Opportunistic Pairwise Master Key (PMK) Caching
Opportunistic PMK Caching (OPC) is a technique that, even though not standardized, is supported by many wireless network vendors. OPC is used in access networks where access points are grouped into what are called mobility zones (also referred to as the 'Split-MAC architecture'). A mobility zone is composed of a set of access points connected to a central switch or controller. The controller has access to the PMKSAs of all access points attached to it. The objective of Opportunistic Pairwise Master Key (PMK) Caching is to reduce handoff latency by pre-establishing security associations between the station and all access points in a mobility zone.
Details
The opportunistic PMK pre-caching technique works as follows: when a wireless station enters a mobility zone, it creates a new PMKSA (PMKSA_0) with the first access point after performing a full EAP authentication (see the "The Pairwise Master Key Security Association" article for more information on the PMKSA). The controller of the mobility zone retrieves PMKSA_0 from the first access point and forwards it to the other access points in the mobility zone. Each access point receiving PMKSA_0 from the controller uses it to derive a new PMKSA (PMKSA_i). These PMKSA_i are derived as follows. The PMKSA's PMK is the same as that of the original PMKSA_0 received from the controller. The PMKSA's PMKID (PMKID_i) is built as follows:
PMKID_i = HMAC-SHA1-128(PMKID_0, "PMK Name" | MAC_AP_i | MAC_STA) (1)
When the station moves to a new access point, it computes PMKID_i as specified in Eq. (1) and includes it in the (Re)Association Request message. If the access point is part of the same mobility zone, it will find a PMKSA that matches the PMKID_i presented by the station and use PMK_0 for the four-way handshake.
This way, a mobile station roaming between access points in the same mobility zone does not need to perform a full EAP authentication each time it associates with a new access point. The same PMK is used to create the PMKSAs in all access points that are part of the same mobility zone.
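The following added example (not part of the original article or of any vendor's implementation) simulates the PMKSA propagation and roaming lookup described above. The PMKID of the initial PMKSA_0 is computed the way IEEE 802.11i defines it (HMAC-SHA1-128 keyed with the PMK), and PMKID_i is computed exactly as Eq. (1) on this page states it; the station and access point MAC addresses and the PMK are constructed sample values.

```python
import hmac
import hashlib

PMK_NAME = b"PMK Name"

def pmkid(key: bytes, aa: bytes, spa: bytes) -> bytes:
    """HMAC-SHA1-128: first 128 bits of HMAC-SHA1 over "PMK Name" | AA | SPA."""
    return hmac.new(key, PMK_NAME + aa + spa, hashlib.sha1).digest()[:16]

class AccessPoint:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmksa_cache = {}  # PMKID -> PMK, one entry per PMKSA this AP holds

    def full_eap_authentication(self, sta: bytes, pmk: bytes) -> bytes:
        """First association: PMKSA_0, PMKID keyed with the PMK (802.11i)."""
        pmkid_0 = pmkid(pmk, self.mac, sta)
        self.pmksa_cache[pmkid_0] = pmk
        return pmkid_0

    def receive_pmksa_from_controller(self, pmkid_0: bytes, pmk: bytes, sta: bytes):
        """PMKSA_i: same PMK, PMKID_i per Eq. (1) (keyed with PMKID_0)."""
        self.pmksa_cache[pmkid(pmkid_0, self.mac, sta)] = pmk

    def reassociation_request(self, presented_pmkid: bytes):
        """Cache hit -> PMK for the 4-way handshake; miss -> None (full EAP)."""
        return self.pmksa_cache.get(presented_pmkid)

class MobilityZone:
    """Controller role: forwards PMKSA_0 from the first AP to every other AP."""
    def __init__(self, aps):
        self.aps = list(aps)

    def propagate(self, first_ap: AccessPoint, pmkid_0: bytes, sta: bytes):
        pmk = first_ap.pmksa_cache[pmkid_0]
        for ap in self.aps:
            if ap is not first_ap:
                ap.receive_pmksa_from_controller(pmkid_0, pmk, sta)

def station_roams(sta: bytes, pmkid_0: bytes, target: AccessPoint):
    """Station side: derive PMKID_i for the target AP (Eq. 1) and present it."""
    return target.reassociation_request(pmkid(pmkid_0, target.mac, sta))

# Constructed sample values (not real keys or MAC addresses).
STA = bytes.fromhex("020000000001")
PMK = bytes(range(32))
ZONE_A = MobilityZone([AccessPoint(bytes.fromhex("02000000aa%02x" % i)) for i in range(3)])
ZONE_B = MobilityZone([AccessPoint(bytes.fromhex("02000000bb00"))])

def run_scenario():
    ap0 = ZONE_A.aps[0]
    pmkid_0 = ap0.full_eap_authentication(STA, PMK)
    ZONE_A.propagate(ap0, pmkid_0, STA)
    same_zone = station_roams(STA, pmkid_0, ZONE_A.aps[2])   # hit: PMK_0 reused
    other_zone = station_roams(STA, pmkid_0, ZONE_B.aps[0])  # miss: full EAP needed
    return same_zone, other_zone
```

After `run_scenario()`, every access point in ZONE_A holds the same PMK in its cache, which is the single-PMK-per-zone property that the shortcomings section below refers to.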
Shortcomings of OPC
Opportunistic Key Caching techniques in general involve processing at the MAC layer that is not specified by the IEEE 802.11 working group. Implementing this fast handoff scheme requires changing all access points in the wireless access network. In small or medium-sized networks, such changes may be acceptable. However, in large wireless access networks, such upgrades would be very expensive.
Another noticeable shortcoming of the opportunistic PMK pre-caching scheme is that it does not enable fast handoffs between mobility zones. When a station moves to a new mobility zone, a full EAP authentication must take place. This reduces the efficiency of opportunistic PMK pre-caching, since its adoption does not completely eliminate lengthy handoffs.
From a security point of view, the opportunistic PMK pre-caching scheme does not prevent the domino effect that results if an access point is compromised. Indeed, since the same PMK is used by all the access points in the same zone to authenticate a roaming station, if one of the access points is compromised, all communications in the mobility zone are compromised. This goes against the best practices and recommendations of the IETF [rfc4962].