Overview of Key Holder Security Association Teardown Mechanism

Steve Emeott, Motorola. doc.: IEEE 802.11-07/2376r0. Submission.

Provided by: stevee53
Learn more at: https://mentor.ieee.org

1
Overview of Key Holder Security Association
Teardown Mechanism
  • Date: 2007-09-05

Authors
2
Abstract
  • This submission provides an overview of document
    11-07/2372r0, which proposes a protocol for
    tearing down a mesh key holder security
    association that had been set up between a mesh
    authenticator and a mesh key distributor

3
Outline
  • Overview
  • Mesh Key Holder Security Associations
  • Teardown Mechanism
  • Discussion of questions received

4
Mesh Key Holder Security Association
  • An MP is elevated to a Mesh Authenticator after
    establishing a Mesh Key Holder Security
    Association (MKHSA) with an MKD
  • An MKHSA between an MA and its MKD is identified
    by
      • MPTK-KDShortName
  • The MKHSA state consists of
      • MPTK-KD (session key)
      • Key Replay Counters
  • If an MP moves to a new MKD domain, it should
    attempt to tear down the MKHSA in its old domain
      • Allows the MKD to delete old state

Figure: Mesh Key Holder Security Association Handshake
5
Example of MA behavior when changing MKD domains
[Figure: message sequence diagram. Entities: MKD 1, MA 1, MA3, MKD 2, MA 2. Labels: In MKDD 1; Initial MSA Authentication; Key Holder Security HS; In MKDD 2; Initial MSA Authentication; Key Holder Security HS; Key Holder Security Teardown; Proposed in 07/2372]
  • After the Key Holder Security Teardown, MA3 has a
    secure peer link with both MA1 and MA2, but it
    only has a MKHSA with MKD2.

6
Key Holder Security Teardown protocol details
Either MA or MKD may initiate
  • The MKHSA torn down is identified by
    MPTK-KDShortName
  • The teardown allows the MKD and MA to clean up
    state
  • The Key Holder Security Teardown protocol permits
    the MA to delete a prior session, when joining a
    new MKD domain.
  • The protocol may also be used by an MKD if it
    must stop its services as an MKD to one or more
    MAs.

[Figure: Teardown Request and Teardown Response exchanged between Requester and Responder]
7
Earlier Questions Received
  • Question: What happens if the MA initiates a new
    security session while the MKD is tearing down a
    pre-existing security association? Can this lead
    to livelock, where one side keeps proposing a new
    security association and the other tears it down?
  • Answer: The MKHSA to be torn down is identified
    in the teardown request message by its
    MPTK-KDShortName, which will be different than
    the identifier for the new security session. Of
    course, the MKD is free to accept or decline a
    request for the new session.

8
Earlier Questions Received (cont.)
  • Question: How does it work if the MA and MKD
    both initiate the teardown simultaneously?
  • Answer: The protocol supports timeout and retry
    features to increase the probability of success
      • Any party sending a teardown request starts a
        timer and waits for a response. When the timer
        expires, it may retransmit the request.
      • If a teardown response is not received after the
        teardown retransmission limit is reached, the
        MKHSA is deleted.
      • Any party receiving a teardown request sends out
        a teardown response and starts a timer. The
        identified MKHSA is deleted when the timer
        expires.
      • Any party receiving a duplicate request while
        decrementing the timer should send out a
        duplicate response.
      • When a party receives a valid response after
        sending out a teardown request, it deletes the
        identified MKHSA.
      • Any party receiving a teardown request while
        waiting for a response to its own teardown
        request for the same MKHSA should send a teardown
        response.
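
The timer and retry rules above, sketched as an added Python example (not code from this submission or from 11-07/2372r0), run through the case where both sides initiate at once. The class and method names, the retry limit of 3 and the sample MPTK-KDShortName strings are assumptions; message authentication and real timers are not modeled, and a side that has already deleted the MKHSA is assumed to stay silent.

```python
from enum import Enum

class State(Enum):
    ACTIVE = 1      # MKHSA in use
    REQ_SENT = 2    # sent a Teardown Request, retransmit timer running
    RESP_SENT = 3   # answered a request, deletion timer running
    DELETED = 4     # MKHSA state (MPTK-KD, replay counters) removed

class TeardownEndpoint:
    """One side (MA or MKD) of a single MKHSA, keyed by MPTK-KDShortName."""
    def __init__(self, short_name, retry_limit=3):  # retry_limit: assumed value
        self.name, self.retry_limit = short_name, retry_limit
        self.state, self.retries = State.ACTIVE, 0

    def initiate(self):
        if self.state is not State.ACTIVE:
            return []
        self.state = State.REQ_SENT
        return [("request", self.name)]

    def on_message(self, kind, short_name):
        # A message naming another MKHSA (e.g. a newer session) never touches this one.
        if short_name != self.name or self.state is State.DELETED:
            return []
        if kind == "request":  # first, duplicate, or crossing our own request: answer
            if self.state is State.ACTIVE:
                self.state = State.RESP_SENT
            return [("response", self.name)]
        if kind == "response" and self.state is State.REQ_SENT:
            self.state = State.DELETED
        return []

    def on_timer(self):
        if self.state is State.REQ_SENT and self.retries < self.retry_limit:
            self.retries += 1
            return [("request", self.name)]   # timer expired: retransmit
        if self.state in (State.REQ_SENT, State.RESP_SENT):
            self.state = State.DELETED        # limit reached, or responder timer expired
        return []

def simultaneous_teardown(name="kd-short-name-A"):  # constructed identifier
    ma, mkd = TeardownEndpoint(name), TeardownEndpoint(name)
    to_mkd, to_ma = ma.initiate(), mkd.initiate()   # requests cross in flight
    resp_to_ma = [r for m in to_mkd for r in mkd.on_message(*m)]
    resp_to_mkd = [r for m in to_ma for r in ma.on_message(*m)]
    for m in resp_to_ma:
        ma.on_message(*m)
    for m in resp_to_mkd:
        mkd.on_message(*m)
    return ma.state, mkd.state
```

Both endpoints end in `DELETED` after one crossed exchange, and a request carrying a different MPTK-KDShortName leaves the endpoint untouched, which is the point of the livelock answer on the previous slide.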