By: Alex Feldman

A mobile station is connected to the network wirelessly through another device. In case of WiFi (IEEE 802.11) this would be an access point.

Dec 29, 2015

Transcript
Page 1:

By: Alex Feldman

Page 2:

A mobile station is connected to the network wirelessly through another device.

In case of WiFi (IEEE 802.11) this would be an access point.

In case of WiMax (IEEE 802.16) it is a base station.

Page 3:

The mobile station may need to change its connection point to the network.

The connection point “Hands Over” the connection to the new point.

It has to be secure.
It has to be fast.
It has to be standardized.

Page 4:

Supplicant (Sta) – the station entering the network to be authenticated.

Authenticator (Au) – the access point directly connected to the station, and acting as a proxy to the authentication server.

Authentication Server (AS) – database containing credentials for all users, reachable by the authenticator.

Page 5:

Page 6:

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

Widely supported but rarely used.
8-way handshake. Very secure but also very time consuming.
Doesn’t scale well when clients handoff often.

Page 7:

PMK – Pairwise Master Key
PTK – Pairwise Transient Key
EMSK – Extended Master Session Key

RADIUS – Remote Authentication Dial In User Service. Uses a shared secret to cipher and authenticate the communication.

Page 8:

1. Authentication – PMK and EMSK generated on AS and Station.

2. AS moves PMK to Au by using RADIUS.

3. 4-way handshake – PTK generated by Au and Station.

Page 9:

When a station changes access points, re-authenticating the PMK is slow.

Only the PTK needs to be renewed, and PMK can be left alone.

How do we transmit the PMK from Au1 to Au2?
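The key hierarchy of pages 8 and 9 as an added example (not code from the original slides or the cited paper): one full authentication exports MSK/EMSK and yields the PMK, and each handover to a new Au derives only a fresh PTK from that same PMK with the 802.11i PRF-384, so the AS is not contacted again. The EAP key export is modelled with HMAC-SHA256 here rather than EAP-TLS's actual TLS-PRF; the MAC addresses and nonces are constructed sample values.

```python
import hmac
import hashlib


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(nonces)).
    The min/max ordering lets Au and Sta compute the same key independently."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC), KEK (key wrapping), TK (traffic encryption)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def full_authentication(eap_master_secret: bytes) -> tuple:
    """Step 1 (page 8): the EAP method exports a 64-byte MSK and an EMSK on AS and
    Station. Modelled with HMAC-SHA256 (assumption), not EAP-TLS's TLS-PRF.
    PMK is the first 32 bytes of the MSK; the EMSK stays on the AS."""
    msk = b"".join(hmac.new(eap_master_secret, b"MSK" + bytes([i]), hashlib.sha256).digest()
                   for i in range(2))
    emsk = b"".join(hmac.new(eap_master_secret, b"EMSK" + bytes([i]), hashlib.sha256).digest()
                    for i in range(2))
    return msk[:32], emsk


def handover(pmk: bytes, sta_mac: bytes, new_ap_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Steps 2-3 for a new Au (page 9): the PMK arrives (pushed/pulled or from the AS)
    and only the 4-way handshake runs, producing a PTK bound to the new AP address."""
    return split_ptk(derive_ptk(pmk, new_ap_mac, sta_mac, anonce, snonce))


if __name__ == "__main__":
    pmk, emsk = full_authentication(b"constructed EAP-TLS master secret")
    sta, ap1, ap2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    keys_ap1 = handover(pmk, sta, ap1, b"\x01" * 32, b"\x02" * 32)
    keys_ap2 = handover(pmk, sta, ap2, b"\x03" * 32, b"\x04" * 32)
    print("same PMK, different TK per AP:", keys_ap1["tk"] != keys_ap2["tk"])
```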

Page 10:

Au1 is a bad guy. Pushes false PMK.
Sta is a bad guy that gets access to Au2.
Sta is a good guy that gets a denial of service.

Au2 is a bad guy. Pulls PMK from Au1. Now it can decipher traffic.

Page 11:

Don’t use AS for re-authentication! Pull/Push policies to transfer keys. Provides good performance. More complicated.

Use when:
Handover speed is crucial & path to the AU is long.
Don’t want to be dependent on the AU server.

Page 12:

Contact the Au on every handover.

Slower performance. Gained security.

Possible danger if the protocol used to move PMK is not strong. Need good reasons to transfer PMKs.

Page 13:

Goal: reduce the number of packets required for TLS exchange by re-using information generated in the first authentication.

EMSK remained on the Authentication Server, so it can be used to re-authenticate the Station.

Page 14:

Based on contacting the Authentication server (diagram: Au, PTK)

Page 15:

EAP-TLS took 2.34 seconds on average

Proposed protocol took 0.62 seconds on average

74% improvement over EAP-TLS!

82% improvement when including retransmissions

Page 16:

Internet Engineering Task Force (IETF) – working on a new standard to use the EMSK for re-authentication.

Pull and push methods to transfer keys for nodes within same mobility domains

Page 17:

EAP-TLS is slow for re-authentication.

Big improvements can be made by following the proposed protocol, which:
Reduces number of packets required
Reduces retransmissions
Decreases time

Page 18:

Original paper written by:

Romano Fantacci, Leonardo Maccari, and Tommaso Pecorella

from: University of Florence

Federico Frosali from: Telecom Italia Lab