802.11r explained
TRANSCRIPT
Outline 802.11r & its purpose
Types of 802.11r
802.11r Capability Detection
Basic 4-way Handshake
FT 4-way Handshake
FT Key Hierarchy
Over the Air
Over the Distributed System
802.11r [Fast BSS Transition]
IEEE 802.11r specifies Fast Basic Service Set [BSS] Transitions [FT] between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources to occur in parallel.
802.11r is a mechanism to reduce the time of ASSOCIATION between a client and an AP when the client roams between different APs of the same Extended Service Set [ESS].
Purpose
Traffic types such as VoIP and VoWiFi should not be delayed or dropped by devices. Hence, such applications require the FT mechanism to be implemented when a client roams from AP to AP within the same Extended Service Set [ESS].
Types of 802.11r
FT mechanisms supported by Wi-Fi devices can be of two types:
Over The Air
Over The Distributed System [DS]
Over The Air
The client communicates directly with the target AP using IEEE 802.11 FT-Authentication and FT-(Re)Association frames to complete authentication between the client and the target AP and to generate the keys required for encryption of unicast and multicast traffic.
Over The DS
The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT Action frames between the client and the current AP and is then forwarded through the Central Management Entity [CME] or Controller.
IEs Introduced By 802.11r
The following Information Elements [IE] are introduced by 802.11r:
Mobility Domain
Fast BSS Transition
Mobility Domain IE
This IE is used in detecting support of 802.11r by an AP.
Mobility Domain Identifier: This is the string or value which helps the Client to understand whether it can roam between APs of the same ESS using the 802.11r mechanism.
Fast BSS Transition over DS: If this bit is set, it indicates that the Over-the-DS mechanism is supported; otherwise the Over-the-Air mechanism is supported.
Fast BSS Transition IE
This IE includes the information needed to perform the FT authentication sequence during a fast BSS transition in an RSN.
This IE is present in FT-Authentication and FT-(Re)Association frames transmitted by devices that support 802.11r.
This IE is present in the EAPOL frames of the 4-way handshake with the Current AP [the first AP that a Client connects to in an ESS].
This IE provides information related to the parameters below:
‐ R0-KH ID / R0-KH Name
‐ R1-KH ID / R1-KH Name
‐ PMK-R0 / PMK-R1
Detection of 802.11r
RSN and MD are the IEs that a user needs to look at to determine whether an AP supports 802.11r.
RSN IE
This IE is used in detecting support of 802.11r by an AP.
The Authentication Key Management [AKM] suite field advertises the type of key management, including whether FT is supported.
In 4-way handshake EAPOL frames, this IE carries the PMKR1Name used to derive the PTK & GTK.
AP
It advertises 802.11r capability in Management frames such as Beacon, Probe Response and (Re)Association Response frames.
Client
It advertises its 802.11r capability in Management frames such as (Re)Association Request frames.
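Below is an added example (not from the original slides) that does the detection described above in code: it walks the tagged parameters of a Beacon or Probe Response, pulls out the Mobility Domain IE (element ID 54: 2-octet MDID plus a capability octet whose bit 0 is "FT over DS") and the RSN IE (element ID 48), and reports whether an FT AKM (00-0F-AC:3 FT over 802.1X, 00-0F-AC:4 FT over PSK) is advertised. The two beacon byte strings are constructed for this example; the SSID "corp" and MDID 0x1234 are made-up values.

```python
import struct

# Element IDs and AKM selectors from IEEE 802.11 (used by the constructed beacons below)
EID_SSID = 0
EID_RSN = 48
EID_MOBILITY_DOMAIN = 54
OUI_IEEE = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT over 802.1X", 4: "FT over PSK"}


def parse_ies(blob):
    """Split the tagged-parameter section of a management frame into (id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        eid, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element id %d" % eid)
        ies.append((eid, body))
        i += 2 + length
    return ies


def parse_mdie(body):
    """Mobility Domain element: MDID (little-endian) and the FT Capability and Policy octet."""
    if len(body) != 3:
        raise ValueError("Mobility Domain element must be 3 octets")
    mdid = struct.unpack("<H", body[:2])[0]
    caps = body[2]
    return {"mdid": mdid, "ft_over_ds": bool(caps & 0x01), "rrp": bool(caps & 0x02)}


def parse_rsn_akms(body):
    """Return the AKM suite selectors (oui, type) from an RSN element body."""
    version = struct.unpack("<H", body[:2])[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    pos = 2 + 4                                   # version + group cipher suite
    pairwise_count = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2 + 4 * pairwise_count                 # skip pairwise cipher suites
    akm_count = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    akms = []
    for _ in range(akm_count):
        akms.append((body[pos:pos + 3], body[pos + 3]))
        pos += 4
    return akms


def detect_ft(blob):
    """Summarise what the AP advertises: MDIE present, over-DS bit, AKMs, and an overall FT verdict."""
    result = {"ssid": None, "mdid": None, "ft_over_ds": None, "akms": [], "supports_ft": False}
    for eid, body in parse_ies(blob):
        if eid == EID_SSID:
            result["ssid"] = body.decode("utf-8", "replace")
        elif eid == EID_MOBILITY_DOMAIN:
            md = parse_mdie(body)
            result["mdid"], result["ft_over_ds"] = md["mdid"], md["ft_over_ds"]
        elif eid == EID_RSN:
            for oui, typ in parse_rsn_akms(body):
                if oui == OUI_IEEE:
                    result["akms"].append(AKM_NAMES.get(typ, "type %d" % typ))
    # Both the MDIE and an FT AKM are required; one without the other is a misconfiguration, not FT.
    result["supports_ft"] = result["mdid"] is not None and any(a.startswith("FT") for a in result["akms"])
    return result


# Constructed beacon tagged parameters: SSID "corp", RSN (CCMP group, CCMP pairwise,
# AKMs PSK + FT over PSK), Mobility Domain IE with MDID 0x1234 and the over-DS bit set.
SAMPLE_FT_BEACON = (
    b"\x00\x04corp"
    + b"\x30\x16" + b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
    + b"\x02\x00" + b"\x00\x0f\xac\x02" + b"\x00\x0f\xac\x04"
    + b"\x36\x03\x34\x12\x01"
)
# Constructed pre-802.11r beacon: same SSID, RSN with PSK only, no Mobility Domain IE.
SAMPLE_LEGACY_BEACON = (
    b"\x00\x04corp"
    + b"\x30\x12" + b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
    + b"\x01\x00" + b"\x00\x0f\xac\x02"
)

if __name__ == "__main__":
    for name, blob in (("FT AP", SAMPLE_FT_BEACON), ("legacy AP", SAMPLE_LEGACY_BEACON)):
        print(name, detect_ft(blob))
```

The same parser can be pointed at the tagged parameters of a client's (Re)Association Request to see what the client side advertises; the MDIE it sends must carry the MDID of the ESS it is roaming within.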
Basic 4-Way Handshake
The 4-way handshake is used by security protocols such as WPA/WPA2/802.1X. The purpose of WPA [TKIP], WPA2 [TKIP/CCMP] and 802.1X is to generate dynamic, unique encryption keys for each client connected to an AP.
Two different keys are generated using the 4-way handshake:
Pairwise Transient Key [PTK]
Group Temporal Key [GTK]
Pairwise Transient Key
A value that is derived from the Pairwise Master Key [PMK], Authenticator Address [AA], Supplicant Address [SA], Authenticator Nonce [ANonce] and Supplicant Nonce [SNonce] using the pseudo-random function [PRF].
This key is used by the AP and Clients to encrypt unicast frames that are transmitted between the AP and a Client.
Group Temporal Key
A random value derived by the AP and shared with all the clients connected to a Basic Service Set Identifier [BSSID].
As per the standard, it is mandatory that the GTK value be updated whenever a Client moves away from or disconnects from a BSSID.
This key is used by the AP and Clients to encrypt broadcast/multicast frames that are transmitted between the AP and a Client.
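The PTK derivation just described, carried out in code as an added example (it is not part of the original slides): the PMK comes from the WPA2-PSK passphrase mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), the PRF is the HMAC-SHA1 counter-mode PRF of 802.11i with the label "Pairwise key expansion", and the 384-bit result is split into KCK, KEK and TK as used for CCMP. The passphrase, SSID, MAC addresses and nonces are constructed values.

```python
import hashlib
import hmac


def psk_from_passphrase(passphrase, ssid):
    """WPA2-PSK passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbits):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter), truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering is what lets both sides derive the same key regardless of who is AA and who is SPA."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame):
    """Key MIC for AKM 00-0F-AC:2 (HMAC-SHA1-128) over an EAPOL-Key frame whose MIC field is zeroed by the caller."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed sample values: not real credentials, addresses or captured nonces.
SAMPLE_PMK = psk_from_passphrase("correct horse battery staple", "corp")
SAMPLE_AA = bytes.fromhex("001122334455")       # AP (authenticator) MAC
SAMPLE_SPA = bytes.fromhex("66778899aabb")      # client (supplicant) MAC
SAMPLE_ANONCE = bytes(range(32))                # would be random in a real handshake
SAMPLE_SNONCE = bytes(range(32, 64))


def handshake_demo():
    """Both sides derive the PTK from the same inputs; a fresh ANonce yields an unrelated PTK."""
    ap_side = derive_ptk(SAMPLE_PMK, SAMPLE_AA, SAMPLE_SPA, SAMPLE_ANONCE, SAMPLE_SNONCE)
    # The client passes the same addresses and nonces, just from its own point of view.
    sta_side = derive_ptk(SAMPLE_PMK, SAMPLE_SPA, SAMPLE_AA, SAMPLE_SNONCE, SAMPLE_ANONCE)
    reassoc = derive_ptk(SAMPLE_PMK, SAMPLE_AA, SAMPLE_SPA, bytes(32), SAMPLE_SNONCE)
    return {"ap": ap_side, "sta": sta_side, "fresh_anonce": reassoc}


if __name__ == "__main__":
    keys = handshake_demo()
    print("TK (AP side):     ", keys["ap"]["tk"].hex())
    print("TK (client side): ", keys["sta"]["tk"].hex())
    print("TK after new nonce:", keys["fresh_anonce"]["tk"].hex())
```

The point of the demo function is the dependency on the nonces: every association, including each roam on a pre-802.11r network, costs a full exchange of fresh nonces before a new TK exists, which is exactly the delay 802.11r removes by moving the pairwise key to a hierarchy that is set up once per ESS.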
FT 4-Way Handshake
The FT 4-way handshake takes place between the Initial AP and a Client in an ESS.
This mechanism is not much different from that of pre-802.11r devices; some additional information is carried in the EAPOL frames.
Additional information that is carried in the EAPOL frames is as follows:
‐ Mobility Domain IE
‐ Fast BSS Transition IE
‐ PMK-R1
The above additional information, together with the basic 4-way handshake information, is used in determining the PTK and GTK.
FT Key Hierarchy
As you can see in the diagram, the FT key hierarchy consists of three levels.
R0KH Key Holder
‐ PMK-R0 – the first-level key of the FT key hierarchy. This key is derived as a function of the master session key (MSK) or PSK. It is stored by the PMK-R0 key holders, R0KH and S0KH.
R1KH Key Holder
‐ PMK-R1 – the second-level key of the FT key hierarchy. This key is mutually derived by the S0KH and R0KH.
S0KH/S1KH Key Holder
‐ PTK – the third-level key of the FT key hierarchy that defines the IEEE 802.11 and IEEE 802.1X protection keys. The PTK is mutually derived by the PMK-R1 key holders, R1KH and S1KH.
FT Key Hierarchy
Below is a short description of how the keys are generated:
R0-Key-Data = KDF-384 (XXKey, "R0 Key Derivation", SSIDlength || SSID || MDID || R0KH-ID || 0x00 || SPA)
PMK-R0 = L(R0-Key-Data, 0, 256)
PMK-R0 key shall be computed as the first 256 bits (bits 0-255) of the R0-Key-Data. The latter 128 bits of R0-Key-Data shall be used as the PMK-R0Name-Salt to generate the PMKR0Name.
PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)
PMKR0Name = Truncate-128(SHA-256("R0 Key Name" || SSIDlength || SSID || MDID || R0KH-ID || 0x00 || SPA || PMK-R0Name-Salt))
PMKR1Name = Truncate-128(SHA-256("R1 Key Name" || PMKR0Name || R1KH-ID || 0x00 || SPA))
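The three-level hierarchy from the two slides above, worked through as an added example (not code from the original slides). The label strings and context layout follow the formulas exactly as written on the slide; check them against the text of the standard revision your implementation targets. The KDF itself is not spelled out on the slide and is assumed here to be the 802.11 KDF-Hash-Length construction (HMAC-SHA-256 in counter mode with a 16-bit little-endian counter and output length). XXKey is taken to be a PSK derived from a constructed passphrase; the SSID, MDID, key-holder IDs and station address are made-up values.

```python
import hashlib
import hmac
import struct


def kdf(key, label, context, nbits):
    """802.11 KDF-Hash-Length (assumed): HMAC-SHA-256(key, i || label || context || nbits) for i = 1.., truncated."""
    out = b""
    for i in range(1, (nbits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", nbits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:nbits // 8]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, spa):
    """Level 1: R0-Key-Data = KDF-384(XXKey, "R0 Key Derivation", SSIDlength || SSID || MDID || R0KH-ID || 0x00 || SPA).
    PMK-R0 is the first 256 bits; the remaining 128 bits salt the PMKR0Name."""
    ctx = bytes([len(ssid)]) + ssid + mdid + r0kh_id + b"\x00" + spa
    r0_key_data = kdf(xxkey, b"R0 Key Derivation", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmkr0name = hashlib.sha256(b"R0 Key Name" + ctx + salt).digest()[:16]
    return pmk_r0, pmkr0name


def derive_pmk_r1(pmk_r0, r1kh_id, s1kh_id):
    """Level 2: PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID). Held by the R1KH (AP) and S1KH (client)."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)


def pmkr1_name(pmkr0name, r1kh_id, spa):
    """PMKR1Name = Truncate-128(SHA-256("R1 Key Name" || PMKR0Name || R1KH-ID || 0x00 || SPA)).
    Needs only the key *name*, so it can be quoted in the RSN IE to identify which PMK-R1 is meant."""
    return hashlib.sha256(b"R1 Key Name" + pmkr0name + r1kh_id + b"\x00" + spa).digest()[:16]


# Constructed values for the demo: one R0KH (controller) serving two R1KHs (APs) in one mobility domain.
SAMPLE_XXKEY = hashlib.pbkdf2_hmac("sha1", b"correct horse battery staple", b"corp", 4096, 32)  # PSK as XXKey
SAMPLE_SSID = b"corp"
SAMPLE_MDID = b"\x34\x12"                                      # MDID 0x1234, little-endian
SAMPLE_R0KH_ID = b"controller-01"                              # R0KH-ID is a NAS identifier
SAMPLE_SPA = bytes.fromhex("66778899aabb")                     # client MAC (also its S0KH/S1KH-ID)
SAMPLE_AP1_R1KH_ID = bytes.fromhex("001122334455")             # R1KH-ID is the AP's MAC
SAMPLE_AP2_R1KH_ID = bytes.fromhex("001122334466")


def ft_hierarchy_demo():
    """Derive the hierarchy as the controller/client would, once for each AP the client could roam to."""
    pmk_r0, pmkr0name = derive_pmk_r0(SAMPLE_XXKEY, SAMPLE_SSID, SAMPLE_MDID, SAMPLE_R0KH_ID, SAMPLE_SPA)
    per_ap = {}
    for label, r1kh_id in (("ap1", SAMPLE_AP1_R1KH_ID), ("ap2", SAMPLE_AP2_R1KH_ID)):
        # The R0KH pushes this PMK-R1 to the AP; the client (S0KH) derives the same value from its own PMK-R0.
        per_ap[label] = {
            "pmk_r1": derive_pmk_r1(pmk_r0, r1kh_id, SAMPLE_SPA),
            "pmkr1name": pmkr1_name(pmkr0name, r1kh_id, SAMPLE_SPA),
        }
    return {"pmk_r0": pmk_r0, "pmkr0name": pmkr0name, "per_ap": per_ap}


if __name__ == "__main__":
    h = ft_hierarchy_demo()
    print("PMKR0Name:", h["pmkr0name"].hex())
    for ap, keys in h["per_ap"].items():
        print(ap, "PMKR1Name:", keys["pmkr1name"].hex(), "PMK-R1:", keys["pmk_r1"].hex())
```

What the demo makes visible: PMK-R0 never has to leave the R0KH and the client, each target AP gets its own PMK-R1 bound to its R1KH-ID, and the names of both keys are computable without the keys themselves, which is why a PMKR1Name can travel in the RSN IE of the FT frames to tell the target AP which key to use.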
FT - Over The Air
This mechanism allows the Client or Station [STA] to connect to the Target AP using FT-Authentication and FT-(Re)Association frames.
As per 802.11r, the PTK and GTK keys are generated for a client using the FT-Authentication and FT-(Re)Association frames, eliminating the 4-way handshake mechanism.
FT – Over the DS
This mechanism allows the Client or Station [STA] to connect to the Target AP using FT-Action and FT-(Re)Association frames.
As per 802.11r, the PTK and GTK keys are generated for a client using the FT-Action and FT-(Re)Association frames, eliminating the 4-way handshake mechanism.
FT-Action frames are not exchanged directly with the Target AP but via the Current AP through some central entity such as a Controller.
The dotted lines in the state diagram indicate that the Client communicates through the Current AP to get authenticated with the Target AP. In real deployments, this happens through a central entity such as a Controller.