Background Study :802.11i Encryption

Upload: elton-bowman

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Background Study :802.11i Encryption

Background Study :802.11i Encryption

Page 2: Background Study :802.11i Encryption

• MK (Master Key)

• PMK (Pair-wise Master Key)

• PTK (Pair-wise Transient Key)

• GMK (Group Master Key)

• GTK (Group Transient Key)

Page 3: Background Study :802.11i Encryption

Background Study: ECC (Elliptic Curve Cryptography) [Neal Koblitz, Victor Miller, 1985]

• General form: $E: y^2 + xy = x^3 + ax^2 + b$

• Prime field $F_p$: $E: y^2 = x^3 + ax + b$, with $4a^3 + 27b^2 \neq 0$

• Binary field $F_{2^n}$: $E: y^2 + xy = x^3 + ax^2 + b$, with $b \neq 0$

Page 4: Background Study :802.11i Encryption

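Addition rule over the prime field

• O: point at infinity

• P + O = O + P = P

• For $P = (x_1, y_1) \in E(F_p)$ and $Q = (x_2, y_2) \in E(F_p)$, $P + Q = (x_3, y_3)$, where

$x_3 = \lambda^2 - x_1 - x_2$, $\quad y_3 = \lambda(x_1 - x_3) - y_1$

$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$ if $P \neq Q$, $\quad \lambda = \dfrac{3x_1^2 + a}{2y_1}$ if $P = Q$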

Page 5: Background Study :802.11i Encryption

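Multiplication rule

• $kP = P + P + \dots + P$ ($k$ times), $k \in F_p$

• $s(tP) = (st)P$, $\quad s, t \in F_p$

• nP = O; n is called the order

• Given G, Q = dG, where d is randomly selected. It is nearly impossible to derive d (the elliptic curve discrete logarithm problem). G is called the generator. Q is called the public key. d is called the private key.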

Page 6: Background Study :802.11i Encryption

ECCDH

• Given E, a generator point P.

• A selects a private key da. A derives public key Qa = da∙P

• B selects a private key db. B derives public key Qb = db∙P

• A and B exchange their public keys

• A derives shared key Sab = da∙Qb

• B derives shared key Sab = db∙Qa
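The prime-field addition rule, the multiplication rule and the ECCDH exchange above, carried through on a small curve. This is an added example, not part of the original slides; the curve parameters, the private keys used in checking it and the function names are constructed for illustration, and the public-key validation step in `ecdh` is an addition the slides do not mention.

```python
# Toy curve, constructed for illustration only (far too small for real use):
# E: y^2 = x^3 + 2x + 2 over F_17; generator G = (5, 1) has order 19.
P_MOD, A, B = 17, 2, 2
G, ORDER = (5, 1), 19
O = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p, q):
    """Prime-field addition rule: P + O = P, chord (P != Q) or tangent (P == Q)."""
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # Q = -P, so the sum is the point at infinity
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """kP = P + P + ... + P (k times), computed by double-and-add."""
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def ecdh(d_own, q_peer):
    """Shared key S = d_own * Q_peer; reject peer points that are not on E."""
    if q_peer is O or not on_curve(q_peer):
        raise ValueError("peer public key is not a valid point on the curve")
    return mul(d_own, q_peer)
```

With da = 3 and db = 10, both sides arrive at the same point because da∙(db∙G) = (da∙db)∙G = db∙(da∙G).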

Page 7: Background Study :802.11i Encryption

Bilinear pairing

• Establishment of a session key requires only one message for exchange

• Bilinear mapping between two cyclic groups

• G1: cyclic additive group; G2: cyclic multiplicative group

Page 8: Background Study :802.11i Encryption
Page 9: Background Study :802.11i Encryption

Introduction

• Roaming delay is composed of

– Channel scanning and probing

  • The mobile client must disconnect from the current AP and join a new AP, which takes 20ms~380ms

– Authentication at the new AP

• The overall roaming delay should be kept under 50ms; ideally the authentication should not take more than 20ms, to allow 30ms for channel scanning and probing.

Page 10: Background Study :802.11i Encryption

• 802.11i

– Authentication is done by 802.1x, or by a pre-shared key.

– PMK, 4-way handshake for PTK, 2-way handshake for GTK.

– Full authentication takes 750~1200ms

– Roaming authentication takes 200ms, or 50ms for the best case.

Page 11: Background Study :802.11i Encryption

• Proactive key distribution method

– Distributes a new PMK to neighbor APs

– Roaming authentication time is reduced to 21ms on average.

– Heavy burden on AS

– AP must track the movement of clients

• Pre-authentication

– A client connects to multiple APs first.

– 0 delay

– Imposes a heavy burden on AS and may not extend beyond the first access router

Page 12: Background Study :802.11i Encryption

• Predictive authentication

– All the neighboring APs can receive the authentication response.

– Drawbacks are similar to pre-distribution

• 802.11r

– Authentication time of best case is 10ms

– Pre-distribution of the keys to all the APs within the subnet

– Drawbacks still remain

Page 13: Background Study :802.11i Encryption

• Reducing 4-way handshake is important. Best case analysis of 4-way handshake is 20ms.

• Inter-domain roaming

Page 14: Background Study :802.11i Encryption

Background

• IDC (Identity-based Cryptography)

– Known identity information is used in ID-based cryptography to derive a public key, thus no public key exchange is necessary.

– The identity value may be an alphanumeric character string or a MAC address.

• PKG (Private Key Generator)

– Gives the private key to the ID owner through a secure channel

Page 15: Background Study :802.11i Encryption

• Bilinear map

• Multiply integers with points on elliptic curves

– Given P and sP, it is nearly impossible to compute s

Page 16: Background Study :802.11i Encryption

• Public/private key generation

– PKG uses a master key s and a fixed point P on an elliptic curve.

– Public key Qid

  • PKG hashes the user’s ID to a point Qid on the curve.

– Private key s∙Qid

• P, s∙P and the cryptographic function H1 can be made public

Page 17: Background Study :802.11i Encryption
Page 18: Background Study :802.11i Encryption
Page 19: Background Study :802.11i Encryption
Page 20: Background Study :802.11i Encryption

Proposed scheme SFRIC

• To use a WLAN, a user logs into the network through the 802.11i process.

• For a static client SFRIC is not necessary

• SFRIC has 2 phases. In phase 1 a client accesses the PKG to get a private key. When the client decides to roam, it first finds and joins a new AP by probing and scanning, and follows the phase 2 procedure to exchange authentication messages.

Page 21: Background Study :802.11i Encryption
Page 22: Background Study :802.11i Encryption

Phase 1 preparation

• APs and the client both contact the PKG with their MAC and receive a private key via a secure channel

• Private key of client

– {MAC||expiration date||expiration hour||Nonce}

• Private key of AP

– {MAC||current date||current hour}

• Both are periodically refreshed every hour

Page 23: Background Study :802.11i Encryption

Phase 2 roaming

Page 24: Background Study :802.11i Encryption
Page 25: Background Study :802.11i Encryption

• Comment

• Figure 3 says message 1 is encrypted with Ka, but Figure 4 says K1 is used for the encryption instead.

Page 26: Background Study :802.11i Encryption

Comment: The above equation can prove anything.

Comment: (rKa, sP) = (Kc^-1, rP)?

• Serious error in equation. Cannot prove that the security key of a equals the security key of c: sKa = Kc^-1??

Page 27: Background Study :802.11i Encryption

• {MACc} is called the proof of ID. If the MAC address of the ID matches the MAC address in the packet header, the sender is proven to possess the MAC address and the right private key.

• Comment: Verification of MAC is smart but weak.

Page 28: Background Study :802.11i Encryption

• Comment: If MACc is encrypted with c’s private key, there is no way to decrypt it at a.

Page 29: Background Study :802.11i Encryption

Performance Analysis

Page 30: Background Study :802.11i Encryption

• The most time-consuming operations are the pairing operations E2, D1, and D2, while the cost of the rest is almost negligible.

• Comment: I am not convinced that the E1 pairing operation can be negligible.

• Comment: The authors are too optimistic in neglecting the network operation, especially in worst cases.

Page 31: Background Study :802.11i Encryption

• Comment: Inconsistent typos

Page 32: Background Study :802.11i Encryption

• The authors claim that only 2 pairing operations are required, which take 17ms ([23] is cited for one pairing operation taking 8.7ms in the best case), and that one can be done in advance.

• Comment: There is no simulation of the computation, nothing but a citation of other work. It is not convincing.

Page 33: Background Study :802.11i Encryption

Thank You

Page 34: Background Study :802.11i Encryption

Review Suggestion

• Rate the importance of the topic addressed in the paper and its timeliness within its area of research: Excellent / Above average / Average / Below average / None

• Rate the technical contribution of the paper, its soundness and scientific rigour: Excellent / Solid work / Valid work / Marginal work / Questionable

• Rate the novelty and originality of the work presented in the paper: Pioneering / Novel / Some Novel / Minor variation / It has been said many times before

Page 35: Background Study :802.11i Encryption

• Rate the paper organization, the clearness of text and figures, the completeness and accuracy of references: Excellent / Well written / Readable / Substantial revision work is needed / Unacceptable

• Strengths:

• Weakness:

• Recommended changes: