
Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2
Hi Yigal,

The basic security requirement for MAC Management messages, such as Regi, De-Regi, and Location Update, is Crypto Synchronized Message Authentication that prevents Replay Attack and message forgery.
Message Encryption will add additional processing overhead, and should be used in selective MAC messages such as the PKM EAP encapsulation message. The rationale behind encrypting the PKM EAP message is the same as for PEAP and other TLS based EAP tunnelling protocols that depend on a certificate or shared key. The major difference is that, in this way, PKMv2 is able to provide link layer security not depending on the EAP method.

Regards,
JH SONG
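
As an added illustration of the crypto-synchronized message authentication described above (example code, not from the original post or the 802.16e draft): a monotonically increasing counter is bound into the MAC, so a re-sent management message fails the freshness check while a modified one fails the integrity check. HMAC-SHA256 stands in for an AES authentication mode, and the key, tag length and message names are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed sample key; in PKMv2 it would come from the key hierarchy, not a constant.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8  # truncated tag length, an assumption for the example

def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: prepend the crypto-sync counter and append a MAC over counter||payload."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Receiver side: rejects forged and replayed management messages."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far; senders start at 1

    def verify(self, msg: bytes):
        """Returns (payload, 'ok') on success, otherwise (None, reason)."""
        if len(msg) < 4 + TAG_LEN:
            return None, "truncated"
        header, payload, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Check the MAC first so unauthenticated data can never move the counter.
        if not hmac.compare_digest(tag, expected):
            return None, "forged"
        counter = struct.unpack(">I", header)[0]
        # The counter must strictly increase: a captured, re-sent message is rejected.
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return payload, "ok"

def demo() -> list:
    """Runs a short exchange and returns the receiver's verdict for each message."""
    rx = Receiver(KEY)
    reg = protect(KEY, 1, b"REG-REQ")      # constructed sample messages
    dereg = protect(KEY, 2, b"DREG-REQ")
    tampered = dereg[:4] + b"XREG-REQ" + dereg[-TAG_LEN:]  # payload altered, old tag kept
    late = protect(KEY, 3, b"LOC-UPD")
    return [rx.verify(m)[1] for m in (reg, reg, dereg, tampered, late, dereg)]

if __name__ == "__main__":
    print(demo())  # ['ok', 'replay', 'ok', 'forged', 'ok', 'replay']
```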
----- Original Message -----
Sent: Wednesday, June 02, 2004 5:58 AM
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2

Dear JH SONG,
 
Could you please explain the rationale behind encrypting MAC messages, and specifically which MAC messages will be encrypted and what delay you expect such encryption to introduce.
 
Thanks,
Yigal
-----Original Message-----
From: owner-stds-802-16-mobile@LISTSERV.IEEE.ORG [mailto:owner-stds-802-16-mobile@LISTSERV.IEEE.ORG]On Behalf Of JUNHYUK SONG
Sent: Tuesday, June 01, 2004 8:53 AM
To: STDS-802-16-MOBILE@LISTSERV.IEEE.ORG
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and requirements for PKMv2

Jeff,

Here are my minimum requirements for PKMv2.

0. Reuse PKM structure as much as we can

1. Extended 256-bit Key Hierarchy for enhanced key derivation
    1.1 Shall provide enough key material to support MAC message protection key and Group Key generation, and future expansion
    1.2 Shall be able to support EAP inner method Key derivation function if the AAA key was generated by the inner method

2. Define top level Security Association that manages security info of MAC messages in either awake or idle state

3. Mutual authentication is an EAP method specific requirement and may not be captured in 802.16e, unless we want to extend existing PKI based authentication

4. Secure MAC management message support (Note: here MAC Management messages include PKM EAP encapsulation messages)
    4.1 Crypto Synchronized Integrity check support against Replay Attack
    4.2 Confidentiality support for Identity and session info protection

5. Fix and complete the EAP encapsulation message defined in the current baseline to encapsulate EAP messages as defined in RFC 2284bis ID.

6. Hardware Friendly AES Authentication mode, Authenticated encryption mode, and Encryption mode support

7. Pre-authentication/Fast Reauthentication support based on the criteria below
    7.1 Shall minimize HO reconnection time
    7.2 Shall not degrade Security defined in SA

8. Shall be able to support MBS and other multimedia services
    8.1 Shall support Macro diversity in neighborhood cells
    8.2 Shall be able to support crypto binding between the PKM based link layer Encryption Key and the MBS and other application service encryption key from a third party service provider

9. May support optional flexible Encryption location

Thanks,

JH SONG
