Privacy and Authentication for Wireless Local Area Networks

Overview/Main Points

• Goals: seamless integration; mutual authentication; design for future advances in cryptography
• Idea: machines exchange protocols and public keys, then exchange random numbers to use as session key. Thus both private keys must be compromised in order to compute session key.
• Generally, each message contains some stuff, and then the same stuff signed by the sender:

1. First msg (challenge): MH sends to BS (in clear) certificate, nonce, list of all shared-key cryptosystems (SKCS) supported by mobile.
2. Challenge Response: BS sends certificate in clear, chosen SKCS in clear, Z={R1}pub_mobile, and (Z, chosen SKCS, original nonce, original list of SKCS) signed by BS. The signed piece authenticates this message as being a reply to the first.
3. Mobile then chooses random number R2, and sends {R2}pub_base and ({R2}pub_base,{R1}pub_mobile) signed by mobile.
4. New session key is R1 xor R2.

• Requires 4 expensive (private key) operations; 6 if using Diffie-Hellman key exchange
• Key change protocol: exchange pair of authenticated messages. Either side can initiate.
• With multiple CA's: BS needs to include certificate path and current Certificate Revocation List (CRL) in message 2. (What if BS is malicious and delivers less-than-up-to-date CRL to allow illegitimate access?)
• Proof of security using Logic of Authentication, except that fresh() needs to be assumed for certificates modulo CRL's, since fresh() is required to promote "once said" to "now believes".

Relevance

Flaws

• Why not sign message digests instead of whole messages during the protocol?
• Decryptability of data packets in presence of packet losses: can include cumulative byte count in each packet header. End-to-end would of course fix this.