802.11r is the IEEE standard for fast roaming which is being aggresively implemented by WLAN vendors in their products. The standard is quite involved, however, we have implemented and tested it extensively, and to help others, the presentation is a snapshot of our learning of the standard.

1. 802.11r [Fast BSS Transition]

2. Outline
 802.11r & its purpose
 Types of 802.11r
 802.11r Capability Detection
 Basic 4-way Handshake
 FT 4-way Handshake
 FT Key Hierarchy
 Over the Air
 Over the Distributed System

3. 802.11r [Fast BSS Transition]
 IEEE 802.11r specifies Fast Basic Service Set [BSS] Transitions [FT] between access
points by redefining the security key negotiation protocol, allowing both the
negotiation and requests for wireless resources to occur in parallel.
 802.11r is a mechanism to reduce the time of ASSOCIATION between client and
AP, when client roams between different APs of a same Extended Service
Set[ESS].
 Purpose
 Traffic types such as VOIP, VoWiFi should not be delayed or dropped by
devices. Hence, such applications require FT mechanism implemented when
client roams from AP to AP in a same Extended Service Set [ESS]

4. Types of 802.11r
 FT Mechanisms supported by Wi-Fi devices can be of two types:
 Over The Air
 Over The Distributed System [DS]
 Over The Air
 The client communicates directly with the target AP using IEEE 802.11 FT-
Authentication and FT-(Re)Association frames to complete
Authentication between client and target AP and to generate required keys
for encryption of unicast and multicast traffic.
 Over The DS
 The client communicates with the target AP through the current AP. The
communication between the client and the target AP is carried in FT
action frames between the client and the current AP and is then sent
through the Central Management Entity [CME] or Controller.

5. IE’s Introduced By 802.11r
 Following Information Elements [IE] are introduced by 802.11r
 Mobility Domain
 Fast BSS Transition
 Mobility Domain IE
 This IE is used in detecting support of 802.11r by an AP.
 Mobility Domain Identifier: This is the string or value
which helps the Client to understand if it can roam
between APs of same ESS using 802.11r mechanism.
 Fast BSS Transition over DS: If this value is set, it indicates
that over the DS mechanism is supported else Over the
Air mechanism is supported.
 Fast BSS Transition IE.
 This IE includes information needed to perform the FT
authentication sequence during a fast BSS transition in an
RSN.
 This IE is present in FT-Authentication, FT-
(Re)Association frames transmitted by devices that
support 802.11r.
 This IE is present in EAPOL frames that are involved in 4-
way handshake with the Current AP [First AP that a
Client connects in an ESS.
 This IE provides information related to parameters as
below:
‐ R0-KH ID / R0-KH Name
‐ R1-KH ID / R1-KH Name
‐ PMK-R0 / PMK-R1

6. Detection of 802.11r
 RSN and MD are the IE that user need to look if an AP supports
802.11r
 RSN IE
 This IE is used in detecting support of 802.11r by an AP.
 Authentication Key Management [AKM] does advertise
type of key management with FT Support.
 This information carries PMKR1-Name in 4-way
handshake EAPOL frames to derive PTK & GTK.
 AP
 It advertises 802.11r capability in Management frames such
as Beacon, Probe Response and (Re)Association Response
frames.
 Client
 It advertises its 802.11r capability in Management frames
such as (Re)Association Request frames.

7. Basic 4-Way Handshake
 4-way handshake is used by security protocols such as
WPA/WAP2/802.1x. Purpose of WPA [TKIP], WPA2
[TKIP/CCMP], 802.1x is to generate dynamic unique encryption
keys for each clients connected to an AP.
 Two different keys are generated using 4-way handshake
 Pairwise Transient Key [PTK]
 Group Temporal Key [GTK]
 Pairwise Transient Key
 A value that is derived from Pairwise Master Key [PMK],
Authenticator Address [AA], Supplicant Address [SA],
Authenticator Nonce [ANonce], Supplicant Nonce
[Snonce] using the pseudo-random function [PRF].
 This key is used by AP and Clients to encrypt unicast
frames that are transmitted between AP and a Client.
 Group Temporal Key
 A random vale derived by AP and shared with all the clients
connected to a Basic Service Set Identifier [BSSID]
 As per the standard, it is mandatory that GTK value should
be updated whenever a Client is moved away/disconnected
from a BSSID.
 This key is used by AP and Clients to encrypt
broadcast/multicast frames that are transmitted between
AP and a Client.

8. Basic 4-Way Handshake

9. FT 4-Way Handshake
 FT 4-way handshake
 It takes place between Initial AP and a Client in a ESS.
 This mechanism is not much different from pre-802.11r
devices. Some additional information is carried in the
EAPOL frames.
 Additional information that is carried in the EAPOL
frames is as follows:
‐ Mobility Domain IE
‐ Fast BSS Transition IE
‐ PMK-R1
 Above additional information with basic 4-way handshake
information is used in determining PTK and GTK.

10. FT 4-Way Handshake

11. FT Key Hierarchy
 As you can see in the diagram, FT Key hierarchy consists of three
levels.
 R0KH Key Holder
‐ PMK-R0 – the first-level key of the FT key hierarchy.
This key is derived as a function of the master session
key (MSK) or PSK. It is stored by the PMK-R0 key
holders, R0KH and S0KH.
 R1KH Key Holder
‐ PMK-R1 – the second-level key of the FT key
hierarchy, This key is mutually derived by the S0KH
and R0KH.
 S0KH/S1KH Key Holder
‐ PTK – the third-level key of the FT key hierarchy that
defines the IEEE 802.11 and IEEE 802.1X protection
keys. The PTK is mutually derived by the PMK-R1 key
holders, R1KH and S1KH.

12. FT Key Hierarchy
 Below is the short description of how keys are generated:
 R0-Key-Data = KDF-384 (XXKey, "R0 Key Derivation", SSIDlength || SSID
|| MDID || R0KH-ID || 0x00 || SPA)
 PMK-R0 = L(R0-Key-Data, 0, 256)
 PMK-R0 key shall be computed as the first 256 bits (bits 0-255) of the R0-
Key-Data. The latter 128 bits of R0-Key-Data shall be used as the PMK-
R0Name-Salt to generate the PMKR0Name.
 PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)
 PMKR0Name = Truncate-128(SHA-256("R0 Key Name" || SSIDlength ||
SSID || MDID || R0KH-ID || 0x00 || SPA || PMK-R0Name-Salt))
 PMKR1Name = Truncate-128(SHA-256(“R1 Key Name” || PMKR0Name ||
R1KH-ID || 0x00 || SPA))

13. FT - Over The Air
 This mechanisms allows the Client or Station[STA] to connect to
Target AP using FT-Authentication and FT-(Re)Association
frames.
 As per 802.11r, PTK and GTK keys are generated for a client using
FT-Authentication and FT-(Re)Association frames by depleting 4-
way handshake mechanism.

14. FT - Over The Air

15. FT - Over The Air

16. FT – Over the DS
 This mechanisms allows the Client or Station[STA] to connect to
Target AP using FT-Action and FT-(Re)Association frames.
 As per 802.11r, PTK and GTK keys are generated for a client using
FT-Action and FT-(Re)Association frames by depleting 4-way
handshake mechanism.
 FT-Action frames do not communicate directly with Target AP
but via Current AP through some central entity such as
Controller.
 The dotted lines in the state diagram indicates that the Client
communicates through Current AP to get authenticated with
Target AP. In real time deployments, it happens through a central
entity such as Controllers.

17. FT – Over the DS