Oct 2021 doc.: IEEE 802.11-21/1585r10 TG bh Identifiable Random MAC
24 Slides90.77 KB
Oct 2021 doc.: IEEE 802.11-21/1585r10 TG bh Identifiable Random MAC Address Date: 2021-10 Authors: Name Company Address Phone email Olivia Fernandez SRT Group Sunrise , FL [email protected] Graham Smith SRT Group Sunrise , FL [email protected] Submission Slide 1 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Intro This is a presentation on “Identifiable Random MAC Address”, IRMA Rev 1, Presented initial idea to TGbh 10/12/2021 Rev 2, Added “No IRMK found” to cover case when the AP has deleted the “old” IRMKs. AP can ask for new IRMK (STA sends new or same) Added “Private” to IRM element to allow IRM STA to use a private MAC address (eliminate need to set I/G bit) Rev 3 Added “IRMK Check” – – Used to down-select stored IRMKs in AP Used to confirm back to STA that correct IRMK has been found Rev 4 - Discussed Change to stop any possible brute force attack Rev 5 - Delete Provide IRMK ? (can’t see a good use case for it) Rev 6 - Worked on Advantages. Corrected ANQP-element Rev 7 - Added IRMK Check Request and Response. Rev 8 – Added slides on security Rev 9 – Added IRMK Check numbers and performance Rev 10 – Edits, counter to “spoof”, delete Criteria slide. Submission Slide 2 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 MAC Addresses MAC Address 48-bit Two Types: Fixed – Assigned MAC. Random – Two types, Non-identifiable - random, STA does not want to be known in any way Identifiable – random, but STA wishes to be identified/remembered by particular APs (networks) Submission Slide 3 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 802.11 Definitions Identifiable Random MAC (IRM) : a scheme where a non-AP STA uses identifiable random medium access control (MAC) addresses (IRMA) to prevent third parties from tracking the non-AP STA while still allowing trusted parties to identify the non-AP STA. Identifiable Random MAC Address (IRMA) – a random MAC address used by a STA using IRM Identifiable Random MAC Key (IRMK) – a Key used to resolve an IRMA Submission Slide 4 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Identifiable Random MAC Address - IRMA Purpose – Prevent third-parties from tracking the STA while still allowing trusted parties to recognize the STA. Identifiable – Uses a key shared with trusted AP/network – IRMK – – – – STA generates IRMK , or Option is that AP could provide an IRMK to a STA, STA generates an “IRM Hash” using IRMK and IRMA IRMA is the TA MAC address IRM Hash is sent in IRM element (in Association Request) STA can use same IRMK or may change it for every connection Changing TA address – TA MAC Address (IRMA) changes every use. – Does NOT use same MAC address for each ESS Submission Slide 5 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRM Address (IRMA) Two basic random MAC address types: – – Random private (changes randomly, non-identifiable)) Random identifiable IRMA MAC Address is 48 bits – Least significant bit of first octet (“I/G bit”) – Second-least-significant bit of the first octet (“U/L bit”) 0 unicast, 1 multicast 0 globally unique, 1 locally administered Random MAC is described in Clause 12.2.10 (D0.0) “The STA shall construct the randomized MAC address from the locally administered address space” Note: Also compatible with SLAP if the 4 bits are required. – IRMA looks like any other randomized MAC address, IF IRM element includes the IRM Hash, then the address is an IRMA, i.e., “identifiable” IF IRM element indicates “Private”, the IRM Hash is NOT sent and the address is a private randomized MAC, i.e., NOT an IRMA. Submission Slide 6 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 CAPABILITY BIT An IRM Capability field is used in the STA and AP The AP looks for the IRM Capability AND the IRM Hash in IRM element AP can use the IRM Capability bit to indicate to STAs that there may be a reason to be identified, i.e., “I provide a service” Bit ANA Submission Information IRM Capability Notes The STA sets IRM Capability subfield to 1 to indicate support for IRM and sets to 0 if IRM Capability is not supported. Slide 7 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRMK and Hash function IRMK (Identifiable Random MAC Key) 1. STA generates the IRMK – Could be constant; could vary for each SSID; could be preset. – Option for AP to provide a key to the STA 2. STA shares IRMK with AP when first associated 3. STA provides IRM Hash in “IRM element” 4. The IRMK is used to resolve the identity of the STA – verifies that the hash included in the IRM element matches the output of the local hash computation – IRM hash function (IRMK, IRMA) Since the AP has the IRMK stored locally and has access to the IRMA included as the MAC address and the IRM Hash in the association packet, it can perform this computation and verify the IRMK NOTE: Scheme is based on known proven technology – “key derivation functions”. A typical usage is take a secret, such as a password or a shared key (IRMK), and a random number (known as a ‘salt’) (IRMA) to produce a key (IRM Hash). Used in many applications. Submission Slide 8 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRM Hash Proposed to use SHA-256 truncated to 128 bits*, i.e.: IRM Hash SHA-256/128 (IRMK, IRMA) Where SHA-256/128 is the truncated SHA-256 where the leftmost 128 bits of the 256-bit hash generated by SHA-256 are selected as the truncated 128 bit IRM Hash A 3rd party chance of discovering the IRMK? – – Chance that AP finds wrong key or more than one key? – – Pre-image resistance 1 in 2 128 Hash collision 1 in 2 64 Two STAs pick same key , 1 in 264 – AP can ask for “New IRMK Request” Note: AP can ask for new key if IRMK not found or duplicate, for example * Could use other hash functions. Want to select a function already known and used. Submission Slide 9 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Basic Steps for IRM 1. STA indicates IRM support in Capability Field 2. STA generates 48 bit IRMA 1. Generates a random 46 bit number 2. Appends I/G 0, U/L 1 (Compatible with 12.2.10) 3. STA calculates IRM Hash value and includes it in the IRM element 1. Element included in (re)association frame 2. Element may be included pre-association ANQP frames 4. STA can also indicate other information for the AP, e.g.: 1. First time association “Unknown” 2. Been here before (you should have my key) “Known” 3. Been here before but want to change key “Change” 5. When first associated, “Unknown” STA provides IRMK to AP 1. Action frame Request and Response exchange(s) 2. AP can suggest new key (e.g. Duplicate, not random) 6. AP uses IRMA and stored IRMKs to calculate hash and identify the STA IRMK. It’s important to note that the IRMK is not used to reveal the STA’s MAC or “identity” address but rather for verification purposes only, i.e., the hash matches Submission Slide 10 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRM element STA can use “private” address IRM element sent in Association Request AP then knows if STA IRMK already known (stored) or not Element ID Octets: 1 Length 1 Element ID Extension 1 IRM Indicator IRM Hash (Not present if IRM Indicator set to 0) 1 (16) Figure – 9-yyy – IRM element format Table 9–zzz – IRM indicator IRM Indicator field value 0 Field name Notes Private 1 Unknown 2 Known 3 Change A non-AP STA sets the IRM Indicator field value to 0 to indicate that the non-AP STA is using a private random MAC address, i.e., is not using an IRMA A non-AP STA sets the IRM Indicator field value to 1 to indicate that the non-AP STA has not previously provided an IRMK to the AP A non-AP STA sets the IRM Indicator field value to 2 to indicate that the non-AP STA has previously provided an IRMK to the AP A non-AP STA sets the the IRM Indicator field value to 3 to indicate that the non-AP STA has previously provided an IRMK to the AP but will change the IRMK once associated 3-255 Reserved Submission Slide 11 IRMK Check (Optional) (2) IRMK Offset Check Octets: 1 1 Figure – 9-jjj – IRMK Check field format See next slide Change – Eliminates all chances of a brute-force attack. Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRMK Check field IRMK Offset Check Octets: 1 1 Figure – 9-jjj – IRMK Check field format IRMK Offset takes a value N, from 0 to 112 (Note: IRMK is 128 bits) The Check field contains the 8 bits representing the EX-OR of the 8 bits of the IRMK, b N to bN 7 with the following 8 bits (bN 8 to bN 15) i.e. For n 0 to 7 Bits in Check field are bn EX-OR (bN n, bN n 8) where bN is Nth bit in IRMK As an example, IRKM Offset 72 Check field b0 is EX OR of bits 72 and 80, and b7 is EX-OR of bits 79 and 87 Acts as a “Hint” to the AP so AP can quickly find a stored IRMK. See slide 18 Note that STA can change the IRMK at any point Submission Slide 12 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Action Frames to get IRMK Table 9-bbb – IRM Action field Action field value 0 1 2 3 4 5 6-255 Meaning IRMK Request IRMK Response IRMK Confirm New IRMK Request IRMK Check Request IRMK Check Response Reserved STA sends “Unknown” AP sends IRMK Request, STA sends IRMK Response with IRMK STA sends “Known” or “Change” AP sends IRMK Confirm optionally with “IRMK check” AP can request New IRMK (with reasons) STA can change IRMK whenever it wants (prevents any possible brute-force attack AP can request “IRMK Check” (If many IRMKs stored for example). Submission Slide 13 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRMK Confirm To provide extra security, AP confirms IRMK and STA can check it without having to declare the full IRMK Category Octets: IRM Action IRMK Check 1 1 2 Figure – 9-eee – IRMK Confirm Action field format The IRMK Confirm Action frame is transmitted from an AP to a non-AP STA to confirm that an IRMK has been recognized IRMK Offset Check Octets: 1 1 Figure – 9-jjj – IRMK Check field format The Check field allows the STA to check that it is the right IRMK without having to send 128 bits. Submission Slide 14 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRMK Check Request/Response If AP has many IRMKs and STA did not include the IRMK Check field in IRM element, then AP can request it. Also, AP can send Check Request, to confirm that the STA is who it says it is. NOTE: STA MUST respond with different IRMK Offset than that used in IRM element used in Association. – – Possibly make this mandatory every association so as to prevent any “spoofing” of the MAC address and Hash? Is this spoof a real problem? Spoof would have to have Password to the network for this to be of use. Then why pretend to be someone else? If AP asks for IRMK Check, then spoof is exposed. Notes: We could consider STA always includes Check in IRM element IF STA recognizes AP as a “busy AP” then STA should include IRMK Check. AP could always challenge STA to provide the Check (different Offset) Submission Slide 15 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 AP requests new IRMK AP can request a new IRMK (provides reason) Table 9-ddd – IRMK Reason field values IRMK Reason field value 0 1 2 3 4 5-255 Meaning No reason provided Non-AP STA requested change No IRMK found Duplicate Key exists Key not random Reserved REASON AP might delete stored IRMKs Old Capacity If STA associates as “Known” and IRMK not found, then AP can request a new IRMA Submission Slide 16 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Pre-Association STA can send IRM ANQP-element AP can use the IRM Hash and the IRMA (TA) to find the IRMK (Can only be used if AP already has the IRMK) Info ID Octets: Submission 1 Length IRM Hash IRM Check (optional) 1 16 Figure – 9-xyz – IRM ANQP-element format Slide 17 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Computational complexity lessened by IRMK Check The “IRMK Check” field allows the AP to down-select list – STA indicates 8 EX-OR’d bits of IRMK from a ‘random’ start – AP can quickly sort through list to reduce number of possible IRMKs – Only reduces security from 128 bits to 120 bits. Hence, 3rd party must perform average of 2119 (6.4 x 1035) hash calculations to find the IRMK. (if 1 hash per microsecond, then 6 x 1020 years) (note: Has to do this for every STA that associates to find if same IRMK, and if STA changes IRMK then impossible) Down-Select at AP with IRMK Check – 216 combinations for 16 bits, 28 combinations for 8 bit EXOR – Down Select is 216/28 256 i.e. 1000 IRMKs down selected to 4. – 1000 IRMKs in store, AP, on average, needs to check 2 to find correct IRMK IRM Check field also used by AP to Confirm IRMK back to STA. – This provides double security that the AP is who it says it is, i.e. the same AP that was originally used to share the Key. Submission Slide 18 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRM is very Secure Every time STA associates, the address IRMA AND IRM Hash values change. Third party would need to brute strength all keys, IRMK (128 bits, or 120 bits if using IRMK Check, to find the IRMK. BUT, next time STA associates, third party must do it all again, find the IRMK then check if seen before. IF STA changes IRMK (once associated) then IMPOSSIBLE to know the STA. Submission Slide 19 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 STA details IRM enables the AP to identify the STA, – i.e. STA “123” AP can exchange frames or higher layer APP can then associate STA 123 with some other specific details/IDs – Membership ID , customer ID, guest ID, family member, employee ID, etc. Submission Slide 20 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Advantages A different Random MAC can be used even when returning to same ESS – more privacy! – – An IRM STA can still choose to use “private” random MAC – – STA can provide old or new However, “IRMK Check” allows AP to keep a large store. 1/256 reduction in list STA can be identified pre-association – – Changed when associated. No way 3rd party can know. Hence even if brute force to find IRMK, if changed, impossible to know if same STA reassociates AP still knows that it is STA X even though IRMK has changed AP can restrict its stored list if necessary and request a new IRMK if “No IRMK found” – – If no IRM Hash field, then private MAC address in use. STA can change IRMK at any time – Even though STA indicates “Known”, No way a 3rd party can know if same STA (unlike “same MAC address for same AP”) MAC address and IRM Hash field values change every time. The last associated IRMK stays constant at the AP. AP can check stored IRMKs as soon as Association Request received OR wait for association STA can send IRMK-ANQP element No reference to any ‘real’ address or real ID Spoof attack can be easily countered Very flexible, easy to add Action frames Provides an ID that solves many Use Case problems created by RCM Submission Slide 21 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 IRM Text Document 21/1673 is the working document for the accompanying text Submission Slide 22 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 QUESTIONS? Submission Slide 23 Graham Smith, SR Technologies
Oct 2021 doc.: IEEE 802.11-21/1585r10 Straw Poll Do you agree that an Identifiable Random MAC scheme, along the lines as described in this document , should be further worked on for possible inclusion in the TGbh Amendment? Submission Slide 24 Graham Smith, SR Technologies