Link Setup Flow, July 2011

Presentation transcript:

Slide 1: Link Setup Flow
doc.: IEEE 802.11-11/xxxxr0, July 2011
Date: 2011-05-10
Authors:
  Robert Moskowitz, Verizon, 15210 Sutherland, Oak Park, MI 48237, USA, +1-248-928-6233, rgm@labs.htt-consult.com
  Konstantinos Georgantas, HIIT

Slide 2: Abstract
This document presents an approach for accelerating the security setup for FILS. It will also provide facilities for supporting acceleration of IP addressing.

Slide 3: Agenda
- Problem statement
- Solution overview
- Conclusions

Slide 4: Problem Statement
- The majority of the packets needed for link setup are security related. Are there alternatives?
- Security is only provided for 'known' (authenticatable) clients. Can we increase security deployment by supporting a 'TLS' anonymous client model? A number of use cases fit this model.
- Setup time MAY be further extended if the Authentication Server is separate from the AP. Can we authenticate the AP without an AS?

Slide 5: (diagram of the message exchanges in the current link setup)
- Probe (1 round trip): 1/16 = 6.25%
- Authentication (1 round trip) and Association (1 round trip): 2/16 = 12.5%
- EAPOL-Start (0.5 round trip), EAP-Identity (1 round trip), establishing the TLS tunnel for PEAP (3 round trips), PEAP EAP-MSCHAPv2 (4 round trips), EAP-Success / EAPOL-Success (0.5 round trip): 11/16 = 68.75%
- EAPOL-Key (2 round trips): 2/16 = 12.5%
Most of the message exchanges are consumed for Authentication and Association.

Slide 6: Solution Overview: Providing a 'TLS' anonymous client model
- AP does not know 'who' the client is, but knows that it is always communicating with a given client
- AP does not authenticate the client; relies on the client to protect from MITM attack
- No AS needed by the AP
- Client validates the AP via X.509 or raw Public Key 'white list'; no AS needed by the client
- AP and client are the only parties in a Key Management Protocol

Slide 7: Solution Overview: Providing an authenticated client model
- AP does need to know 'who' the client is
- Client presents credentials to the AP: X.509 cert validated by the AP or via OCSP
- No AS needed by the AP (well, maybe OCSP)
- Limited choices that are 'fast'
- Client validates the AP via X.509 or raw Public Key 'white list'; no AS needed by the client
- May be hard to provide a 'fast' solution, or 'not so fast'

Slide 8: Solution Overview
- Use AUTHENTICATE frames to support Key Management
- Use a well-architected 2-party KMP between the AP and client
  - Must have security integrity proofs
  - Provide AP authentication to the client, e.g. with an X.509 cert
  - Provide nonce exchange and generate both a PMK and PTK, and transmit the GTK; no 4-Way-Handshake needed
- HIP or IKEv2

Slide 9: Protocol Sequence to Establish a Connection to the Internet by using Authentication and Association frames
(diagram) STA <-> AP: Probe; Authentication carrying HIP or IKEv2 (4 packets); [Auth server] with optional AS access

Slide 10: Solution Overview: HIP or IKEv2
- Cryptographic and liveness proofs of Identities
- Supports anonymous Identities: ephemeral 'raw' Public Key
- Authenticated delivery of X.509 certs, uni- or bi-directional
- Support for additional client authentication: EAP, SAE, other
- Full nonce exchange for generation of PMK and PTK
- Secure transport of GTK
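To make the two-round-trip, two-party KMP of slides 6, 8 and 10 concrete, the following is an added example; it is not part of the submission and is not HIP or IKEv2, only a minimal four-message exchange with the same properties: the client stays anonymous behind an ephemeral raw public key, the AP proves its identity with a signature over both nonces and both ephemeral keys, the client validates the AP's raw key against a white list with no AS involved, both sides derive a PMK and PTK-style subkeys from the nonce exchange, the client confirms the key, and the AP delivers the GTK under a wrapping key instead of a 4-Way Handshake. It assumes X25519 for the ephemeral keys, Ed25519 for the AP's static key, AES-GCM for wrapping the GTK and an HMAC-SHA256 key derivation chosen for the example (not the 802.11 PRF); the white list, nonces and GTK are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keys: PMK from the DH secret and both nonces; KCK confirms the key, KEK wraps the GTK, TK protects data.
type Keys struct{ PMK, KCK, KEK, TK []byte }

// Result holds both sides' outcome so the caller can compare them.
type Result struct{ ClientKeys, APKeys Keys; ClientGTK, APGTK []byte }

// Whitelist is the client's raw-public-key 'white list' of trusted APs (hex-encoded Ed25519 keys).
type Whitelist map[string]bool

func NewWhitelist(p ed25519.PublicKey) Whitelist { return Whitelist{hex.EncodeToString(p): true} }

// must panics on setup errors (key generation, cipher construction) that cannot occur in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// kdf is a demo construction, not 802.11's PRF: PMK = HMAC-SHA256(Nc||Na, DH secret),
// and each subkey = HMAC-SHA256(PMK, label) truncated to 128 bits.
func kdf(dh, nc, na []byte) Keys {
	pmk := mac(bytes.Join([][]byte{nc, na}, nil), dh)
	return Keys{PMK: pmk, KCK: mac(pmk, []byte("KCK"))[:16], KEK: mac(pmk, []byte("KEK"))[:16], TK: mac(pmk, []byte("TK"))[:16]}
}

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Exchange runs the four-message KMP (two round trips) between an anonymous client and
// an AP holding apSigner. Both roles run in one process so every message and check is visible.
func Exchange(apSigner ed25519.PrivateKey, wl Whitelist) (*Result, error) {
	curve := ecdh.X25519()
	// Msg 1 (STA -> AP): client nonce and ephemeral raw public key; nothing identifies the client.
	cPriv, nc := must(curve.GenerateKey(rand.Reader)), randBytes(32)
	// Msg 2 (AP -> STA): AP nonce, AP ephemeral key, AP static key and a signature over all
	// four values; the signature is the AP's identity and liveness proof to the client.
	aPriv, na := must(curve.GenerateKey(rand.Reader)), randBytes(32)
	transcript := bytes.Join([][]byte{nc, cPriv.PublicKey().Bytes(), na, aPriv.PublicKey().Bytes()}, nil)
	apPub := apSigner.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(apSigner, transcript)
	// STA processing of Msg 2: the raw key must be on the white list, then the signature must verify.
	if !wl[hex.EncodeToString(apPub)] {
		return nil, errors.New("AP raw public key not on client white list")
	}
	if !ed25519.Verify(apPub, transcript, sig) {
		return nil, errors.New("AP signature does not verify")
	}
	ck := kdf(must(cPriv.ECDH(aPriv.PublicKey())), nc, na)
	ak := kdf(must(aPriv.ECDH(cPriv.PublicKey())), nc, na)
	// Msg 3 (STA -> AP): key confirmation under KCK. The AP learns only that this
	// client holds the same PMK, not who the client is.
	confirm := mac(ck.KCK, append([]byte("confirm"), transcript...))
	if !hmac.Equal(confirm, mac(ak.KCK, append([]byte("confirm"), transcript...))) {
		return nil, errors.New("client key confirmation failed")
	}
	// Msg 4 (AP -> STA): GTK wrapped with AES-GCM under KEK, transcript as AAD; no 4-Way Handshake needed.
	gtk, iv := randBytes(16), randBytes(12) // constructed group key and GCM nonce
	wrapped := gcmFor(ak.KEK).Seal(nil, iv, gtk, transcript)
	recv, err := gcmFor(ck.KEK).Open(nil, iv, wrapped, transcript)
	if err != nil {
		return nil, fmt.Errorf("GTK unwrap failed: %w", err)
	}
	return &Result{ClientKeys: ck, APKeys: ak, ClientGTK: recv, APGTK: gtk}, nil
}

func main() {
	apPub, apPriv, _ := ed25519.GenerateKey(nil)
	r := must(Exchange(apPriv, NewWhitelist(apPub)))
	fmt.Println("PTK agreed:", bytes.Equal(r.ClientKeys.TK, r.APKeys.TK), "GTK delivered:", bytes.Equal(r.ClientGTK, r.APGTK))
	_, rogue, _ := ed25519.GenerateKey(nil) // an AP whose raw key the client has not white-listed
	_, err := Exchange(rogue, NewWhitelist(apPub))
	fmt.Println("unknown AP rejected:", err)
}
```

The point of the white-list check before the signature check is the MITM argument of slide 6: the AP never authenticates the client, so the client's validation of the AP's raw key is the only thing preventing an on-path party from substituting its own ephemeral key and signing key. Message 3 adds the liveness proof in the other direction, and binding the whole transcript into the signature, the confirmation MAC and the GTK's AAD is what ties the key hierarchy to this particular exchange.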

Slide 11: Conclusions
- Current KMP designs can replace the 12 round trip current method with 2 round trips
- TLS anonymous model has no backend cost
- Significant reduction in cryptographic operations
Thank you!