Mutual Authentication

Presentation transcript:

Slide 1: Mutual Authentication. Date: 2011-08-28. Authors: John Doe, Some Company. (Template header: "Month Year doc.: IEEE 802.11-yy/xxxxr0".)

August 2011, doc.: IEEE 802.11-11/1145r2
Abstract: This document provides a statement from the IEEE 802.11 Working Group on the topic of mutual authentication.

What is "Mutual Authentication"?
- A process in which each side is assured of the other side's identity.
- Each side possesses a credential (a uniquely identifying piece of information plus an identity) that is trusted, or can be trusted, by the other.
- It does not require that each side use the same credential as the other.
- Authentication is accomplished by verifying that the side claiming some identity possesses the unique information for that identity.
- It thwarts man-in-the-middle attacks.
- Typical (but not required) properties of mutual authentication protocols: non-repudiation and key generation.

RSN Networks
- The common view of an RSN network involves three parties: a client, an AP, and an AAA server that speaks EAP.
- The client authenticates to the network via the AAA server using an EAP method.
- The AAA server sends the resulting PMK to the AP; the AP does the 4-way handshake (4wayHS).
- The AP protects bulk data using CCMP.
- The properties of EAP and the 4wayHS ensure mutual authentication.
[Figure: Client <-- 802.1X / EAP --> AP <-- RADIUS/Diameter --> AAA. EAP runs between client and AAA; PMK disclosure from AAA to AP; 4wayHS between client and AP yields the PTK; CCMP bulk data protection between client and AP. AP and AAA together form "the network".]

RSN Networks: A Different Deployment
- The client authenticates to the network via the AP using an EAP method.
- The AP does the 4wayHS.
- The AP protects bulk data using CCMP.
- The properties of EAP and the 4wayHS ensure mutual authentication.
[Figure: Client <-- 802.1X / EAP --> AP. EAP yields the PMK at both sides; 4wayHS yields the PTK; CCMP bulk data protection. The AP alone is "the network".]

Different Deployments Represent Network Optimization
- Deployment of RSN scales better when using a stand-alone EAP server:
  - network credentials are in one place instead of many;
  - expanding coverage and adding users is simpler;
  - the AAA server represents a multi-homed network.
- The RSN protocol remains the same regardless of deployment.
- The client is completely unaware of the network deployment.
- Both deployments provide "mutual authentication".
- The threat model for network access is unchanged.

WAPI = WAI + WPI
The players:
- The ASUE is a client device; it performs ECDH and ECDSA.
- The AE is an access point; it performs ECDH and ECDSA.
- The ASE is a clearing house for the ASUE's and AE's certificates.
The ASUE and AE do authenticated Diffie-Hellman (WAI), using the ASE for certificate validation, followed by the Unicast Key Exchange (UKE). The ASUE and AE then do WPI for bulk data protection using the USK.
[Figure: Client/ASUE <-- WAI (DH + DSA + UKE) --> AP/AE <-- certificate validation (WAI) --> ASE. USK at ASUE and AE; WPI bulk data protection between ASUE and AE.]

A "Split MAC" Architecture for WAPI
The "real time" aspects of the MAC remain in each AP; the "non real time" aspects of all APs are aggregated into a single controller. For WAPI, that means moving WAI to the controller and leaving WPI in the AP.
[Figure: Client/ASUE <-- WAI (DH + DSA + UKE) --> Controller/AE <-- certificate validation (WAI) --> ASE. WPI in the AP; USK passed from AE to AP; WPI bulk data protection between ASUE and AP.]

"Split MAC" WAPI: How does it work?
The controller/AE and the ASUE have certificates; the AP does not.
1. The AP passes all traffic with ethertype 0x88b4 to the controller/AE; all other ASUE traffic is blocked.
2. The controller/AE performs ECDH and ECDSA and talks to the ASE.
3. The controller/AE authenticates the ASUE and derives the BK.
4. The controller/AE performs the UKE and derives the USK.
5. The controller sends the USK to the AP.
6. The AP unblocks the ASUE traffic filter.
7. The AP performs WPI using the USK.
An alternate form involves splitting the WAI functionality, leaving part of it in the AP:
- The controller/AE sends the BK to the AP.
- The AP performs the Unicast Key Exchange and derives the USK.
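The flow on this slide, as an added Python model (not code from the slides or from any WAPI implementation): a thin AP that forwards only ethertype 0x88b4 to the controller/AE and blocks everything else until the AE has run WAI and UKE and handed it a USK. The key derivations are stand-ins built from constructed values; the point is which party ends up holding which key.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

WAI_ETHERTYPE = 0x88B4  # the only ethertype the thin AP forwards pre-authentication

@dataclass
class Frame:
    src: str        # client (ASUE) address; sample values are constructed
    ethertype: int
    payload: bytes

@dataclass
class ThinAP:
    """Holds no certificate and never sees the BK; only USKs installed by the AE."""
    usk: dict = field(default_factory=dict)   # client -> USK

    def ingress(self, frame: Frame) -> str:
        if frame.ethertype == WAI_ETHERTYPE:
            return "to_controller"              # WAI traffic goes to the controller/AE
        if frame.src not in self.usk:
            return "blocked"                    # traffic filter still closed
        tag = hmac.new(self.usk[frame.src], frame.payload, hashlib.sha256)
        return "wpi:" + tag.hexdigest()[:16]    # stand-in for WPI protection

@dataclass
class ControllerAE:
    """Holds the AE certificate; runs WAI (ECDH + ECDSA) and UKE, then pushes the USK."""
    bk: dict = field(default_factory=dict)    # client -> BK; never leaves the AE

    def wai(self, client: str) -> bytes:
        # Stand-in for the certificate-validated ECDH: the BK comes from a
        # constructed shared secret so the model is deterministic.
        self.bk[client] = hashlib.sha256(b"constructed-dh-secret:" + client.encode()).digest()
        return self.bk[client]

    def uke(self, client: str) -> bytes:
        # Unicast Key Exchange: USK derived from BK (HMAC used as a placeholder KDF)
        return hmac.new(self.bk[client], b"USK", hashlib.sha256).digest()

def split_mac_flow(client: str):
    """Run the slide's steps; return (AP, AE) so the key holdings can be inspected."""
    ap, ae = ThinAP(), ControllerAE()
    assert ap.ingress(Frame(client, 0x0800, b"ip")) == "blocked"             # step 1
    assert ap.ingress(Frame(client, WAI_ETHERTYPE, b"wai")) == "to_controller"
    ae.wai(client)                    # steps 2-3: authenticate ASUE, derive BK
    ap.usk[client] = ae.uke(client)   # steps 4-6: UKE, USK sent to AP, filter opens
    return ap, ae
```

After the flow the AP holds the client's USK but has no BK attribute at all, which is the asymmetry the following slides argue about.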

A "Split MAC" Architecture
- A "split MAC" deployment scales better:
  - fewer devices to provision;
  - APs do not contain long-term secrets for network access;
  - increasing coverage is as easy as adding new "thin" APs.
- 100% WAPI compliant! The WAPI protocol is not changed.
- The ASUE does not know that there is a "split MAC" architecture.
- Authentication is still between the ASUE and the AE, but:
  - the AP does not derive the BK and is not a party to the WAI exchange;
  - the USK (or BK) needs to be transferred from the AE/controller to the AP.
- What about "mutual authentication"?

"Mutual Authentication"? Two Views
View 1: A "split MAC" architecture is merely a deployment optimization. The location in which the components of the MAC layer protocol are spoken changes, but the MAC layer protocol does not change. WAPI still performs "mutual authentication".
View 2: Or does it? WAPI is insecure because the AP is not authenticated. WAPI lacks "mutual authentication": the secret key (USK/BK) is disclosed to the AP by the AE!

The Conclusion
This logic leads us to conclude that:
- either both WAPI and RSN provide "mutual authentication"; or
- neither WAPI nor RSN provides "mutual authentication".

References
11-11-0703-06-000s-p802-11s-sponsor-ballot-4th-recirc-comments.xls