
Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2



I can't speak for JunHuk's reasons, but my own are:
 
1) Protecting PKM-EAP exchanges
2) Protecting from high impact spoofed management messages (like disassociate)
 
DJ
 
-----Original Message-----
From: owner-stds-802-16-mobile@LISTSERV.IEEE.ORG [mailto:owner-stds-802-16-mobile@LISTSERV.IEEE.ORG] On Behalf Of Yigal Leiba
Sent: Tuesday, June 01, 2004 1:59 PM
To: STDS-802-16-MOBILE@LISTSERV.IEEE.ORG
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2

Dear JH SONG,
 
Could you please explain the rationale behind encrypting MAC messages, and specifically which MAC messages will be encrypted and what delay you expect such encryption to introduce.
 
Thanks,
Yigal
-----Original Message-----
From: owner-stds-802-16-mobile@LISTSERV.IEEE.ORG [mailto:owner-stds-802-16-mobile@LISTSERV.IEEE.ORG] On Behalf Of JUNHYUK SONG
Sent: Tuesday, June 01, 2004 8:53 AM
To: STDS-802-16-MOBILE@LISTSERV.IEEE.ORG
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2

Jeff,

 

Here are my minimum requirements for PKMv2.

0. Reuse PKM structure as much as we can

1. Extended 256-bit key hierarchy for enhanced key derivation
    1.1 Shall provide enough key material to support MAC message protection key and group key generation, and future expansion
    1.2 Shall be able to support EAP inner method key derivation function if the AAA key was generated by the inner method

2. Define top level Security Association that manages security info of MAC messages in either awake or idle state

3. Mutual authentication is an EAP method specific requirement and may not be captured in 802.16e, unless we want to extend existing PKI based authentication

4. Secure MAC management messages support (Note: here MAC management messages include PKM EAP encapsulation messages)
    4.1 Crypto synchronized integrity check support against replay attack
    4.2 Confidentiality support for identity and session info protection

5. Fix and complete EAP encapsulation message defined in current baseline to encapsulate EAP messages as defined in RFC 2284bis ID.

6. Hardware friendly AES authentication mode, authenticated encryption mode, and encryption mode support

7. Pre-authentication/fast reauthentication support based on below criteria
    7.1 Shall minimize HO reconnection time
    7.2 Shall not degrade security defined in SA

8. Shall be able to support MBS and other multimedia service
    8.1 Shall support macro diversity in neighborhood cells
    8.2 Shall be able to support crypto binding between PKM based link layer encryption key and MBS and other application service encryption key from third party service provider

9. May support optional flexible encryption location

Thanks,

JH SONG



HanaFOS.com
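Editor's note (not part of the thread): the two points the thread turns on, a key hierarchy that yields a separate MAC management protection key (item 1) and a crypto-synchronized integrity check that defeats replayed or spoofed management messages such as a disassociate (item 4.1 and DJ's reply), are easiest to see in code. The example below is written for this page; it is not 802.16e text, nor code from any of the posters. It assumes an HMAC-SHA256 based KDF and tag in place of the AES authentication mode the requirements ask for, and the key labels, frame layout (4-byte packet number, body, 16-byte tag) and sample messages are all invented for illustration.

```python
"""Illustrative MAC management message protection (added example, not 802.16e).

Assumptions (not from the standard): HMAC-SHA256 stands in for an AES
authentication mode; the KDF, key labels and frame layout are invented.
"""
import hmac
import hashlib
import struct

TAG_LEN = 16      # truncated tag length, chosen for the example
PN_LEN = 4        # packet-number field, big-endian unsigned


def derive_key(root_key: bytes, label: bytes, length: int = 32) -> bytes:
    """Counter-mode KDF on HMAC-SHA256: one 256-bit root key -> per-purpose keys."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(root_key, struct.pack(">I", counter) + label,
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_hierarchy(root_key: bytes) -> dict:
    """Hypothetical key hierarchy: distinct keys for management integrity,
    management confidentiality and group traffic, all from one root."""
    return {
        "mgmt_integrity": derive_key(root_key, b"mgmt-integrity"),
        "mgmt_confidentiality": derive_key(root_key, b"mgmt-confidentiality"),
        "group": derive_key(root_key, b"group"),
    }


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    # The packet number is covered by the tag, so it cannot be edited.
    return hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    """Attaches a strictly increasing packet number and a keyed tag."""

    def __init__(self, integrity_key: bytes):
        self.key = integrity_key
        self.pn = 0

    def protect(self, body: bytes) -> bytes:
        self.pn += 1
        header = struct.pack(">I", self.pn)
        return header + body + _tag(self.key, header, body)


class Receiver:
    """Verifies the tag first, then enforces a monotonic packet number.

    The tag is checked before the counter so that unauthenticated frames
    can never move receiver state; a replayed or reordered frame carries a
    packet number <= the last accepted one and is rejected.
    """

    def __init__(self, integrity_key: bytes):
        self.key = integrity_key
        self.last_pn = 0

    def verify(self, frame: bytes) -> bytes:
        if len(frame) < PN_LEN + TAG_LEN:
            raise ValueError("short frame")
        header, body, tag = frame[:PN_LEN], frame[PN_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, header, body)):
            raise ValueError("integrity check failed (spoofed or modified)")
        (pn,) = struct.unpack(">I", header)
        if pn <= self.last_pn:
            raise ValueError("replay or out-of-order packet number %d" % pn)
        self.last_pn = pn
        return body


def demo() -> dict:
    """Constructed scenario: a spoofed and a replayed disassociate are rejected."""
    keys = derive_hierarchy(bytes(range(32)))          # constructed root key
    bs, ms = Sender(keys["mgmt_integrity"]), Receiver(keys["mgmt_integrity"])
    genuine = bs.protect(b"DISASSOCIATE")
    results = {"genuine": ms.verify(genuine) == b"DISASSOCIATE"}
    for name, frame in (("replay", genuine),
                        ("spoof", b"\x00\x00\x00\x09DISASSOCIATE" + bytes(TAG_LEN))):
        try:
            ms.verify(frame)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Design note: the receiver state (`last_pn`) only advances after the tag verifies, which is what makes the counter "crypto synchronized"; a counter that is checked without a tag, or a tag that does not cover the counter, leaves the disassociate spoof that DJ mentions wide open.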