--- This message came from the IEEE 802.11 Task Group M Technical Reflector ---

There was a debate in the TGmf teleconf today about what values were possible in the Key Replay Counter field of EAPOL-Key PDUs sent by the Authenticator. In particular, is the value in message 3 of the 4WH guaranteed to be exactly one more than the value in the last message 1? Or could the Authenticator abandon transmission of a particular M3 MSDU and try again with another M3 with a different (higher) Key Replay Counter? (Clearly that's possible with M1: if the Authenticator abandons an M1 transmission because it doesn't see an M2, and then tries again later, it uses a higher KRC.)

Some parts of the spec might suggest the KRC for M3 does not have to be exactly +1 the one in M1, e.g.:

The Authenticator shall increment the key replay counter on each successive EAPOL-Key PDU.

NOTE 8—In other words, the Supplicant does not update the key replay counter for message 1 in the 4-way handshake, as it includes no MIC. This implies the Supplicant needs to allow for retransmission of message 1 when checking for the key replay counter of message 3.

NOTE 10—The key replay counter does not play any role beyond a performance optimization in the 4-way handshake. In particular, replay protection is provided by selecting a never-before-used nonce value to incorporate into the PTK.

On reception of message 3, the Supplicant shall silently discard the message if the Key Replay Counter field value has already been used or if the ANonce value in message 3 differs from the ANonce value in message 1.

On reception of message 4, the Authenticator verifies that the Key Replay Counter field value is one that it used on this 4-way handshake and is strictly larger than that in any other EAPOL-Key PDU that has the Request bit in the Key Information field set to 0 and that has been received during this session; if it is not, it silently discards the message.

the Key Replay Counter field serves no cryptographic purpose in the 4-way handshake. Its presence is not detrimental, however, and it plays a useful role as a minor performance optimization for processing stale instances of message 2.

So the question is: should the KRC in M3 always be exactly one more than the one in the last M1, or could it be more than one more?

Thanks,

Mark

--
Mark RISON, Standards Architect, WLAN   English/Esperanto/Français
Samsung Cambridge Solution Centre       Tel: +44 1223 434600
1 Cambridge Square, Cambridge CB4 0AE   Fax: +44 1223 434601
ROYAUME UNI                             WWW: http://www.samsung.com/uk
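
A small model of the Supplicant-side checks quoted in the message above, added here as an illustration (it is not part of the original post or of the standard's text): it shows that under the quoted rules a message 3 whose Key Replay Counter is more than one above the last message 1 is accepted, while a hypothetical "exactly +1" Supplicant would discard it. The class and function names, the trace values, and the reading of "already been used" as "not above the last MIC-verified counter" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Supplicant:
    """Toy model of the quoted Supplicant rules; MIC checks are assumed to pass."""
    strict_plus_one: bool = False        # hypothetical policy: M3 KRC must be last M1 KRC + 1
    last_mic_krc: Optional[int] = None   # highest KRC accepted in a MIC-protected frame
    m1_krc: Optional[int] = None         # KRC of the most recent message 1
    anonce: Optional[bytes] = None       # ANonce of the most recent message 1

    def _already_used(self, krc: int) -> bool:
        # Assumption: "already used" means not above the last MIC-verified counter.
        return self.last_mic_krc is not None and krc <= self.last_mic_krc

    def rx_m1(self, krc: int, anonce: bytes) -> bool:
        if self._already_used(krc):
            return False
        # NOTE 8: message 1 carries no MIC, so the stored counter is not updated.
        self.m1_krc, self.anonce = krc, anonce
        return True

    def rx_m3(self, krc: int, anonce: bytes) -> bool:
        if self.anonce is None or self._already_used(krc) or anonce != self.anonce:
            return False                 # silently discard
        if self.strict_plus_one and krc != self.m1_krc + 1:
            return False                 # stricter check that is under debate
        self.last_mic_krc = krc
        return True

def run(trace, strict_plus_one=False):
    """Feed (msg, krc, anonce) tuples to a fresh Supplicant; return accept flags."""
    s = Supplicant(strict_plus_one=strict_plus_one)
    return [getattr(s, "rx_" + msg)(krc, anonce) for msg, krc, anonce in trace]

A1, A2 = b"\x01" * 32, b"\x02" * 32      # constructed ANonce values

# Constructed trace: M1 is retried with a higher KRC; the first M3 (KRC 3) is
# abandoned by the Authenticator and never arrives; M3 is retried with KRC 4.
TRACE = [
    ("m1", 1, A1),   # first message 1
    ("m1", 2, A1),   # retried message 1, higher KRC
    ("m3", 4, A1),   # retried message 3: last M1 KRC + 2
    ("m3", 4, A1),   # same frame seen again: counter already used
    ("m3", 5, A2),   # ANonce differs from message 1
]

if __name__ == "__main__":
    print("quoted rules:", run(TRACE))
    print("exactly +1  :", run(TRACE, strict_plus_one=True))
```
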