-MA Request, the PMK-MA Delivery Pull (PMK-MA) gives the MA (b) the PMK-MA (b); the 4-way handshake #1 to #4 yields the PTK (b) on both sides)

The PTK-KD (b) is derived in the mesh key holder security handshake. The detailed procedure of the handshake is described in the next section.

2.3.5 Mesh Key Holder Security Association

The mesh key holder security association provides data integrity and origin authenticity for the EAP authentication messages transmitted between an MA and the MKD. Furthermore, it secures the distribution of PMK-MAs and facilitates the subsequent EMSA authentication.

After the supplicant MP has passed the initial EMSA authentication, it can access the mesh network via the MA (a). However, if the supplicant MP further needs to operate as an MA, it has to establish the mesh key holder security association with the MKD.

Figure 2-12 illustrates the message flows of the mesh key holder security handshake, where the MKD is the MA (a) mentioned in the previous section.

Figure 2-12 Mesh key holder security handshake (between supplicant MP (s), MKD, MPP and AS: both sides hold the PMK-MKD; handshake messages #1, #2 and #3 are exchanged; the KDK (s) and then the PTK-KD (s) are derived on both sides)

The mesh key holder security association starts with the discovery of the MKD, followed by the 3-way handshake initiated by the MKD. After the handshake, a PTK-KD is derived from the KDK, and the supplicant MP (s) is able to provide the MA service. Frames transmitted between an MA and the MKD, such as the PMK-MA distribution, are encrypted with the PTK-KD.
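As an added example (not code from the thesis or from the 802.11s draft), the following Python models the mesh key hierarchy of sections 2.3.2 to 2.3.5: the PMK-MKD, one PMK-MA per MA, the KDK and PTK-KD of the key distribution branch, and the protected PMK-MA Delivery Pull of the subsequent EMSA authentication. The KDF labels and inputs, the delivery frame encoding and the mesh identifiers are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """256-bit derivation standing in for the 802.11s KDF; the draft's exact labels and inputs are not on the page."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

class MeshKeyHolder:
    """One supplicant MP's branch of the Figure 2-9 hierarchy, held identically by the MKD and by that MP."""

    def __init__(self, msk: bytes, mesh_id: bytes, mkd_id: bytes, spa: bytes):
        self.spa = spa
        # PMK-MKD: proof that the supplicant MP was authenticated; never leaves the MKD and the supplicant
        self.pmk_mkd = kdf(msk[:32], b"MKD Key Derivation", mesh_id + mkd_id + spa)
        # KDK: root of the key distribution branch, proof of the MA-MKD security association
        self.kdk = kdf(self.pmk_mkd, b"Mesh Key Distribution", mkd_id + spa)

    def pmk_ma(self, ma_id: bytes) -> bytes:
        """PMK-MA is generated per MA, so no MA learns the PMK-MKD or another MA's PMK-MA."""
        return kdf(self.pmk_mkd, b"MA Key Derivation", ma_id + self.spa)

    def ptk_kd(self, mkd_nonce: bytes, ma_nonce: bytes) -> bytes:
        """PTK-KD from the 3-way mesh key holder security handshake (section 2.3.5); the nonces give freshness."""
        return kdf(self.kdk, b"PTK-KD", mkd_nonce + ma_nonce)

def wrap(ptk_kd: bytes, pmk_ma: bytes) -> bytes:
    """PMK-MA Delivery Pull payload under PTK-KD: constructed encrypt-then-MAC, not the 802.11s frame format."""
    nonce = os.urandom(16)
    keystream = hmac.new(ptk_kd, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(pmk_ma, keystream))
    tag = hmac.new(ptk_kd, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unwrap(ptk_kd: bytes, frame: bytes) -> bytes:
    """MA-side check of the delivery: a wrong PTK-KD or a modified frame is rejected before the key is used."""
    nonce, ct, tag = frame[:16], frame[16:48], frame[48:]
    expected = hmac.new(ptk_kd, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PMK-MA delivery failed the integrity check")
    keystream = hmac.new(ptk_kd, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))

def subsequent_emsa(supplicant: MeshKeyHolder, mkd_view: MeshKeyHolder, ma_b_id: bytes, ptk_kd_b: bytes):
    """Section 2.3.4: the supplicant derives PMK-MA(b) locally while MA(b) pulls it from the MKD under PTK-KD(b).
    Returns both copies; they must match for the 4-way handshake deriving PTK(b) to succeed."""
    local = supplicant.pmk_ma(ma_b_id)                    # step 1 at the supplicant MP
    delivery = wrap(ptk_kd_b, mkd_view.pmk_ma(ma_b_id))   # steps 2-3: the MKD derives and protects PMK-MA(b)
    return local, unwrap(ptk_kd_b, delivery)              # MA(b) now holds PMK-MA(b)

def demo():
    """Constructed run: MA(a) is the MKD; MP(b) earlier became an MA through its own key holder handshake."""
    mesh_id, mkd_id, spa_s, spa_b = b"mesh-example", b"MA-a", b"MP-s", b"MP-b"
    msk_s, msk_b = os.urandom(64), os.urandom(64)
    supplicant = MeshKeyHolder(msk_s, mesh_id, mkd_id, spa_s)   # built at MP(s) after the initial EMSA authentication
    mkd_for_s = MeshKeyHolder(msk_s, mesh_id, mkd_id, spa_s)    # the MKD's copy of the same branch
    ma_b = MeshKeyHolder(msk_b, mesh_id, mkd_id, spa_b)         # MP(b)'s branch; the MKD holds the same one
    ptk_kd_b = ma_b.ptk_kd(os.urandom(32), os.urandom(32))      # shared by the MKD and MA(b) after their handshake
    local, delivered = subsequent_emsa(supplicant, mkd_for_s, spa_b, ptk_kd_b)
    return local == delivered, supplicant.pmk_ma(mkd_id) != local
```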

2.3.6 EMSA Establishment

The overall message flows of the EMSA establishment and mesh key holder security association are shown in Figure 2-13, where the MKD and MAs are implemented at different MPs.

1. The supplicant MP establishes a mesh link with the MA (a) and performs full EAP authentication.

2. Since the MA (a) is not the MKD, all EAP messages are forwarded to the MKD with the mesh EAP message transport protocol. The MKD encapsulates the EAP messages into RADIUS packets and forwards them to the AS.

3. After the EAP authentication, the MKD constructs the mesh key hierarchy and distributes the PMK-MA (a) to the MA (a).

4. The MA (a) and the supplicant MP perform 4-way handshake to derive the PTK (a).

5. The supplicant MP continues to establish another mesh link with MP (b). The subsequent EMSA authentication is performed.

6. The supplicant MP establishes the mesh key holder security association with the MKD.

7. Finally, two mesh links are established, and the supplicant MP is ready to provide the MA service.

Figure 2-13 Overall EMSA establishment (between supplicant MP (s), MA (a), MKD and AS: EAP-Success with RADIUS-Access-Accept (MSK); PMK-MA Delivery Pull (PMK-MA) for the PMK-MA (a) and later for the PMK-MA (b); 4-way handshakes yielding the PTK (a) and the PTK (b); the mesh key holder security handshake #1 to #3 yielding the PTK-KD (s) on both sides)

2.4 IEEE 802.11 Handoff

Mobility is an inherent characteristic of wireless networking. However, all wireless transmissions have a limited geographical range. The transmission range of an 802.11 AP is typically a few hundred feet. Upon moving out of the range of the currently associated AP, an STA enters the range of another AP and performs handoff procedures to regain connectivity.

Handoff mechanisms are designed to deal with STAs moving between APs, so that continuous and QoS-guaranteed communication is supported. The 802.11 standard provides mobility support for STAs traveling between basic service sets (BSSs), but not between extended service sets (ESSs).

Transitions between APs can be categorized into three types:

1. No transition. STAs move within the signal range of the current AP; no further considerations are needed.

2. BSS transition. STAs drop the connection to the current AP and then reassociate with another AP in the same ESS. To reconnect to the distribution system (DS), STAs need to be authenticated by the new AP. Figure 2-14 gives an example of the BSS transition.

Figure 2-14 BSS transition (an STA moves from AP1 to AP2 or AP3, where BSS1, BSS2 and BSS3 all belong to ESS1)

3. ESS transition. STAs move from one AP to another AP in a distinct ESS. A higher-layer mobility management protocol, such as Mobile IP, is necessary to support seamless handoff. The ESS transition is out of the scope of this research.

2.4.1 Handoff Latency

Handoff latency is the amount of time during which the connectivity between an STA and the DS is lost. The 802.11 handoff procedure consists of four portions: the discovery phase, the commit phase, the authentication phase and the handshake phase, where the authentication and handshake phases are only present in networks applying 802.1X and 802.11i.

Figure 2-15 802.11 handoff procedures [5] (between the STA and the target AP: the discovery phase of repeated Probe Request/Response exchanges, 20 ~ 300 ms; the commit phase of Open System Authentication Request/Response and Association Request/Response, 4 ~ 20 ms; the authentication phase from EAPOL-Start (optional) and EAP-Request/Identity through EAP-Success, 750 ~ 1200 ms; the handshake phase of 4-way handshake #1 to #4, 10 ~ 80 ms)

When the signal strength decreases or transmission errors occur, an STA decides to hand off to a target AP. In the discovery phase, the STA performs an active scan to construct a candidate AP list. The handoff algorithm chooses the "best" AP from the list as the target AP and directs the STA to associate with it. Following that is the commit phase: the STA authenticates (open system) and associates with the target AP to establish an 802.11 link. The current handoff latency in a non-802.11i environment is already too long to support real-time services; the authentication phase makes it even worse. The research in [5] indicates that about 75% to 95% of the handoff latency is contributed by the 802.1X authentication.

802.1X authentication is composed of time-consuming mathematical operations. The EAP protocol needs several message round-trips to exchange the authentication information and derive keys. For example, the PEAP/EAP-MSCHAPv2 protocol requires 22 EAPOL messages. Moreover, authentication messages may be transmitted over the Internet when the AS resides in a remote network. Therefore, to support seamless handoff, the substantial latency incurred by the 802.1X authentication must be eliminated.

2.5 Fast Authentication Methods

The issue of 802.1X authentication has been addressed. Some methods have been

