November 2005 doc IEEE 802 11 050894 r
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Broadcast and Unicast Management Protection (BUMP) Authors: Date: 2005 -11 -14 Notice: This document has been prepared to assist IEEE 802. 11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802. 11. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http: // ieee 802. org/guides/bylaws/sb-bylaws. pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard. " Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <stuart. kerry@philips. com> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802. 11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <patcom@ieee. org>. Submission 1 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Abstract This submission proposes a set of mechanisms to protect IEEE 802. 11 selected management frames. The submission proposes forgery and confidentiality protection for unicast management frames, and forgery-only protection for broadcast management frames. • Proposal Text Doc#: 11 --05 -1045 -00 -000 w-normativetext-bump-proposal Submission 2 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Agenda • • Design Goals Protected Management Frames Overview Protection for Unicast Protection for Broadcast Protection Advertisements Design Choices Proposal Text Walkthrough Submission 3 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Design Goals • • Protect Unicast Management Frames from forgery and disclosu Protect Broadcast Management Frames from forgery Allow 802. 11 w and non-802. 11 w devices to co-exist 802. 11 w must be optional for backward compatibility, but policy Utilize existing security mechanisms where possible Unify protection schemes where possible Meet the requirement doc #11 -05 -718 r 2 Submission 4 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Protection Management Frames Overview State 3 Management Frames 11 r, 11 k Robust Management Frames Unicast Management Frames (Insider Forgery protection) MUP Broadcast Management Frames MUP sends Broadcast as Unicast Frames CCMP BIP TKIP (HC IE) De. Auth, Dis. Assoc Confidentiality, Integrity, Replay, Source Authentication Submission 5 Action Frames Integrity, Replay BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Robust Management Frames • 802. 11 w will provide protection scheme for selected Management Frames, ca – Frames which are sent after key establishment – Frames which are sent before key establishment are unprotected – Can be protected using the 802. 11 key hierarchies, including those from amendments u • The Selected Unicast and Broadcast Management Frames are: – State 3 Disassociation and Deauthentication – State 3 Action frames, including • 802. 11 e and 802. 11 h Action Frames • Other amendments that complete after 802. 11 w can utilize the 802. 11 w mechanisms to prote • TGw delegates (Re)association protection to TGr The rest of this presentation refers to the frames noted in this slide as ‘Robust Management Frames' Submission 6 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Unicast Management Frame Protection Overview • Unicast Management Frames are protected by the same cipher s – AES-CCMP and TKIP – Protected Frame Subfield of Header Frame Control Field is set • • Sender’s Pairwise Temporal Key protects Unicast data as well a Transmitter uses a different unique PN as the IV for Manageme Each receiver implements a new receive counter for Managemen FC bits 11, 12, 13, SC bits 4 -15 set to zero, FC bit 14 set to 1 for Submission 7 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 otected Unicast Management Frame Format using CC Original Unicast Mgmt Frame: 802. 11 hdr FCS Use the same cryptographic algorithm selected for Data MPDUs Protected Unicast Mgmt Frame: 802. 11 hdr Mgmt frame body 802. 11 i header Mgmt frame body MIC FCS Authenticated by MIC Encrypted IV Key ID Encryption used to provide confidentiality Cryptographic Message Integrity Code to defeat forgeries IV used as frame sequence space to defeat replay Submission 8 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 cast Management Frames Protection Using TK • Goals – – Driven by market need, to extend support to existing TKIP deplo To not change the TKIP cipher suite To re-use the same key, as used for data No hardware change, hence, easier field upgrades • Capability – Used only when TKIP for data is selected, and Robust Managem Submission 9 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 rotected Unicast Management Frame Format for TKI Original Unicast Mgmt Frame: 802. 11 hdr TKIP header FCS Use same TKIP algorithm Create HC IE Protected Unicast Mgmt Frame: 802. 11 hdr Mgmt frame body Management Frame Body Header Clone (HC) IE MIC/ ICV FCS Encrypted Integrity (Michael) Michael Message Integrity Code to defeat forgeries Submission 10 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Steps to process MMPDU with TKIP • Steps – – – Create Robust Management Frame (MMPDU), incl. header Create a new Header Clone (HC) Information Element from Rob Append HC IE to Robust Management Frame Process (Robust Management Frame + HC IE) through TKIP Fragmentation, if needed Submission 11 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Broadcast Management Frame Protection Overview • Consistent approach for protection of all Broadcast Management Frames through new SAP • Prevent forgery of Broadcast Management Frames – Insider attacks still feasible on Broadcast Robust Management Frames (NOT on Disassociation/Deauthentication) • Multiple Unicast Protocol (MUP) mode provides additional protections – MUP sends broadcast frames as confidentiality protected unicast – Protect against forgery (including insider attack) • MUP is a MIB settable policy option Submission 12 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Protected Broadcast Management Frame Format Original Broadcast Mgmt Frame: 802. 11 hdr Mgmt frame body FCS Use the advertised mgmt broadcast cipher suite Protected Broadcast Mgmt Frame: 802. 11 hdr Mgmt frame body Authenticated by MIC (MIC computed through Mgmt MIC IE Sequence Num field) Submission 13 Management MIC IE FCS Cryptographic Message Integrity Code to defeat forgeries BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Robust Broadcast Management Protection Cipher Operations • Broadcast KDE used to distribute Integrity GTK (IGTK) and CV • 802. 11 w defines cipher suite for broadcast management frames: – hash(string) = Truncate-128(SHA-256(string)) – MIC(K, string) = AES-128 -CMAC(K, string) • Provides uniform MIC IE structure and encapsulation • Replay protection: Each receiver implements a new receive counter for Broadcast Robust Action Management Frames Submission 14 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Insider Forgery Protection for Broadcast Disassoc/Deauth • If AP is enabled to enforce protection of broadcast management frames: – Generate a random, unpredictable value CGTK whenever it selects a new IGTK (e. g. the key for protecting broadcast management frames). – Distributes the commitment value CV = hash(AA | SA | CGTK) to 802. 11 w STAs when it distributes IGTK • When AP sends broadcast Disassociation/Deauthenticate: – MIC IE includes CGTK as the sequence number, length is updated to 26 – Full packet is MIC’ed per the 802. 11 w broadcast protection (except for muted bits per slide 3) • When an 802. 11 w STA receives a protected broadcast, accept frame if: – CV = hash( AA | SA | CGTK) – MIC is valid – Otherwise discard packet Submission 15 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Broadcast: Key KDE and Cipher Suite Type 1 octet • • Length OUI 1 octet 3 octets Data Type 1 octet Code PN Key. ID 1 octet 6 octets 2 octets Broadcast Key 16 octets Type value = 0 xdd Length value = 29 OUI value = 00 -0 F-AC Data Type value = 5 Code value = SCommit (1), ACommit (2), or BCommit (3) PN = current Sequence Num value in Management MIC IE Key. ID = Key ID identifying Broadcast key in Management MIC IE Key ID field (values is in the range 0. . 212 – 1) Submission 16 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 RSN IE Updates • Allocate bits of the RSN IE Capability field for 802. 11 w • Add a Broadcast management cipher suite field Element ID Len Ver Group Cipher Pairwise Cipher Suite Count Pairwise Cipher Suite List AKM count AKM List RSN capabilities PMKID count PMKID List BUMP Group Cipher 1 1 2 4*m 2 4*n 3 2 16*s 4 RSN Capability fields Bits Pre-auth 0 No pairwise 1 PTKSA replay counter 2: 3 GTKSA replay counter Suite Broadcast Cipher Suite Selector 00 -0 F-AC 0 Reserved 00 -0 F-AC 1 AES-128 -CMAC – default for BIP in Robust Management RSNA 4: 5 00 -0 F-AC 2 -255 Reserved BUMP supported 6 Vendor OUI Other Vendor specific BUMP mandatory 7 Other Any Reserved BUMP Broadcast Protection 8 Reserved 9: 15 Submission 17 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 BUMP Advertisements • 2 new RSN Capabilities to enable and enforce BUMP: – Bit 6: advertise ability to protect management frames – Bit 7: enable Protection of Management Frames – MUP policy set through a MIB variable Bit Setting Robust management frame protection supported Robust management frame protection required Bit 6 Bit 7 Advertisement in Beacon, Probe Response and 3 rd message of the 4 -way handshake Description Negotiation in (Re)association request and 2 nd message of the 4 -way handshake Description 0 0 No support for Robust management frame protection is provided. No support for Robust management frame protection is negotiated. 0 1 Invalid 1 0 Support for Robust management frame protection is optional. Support for Robust management frame protection is disabled. 1 1 Support for Robust management frame protection is required. . Support for Robust management frame protection is enabled. Submission 18 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Proposal Summary • • Extend 802. 11 i Unicast data protection for Unicast Robust Man Consistent approach for protection of all broadcast managemen Allow 802. 11 w and non-802. 11 w devices to co-exist Policy discovery and advertisements for Management Frames P Submission 19 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Design choices • General approach – An extensive proposal covering all the requirements from doc 1105 -718 • Proposed algorithms to cover those requirements • Reduced the number of mechanisms for simplicity • Unified unicast solution fairly straightforward – Extension of 802. 11 i for all unicast management frames – Use of commitment values in pre-802. 11 i 4 -whs messages discussed, but… • Coexistence with legacy devices an issue • Secure negotiation of 11 w impossible before the 4 WHS Submission 20 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Design choices • Unified broadcast protection more problematic – 11 -05 -0529 r 0 (Protecting Broadcast Management Frames) introduced the difficulties and possible algorithms • No good algorithm to provide forgery protection against insider attackers • Confidentiality doable, but the key needs to be updated every time somebody joins or leaves the group – Alternative algorithms to BIP and MUP either • • Submission Presented weaknesses Had too high an overhead for current broadcast management frames Introduced delays potentially unacceptable Weren't compatible with the frame loss rates in real deployments 21 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Design choices • No good “single” solution for all broadcast management frames, but… – Commitment value (CV) protection mechanism simple and efficient for broadcast deauth and disassociate • Not extensible to all broadcast management messages – Optimized the "most likely deployment" with simple mechanisms • AES-CMAC forgery protection against outsider attacks • CV forgery protection with source authentication for broadcast deauth and disassociate – MUP Option for full protection with broadcast sent as unicast • Most efficient algorithm, or so it seems… Submission 22 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Feedback? Submission 23 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Backup Submission 24 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Comparison of broadcast protection mechanisms Overview Pros Cons AES-CMAC Commitment Value MUP Use IGTK to compute MIC Key chain based on a one-way function Send broadcast as multiple unicast -Forgery protection against outsider Forgery protection attacks against all attacks - FIPS approved No protection against insider attacks Submission Only applicable to Deauth and Disassociation Tesla ACK'ed broadcast Send a broadcast, and Key chains based on a confirm it by sending hashes one-way function (either unicast or broadcast) - Forgery protection against all attacks -Trivial implementation - Reliable broadcast Forgery protection against all attacks - Reliable broadcast possible Is equivalent to forbidding broadcast… - Can be defeated - Need to buffer frames and keys - New hardware needed - Unicast less efficient than MUP for current management frames - Reliability issues - New hardware potentially needed 25 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Unicast: Cipher Suites and Keys • AES-CCMP and TKIP support is extended to protect unicast Management Frames • Management Frame unicast Key = same Temporal Key as used by the pairwise cipher suite • The proposal is to not extend WEP to protect Management Frames – WEP is not secure Submission 26 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Unicast: Replay Protection • Transmitter uses next PN as the IV – Use sequence number given by PN/TSC to protect payload and increment counter • Each receiver implements a new receive counter for Management Frames – The new receive counter initialized to zero during the 4 -Way Handshake – Sequence number in received protected Management Frame is compared with new counter value – If received sequence number does not exceed last valid value, discard the frame as a replay – If received sequence number exceeds last valid value and the Management Frame validates correctly, accept the frame and set counter value to received sequence number value Submission 27 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Management MIC IE Element ID Length = 16 or 26 Key ID Sequence Num/ BKey MIC Value • Element ID (1 octet) = TBD • Length (1 octet) = size of this IE • Key ID (2 octet) = broadcast key identifier – Bits 0. . 12 – key id: 213 = 8192 key identifiers (4096 multicast groups) – Bits 13, 14, 15 – reserved and set to 0 • Sequence Num (6 or 16 octets) = 0. . 248 – 1 – For disassociate/deauthenticate CGTK is used (16 octets) • MIC Value (8 octets) = MIC of the 802. 11 packet – FC bits 11, 12, 13, SC bits 4 -15 set to zero, FC bit 14 set to 1 Submission 28 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Broadcast Management Frame Protection Broadcast: Replay protection • Each receiver implements a new receive counter for Broadcast Action Frames – The new receive counter initialized to PN field in the received broadcast key – Sequence number in broadcast protected broadcast management frame is compared with new counter value – If received sequence number does not exceed last valid value, discard the frame as a replay – If received sequence number exceeds last valid value and the broadcast management Frame validates correctly, accept the frame and set counter value to received sequence number value Submission 29 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Broadcast Management Frame Protection Transparency • Use of the MGMT_SAP means that implementations of new management functions (e. g. TGk, TGv) do not need to change behaviour depending on negotiated protection mechanism – If normal security option is selected (MIC only and no insider protection) frame is protected according to TGw and forwarded – If Advanced security option is selected (copy of broadcast sent to each station via unicast protection) then the TGw implementation makes one copy of the broadcast for each connected station. Submission 30 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Discovery and Negotiation: Message Flow 1 (802. 11 i classic) Station Access Point Probe Request Beacon or Probe Response + AP RSN-IE Association Req + STA RSN-IE Association Response (success) 4 -Way HS Msg 2 + STA RSN-IE 4 -Way HS Msg 3 + AP RSN-IE Submission 31 BUMP Consortium
November 2005 doc. : IEEE 802. 11 -05/0894 r 2 Discovery and Negotiation: Message Flow 2 (802. 11 r) Station Access Point Probe Request Beacon or Probe Response + AP RSN-IE Reassociation Req + STA RSN-IE Ressociation Response + AP RSN-IE Submission 32 BUMP Consortium
- Slides: 32