Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[STDS-802-16-MOBILE] [handoff] Security requirements in handover (or vice-versa) [resend]



All,

This is a resend (previous mail was not formatted right).

Apropos the handover-levels discussion, here is a list of the levels of
authentication and key-establishment that are necessary on various
kinds of network entry:


Level 1) Full Authentication
          ----------------------------------------------------

        - At this level there is full Authentication and full Traffic
           Encryption Key Establishment

        - This level is necessary in

                   * initial network entry
                   * post-HO reentry to a BS that only supports PKMv1


Level 2)  AK establishment handshake and TEK establishment only
           -----------------------------------------------------

        - At this level, BS and SS conduct PKM-Establish-Key-Req /
           PKM-Establish-Key-Reply/PKM-Establish-Key-Confirm

        - KeyReq/Rsp for TEKs is required

        - Full authentication is omitted/not needed

         - This level is done after handover in the case that the SS and
          BS share a Master Key that they obtained via one of:

               * Preauthentication (ie. direct authentication of MSS
                 to Target BS via backbone before HO)

               * Backbone Transfer of Derived Security Context


Level 3)  Continue using security context,
           -------------------------------

        - no PKM exchanges needed whatsoever

         - This appears to be possible only in the case of
          "inter-sector HO", and even then only in the case
          of "make-before-break"

Reentry after a drop will probably require level 2).

This scheme appears compatible with the HO Adhoc's taxonomy, even if
it's not precisely the same.

Regards,

- Jeff Mandin
Security Adhoc Chair