From: Hong Liu <hong.liu@intel.com>
To: Jouni Malinen <jkm@devicescape.com>, Jiri Benc <jbenc@suse.cz>
Cc: netdev <netdev@vger.kernel.org>
Subject: about 802.11i IBSS support
Date: Wed, 25 Oct 2006 16:54:41 +0800
Message-ID: <1161766481.8668.38.camel@devlinux-hong>
Hi,
I am reading the 802.11i IBSS spec and
trying to find out if it is OK to add patches to d80211 to support this feature.
For 802.11i IBSS to work, each STA assumes two roles: supplicant + authenticator.
Usually in a BSS network, the authenticator is in the AP.
The problem is the distribution of group keys.
The group key is used for one-to-many communication.
In BSS, the one is the AP, so the AP is responsible for the distribution of the group key.
In IBSS, every STA has its own group key, used to broadcast data to other STAs.
When a STA (say S1) joins an IBSS network with N STAs,
it must negotiate keys with all N STAs.
The process for negotiation with one STA is as follows:
1. S1 initiates a 4-way handshake with one STA (say S2),
to derive the pairwise key between them, and then S1 sends its group key to S2,
so that S2 can decrypt S1's broadcast data.
2. S2 initiates the second 4-way handshake with S1; the main purpose of this 4-way handshake
is for S2 to send its group key to S1, although this will also derive a second pairwise key.
3. Because in an IBSS there are two 4-Way Handshakes between
any two STA Supplicants and Authenticators, the pairwise key used between any two STAs
is from the 4-Way Handshake initiated by the STA Authenticator with the higher MAC address.
So any STA in an IBSS network with N STAs must keep 2N-1 keys (N-1 pairwise keys and N group keys).
We need the following parts to make 802.11i IBSS work:
1. For the d80211 part: I don't think there will be much effort.
We may add a group key to each sta_info for decrypting multicast data from that STA.
And in the RX path, we need to add code to select the correct group key for decryption.
We also need to store our own group key, used to send multicast data to others.
It should not be difficult because the infrastructure is all there in the dscape stack.
2. wpa_supplicant: this is the big part; we need to implement the authenticator
in it. Not sure how much effort is needed?
Thanks,
Hong
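
Added example, not part of the original message and not code from d80211 or wpa_supplicant: a sketch of the per-STA key state the message describes, with the higher-MAC pairwise key rule, RX group key selection by transmitter address, and the 2N-1 key count. The struct and function names are hypothetical, and the MAC comparison is assumed to be byte-wise with the first octet most significant.

```c
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define KEY_LEN  16

/* Hypothetical per-peer key state (illustrative; not d80211's sta_info). */
struct ibss_peer {
    uint8_t addr[ETH_ALEN];
    uint8_t ptk_local_auth[KEY_LEN]; /* handshake started by our authenticator */
    uint8_t ptk_peer_auth[KEY_LEN];  /* handshake started by the peer's authenticator */
    uint8_t rx_gtk[KEY_LEN];         /* peer's group key, for its multicast frames */
};

struct ibss_keys {
    uint8_t own_addr[ETH_ALEN];
    uint8_t tx_gtk[KEY_LEN];         /* our own group key, for frames we broadcast */
    struct ibss_peer *peers;
    size_t n_peers;                  /* N - 1 in an IBSS of N STAs */
};

/* Pairwise key in use: the one from the handshake initiated by the
 * authenticator with the higher MAC address (assumed byte-wise compare). */
const uint8_t *ibss_pairwise_key(const struct ibss_keys *k, const struct ibss_peer *p)
{
    return memcmp(k->own_addr, p->addr, ETH_ALEN) > 0 ? p->ptk_local_auth
                                                      : p->ptk_peer_auth;
}

/* RX path: choose the group key by transmitter address; NULL means no key
 * is held for that sender, so its multicast frame cannot be decrypted. */
const uint8_t *ibss_rx_group_key(const struct ibss_keys *k, const uint8_t *ta)
{
    for (size_t i = 0; i < k->n_peers; i++)
        if (memcmp(k->peers[i].addr, ta, ETH_ALEN) == 0)
            return k->peers[i].rx_gtk;
    return NULL;
}

/* Keys held: (N-1) pairwise + (N-1) peer group keys + 1 own group key = 2N-1. */
size_t ibss_key_count(const struct ibss_keys *k) { return 2 * k->n_peers + 1; }

/* Constructed sample (N = 3): we are ..:02, peers are ..:01 and ..:03. */
static struct ibss_peer sample_peers[2] = {
    { {2,0,0,0,0,1}, {0xA1}, {0xB1}, {0xC1} },
    { {2,0,0,0,0,3}, {0xA3}, {0xB3}, {0xC3} },
};
static struct ibss_keys sample = { {2,0,0,0,0,2}, {0xD0}, sample_peers, 2 };

int main(void) { return ibss_key_count(&sample) == 5 ? 0 : 1; }
```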