
Chapter 2 Background and Related Work

2.5 Fast Authentication Methods

2.5.4 Summary

The design of 802.11i, such as the key hierarchy and the redundant Open System authentication, does not take handoff into consideration and degrades the quality of time-sensitive applications. Furthermore, most EAP methods require multiple round-trip message exchanges, which result in significant authentication latency.

Since 802.11 is a link layer protocol, it should not address problems outside its scope, i.e. EAP authentication latency. Related research therefore focuses on reducing the need for EAP authentication rather than on speeding it up.

802.11r provides a solution that optimizes the message exchanges and separates 802.1X authentication from network access control. However, a considerable number of conventional WLANs have already been deployed, and these devices support neither fast authentication nor target AP prediction. It is impossible to replace or update all of them in the near future.

Besides, the 802.11 handoff is a mobile-controlled handoff (MCHO), in which the handoff decision is made by the STA. Since STAs are battery powered, handoff algorithms must consider the power consumed by signal measurement and analysis. Some mechanisms, such as the NG scheme, provide precise target AP prediction but require topology information to assist the decision.

We propose a new security mechanism for STAs that removes the authentication phase from handoff procedures. The proposed mechanism works on the premise that the security of the 802.11i RSN is assured: neither the MSK nor the PMK is transmitted over the wireless medium. Furthermore, no modification of the STA is needed to apply the new mechanism. The proposed mechanism is presented in the next chapter.

Chapter 3

Integrated Security Domain

To reduce the overhead of authentication and encryption processing, we propose a mechanism that integrates the security domains of a WLAN Mesh. An MPP and the MAPs connected to this MPP form an integrated security domain (ISD). An STA performs 802.1X authentication only when it first connects to an MAP within the ISD; authentication latency is removed from subsequent handoffs within the same ISD. Furthermore, an end-to-end security channel between the STA and the MPP is established without exchanging any extra message. This security channel improves the performance of the WLAN Mesh in routing encrypted frames.

3.1 Architecture

With ISD, the security functions of the AP service, such as 802.1X authentication and RSNA key management, are implemented in the MPP. As shown in Figure 3-1, the role of 802.1X authenticator is taken by the MPP instead of the serving MAP.

[Figure: STA (Supplicant); MAPs, MPs and the Portal MP inside the Integrated Security Domain; MPP (Authenticator)]

Figure 3-1 WLAN Mesh security architecture with ISD

The MAP is the edge of the WLAN Mesh and is responsible for blocking malicious STAs from accessing the network. To give the MAP the ability to verify frame integrity, the PTK and GTK are distributed from the MPP to the serving MAP via secured mesh links right after the 4-way handshake. Figure 3-2 shows the PTK distribution.

[Figure: the MPP holds the PMK and PTK; the PTK is passed through the MPs to the serving MAP; the STA holds the PMK and PTK]

Figure 3-2 PTK distribution

3.2 RSNA Establishment

When an STA initially associates with any MAP within the ISD, it is required to perform 802.1X authentication and the 4-way handshake to establish a security association with the MPP. For compatibility with conventional STAs, the message flows on the STA side are identical in ISD and 802.11i during RSNA establishment.

Since the MPP is the authenticator, the serving MAP participates in neither 802.1X authentication nor the 4-way handshake but forwards all authentication messages between the STA and the MPP. Figure 3-3 illustrates the RSNA establishment procedure for an STA initially authenticating with an MAP within the ISD.

1. The serving MAP checks the Association Request frame to see whether any PMKID is included. If not, an STA Authentication Request message is sent to the MPP to initiate 802.1X authentication.

[Figure: message sequence among STA (Supplicant), MAP, MP …, MPP (Authenticator) and AS: *STA Auth. Req., RADIUS-A.-Req., RADIUS-A.-Challenge, RADIUS-A.-Accept (MSK), *Key Distribution (PTK)]

Figure 3-3 RSNA establishment with ISD

2. The STA and the MPP perform 802.1X authentication and the 4-way handshake; all messages are forwarded via the serving MAP.

3. The MPP distributes the PTK to the serving MAP for integrity verification.

4. Once the serving MAP obtains the PTK, it switches the port to the authorized state, and the STA is able to access the network.

5. If a GTK is assigned by the MPP in the 4-way handshake, it is distributed to the serving MAP as well.

3.3 Handoff Procedures

802.11s allows multiple MPPs to reside in one WLAN Mesh, and thus the handoff behaviors with ISD are categorized into intra-MPP handoff and inter-MPP handoff. The authentication procedures differ between the two types.

3.3.1 Intra-MPP Handoff

Intra-MPP handoff means that an STA drops its current connection and reassociates with another MAP connected to the same MPP.

[Figure: the STA moves among AP1, AP2 and AP3 (ESS1, BSS1/BSS2/BSS3), all attached via MPs to one MPP]

Figure 3-4 Intra-MPP handoff

Since the MPP is the authenticator, the STA does not change its authenticator in an intra-MPP handoff. If the PMK is cached by the authenticator, 802.1X authentication is skipped. Figure 3-5 illustrates the message flows of intra-MPP handoff.

[Figure: message sequence among STA (Supplicant), current MAP, MP …, MPP (Authenticator) and AS: Association Req. (PMKID), Association Resp., *PMK Veri. (PMKID), *PMK Veri. Success, EAPOL-Start (optional), EAP-Success (optional), 4-way Handshake messages, *Key Distribution (PTK); the PMK is cached at both STA and MPP, and a new PTK (N_PTK) is derived at both]

Figure 3-5 Intra-MPP handoff with ISD

1. The STA reassociates with the target MAP. The PMKID is passed to the MPP to verify the PMK cached in the STA.

2. The PMKID is compared with the PMKs cached in the MPP. If the PMKID is valid, the MPP informs the target MAP with a PMK Verification Success message.

3. Some supplicant implementations (see footnote 4) use the EAPOL-Start message to initiate 802.1X authentication. If the target MAP receives an EAPOL-Start message, it replies with an EAP-Success message to skip the EAP authentication.

4. The following 4-way handshake and PTK distribution are identical to the RSNA establishment described above.

3.3.2 Inter-MPP Handoff

Inter-MPP handoff is performed when an STA moves from one MAP to another MAP connected to a different MPP. The STA switches to another ISD in an inter-MPP handoff.

[Figure: the STA moves among AP1, AP2 and AP3 (ESS1, BSS1/BSS2/BSS3); AP1 and AP2 are attached via MPs to MPP1, AP3 to MPP2]

Figure 3-6 Inter-MPP handoff

If the ISD has not been visited by the STA, or the cached PMK has expired, preauthentication is performed. However, the STA may fail to preauthenticate with the new MPP, in which case the overhead of 802.1X authentication is introduced.

Many factors can cause preauthentication to fail, such as the moving speed of the STA, the size of the overlapping coverage area, the target AP prediction, the latency of EAP authentication, etc.

Footnote 4: The EAPOL-Start message is used by the Wireless Zero Configuration service in Windows XP, but not by wpa_supplicant 0.5.7 in Linux.

[Figure: message sequence among STA (Supplicant), target MAP, MP …, MPP (Authenticator) and AS: Association Req. (PMKID), Association Resp., *PMK Veri. Req. (PMKID), RADIUS-A.-Req., RADIUS-A.-Challenge, RADIUS-A.-Accept (MSK), 4-way Handshake #1 onwards, *Key Distribution (PTK)]

Figure 3-7 Inter-MPP handoff with ISD

Figure 3-7 illustrates the message flows of inter-MPP handoff and RSNA establishment. The detailed procedure is as follows:

1. The STA reassociates with the target MAP. The PMKID is forwarded to the MPP to verify the PMK cached in the STA.

2. Since the new MPP does not cache the PMK, the PMKID verification fails, and a message is sent to the target MAP informing it that the following authentication messages should be forwarded to the MPP.

3. 802.1X authentication and the 4-way handshake are performed, followed by the PTK distribution. The procedure is the same as the RSNA establishment described in section 3.2.

3.4 Encapsulation

To mitigate the routing overhead incurred by hop-by-hop encryption in the multi-hop network, the proposed mechanism establishes an end-to-end security channel between the STA and the MPP. Therefore, if the correspondent host is outside the WLAN Mesh, encryption and decryption operations are performed only by the serving MAP and the MPP.

The encryption protocols of 802.11i, i.e. TKIP and CCMP, take some or all fields of the MAC header as inputs. In Figure 3-8 and Figure 3-9, the inputs marked with a star are taken from the MAC header.

[Figure: TKIP frame encryption processing: Phase 1 Key Mixing producing the TTAK, Sequence Counter, WEP IV and WEP Secret Key feeding WEP Processing; clear text frames (Frame Payload + MIC) become encrypted and authenticated frames]

Figure 3-8 TKIP frame encryption processing

[Figure: CCMP frame encryption processing: plaintext frame (Header, Data) with Packet Number, Temporal Key and Key ID as inputs; output frame of Header, Data, MIC, FCS]

Figure 3-9 CCMP frame encryption processing

However, the MAC header generated by the source is replaced during routing operations. Thus, one end of the security channel cannot decrypt a frame encrypted by the other end.

We construct a bidirectional MAC tunnel between the serving MAP and the MPP so that the MAC header used as input to the frame encryption processing is not modified.

Figure 3-10 gives an example that explains the encapsulation processing of ISD.

[Figure: STA → MAP → MP → MPP → GW; the WLAN frame (H1 + P) is encrypted with the PTK by the STA and carried unchanged inside WLAN Mesh frames (H2 + H1 + P) until the MPP]

Figure 3-10 Encapsulation processing (external destination)

The STA transmits a WLAN frame to a destination outside the WLAN Mesh, e.g., the default gateway (GW). The detailed procedure is as follows:

1. The STA constructs a WLAN frame (H1 + P, where H1 is the header of the WLAN frame and P is the payload) and encrypts the frame with the PTK.

2. The WLAN frame is transmitted to the serving MAP via an 802.11 link.

3. The MAP verifies the MIC of the frame with the PTK. If the MIC is invalid, the frame is discarded; otherwise the destination is examined.

4. If the destination is outside the WLAN Mesh, the MAP encapsulates the WLAN frame into a WLAN Mesh frame (H2 + H1 + P, where H2 is the header of the WLAN Mesh frame) and forwards the frame to the next hop. Thus, the inner header (H1) is not altered during routing.

5. The MP forwards the frame to the next hop. No further operations are needed.

6. The MPP removes the WLAN Mesh header (H2) and decrypts the WLAN frame (H1 + P) with the PTK.

7. Finally, the MPP encapsulates the payload (P) into an Ethernet frame and forwards the frame to the destination.
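The upstream path above, as an added example that is not code from the thesis: a Python toy model in which the MIC is computed over the MAC header, so a mesh point that rewrites only the outer H2 leaves the MPP's check intact, while rewriting H1 directly, as plain hop-by-hop forwarding would, makes the MIC fail. The address fields, the HMAC/keystream stand-in for CCMP and all helper names are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Union

# Toy model of section 3.4: H1/H2 are dicts of address fields, the PTK is a 32-byte key, and CCMP is
# replaced by an HMAC-SHA256 MIC plus a SHA256 keystream (assumption: stand-in, not 802.11i code).
@dataclass
class Frame:
    header: dict                    # H1 (WLAN) or H2 (WLAN Mesh) fields
    body: Union[bytes, "Frame"]     # ciphertext, or the encapsulated inner frame
    mic: bytes = b""

def _hdr(h: dict) -> bytes:
    return "|".join(f"{k}={v}" for k, v in sorted(h.items())).encode()

def _xor(ptk: bytes, header: dict, data: bytes) -> bytes:
    ks = hashlib.sha256(ptk + _hdr(header)).digest()    # header is a cipher input, as in TKIP/CCMP
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def protect(ptk: bytes, header: dict, payload: bytes) -> Frame:
    """Encrypt the payload and compute the MIC over header + ciphertext."""
    ct = _xor(ptk, header, payload)
    return Frame(header, ct, hmac.new(ptk, _hdr(header) + ct, hashlib.sha256).digest()[:8])

def unprotect(ptk: bytes, f: Frame) -> Optional[bytes]:
    """Return the plaintext, or None when the MIC fails (the receiver discards the frame)."""
    mic = hmac.new(ptk, _hdr(f.header) + f.body, hashlib.sha256).digest()[:8]
    return _xor(ptk, f.header, f.body) if hmac.compare_digest(mic, f.mic) else None

def map_ingress(ptk: bytes, wlan: Frame, map_id: str, next_hop: str) -> Optional[Frame]:
    """Steps 3-4: verify the MIC with the PTK, then tunnel the intact WLAN frame inside H2."""
    if unprotect(ptk, wlan) is None:
        return None
    return Frame({"mesh_da": "MPP", "mesh_sa": map_id, "ra": next_hop, "ta": map_id}, wlan)

def mp_relay(mesh: Frame, mp_id: str, next_hop: str) -> Frame:
    """Step 5: a mesh point rewrites only the hop addresses in H2; the inner H1 is untouched."""
    return Frame({**mesh.header, "ra": next_hop, "ta": mp_id}, mesh.body)

def mpp_egress(ptk: bytes, mesh: Frame) -> Optional[bytes]:
    """Step 6: strip H2 and decrypt the inner WLAN frame (H1 + P) with the STA's PTK."""
    return unprotect(ptk, mesh.body)

def deliver_external(ptk: bytes, payload: bytes) -> Optional[bytes]:
    """Path STA -> MAP-D -> MP-B -> MP-A -> MPP for a destination outside the mesh (constructed)."""
    h1 = {"addr1": "MAP-D", "addr2": "STA", "addr3": "GW"}
    wlan = protect(ptk, h1, payload)                   # steps 1-2
    mesh = map_ingress(ptk, wlan, "MAP-D", "MP-B")     # steps 3-4
    if mesh is None:
        return None
    mesh = mp_relay(mp_relay(mesh, "MP-B", "MP-A"), "MP-A", "MPP")   # step 5, two hops
    return mpp_egress(ptk, mesh)                       # step 6

def deliver_without_tunnel(ptk: bytes, payload: bytes) -> Optional[bytes]:
    """Contrast: relaying the WLAN frame itself rewrites H1, so the MPP's MIC check fails."""
    wlan = protect(ptk, {"addr1": "MAP-D", "addr2": "STA", "addr3": "GW"}, payload)
    hop = Frame({**wlan.header, "addr1": "MP-B", "addr2": "MAP-D"}, wlan.body, wlan.mic)
    return unprotect(ptk, hop)
```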

Figure 3-11 illustrates the encapsulation processing for a source outside the WLAN Mesh, for example, the GW transmitting an Ethernet frame to the STA.

[Figure: GW → MPP → MP → MAP → STA; the WLAN Mesh frame (H2 + P) is encrypted with the PTK by the MPP and carried inside another WLAN Mesh frame (H2 + H2 + P) until the MAP, which delivers a WLAN frame (H1 + P) to the STA]

Figure 3-11 Encapsulation processing (external source)

1. The MPP receives an Ethernet frame and translates it into the WLAN Mesh format (H2 + P). The frame is encrypted with the PTK and encapsulated into another WLAN Mesh frame (H2 + H2 + P). Two identical WLAN Mesh headers keep the inner header intact during routing. After the encryption and encapsulation processing is finished, the MPP forwards the frame to the next hop.

2. The MP forwards the frame to the next hop.

3. The MAP removes the outer WLAN Mesh header (H2) and decrypts the inner WLAN Mesh frame (H2 + P) with the PTK.

4. The MAP encapsulates the payload (P) into a WLAN frame (H1 + P) and encrypts the frame with the PTK. Finally, the MAP forwards the WLAN frame to the STA.

To improve routing performance, if the destination and the source both reside in the WLAN Mesh, 802.11s applies a shortcut routing path instead of the regular routing path. For example, as shown in Figure 3-12, D→B→A→C→G is replaced by D→B→C→G.

[Figure: MPP (A), MPs (B, C), MAPs (D, E, F, G), STA1, STA2 and GW; hop-by-hop keys PTK_1 (STA1 to D), PTK_DB, PTK_BC, PTK_CG and PTK_2 (G to STA2); the frame carries headers H1 to H5 along the path]

Figure 3-12 Encapsulation processing (internal)

To support the shortcut routing path, ISD applies the original hop-by-hop encryption of 802.11s. Figure 3-12 shows the encapsulation processing for STA1 transmitting a WLAN frame to STA2. The detailed procedure is as follows:

1. STA1 constructs a WLAN frame (H1 + P). The frame is encrypted with PTK_1 and transmitted to MAP D.

2. MAP D decrypts the WLAN frame with PTK_1 and encapsulates the payload (P) into a WLAN Mesh frame (H2 + P). The frame is encrypted with PTK_DB and forwarded to MP B.

3. MP B and MP C decrypt the frame and then re-encrypt it with the PTK of the next hop. After that, the frame is forwarded to the next hop.

4. MAP G decrypts the WLAN Mesh frame with PTK_CG and encapsulates the payload (P) into a WLAN frame (H5 + P). The frame is encrypted with PTK_2 and forwarded to STA2.

5. STA2 decrypts the WLAN frame with PTK_2.

3.5 Fragmentation Issue

The maximum transmission unit (MTU) defines the largest frame size that the link layer protocol can pass onwards. The encapsulation mechanism of ISD needs an additional WLAN Mesh header and could result in extra fragmentation.

The fragmentation issue can be avoided by configuring the MTU value of the mesh network. As shown in Figure 3-13 (a), modern operating systems, such as Windows XP and Linux, treat the wireless NIC as an Ethernet NIC, and the default MTU value of the wireless NIC is 1500 bytes.

According to 802.11s, the size of a WLAN frame encapsulated into a WLAN Mesh frame is 1552 bytes. As shown in Figure 3-13 (b), since the allowable size of the largest encrypted frame is 2356 bytes (TKIP) or 2372 bytes (CCMP), there is enough free space for the additional WLAN Mesh header. The administrator can set the MTU value of the mesh network between 1552 and 2372/2376 to avoid the extra fragmentation.

[Figure: (a) STA, AP and MPP each with MTU = 1500; (b) STAs with MTU = 1500 attached to a WLAN Mesh of MAPs, MPs and an MPP configured with 1552 ≦ MTU ≦ 2372 or 2376]

Figure 3-13 MTU value and fragmentation issue

Chapter 4

Security Considerations

To claim that ISD is a secure mechanism, it is necessary to state the security goal as well as the security assumptions. The security goal of ISD is to secure the wireless communication between the STA and the MAP, and the strength of ISD should be equivalent to 802.11i.

ISD assumes that STAs and MAPs are 802.11i-based devices and that the 802.11i security assumptions are satisfied. Besides, mesh links among MPs are required to be protected by EMSA services.

To show that ISD is as secure as 802.11i, we first analyze the trust relationships of ISD, and then examine the threat models.

4.1 Trust Relationship

An STA and its serving MAP perform 802.1X authentication and the 4-way handshake to establish the RSNA in the ASD. Therefore, the STA↔AS↔MAP trust chain shown in Figure 4-1 is established by 802.11i. To secure the connection between the STA and the MAP, ISD must provide an equivalent STA↔MAP trust relationship.

[Figure: STA↔AS trust via the EAP Credential, AS↔MAP trust via the RADIUS Secret, and the resulting STA↔MAP trust via the PMK, among MAPs, MPs and the MPP of the ASD]

Figure 4-1 Trust Relationships in the ASD

As shown in Figure 4-2, mesh links between two MPs are secured by EMSA, and thus an MAP↔AS↔MP↔AS↔…↔MPP trust chain is established in the MSD.

[Figure: each MAP, MP and the MPP trusts the AS via its EAP Credential and RADIUS Secret; neighbouring mesh links are keyed by PMK-MA, forming the trust chain of the MSD]

Figure 4-2 Trust Relationships in the MSD

For ISD, as shown in Figure 4-3, 802.1X authentication and 4-way handshake are performed by the STA and the MPP, and the STA↔AS↔MPP trust chain is established.

Since there is an MAP↔MPP trust relationship, the STA↔MPP↔MAP trust chain can be inferred from the former two trust relationships. Therefore, we can claim that the trust relationship provided by ISD is equivalent to that of 802.11i.

[Figure: STA↔AS trust via the EAP Credential, AS↔MPP trust via the RADIUS Secret, STA↔MPP trust via the PMK, MAP↔MP↔MPP trust via PMK-MA, and the resulting implicit trust between STA and MAP in the ISD]

Figure 4-3 Trust Relationships in the ISD

In terms of handoff, there are three related trust relationships: STA↔AS, STA↔MAP and STA↔MPP. The STA↔MAP trust relationship is destroyed in an intra-MPP handoff and needs to be reestablished. For ISD, since the STA↔MPP and MAP↔MPP trust relationships remain, implicit trust exists between the STA and the new MAP. However, to secure the connection between the STA and the new MAP, a new PTK is necessary to prevent unauthorized disclosure to the old MAP.

Therefore, in an intra-MPP handoff, the STA and the MPP need to perform the 4-way handshake to derive a fresh PTK. Since the old MAP has neither the new PTK nor the PMK, it cannot obtain content encrypted with the new PTK.

For 802.11i, to reestablish the STA↔MAP trust relationship, the STA needs to perform 802.1X authentication with the new MAP. Consequently, this introduces significant latency.

4.2 Threat Model

The proposed mechanism should not introduce any security degradation to the 802.11i RSN. In addition to the threats against 802.11i and 802.11s, there are other threats that need to be recognized for ISD.

• PMKID Leakage

Even though an attacker may obtain the corresponding PMKID by previous eavesdropping and be able to skip 802.1X authentication, this does not result in any security flaw. Because the MSK and PSK are never transmitted over the wireless medium, a valid PTK cannot be derived by the attacker. Therefore, the attacker cannot compute a valid MIC for message #2 of the 4-way handshake, and the attacker is blocked by the MAP.
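The handoff logic of section 3.3 and the PMKID-leakage argument above, as one added Python example that is not the thesis' code: the MPP caches PMKs by PMKID, an intra-MPP reassociation skips 802.1X and only reruns the 4-way handshake with a fresh PTK the old MAP never receives, an inter-MPP handoff misses the new MPP's cache, and a replayed PMKID without the PMK fails the message #2 MIC check. The PRF, the PMKID inputs, the reduced handshake and all addresses are assumptions.

```python
import hmac
import hashlib
import os
# Assumptions: HMAC-SHA256 stands in for the 802.11i PRF, the PMKID binds the PMK to the MPP and
# STA addresses, and the 4-way handshake is reduced to the MIC check on message #2.
def prf(key: bytes, label: str, data: bytes, n: int) -> bytes:
    return hmac.new(key, label.encode() + data, hashlib.sha256).digest()[:n]

class STA:
    def __init__(self, mac: bytes):
        self.mac, self.pmk, self.pmkid = mac, None, None

class MPP:
    """Authenticator of one ISD: caches PMKs by PMKID, distributes each PTK to the serving MAP."""
    def __init__(self, mac: bytes):
        self.mac, self.cache, self.map_keys, self.auth_runs = mac, {}, {}, 0

    def dot1x(self, sta: STA) -> None:
        self.auth_runs += 1              # full EAP run with the AS: the latency ISD removes from handoff
        msk = os.urandom(64)             # delivered by the AS over RADIUS, never sent over the air
        sta.pmk = msk[:32]               # PMK = first 256 bits of the MSK (802.11i)
        sta.pmkid = prf(sta.pmk, "PMK Name", self.mac + sta.mac, 16)
        self.cache[sta.pmkid] = sta.pmk

    def four_way(self, sta: STA, map_id: str) -> bytes:
        anonce, snonce = os.urandom(32), os.urandom(32)
        ctx = self.mac + sta.mac + anonce + snonce
        ptk = prf(self.cache[sta.pmkid], "Pairwise key expansion", ctx, 48)
        # Message #2 carries a MIC under the KCK (PTK[0:16]); without the real PMK it cannot be forged.
        kck_sta = prf(sta.pmk, "Pairwise key expansion", ctx, 48)[:16]
        sta_mic = hmac.new(kck_sta, snonce, hashlib.sha256).digest()
        if not hmac.compare_digest(sta_mic, hmac.new(ptk[:16], snonce, hashlib.sha256).digest()):
            raise PermissionError("message #2 MIC invalid: MAP port stays unauthorized")
        self.map_keys.setdefault(map_id, {})[sta.mac] = ptk   # *Key Distribution (PTK) to serving MAP
        return ptk

    def associate(self, sta: STA, map_id: str) -> bytes:
        """Association Request: a PMKID hit skips 802.1X (intra-MPP); a miss runs it."""
        if sta.pmkid not in self.cache:  # first visit to this ISD, or inter-MPP handoff
            self.dot1x(sta)
        return self.four_way(sta, map_id)

def handoff_demo() -> dict:
    """Initial RSNA, then intra-MPP and inter-MPP handoffs of one STA (constructed addresses)."""
    sta, mpp1, mpp2 = STA(b"\x00\x11\x22\x33\x44\x55"), MPP(b"\xaa" * 6), MPP(b"\xbb" * 6)
    ptk_a = mpp1.associate(sta, "MAP-A")   # 802.1X + 4-way handshake
    ptk_b = mpp1.associate(sta, "MAP-B")   # intra-MPP: 4-way handshake only, fresh PTK
    mpp2.associate(sta, "MAP-C")           # inter-MPP: new ISD, cache miss, 802.1X again
    return {"auth_runs": (mpp1.auth_runs, mpp2.auth_runs), "fresh_ptk": ptk_a != ptk_b,
            "old_map_lacks_new_ptk": ptk_b not in mpp1.map_keys["MAP-A"].values()}

def pmkid_replay_blocked() -> bool:
    """Section 4.2: an eavesdropper holding the PMKID but not the PMK is stopped at message #2."""
    sta, mpp = STA(b"\x00\x11\x22\x33\x44\x55"), MPP(b"\xaa" * 6)
    mpp.associate(sta, "MAP-A")
    rogue = STA(sta.mac)
    rogue.pmkid, rogue.pmk = sta.pmkid, os.urandom(32)   # learned PMKID, unknown PMK
    try:
        mpp.associate(rogue, "MAP-B")
        return False
    except PermissionError:
        return mpp.auth_runs == 1                          # 802.1X skipped, access still denied
```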

• Authenticator Compromise

If an authenticator is compromised or stolen, an attacker may obtain all PMKs cached in this authenticator. With ISD, the attacker can access the WLAN Mesh via any MAP connected to this authenticator. However, 802.11r also incurs this vulnerability: a compromised authenticator in 802.11r exposes the PMK-R0s to the attacker. Since the IEEE 802.11 working group allows this situation to occur, we believe this vulnerability is acceptable.

• Unauthorized Disclosure

Compromised mesh links result in the unauthorized disclosure of keys. For 802.11i, the MSK is transmitted from the AS to the serving MAP via mesh links. If the security of the mesh links is compromised, the MSK may be exposed to an attacker. For ISD, only the PTK is transmitted via mesh links. Since the PTK is lower in the key hierarchy than the MSK, a compromised PTK does not introduce further security degradation compared with a compromised MSK.

4.3 Advantages

With separated security domains, maintaining a consistent security configuration throughout the entire set of MAPs in the WLAN Mesh is problematic. Moreover, it is difficult to apply physical security controls to MAPs outside the network center.

The proposed mechanism takes advantage of the centralized authenticator. It is much more efficient to enforce security policy and distribute security configuration across the whole network in a centralized architecture. Furthermore, it is easier to enhance the physical security of one MPP than of all MAPs within the WLAN Mesh.

Chapter 5

Handoff Overhead Estimation

In this chapter, we analyze the link layer security mechanisms and present the related handoff overhead. For the STA, the major concern is whether the handoff latency will damage the quality of real-time applications. For WLAN Mesh, the handoff

