Although wireless technology nowadays provides satisfactory bandwidth and higher speeds, it still lacks improvements with regard to handoff performance. Several studies have shown that the IEEE 802.11 scanning phase introduces most of the latency in pre-802.11i deployments. However, when IEEE 802.11i is used, link-layer authentication based on the Extensible Authentication Protocol (EAP) can also introduce substantial delays.

There exist four main alternatives for reducing authentication delays during handoffs in IEEE 802.11 networks.

IEEE 802.1X pre-authentication

The IEEE 802.11i standard specifies how wireless stations can perform pre-authentication over the distribution system while still connected to their current access point. The idea is that if the station can perform authentication in advance, fewer exchanges will be needed during the handoff, which reduces the handoff latency.

To initiate a pre-authentication, the station issues an IEEE 802.1X EAPOL-Start message destined to the target access point. This message is forwarded by the current access point to the target access point based on routing information embedded in the message. The target access point processes the EAPOL-Start message and initiates an IEEE 802.1X/EAP authentication. The result of a successful IEEE 802.1X/EAP pre-authentication is a security association shared between the station and the access point. When the station eventually decides to associate with the target access point, the pre-established security association is used and the full EAP exchange is avoided.

Pairwise Master Key (PMK) caching

PMK caching is a basic handoff optimization technique that all IEEE 802.11i compliant wireless devices already support. Wireless stations and access points can store security credentials derived from a full EAP authentication. The stored security association can then be used later on if the wireless station comes back to the same location.

Opportunistic PMK pre-caching

The opportunistic PMK pre-caching technique works as follows: when a wireless station enters an access network, it uses IEEE 802.11i/EAP and establishes a fresh security association with the first access point it encounters. The controller of the local access network retrieves the security association from the first access point and forwards it to the other access points in the access network. When the station moves to another access point, the pre-distributed security association is used to perform mutual authentication between the station and the access point without the need for a full EAP exchange.

Fast BSS transitions: IEEE 802.11r

When an IEEE 802.11r compliant station enters an access network, it first performs authentication using EAP with the access network's controller. The resulting keying material is used by the station and the controller to derive a key called PMK-R0. PMK-R0 is then used to derive per-access-point keys, named PMK-R1. The controller finally sends the PMK-R1 keys to their corresponding access points. The controller that holds the PMK-R0 key is called the 'R0 Key Holder' (R0KH), while the access points to which PMK-R1 keys are delivered are called 'R1 Key Holders' (R1KH). After this initial key distribution phase, the wireless station is able to perform mutual authentication with any access point in the access network without the need for a full EAP exchange.

Be sure to check the latest information on wireless security and performance that will help you get more in depth in these topics.
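The PMK-R0/PMK-R1 hierarchy described in the IEEE 802.11r section, as an added Python example that is not code from the original text or from any 802.11r implementation: the R0KH derives one PMK-R0 and a separate PMK-R1 for each R1KH, and the station, holding the same inputs, derives the identical PMK-R1 on its own, which is why no EAP exchange is needed at the next access point. The KDF is the counter-mode HMAC-SHA-256 construction IEEE 802.11 uses, but the context fields, the sample identifiers and the master key are simplified assumptions constructed for this example, so the outputs are not test-vector compatible with a real FT exchange.

```python
import hashlib
import hmac


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """Counter-mode HMAC-SHA-256 KDF: concatenate
    HMAC(key, i || label || context || length) for i = 1.. and truncate."""
    blocks = []
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = (i.to_bytes(2, "little") + label + context
               + length_bits.to_bytes(2, "little"))
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[: length_bits // 8]


def derive_pmk_r0(master_key: bytes, ssid: bytes, r0kh_id: bytes, sta_mac: bytes) -> bytes:
    """PMK-R0: one key per (station, access network), held by the R0KH and the station.
    The context fields here are a simplified assumption, not the standard's full list."""
    context = (len(ssid).to_bytes(1, "big") + ssid
               + len(r0kh_id).to_bytes(1, "big") + r0kh_id + sta_mac)
    return kdf_sha256(master_key, b"FT-R0", context, 256)


def derive_pmk_r1(pmk_r0: bytes, r1kh_id: bytes, sta_mac: bytes) -> bytes:
    """PMK-R1: a per-access-point key; the R1KH identity is bound into the derivation,
    so one AP's PMK-R1 reveals nothing about PMK-R0 or another AP's PMK-R1."""
    return kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + sta_mac, 256)


def ft_key_hierarchy(master_key, ssid, r0kh_id, sta_mac, r1kh_ids):
    """Derive PMK-R0 and the PMK-R1 for every access point listed in r1kh_ids."""
    pmk_r0 = derive_pmk_r0(master_key, ssid, r0kh_id, sta_mac)
    return pmk_r0, {r1kh: derive_pmk_r1(pmk_r0, r1kh, sta_mac) for r1kh in r1kh_ids}


# Constructed sample values for this example; not taken from any real deployment.
MASTER_KEY = hashlib.sha256(b"constructed EAP keying material").digest()
SSID, R0KH_ID = b"corp-wlan", b"controller-1"
STA_MAC = bytes.fromhex("02aabbccddee")
AP_IDS = [bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")]


def run_demo():
    # Controller (R0KH) side: derives the hierarchy once and ships each PMK-R1 to its AP.
    pmk_r0, controller_view = ft_key_hierarchy(MASTER_KEY, SSID, R0KH_ID, STA_MAC, AP_IDS)
    # Station side: same inputs, so it can derive the PMK-R1 for any AP without EAP.
    _, station_view = ft_key_hierarchy(MASTER_KEY, SSID, R0KH_ID, STA_MAC, AP_IDS)
    return pmk_r0, controller_view, station_view
```

Compare this with opportunistic PMK pre-caching, where the same security association is forwarded to every access point: there, each access point holds the key that is valid everywhere, whereas here each R1KH holds only a key that is bound to its own identity.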