Secure Handover in Enterprise WLANs
Transcription
Secure Handover in Enterprise WLANs
1 Secure Handover in Enterprise WLANs: CAPWAP, HOKEY, and IEEE 802.11r T. Charles Clancy Electrical and Computer Engineering University of Maryland, College Park [email protected] Abstract— As Wireless LANs become more and more ubiquitous, the number and types of applications they are supporting is ever-increasing. As real-time performance requirements begin to emerge, the latency involved in a handover from one access point to another becomes crucial. CAPWAP and HOKEY are two suites of protocols being defined and standardized within the IETF that include support for fast handover. IEEE 802.11r is implementing extensions to the IEEE 802.11 base specification to directly support fast handover in the MAC protocol. This article details all three protocols, and compares their relative security properties, performance, and use cases. I. I NTRODUCTION The IEEE 802.11 standards [1] specifying Wireless Local Area Networks (WLANs) have significantly changed the way we work and access information. They were the birth of highrate wireless access to portable computers. IEEE 802.11 has also had its share of hiccups, most notably the specification of the Wired Equivalence Protocol (WEP). The original designers of IEEE 802.11 had no idea the level of security provided by WEP would be severely insufficient for its eventual applications. As a result, Task Group i produced the revision IEEE 802.11i [2] to provide enterprise-level security, based on the IEEE 802.1X protocols, specifically the Extensible Authentication Protocol (EAP) [3]. One drawback to IEEE 802.11i, however, is the length of time it takes to authenticate to an access point (AP), due to the execution of complex cryptographic algorithms between the client (also known as a “station” or “STA”), AP, and backend Authentication, Authorization, and Accounting (AAA) server. This makes it difficult to support real-time networking protocols, such as streaming multimedia, as a mobile user transitions from one AP to another. A number of new protocols are working to address this problem, each with a unique approach. Within the IETF, the Control and Provisioning of Wireless Access Points (CAPWAP) working group is finalizing the design of a protocol to support distributed management of an enterprise WLAN, and one of the incorporated features is the ability to perform fast handover between APs [4]. Also within the IETF, the Handover Keying (HOKEY) working group is seeking to extend the AAA architecture to support deriving and distributing security credentials without requiring a full EAP authentication [5]. Lastly, within the IEEE, Task Group r has developed a protocol to support passing credentials directly between APs as a mobile STA transitions from one to the other [6]. Each of these protocols offers a complementary approach to solving the problem of fast handover. This article describes each, and outlines their relative security properties. Section II gives a quick introduction to IEEE 802.11i security, as it is currently defined. Section III describes the CAPWAP, HOKEY, and IEEE 802.11r protocols. Section IV investigates their security and performance. Section V concludes. II. IEEE 802.11 I S ECURITY IEEE 802.11i defines the operation of a Robust Security Network (RSN). Authentication to an AP consists of a number of phases. The first is initial discovery between the STA and AP, which is followed by an EAP authentication executed between the STA and AAA server, proxied by the AP. With respect to EAP terminology, the AP is called the authenticator, because it is responsible for using AAA protocols to communicate with the AAA server, and is also responsible for receiving the derived session key. EAP supports a wide variety of authentication protocols called methods, which are transported over EAP. These methods support a large variety of credential types, ranging from shared keys to passwords to certificates. Upon successful authentication, the EAP method derives a Master Session Key (MSK) which the AAA server delivers to the AP. The first 256 bits of the 512-bit MSK becomes the Pairwise Master Key (PMK), and is used to derive traffic keys (TKs) using a cryptographic handshake between the STA and AP, called the four-way handshake. The goal of a fast-handover protocol is to reduce the number of round trips required in each of these stages to as few as possible, while still preserving the security properties of the network. The initial authentication can still follow the full IEEE 802.11i-specified protocol, but future authentications within the same session should be simplified, and bootstrapped by the trust relationship established during the initial authentication. The following section describes three new protocols that each simplify the cryptographic handover process in different ways. 2 TABLE I TABLE OF HANDOVER - RELATED ACRONYMS Acronym AAA AC DSRK EAP EMSK ERP HRK PMK PMK-R0 PMK-R1 TK WTP Meaning Authentication, Authorization, and Accounting Access Controller Domain-Specific Root Key Extensible Authentication Protocol Extended Master Session Key EAP Reauthentication Protocol Handover Root Key Pairwise Master Key Pairwise Master Key, Root Zero Pairwise Master Key, Root One Traffic Key Wireless Termination Point III. N EW P ROTOCOL S TANDARDS In this section we detail three new protocols supporting fast handover in mobile WLANs: CAPWAP, HOKEY, and IEEE 802.11r. CAPWAP and HOKEY do not change the IEEE 802.11 protocol, but rather operate on the wired side of the network, running over the Internet Protocol (IP). As such, they are being standardized by the Internet Engineering Task Force (IETF) in the form of Request for Comments (RFCs). IEEE 802.11r is a change to the IEEE 802.11 protocol itself, and is therefore being completed by the IEEE. A. CAPWAP The goal of CAPWAP is to provide a protocol to support enterprise WLAN environments, from corporate networks to university campuses. It assumes all APs will be managed by a central authority. To support this management architecture, APs are split into two logical components. A traditional “fat AP” implements both the Physical (PHY) and Medium Access Control (MAC) layers of the IEEE 802.11 protocol. With CAPWAP, the PHY and lower portions of the MAC protocol are implemented in “thin APs” called Wireless Termination Points (WTPs), while the upper-MAC functionality for all APs in the enterprise network is implemented by a centralized controller called the Access Controller (AC). After this split, the authentication and access control features of the IEEE 802.11 protocol now reside in the centralized AC, allowing it to connect clients to any of the WTPs without an EAP re-authentication. In CAPWAP, the AC acts as the authenticator, and the AAA server has no knowledge of the split nature of the WLAN deployment. During an initial authentication, the STA executes an EAP conversation with the AAA server, per standard IEEE 802.11i. Once it completes, the resulting session key is delivered to the AC. The AC then executes the four-way handshake with the STA, via the WTP. Once the traffic keys are derived, the AC securely delivers them to the WTP using the CAPWAP protocol. When a STA wishes to roam to a new WTP, after performing the discovery phase the AC executes a new four-way handshake with the STA and simply delivers a new traffic key without derivation of a new session key. Figure 1 depicts the entire authentication and handover process. Description Server responsible for back-end network authentication Network controller for CAPWAP Root key for derivation of usage keys within a domain IETF protocol for network authentication Key derived by EAP used as the root HOKEY key Protocol extending EAP to support fast reauthentication ERP root key Key derived by EAP used as the root IEEE 802.11 RSN key Root key used by IEEE 802.11r IEEE 802.11r per-AP key derived from PMK-R0 Key used to encrypt packets traversing a wireless network Light-weight access point used in CAPWAP B. HOKEY Another working group of the IETF is standardizing protocols for handover keying (HOKEY). The goal is to support both handover from one AP to another, but also support roaming between different operators. To accomplish this, HOKEY has extended EAP to natively support fast re-authentication, independent of the EAP method that performed the original authentication. The EAP Re-authentication Protocol (ERP) [7] allows a STA to use keys derived during an initial EAP authentication to perform a one-round-trip re-authentication to derive a session key for a new AP. This AP then performs the IEEE 802.11i four-way handshake with the STA to derive the traffic key. Here, each AP in the WLAN is an independent authenticator, and ERP allows AAA protocols to be used to generate multiple new session keys for each, without re-executing the original EAP method. Another key feature of HOKEY is its ability to support roaming. When a client tries to associate to an AP from another network, if that network has a roaming relationship with the STA’s home network it can proxy the authentication to the STA’s home AAA server. HOKEY also supports fast re-authentication to the visited network, drastically cutting the handover time between APs in that visited network, since credentials can be cached in a local AAA server and used to rapidly and locally derive new session keys. During a re-authentication to a visited network, the AAA protocols are used to pass keys to a local HOKEY server, typically collocated with that visited network’s AAA server. The protocol exchange is depicted in Figure 2. Rather than reusing any of the existing keys in the IEEE 802.11i keying hierarchy, HOKEY makes use of the Extended Master Session Key (EMSK) which is derived during the initial EAP authentication, and until now unused. Part of the HOKEY group’s charter is to define a keying hierarchy based on the EAP EMSK that can be used for generating applicationspecific keys [8]. Keys are grouped into key management domains, each rooted by a domain-specific root key (DSRK) generated from the EMSK, and from the DSRK we can generate a handover root key (HRK) for re-authentication. 3 C. IEEE 802.11r In the IEEE 802.11r protocol, the first AP a STA authenticates to will cache its PMK, and use it to derive session keys for other APs in the same “mobility domain”. This AP is called the R0 Key Holder (R0KH) as it holds the PMKR0, symbolizing level 0 the PMK keying hierarchy. When a STA transitions to a different AP, the R0KH will derive a PMK-R1 which is a new session key from the PMK-R0, and forward that to the new AP. The new AP is termed the R1 Key Holder (R1KH). To ensure key orthogonality, the R0KH uses the second half of the PMK, not used by the standard four-way handshake. The protocol between the STA and APs is a new MAClevel protocol defined by IEEE 802.11r. The exchange consists of an initial round-trip between the AP to which the STA is currently associated, signaling the desire to perform the handover, followed by another single round-trip between the STA and the new AP to confirm the proper key was derived and delivered. This exchange also serves to derive the traffic key, and is depicted in Figure 3. With IEEE 802.11r, the initial AP acts as the authenticator, communicating with the AAA server. After that, each AP interacts with the initial AP, rather than directly with the AAA server. An important property of IEEE 802.11r is key management. There needs to be a key transfer protocol between the R0KH and the R1KH; in other words, there is either a star configuration of security associations between the key holder and a centralized entity that serves as the R0KH, or if the first authenticator is the default R0KH, there will be a full-mesh of security associations between all authenticators. This could require up to O(n2 ) keys to be managed between n APs, and since no protocol has been defined to accomplish this it’s unlikely that IEEE 802.11r will scale to large networks. IV. P ROTOCOL P ROPERTIES In this section, the relative properties of each of the three protocols are compared and contrasted. A. Key Hierarchies Each protocol changes the standard IEEE 802.11i keying hierarchy in one way or another. Figure 4 shows the keying hierarchies for each of the three protocols, including the original hierarchy for IEEE 802.11i. The left-most column of the diagram indicates the purpose of the keys at that particular level in the hierarchy. Per RFC 4962 [9], any system that uses EAP or AAA must have a strong set of security principles guiding its use of keying material. One specific requirement is that the scope and context must be defined for all keys. Scope specifies who is authorized to possess a key, and context specifies the intended use for that key. This motivates the key purposes column in Figure 4. All keys are scoped for the STA, whereas root keys are scoped for home AAA servers, domain keys are scoped for visited AAA servers, application keys are scoped for specific services, and traffic keys are scoped for APs. Likewise, the context for root keys is to derive all keys in the system, while the context for domain keys is to derive keys within a specific domain. Application keys’ context is for that specific service, which in this case is network authentication or re-authentication. Traffic keys’ context is to encrypt and authenticate network traffic. From the diagram, we can see the relative complexity and features of the hierarchies. HOKEY is the only hierarchy to support domain-level keys, and as such it’s the only handover scheme which can natively support inter-enterprise roaming. At the application level, we can see that CAPWAP is the simplest. Since the PMK resides at the centralized AC, it can use it to easily derive multiple traffic keys. HOKEY generates a handover key for each domain, which can be used to derive the traffic keys. In IEEE 802.11r, we can see the self-forming hierarchical nature of its application-level keys, with the R0KH getting promoted to application root key holder to support a particular user’s handovers. Additionally, for all protocols we can see traffic keys are derived from the application-level keys, whether it’s via the four-way handshake as in CAPWAP or HOKEY, or a new MAC protocol as in IEEE 802.11r. Key hierarchies have a big influence in overall system security. Any entity involved in the creation or delivery of a key may be able to use it for unauthorized purposes. While the protocols themselves are secure, network entities may be attacked via other means, and their software compromised. CAPWAP centralizes security in the AC, and compromise of an AC yields to compromise of all session keys in the network. HOKEY distributes keys along the AAA hierarchy, thus compromise of any AAA entity will compromise all keys benieth it in the keying hierarchy. IEEE 802.11r centralizes keys in the R0KH, which could be an AP on a wall, which would be by far the easiest to compromise. Thus from an architectural perspective, IEEE 802.11r has the weakest security model since it pushes root keys out to the edge of the network where the probability of compromise is greatest. B. Handover Performance Each protocol offers different performance benefits. First let’s compare relative handover times for handover within one’s home domain. Let Ne be the number of round trips required for the execution of any particular EAP method. Let Tw be the transmission latency between the STA and AP (or WTP). Let Tc be the latency between any two relative close devices in a wired LAN, including AP to AP communications and WTP to AC communications. Finally, let Ta be the latency between the various infrastructure components and the local AAA server. An initial IEEE 802.11i handover requires 2Ne (Tw + Ta ) + Ta + 4Tw (1) Breaking down each term, the first represents the time to complete the EAP authentication, the second is the time to distribute the MSK to the AP, and the third is the time for the four-way handshake. Examining a CAPWAP handover, we obtain 4(Tw + Tc ) + Tc (2) 4 which covers the four-way handshake executed between the STA and AC, and then key distribution to the WTP. For HOKEY, we have 2(Tw + Ta ) + 4Tw (3) which includes the single round trip execution of ERP, which automatically delivers the HRK, followed by the four-way handshake. Lastly, for IEEE 802.11i we have 2Tw + 2Tc + 2Tw (4) representing the initial handover request, back-end key distribution, and final key handshake at the destination AP. Using numbers typical of many network deployments, Tw = 15µs, Tc = 5µs, and Ta = 20µs [10], we get a CAPWAP handover time of 85µs, HOKEY handover time of 130µs, and an IEEE 802.11r handover time of 70µs (see Figure 5). IEEE 802.11r and CAPWAP are the clear winners, but if you compare that to a full IEEE 802.11i authentication using an EAP method that requires 4 round trips, you’ll see that all those numbers are far less than 360µs. While HOKEY may have worse intra-domain handover performance than CAPWAP and IEEE 802.11r, it really shines when it comes to cross-domain handovers. No other protocol supports handing credentials from one authenticator to another, whether that authenticator is in the same domain or a remote one. With intercontinental latencies across the Internet ranging from 100 ms to 300 ms [11], local handover using a local AAA server that has cached your credentials is a significant improvement in wireless handover times. Also, no protocol other than HOKEY could support cross-technology handover, e.g. WLAN to WMAN, or WLAN to 3G handover. An important thing to conclude is that all three handover protocols have roughly similar performance, and all perform significantly better than systems without handover. All three will offer end users a similar experience; however, each has substantially different requirements on the back-end infrastructure. Thus network operators should select a handover protocol based on their usage model, and not based on which one performs handovers in the least amount of time. C. Usage Scenarios All handover protocols require the same order of magnitude of time to execute, thus time cannot be a major distinguishing factor. However, given the unique security properties of each protocol, each is geared for use in a different environment. A summary of the use cases is presented in Table II. CAPWAP is designed to simplify deployment and management of an enterprise WLAN infrastructure. The ability to do fast handover is a side effect of centralizing access point control. There are a variety of other use cases for CAPWAP, but they all generally involve extending an enterprise network to some other geographic location by tunneling CAPWAP over the Internet, allowing a telecommuter, for example, to have an AP at home that provides them direct access to their corporate network. HOKEY, on the other hand, is more geared for serviceprovider networks, rather than enterprise networks. Its inherent support for roaming makes it well suited for that environment. Additionally, there are some specifics about how HOKEY deals with the AAA protocol, and its inability to easily prevent exposure of STA keying material to AAA proxies makes it less appropriate for an enterprise network where these proxies are at a greater risk of compromise. In a service-provider network these proxies are inherently trusted, which makes any possible attack less probable. IEEE 802.11r is well suited for WLAN environments that are not centrally managed, or require extremely-low-latency handover performance. Requiring pairwise keys between all APs participating in the mobility domain makes it difficult to scale to a large number of APs. Lastly, there is no reason you couldn’t use HOKEY in conjunction with either CAPWAP or IEEE 802.11r. HOKEY can derive application keys for a particular domain, and deliver them to either an AC or an R0KH. V. C ONCLUSION This article provided a high-level introduction to three emerging protocols for WLANs to support fast mobile handover between access points. Each protocol operates differently, and seeks to optimize different parts of the authentication process, and consequently they have different security properties, performance characteristics, and use cases. Over the next 12 months, all three standards should be finalized and should start appearing in commercial equipment soon thereafter. R EFERENCES [1] IEEE 802.11, “Wireless LAN medium access control and physical layer specification,” 2007. [2] IEEE 802.11i, “Wireless LAN medium access control and physical layer specification: Ammendment for enhanced security,” 2004. [3] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Extensible authentication protocol,” RFC 3748. [4] B. O’Hara, P. Calhoun, and J. Kempf, “Configuration and provisioning for wireless access points problem statement,” RFC 3990. [5] T. Clancy, M. Nakhjiri, V. Narayanan, and L. Dondeti, “Handover key management and re-authentication problem statement,” RFC 5169. [6] IEEE 802.11, “Wireless LAN medium access control and physical layer specification: Ammendment for fast bss transition,” Draft D-7, 2007. [7] V. Narayanan and L. Dondeti, “Eap extensions and eap re-authentication protocol,” draft-ietf-hokey-erx-14. [8] J. Salowey, L. Dondeti, V. Narayanan, and M. Nakhjiri, “Specification for the derivation of root keys from an extended master sesssion key,” draft-ietf-hokey-emsk-hierarchy-05. [9] R. Houseley and B. Aboba, “Guidance for authentication, authorization, and accouting key management,” RFC 4962, BCP 132. [10] A. Mishra, M. Shin, and W. Arbaugh, “An emperical analysis of the ieee 802.11 mac-layer handoff process,” ACM SIGCOMM Computer and Communications Review, 2003. [11] J. Ledlie, P. Gardner, and M. Selter, “Network coordinates in the wild,” USENIX Symposium on Networked System Design and Implementation 2007. — Dr. Charles Clancy is a senior researcher with the Laboratory for Telecommunications Sciences, and an adjunct professor of Electrical Engineering at the University of Maryland. He received his M.S. in Electrical Engineering 5 TABLE II S UMMARY OF THE USE CASES FOR VARIOUS HANDOVER PROTOCOLS Protocol Approach Use Case HOKEY AAA extension CAPWAP MAC centralization IEEE 802.11r MAC extension service provider wireless networks e.g. WLAN hotspot providers, 3G/4G cellular networks enterprise WLAN wireless networks e.g. large corporate or university networks unmanaged WLAN wireless networks e.g. residential or small office networks from the University of Illinois and Ph.D. in Computer Science from the University of Maryland. He chairs the HOKEY working group and is the security advisor to the CAPWAP and EAP working groups of the IETF. His research interests include next-generation wireless networks and security. Deployment Requirements new STA drivers, APs, AAA server new APs new STA hardware, STA drivers, and APs Key Features support for roaming and intertechnology handover easiest to deploy best performance 6 1) Execution of EAP method between STA and AAA server 2) Key distribution from the AAA server to the authenticator, the AC 3) Four-way handshake executed between STA and AC 4) CAPWAP Add-Mobile message from AC to WTP1 with traffic key 5) STA wishes to handover to WTP2 ; executes four-way handshake with AC via WTP2 6) CAPWAP Add-Mobile message from AC to WTP2 with traffic key 7) STA wishes to handover to WTP3 ; executes four-way handshake with AC via WTP3 8) CAPWAP Add-Mobile message from AC to WTP3 with traffic key Fig. 1. CAPWAP architecture, showing an initial authentication followed by a handover of a STA from one WTP to another 1) Execution of EAP method between STA and home AAA server 2) Key distribution from the AAA server to the AP1 3) Four-way handshake executed between STA and AP1 4) STA wishes to handover to AP2 in another domain; executes ERP with local AAA server 5) Local AAA server requests and receives a domain-specific re-authentication key 6) Local AAA server generates session key and delivers it to AP2 7) STA executes four-way handshake with AP2 8) STA wishes to handover to AP3 ; executes ERP with local AAA server 9) Local AAA server uses domain-specific reauthentication key to derive a session key for AP3 , and delivers it 10) STA executes four-way handshake with AP3 Fig. 2. HOKEY authentication, re-authentication, and re-authentication to a visited network 7 1) Execution of EAP method between STA and home AAA server 2) Key distribution from the AAA server to the AP1 , termed R0 Key Holder (R0KH) 3) Four-way handshake executed between STA and AP1 4) STA wishes to handover to AP2 ; requests handover from AP1 to AP2 5) AP1 generates session key for AP2 , termed the R1KH, and transfers it 6) STA completes handover by executing protocol with AP2 and derives traffic key 7) STA wishes to handover to AP3 ; requests handover from AP2 to AP3 8) AP2 asks AP1 to generate a session key for AP3 9) AP1 transfers session key to AP3 10) STA completes handover by executing protocol with AP3 and derives traffic key Fig. 3. Protocol exchanges for handing over between APs in an IEEE 802.11r-enabled WLAN Fig. 4. Keying hierarchies for CAPWAP, HOKEY, and IEEE 802.11r, as compared to the original IEEE 802.11i hierarchy 8 Fig. 5. Comparison of handover times of CAPWAP, HOKEY and IEEE 802.11r, as compared to IEEE 802.11