The Problem of Handover Keying
IETF 66, Montreal, 7/13/06

AAA based Keying for Wireless Handovers: Problem Statement
draft-nakhjiri-aaa-hokey-ps-03
Madjid Nakhjiri (Huawei USA), Mohan Parthasarathy (Nokia), Julien Bournelle (GET/INT/FT), Hannes Tschofenig (Siemens), R. Marin Lopez (TARI)

Slide from IETF 65: Handover in Wireless Access Networks
[Figure: MN, access link, Access Node, Access Gateway, AAA server]
• Access Gateway
• Access Nodes (BS/AP) providing secure access links
• User/device credentials stored at AAA server
• Handover: Establish a new secure link with new AN.
• Handover performance is a crucial service quality factor
  – Desired: Minimal interaction with AAA server during handover.

Slide from IETF 65: EAP Keying for fixed peers
[Figure: message sequence between peer, Authenticator and EAP server. Labels: EAP-XXX Method Authentication (EAP over L2, EAP over AAA); Generation of MSK, EMSK; EAP complete; MSK transport (Transported MSK); Security Association Protocol (TSKs); Generation of TSKs; Use TSKs for link security]

Slide from IETF 65: Use of EAP keying for handovers
[Figure: MN; Auth-1/BS1, Auth-2/BS2, Auth-3/BS3; EAP/AAA server; Old SA (TSK), New SA (TSK); MSK1, MSK2]
• Old SA (MN-BS1 TSKs): created using MSK (or PMK) at BS1
• New SA (MN-BS2 TSKs): Create a new MSK (MSK2) at BS2?
• Run EAP again for the new MSK/SA?

Slide from IETF 65: Handover keying using EAP: SDO solutions
[Figure: MN, BS1, BS2, AG (Authenticator), EAP, AAA server; keys TSK, PMK, MSK]
• Split the authenticator into two functions (e.g. WiMAX)
  1. Authenticator = Access Gateway (holds MSK, creates per-AN keys: PMK)
  2. Authenticator port = Access Node (receives PMK, creates TSK through SAP)
• Intra-Authenticator Handover? A new PMK for each BS from initial MSK (Port to Port HO)

Slide from IETF 65: Problem: Inter-authenticator
[Figure: MN, ANs, Authenticator, EAP, AAA server; keys TSK, PMK, MSK]
• Authenticator handover not supported
  – Requires re-authentication (re-run of EAP)
• Can we avoid running a new EAP as part of Authenticator Handover?

Slides from IETF 65: HOKEY: Create a Key Hierarchy
• Use an EAP method generated key to derive a key hierarchy
  – To support Intra-authenticator as well as Inter-authenticator HO in a way that does not require new EAP runs
  – To support heterogeneous access technology roaming
• Define key derivation/management at each level
  – (i.e. at AAA server, at ADC level, at AN level)
  – If the level is within IETF scope: specify
  – If outside IETF scope: Requirement/guidance/parameters specifications (e.g. for channel binding, scoping, caching life time)
• Protocols/Requirements for key request/transport/distribution
  – Reqs for new protocols/extensions for existing protocols (e.g. AAA)
  – Security goals
  – Performance Goal: handover optimization (pre-/post handover signaling)

Elements according to Problem Statement V03
• Intra ADC handover: Key management and key derivation inside same ADC.
• Inter ADC handover: Key management and key derivation through different ADCs but same AAA, without running EAP again.
[Figure: MN; AN1, AN2, AN3 with LSAP-MK1, LSAP-MK2, LSAP-MK3; ADC1 (ADMSK-1) and ADC2 (ADMSK-2); access domains AD1 and AD2; AAA server (HRK); Intra-ADC HO and Inter-ADC HO]

Terminology according to PS V03
• Handover Root Key
  – Used as the root of key hierarchy (previously called XMSK) is held by AAA server now.
• Access Domain
  – A domain whose authentication and key management goes through the same ADC.
• Access Domain Controller
  – Entity responsible for keying needs within an Access Domain. It holds ADMSK (derived from XMSK) to derive new keys.
• Access Domain Controller MSK (ADMSK)
  – A key that is sent to each Access Domain Controller
• Inter-ADC versus Intra-ADC handovers
  – Instead of inter- versus intra-authenticator

To specify
• HRK (per AAA server)
  – Separate derivation spec?: parameters, PRF
• ADMSK (per ADC)
  – Derivation spec part of key hierarchy (PRF, parameters)
  – Transport spec (protocol/triggers/AAA requirements/specs)
• LSAP_MK (per AN)
  – Derivation spec part of key hierarchy (hetero access included)
  – Transport spec (protocol reqs/triggers/specs)
• Guidelines on LSK derivation (outside IETF?)
• Fast re-authentication (session expiry, ADC HO)

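The HRK, ADMSK and LSAP-MK hierarchy from the preceding slides, worked through as an added example that is not part of the original deck or the draft. The slides leave the PRF and derivation parameters to be specified, so HMAC-SHA-256, the labels, the identifiers and the AN-to-ADC topology used here are assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: str, *context: str) -> bytes:
    # Assumed PRF: HMAC-SHA-256. Length-prefixed fields avoid ambiguous concatenation.
    fields = [f.encode() for f in (label, *context)]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

class AAAServer:
    """Holds the HRK; only per-ADC keys (ADMSK) ever leave it."""
    def __init__(self, hrk: bytes):
        self._hrk = hrk
        self.requests = 0  # number of ADMSK requests served

    def admsk(self, mn: str, adc: str) -> bytes:
        self.requests += 1
        return kdf(self._hrk, "ADMSK", mn, adc)

class ADC:
    """Access Domain Controller: caches the ADMSK, derives per-AN LSAP-MKs."""
    def __init__(self, name: str, aaa: AAAServer):
        self.name, self.aaa, self._admsk = name, aaa, {}

    def lsap_mk(self, mn: str, an: str) -> bytes:
        if mn not in self._admsk:  # first attach in this access domain
            self._admsk[mn] = self.aaa.admsk(mn, self.name)
        return kdf(self._admsk[mn], "LSAP-MK", mn, an)

def mn_lsap_mk(hrk: bytes, mn: str, adc: str, an: str) -> bytes:
    """The MN derives the same key locally from its own copy of the HRK."""
    return kdf(kdf(hrk, "ADMSK", mn, adc), "LSAP-MK", mn, an)

def simulate():
    hrk = bytes(range(32))  # constructed sample HRK, stands in for EAP output
    aaa = AAAServer(hrk)
    adc1, adc2 = ADC("ADC1", aaa), ADC("ADC2", aaa)
    mn = "mn@example.net"  # hypothetical MN identity
    k1 = adc1.lsap_mk(mn, "AN1")  # initial attach: one AAA request
    after_attach = aaa.requests
    k2 = adc1.lsap_mk(mn, "AN2")  # intra-ADC handover: no AAA contact
    after_intra = aaa.requests
    k3 = adc2.lsap_mk(mn, "AN3")  # inter-ADC handover: new ADMSK, no EAP run
    path = [("ADC1", "AN1"), ("ADC1", "AN2"), ("ADC2", "AN3")]
    return {"keys": (k1, k2, k3),
            "aaa_requests": (after_attach, after_intra, aaa.requests),
            "mn_keys": tuple(mn_lsap_mk(hrk, mn, a, n) for a, n in path)}

if __name__ == "__main__":
    print(simulate()["aaa_requests"])
```

Each AN receives a key bound to its own identity, so a key exposed at one AN does not yield the keys used at another AN or the ADMSK above it.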
Backup: Why ADC instead of Authenticator
• Allows for easier management of heterogeneous roaming/handovers (e.g. per-domain technology)
  – Combine key mgmt with mobility mgmt
• Handover root key transport/caching behavior
  – HRK (e.g. MSK) is kept at AAA server, not sent to authenticator
  – Per-ADC master keys (ADMSK) are sent to ADC
• Separation of EAP auth. and handover keying signaling
  – Key mgmt and mobility mgmt can be inside an ADC, independent of entity that acts as pass-thru Auth
  – Pass-thru auth either in AN or ADC
• More crisp key usage guidelines
  – Authenticator master key <-> Authenticator port master key?
  – Use ADC master key (ADMSK) and AN master key (LSAP_MK) instead

Tough problems
• Terminology, terminology
• What key to use as handover root key:
  – MSK or a USRK/AMSK ([I-D.salowey-eap-emsk-deriv])
  – Creates milestone issues for key hierarchy spec
• Positioning of pass-through Auth. wrt ADC and AN
• Definition of fast re-authentication (resolved!?)
• Channel binding
  – Case 1: when ADC and AN are colocated (EAP keying)
  – Case 2: when ADC and AN are not colocated (SDO cases)

Handover keying Deliverables (ML May 25)
• Handover keying problem statement draft (Informational)
• Handover Root Key (HRK) derivation specification (Standards Track)
• Handover keying key hierarchy draft (Standards Track)
• Handover keying protocol requirements draft (Informational/Standards Track)
• Handover keying protocol solution (depending on the scope)

Proposed milestones (ML May 25)
• Mar 07 Handover keying PS to IESG
• Mar 07 Handover root key specification to IESG
• Sep 07 Handover key hierarchy specification to IESG
• Dec 07 Handover keying protocol requirements to IESG
• Aug 08 Handover Keying protocol solutions to IESG

HOAKEY BoF/HOKEYP Mailing list Report

IETF 65 HOAKEY BoF result
• Support for work on handover keying
• Issues with multi-application keying:
  – Separate application keying from handover keying and Pre-auth
• HOAKEY became HOKEYP:
  – Combine handover keying and Pre-authentication charters
• Work towards aggressive interim Chartering and/or another BoF in IETF 66

Progress Since IETF 65
• Produced
  – HOKEYP charter V00-V03 (April/May)
  – Handover keying problem statement update to V02
  – Pre-authentication problem statement V00
  – USRK (AMSK) derivation draft V00/V01
• ML generated 51 emails in April, 93 in May
• ML Last call on HOKEYP charter proposal on V03 (May 15-May 25)

MLLC results on HOKEYP charter
• MLLC generated 79 emails in 10 days
• 11 people approved (13, including ex-BoF chairs)
  – 6 manufacturers total, 3 operators
• 2 persons requesting additions of some remaining EAP WG work into the charter/clarification of some items
• V04 and V05 generated during last call period, including changes in text, deliverables and deadlines
• V06 and V07 generated after last call.
• 2 solution drafts posted on the ML

Contentious topics
• Choice of HRK (MSK versus AMSK/USRK)
  – TBD by Expert/Design team meeting
• USRK/AMSK derivation standardization process?
  – In HOKEYP, an EAP EXT group?
• Definition of fast re-authentication
  – Method dependent or independent (mostly resolved)
• Channel binding solution
  – For EAP or HOKEY architecture (in HOKEYP or in EAP EXT?)
• Milestone dates
  – Mostly resolved except those relating to HRK choice

Deliverables as of V07
• Handover keying problem statement draft (Informational)
• Handover Root Key (HRK) derivation specification (Standards Track)
• Handover keying key hierarchy draft (Standards Track)
• Handover keying protocol requirements draft (Informational/Standards Track)
• Handover keying protocol solution (depending on the scope)
• Pre-authentication problem statement draft (Informational)
• Pre-authentication protocol requirements draft (Informational)
• Possible partial solution for pre-authentication signaling

Proposed Charter milestones
• Nov 06 Pre-authentication PS to IESG
• Mar 07 Handover keying PS to IESG
• Mar 07 Handover root key specification to IESG
• Apr 07 Pre-authentication protocol requirement draft to IESG
• Sep 07 Handover key hierarchy specification to IESG
• Dec 07 Handover keying protocol requirements to IESG
• Aug 08 Handover Keying protocol solutions to IESG