802.11r enhanced

Date post: 04-Aug-2015

802.11r [Fast BSS Transition]

Shashank Tadakamadla

Outline

- 802.11r & its purpose
- Types of 802.11r
- 802.11r Capability Detection
- Basic 4-way Handshake
- FT 4-way Handshake
- FT Key Hierarchy
- Over the Air
- Over the Distributed System

802.11r [Fast BSS Transition]

IEEE 802.11r specifies Fast Basic Service Set [BSS] Transitions [FT] between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources to occur in parallel.

802.11r is a mechanism to reduce the association time between a client and an AP when the client roams between different APs of the same Extended Service Set [ESS].

Purpose

Traffic types such as VoIP and VoWiFi should not be delayed or dropped by devices. Hence, such applications require an FT mechanism to be implemented when a client roams from AP to AP in the same Extended Service Set [ESS].

Types of 802.11r

FT mechanisms supported by Wi-Fi devices can be of two types:

- Over The Air
- Over The Distributed System [DS]

Over The Air

The client communicates directly with the target AP using IEEE 802.11 FT-Authentication and FT-(Re)Association frames to complete authentication between the client and the target AP and to generate the keys required for encryption of unicast and multicast traffic.

Over The DS

The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the Central Management Entity [CME] or Controller.

IEs Introduced By 802.11r

The following Information Elements [IE] are introduced by 802.11r:

- Mobility Domain
- Fast BSS Transition

Mobility Domain IE

This IE is used in detecting support of 802.11r by an AP.

Mobility Domain Identifier: This is the string or value which helps the Client to understand if it can roam between APs of the same ESS using the 802.11r mechanism.

Fast BSS Transition over DS: If this value is set, it indicates that the Over the DS mechanism is supported; otherwise the Over the Air mechanism is supported.

Fast BSS Transition IE

This IE includes information needed to perform the FT authentication sequence during a fast BSS transition in an RSN.

This IE is present in FT-Authentication and FT-(Re)Association frames transmitted by devices that support 802.11r.

This IE is present in EAPOL frames that are involved in the 4-way handshake with the Current AP [the first AP that a Client connects to in an ESS].

This IE provides information related to the following parameters:

- R0-KH ID / R0-KH Name
- R1-KH ID / R1-KH Name
- PMK-R0 / PMK-R1

Detection of 802.11r

RSN and MD are the IEs that a user needs to look at to see if an AP supports 802.11r.

RSN IE

This IE is used in detecting support of 802.11r by an AP.

Authentication Key Management [AKM] advertises the type of key management with FT support.

This IE carries the PMKR1-Name in 4-way handshake EAPOL frames to derive the PTK & GTK.

AP

It advertises its 802.11r capability in Management frames such as Beacon, Probe Response and (Re)Association Response frames.

Client

It advertises its 802.11r capability in Management frames such as (Re)Association Request frames.
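The detection check described above can be scripted. The following is an added example, not part of the original slides: it walks the tagged parameters of a Beacon or Probe Response and reports the Mobility Domain IE and any FT-capable AKM suite in the RSN IE. The element IDs (48, 54) and AKM suite types (3, 4) are taken from IEEE 802.11, and the sample bytes are constructed.

```python
import struct

RSN_ID, MDE_ID = 48, 54                  # element IDs: RSN, Mobility Domain
OUI_IEEE = b"\x00\x0f\xac"
FT_AKMS = {3: "FT-802.1X", 4: "FT-PSK"}  # AKM suite types that signal FT

def iter_ies(buf):
    """Yield (element_id, body) per tag; stop at a truncated element."""
    off = 0
    while off + 2 <= len(buf):
        eid, length = buf[off], buf[off + 1]
        body = buf[off + 2: off + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        off += 2 + length

def rsn_akms(body):
    """Return [(oui, suite_type)] for the AKM list of an RSN element."""
    if len(body) < 8:                    # version(2) group(4) pair count(2)
        return []
    (n_pair,) = struct.unpack_from("<H", body, 6)
    off = 8 + 4 * n_pair
    if len(body) < off + 2:
        return []
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_akm)]
    return [(s[:3], s[3]) for s in suites if len(s) == 4]

def ft_support(ies):
    """Summarise 802.11r support from the MD and RSN elements."""
    info = {"mdid": None, "over_ds": None, "ft_akms": []}
    for eid, body in iter_ies(ies):
        if eid == MDE_ID and len(body) >= 3:
            info["mdid"] = body[:2].hex()            # Mobility Domain Identifier
            info["over_ds"] = bool(body[2] & 0x01)   # Fast BSS Transition over DS
        elif eid == RSN_ID:
            info["ft_akms"] = [FT_AKMS[t] for oui, t in rsn_akms(body)
                               if oui == OUI_IEEE and t in FT_AKMS]
    info["supports_ft"] = info["mdid"] is not None and bool(info["ft_akms"])
    return info

# Constructed sample: SSID "corp", RSN (CCMP, AKMs PSK + FT-PSK), MD IE.
SAMPLE = bytes.fromhex(
    "0004636f7270"
    "3018" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac04" "0000"
    "3603" "a1b2" "01")

if __name__ == "__main__":
    print(ft_support(SAMPLE))
```

An AP that shows a Mobility Domain IE but no FT AKM suite, or the reverse, is worth flagging as a misconfiguration during a wireless audit.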

Basic 4-Way Handshake

The 4-way handshake is used by security protocols such as WPA/WPA2/802.1x. The purpose of WPA [TKIP], WPA2 [TKIP/CCMP] and 802.1x is to generate dynamic, unique encryption keys for each client connected to an AP.

Two different keys are generated using the 4-way handshake:

- Pairwise Transient Key [PTK]
- Group Temporal Key [GTK]

Pairwise Transient Key

A value that is derived from the Pairwise Master Key [PMK], Authenticator Address [AA], Supplicant Address [SA], Authenticator Nonce [ANonce] and Supplicant Nonce [SNonce] using the pseudo-random function [PRF].

This key is used by the AP and Clients to encrypt unicast frames that are transmitted between the AP and a Client.

Group Temporal Key

A random value derived by the AP and shared with all the clients connected to a Basic Service Set Identifier [BSSID].

As per the standard, it is mandatory that the GTK value be updated whenever a Client moves away or is disconnected from a BSSID.

This key is used by the AP and Clients to encrypt broadcast/multicast frames that are transmitted between the AP and a Client.

[Figure: Basic 4-Way Handshake]

FT 4-Way Handshake

The FT 4-way handshake takes place between the Initial AP and a Client in an ESS.

This mechanism is not much different from that of pre-802.11r devices. Some additional information is carried in the EAPOL frames.

The additional information that is carried in the EAPOL frames is as follows:

- Mobility Domain IE
- Fast BSS Transition IE
- PMK-R1

The above additional information, together with the basic 4-way handshake information, is used in determining the PTK and GTK.

[Figure: FT 4-Way Handshake]

FT Key Hierarchy

As you can see in the diagram, the FT key hierarchy consists of three levels.

R0KH Key Holder

- PMK-R0 – the first-level key of the FT key hierarchy. This key is derived as a function of the master session key (MSK) or PSK. It is stored by the PMK-R0 key holders, R0KH and S0KH.

R1KH Key Holder

- PMK-R1 – the second-level key of the FT key hierarchy. This key is mutually derived by the S0KH and R0KH.

S0KH/S1KH Key Holder

- PTK – the third-level key of the FT key hierarchy that defines the IEEE 802.11 and IEEE 802.1X protection keys. The PTK is mutually derived by the PMK-R1 key holders, R1KH and S1KH.

FT Key Hierarchy

Below is a short description of how the keys are generated:

- R0-Key-Data = KDF-384(XXKey, "R0 Key Derivation", SSIDlength || SSID || MDID || R0KH-ID || 0x00 || SPA)
- PMK-R0 = L(R0-Key-Data, 0, 256)
- The PMK-R0 key shall be computed as the first 256 bits (bits 0-255) of the R0-Key-Data. The latter 128 bits of R0-Key-Data shall be used as the PMK-R0Name-Salt to generate the PMKR0Name.
- PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)
- PMKR0Name = Truncate-128(SHA-256("R0 Key Name" || SSIDlength || SSID || MDID || R0KH-ID || 0x00 || SPA || PMK-R0Name-Salt))
- PMKR1Name = Truncate-128(SHA-256("R1 Key Name" || PMKR0Name || R1KH-ID || 0x00 || SPA))
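The formulas above, carried through in code as an added example (not part of the original slides). Label and context strings are copied from this page as written; the KDF is assumed to be the HMAC-SHA-256 counter-mode KDF of IEEE 802.11, S1KH-ID is assumed to equal the SPA, and all key and address values are constructed.

```python
import hashlib
import hmac
import struct

def kdf(key, label, context, bits):
    """KDF-<bits>: HMAC-SHA-256 over counter || label || context || length."""
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]

def truncate128(data):
    """Truncate-128(SHA-256(data))."""
    return hashlib.sha256(data).digest()[:16]

def ft_keys(xxkey, ssid, mdid, r0kh_id, r1kh_id, spa):
    """Derive PMK-R0, PMK-R1 and their names using the page's formulas."""
    r0_ctx = bytes([len(ssid)]) + ssid + mdid + r0kh_id + b"\x00" + spa
    r0_data = kdf(xxkey, b"R0 Key Derivation", r0_ctx, 384)
    pmk_r0, salt = r0_data[:32], r0_data[32:]   # first 256 bits, last 128 bits
    pmk_r0_name = truncate128(b"R0 Key Name" + r0_ctx + salt)
    # Assumption: S1KH-ID is the supplicant address (SPA).
    pmk_r1 = kdf(pmk_r0, b"FT-R1", r1kh_id + spa, 256)
    pmk_r1_name = truncate128(
        b"R1 Key Name" + pmk_r0_name + r1kh_id + b"\x00" + spa)
    return {"pmk_r0": pmk_r0, "pmk_r0_name": pmk_r0_name,
            "pmk_r1": pmk_r1, "pmk_r1_name": pmk_r1_name}

# Constructed inputs: one client, one mobility domain, two target APs.
XXKEY = bytes(range(32))                 # stands in for the PSK / MSK half
SSID, MDID = b"corp", bytes.fromhex("a1b2")
R0KH_ID = b"r0kh.example"
R1KH_A = bytes.fromhex("020000000a01")   # R1KH-ID of the first AP
R1KH_B = bytes.fromhex("020000000a02")   # R1KH-ID of the AP roamed to
SPA = bytes.fromhex("020000000c01")      # supplicant MAC address

if __name__ == "__main__":
    for r1kh in (R1KH_A, R1KH_B):
        keys = ft_keys(XXKEY, SSID, MDID, R0KH_ID, r1kh, SPA)
        print(r1kh.hex(), keys["pmk_r0_name"].hex(), keys["pmk_r1_name"].hex())
```

Both runs share one PMK-R0 while each AP gets its own PMK-R1, which is what lets a roam skip a fresh 802.1X exchange. Check the label strings against the revision of IEEE 802.11 you implement before comparing output with a real capture.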

FT - Over The Air

This mechanism allows the Client or Station [STA] to connect to the Target AP using FT-Authentication and FT-(Re)Association frames.

As per 802.11r, the PTK and GTK keys are generated for a client using FT-Authentication and FT-(Re)Association frames, eliminating the 4-way handshake mechanism.

[Figure: FT - Over The Air]

FT – Over the DS

This mechanism allows the Client or Station [STA] to connect to the Target AP using FT-Action and FT-(Re)Association frames.

As per 802.11r, the PTK and GTK keys are generated for a client using FT-Action and FT-(Re)Association frames, eliminating the 4-way handshake mechanism.

FT-Action frames do not communicate directly with the Target AP but via the Current AP through some central entity such as a Controller.

The dotted lines in the state diagram indicate that the Client communicates through the Current AP to get authenticated with the Target AP. In real-world deployments, this happens through a central entity such as a Controller.

[Figure: FT – Over the DS]
