| Thread Links | Date Links | ||||
|---|---|---|---|---|---|
| Thread Prev | Thread Next | Thread Index | Date Prev | Date Next | Date Index |
|
Hi Graham, On 8/31/23, 2:33 PM, "G Smith" <gsmith@xxxxxxxxxxxxxxxxxxx> wrote: Hi Dan, As usual, food for thought. However, simple soul that I am, I see it as follows. The “authentication” prior to 4 w HS is simply to say “I am an 802.11 device”, and in the 802.11bh world “you may know me from my TA (IRM)”. At the 4 w HS it adds that it knows the network password, and, in the
11bh world, “I have an identity that you gave me previously”. "I am an 802.11 device" is not authentication and 802.11 "Open" authentication does not actually do authentication, it is erroneously named. The 4way HS does not prove that a device knows a password, SAE does that. SAE is done in 802.11
authentication frames. SAE identifies the device (again, the identity will be as useful as your credential is) and generates a PMK, the 4way HS proves possession of the PMK and generates a PTK. If one does 802.1x then the EAP method identifies the device and
generates a PMK whose possession is proven by successful completion of the 4way HS.
regards, Dan. -- "the object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." – Marcus Aurelius To cover Antonio’s problem with having 2 identities, as stated in the Draft they are separate and a STA may choose to use one or the other, or indeed both. The IRM is a MAC Address assigned by the STA, whilst device
ID is a long term identity concept and is assigned by the AP. Going through the Use Cases, one can see advantages in one or the other, or indeed both. Having said that, I am still struggling a bit to understand why we are now changing the device ID concept
by making it a one-time number/code, to cover some use cases which are adequately covered by IRM. I don’t fundamentally object to doing this, but do not call it “Device ID”, it needs a new name.
Graham From: Harkins, Dan <daniel.harkins@xxxxxxx>
Hello, I'm gonna butt in here…. I just did a search for "definition of authentication" and it came back with this:
1.
the process or action of proving or showing something to be true, genuine, or valid. "the prints will be stamped with his seal and accompanied by a letter of authentication"
o
Computing the process or action of verifying the identity of a user or process. "user authentication for each device ensures that the individual using the device is recognized by the company" So authentication in the computing realm is the process of verifying the identity of someone or something. This is significant because these identities—IRMs and Device IDs—care conveyed in the 4way HS but the 4way
HS happens after authentication. There is no way to get to the 4way HS unless you've authenticated. So after we have verified an identity we are exchanging these 11bh identifiers. Am I the only one to see a problem here? If we have verified the
identity of the STA, if we have authenticated it, what use is there in exchanging them in the 4way HS. To say, "things really happen only in the 4-way handshake" is to say that the things happening are pointless—"I have verified your identity, now what is
your identity?" At the beginning when we accepted this text to add this stuff to the 4way HS, I thought it was so the network could provide a new blob—and encrypted form of the STA's long-term identity per the Annex—that would
be used in a subsequent connection and, significantly, outside the 4way HS. But if things are only going to happen in the 4way HS then I'm not sure what the point of this group is. Also, one more comment, if a STA provides some 11bh identifier that the AP doesn't recognize, some "bad information", I would hope that the AP would just treat the message as if the identifier was not there. This
is analogous to PMKSA caching. If the STA asserts some PMKID and the AP doesn't recognize it, it just proceeds as if the PMKID was not there and there will be no PMKSA caching for this association. It doesn't refuse association. "Be conservative in what you
send and liberal in what you accept" is a useful guide for protocols, it's not the law but it's a good guide. We should follow it unless there is a very good reason not to and I haven't seen that reason. OK, I lied. One more comment. I'm still not able to deal with the cognitive dissonance of worry about attacks to discover valid identities and a simultaneous desire to give back a status to the STA about whether
the ID was recognized or not. What is the consensus of this group? Are we worried about this attack or not? Might need a straw poll in the next teleconference. regards, Dan. -- "the object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." – Marcus Aurelius On 8/31/23, 12:50 PM, "Mark Hamilton" <mark.hamilton2152@xxxxxxxxx> wrote: Graham, I continue to be confused by the idea that “the IRM comes first”. For sake of discussion, let’s stick with the normal association process (not FILS, not PASN). I think those others work the same way in the end, but it is too confusing to try to cover them all in the same logic
flow. I agree, the IRM hits the air first, in the TA of some messages. But, I don’t think that’s important useful. The way it really lays out, as I understand it, is that an associating client device will use some
(local) address for authentication/association messages – this may or may not even be an IRM. The network will know if this is meant to be an IRM only at the Association exchange (from the RSNXE). But, it doesn’t communicate anything to the client device
about what it thinks it knows, until Message 3 of the 4-way. Thus, things really happen only in the 4-way handshake. In Message 2 the non-AP STA sends its Device ID. And, now, in Message 3 the AP can say what it thinks of both the IRM and the Device ID. At this point,
the AP has received both, and should have done the mapping to the stored state objects that it has. That mapping could turn out to be any of: neither match anything, one matches and the other doesn’t, both match to the same state object, or both match but
to two different state objects. Also, at this point, the AP might know who the client device is from a security perspective, depending on the security mode being used. And, the AP might have a connection between the client device’s security
identity and it’s TGbh identity, or it might not. If it does has such a connection, it could tell if either/both/neither of the TGbh identities match the security identity. A bunch of “maybes” in this aspect of the process. Anyway, at the point of sending Message 3, when the AP can really say anything useful back to the client, it has all that information all at once. I don’t see that the IRM, nor the Device ID, are particularly
“first” anymore. The AP says what it thinks the status is, based on all the possible conditions I mentioned above, all in parallel (same time).
My opinion is that if the AP doesn’t recognize either of the identifications, or if the identifications don’t match each other (map to the same state object), or if the AP happens to be able to tell if the security
identity matches the TGbh identity(ies) and those don’t match, then it should say “Not recognized” to everything, and make the non-AP STA start over. I think that’s what you said in the end, but I got confused by your comments along the logical path (like saying IRM comes first, and I wasn’t clear about the handling of all the other matching cases). My takeaway
is that the AP should refuse to accept anything from a non-AP STA that provides “bad” information, where bad is claiming to have a TGbh identity, but that identity either doesn’t match anything on the AP, or the identify has any sort of mismatch with other
information the AP has. Are we saying the same thing? And, did that answer Antonio’s question – which I think is that in response to his question, “The new one will be coupled to the "stored state" the IRM is coupled to?” the answer
is “No, something went wrong, and everything must start over.” In all these cases, either the problem is because either the AP has “timed out” its state information, in which case there is nothing left to re-connect to anyway, or the non-AP STA is broken
or lying (an attacker?) with its information, in which case the AP should refuse to make any connection to prior state. Mark From: G Smith <gsmith@xxxxxxxxxxxxxxxxxxx>
Hi Antonio, The IRM comes first as that is the TA that the STA is using to associate/authenticate. The basic idea is that if, for any reason, the AP has a problem with the recognizing the IRM, i.e., not already stored, then
the AP returns “IRM not recognized”. This is the also the case for a first time association, so the STA sends a new IRM and now the STA is “registered” via the IRM with the AP. Similarly, if the STA sends a device ID, and the AP does not have that already stored, then AP returns “Device ID not recognized”. In this case, there is something wrong but I am proposing that the AP “starts
again” and provides a new device ID and now the STA is “registered” via the device ID with the AP. So now for the “mismatch” condition. The AP will send the IRM status and the device ID status in the same frame, e.g., msg 3 of 4w HS. If, it has a problem with matching the IRMand device ID to the stored information,
then it simply treats both IRM and Device ID as “not recognized”. This gives us a clean way ahead, “if in doubt, start again”. Hope this helps. Graham From: ANTONIO DE LA OLIVA DELGADO <aoliva@xxxxxxxxxx>
Hi Graham, regarding the sending of the new DID in case it is not recognized, but when the IRM is recognized. The new one will be coupled to the "stored state" the IRM is coupled to? So basically, if IRM is recognized, the AP knows the "stored state" of the STA and bounds a new DID to it, is this the intention? Thanks Antonio El mié, 30 ago 2023 a las 23:05, G Smith (<gsmith@xxxxxxxxxxxxxxxxxxx>) escribió:
--
Antonio de la Oliva Associate Professor To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1 To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1 To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1 To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1 To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1 |