Potential L2 security options for UL BCS

Presentation transcript:

Potential L2 security options for UL BCS
doc.: IEEE 802.11-yy/xxxxr0
July 2018
Date: 2018-07-02
Authors: Bahar Sadeghi, Intel; John Doe, Some Company

Abstract
A full security threat analysis is in scope of TG. Depending on the result of the threat analysis, the TG may make the following conclusions:
- No L2 security needed
- L2 data encryption needed (Confidentiality)
- Verification of sender/destination address needed (Integrity)
The following slides outline possible solutions.
Note: the goal of this presentation is solely to provide potential solutions to facilitate the PAR and CSD development. The solution will be developed in TG.
Note: replay attacks addressed in previous contribution

UL Options
[Figure: Server, Router, AP, STA; labels: Data, Server Address]
Assumption: E2E security (confidentiality and/or integrity) is in place. However, there may be DoS attacks; the severity and level of risk of DoS attacks need to be understood. Depending on that, one of these options may be considered:
- Option 1: Server address & STA identity signed by CA
- Option 2: L2 authentication
- Option 3: L2 encryption
- Option 4: Option 1 + Option 3

Option 1: Server address is signed by CA
[Figure: Server, Router, AP, STA; labels: Data, Server Address, Digital signature]
- STA is pre-installed with the Server address & CA certificate
- With each packet transmission, STA includes the Server address signed by the CA
- AP verifies the STA identity/server address using the certificate before forwarding the data
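The AP-side check described in Option 1, as an added example that is not part of the original presentation: the CA signs the STA identity together with the server address, and the AP forwards only if that signature verifies and the frame's destination matches the signed address. Ed25519, the token layout, the function names and the sample addresses are assumptions; the slides do not name an algorithm or encoding.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Token is provisioned on the STA: identity and server address signed by the CA (assumed layout).
type Token struct {
	STAID, ServerAddr string
	Sig               []byte
}

// signedBytes length-prefixes each field so ("ab","c") and ("a","bc") encode differently.
func signedBytes(staID, serverAddr string) (out []byte) {
	for _, f := range []string{staID, serverAddr} {
		out = append(append(out, byte(len(f)>>8), byte(len(f))), f...)
	}
	return out
}

// DemoCA derives a CA key pair from a constructed all-zero seed (demo value only).
func DemoCA() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue is the CA step: sign the STA identity together with the server address.
func Issue(ca ed25519.PrivateKey, staID, serverAddr string) Token {
	return Token{staID, serverAddr, ed25519.Sign(ca, signedBytes(staID, serverAddr))}
}

// APForward is the AP step: verify the CA signature on the token, then check that
// dstAddr (the destination carried in the frame) is the address the CA signed.
func APForward(caPub ed25519.PublicKey, tok Token, dstAddr string) (bool, string) {
	msg := signedBytes(tok.STAID, tok.ServerAddr)
	if len(caPub) != ed25519.PublicKeySize || !ed25519.Verify(caPub, msg, tok.Sig) {
		return false, "drop: CA signature invalid"
	}
	if dstAddr != tok.ServerAddr {
		return false, "drop: destination differs from signed server address"
	}
	return true, "forward"
}

func main() {
	pub, priv := DemoCA()
	fmt.Println(APForward(pub, Issue(priv, "sta-01", "192.0.2.10"), "192.0.2.10"))
}
```

The CA signature in this sketch covers only the STA identity and server address, not the payload; protecting the data itself is what Options 2 to 4 add.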

Option 2: L2 authentication
[Figure: Server, Router, AP, STA; labels: Data, Server Address, Private Key, Public Key]
- STA is pre-installed with the Server address
- STA generates public/private key and signs the data (and server address)
- With each packet transmission, STA includes the public key
- AP verifies the STA using the public key before forwarding the packet.
Note: mechanisms for verification of the public key by AP required
Note: both STA & AP may use a shared secret key

Option 3: L2 encryption
[Figure: Server, Router, AP, STA; labels: Data, Data encrypted, Server Address, Private Key, Public Key]
- STA is pre-installed with the Server address & a public key
- AP is pre-installed with a private key
- STA encrypts data (and server address) using the public key
- AP verifies the payload (and address) using the private key before forwarding the packet.
Note: both STA & AP may use a shared key
Note: If key update is needed STA may receive updated public key distributed by AP

Option 4: Server address signed by CA and L2 encryption
[Figure: Server, Router, AP, STA; labels: Data, Server Address, encrypted, Digital signature, Private Key, Public Key]
- AP is pre-installed with the CA certificate
- STA is pre-installed with the Server address & CA certificate
- STA & AP use a shared key or a pre-installed private/public key pair.
- Data transmissions are signed by private key
- AP uses shared/private key to decrypt the packet and verifies the STA identity, and the destination address using the certificate

Summary
One possible solution has been shown for different security requirements that may emerge from the security threat analysis to be conducted by TG.
By use of digital signature by CA, the AP can:
- Verify the identity of the STA
- Verify the destination (IP) address of the data is not corrupted
- Decide based on the signature / identity of the STA, whether to forward the packet
- Decide based on the server (IP) address if the packet should be forwarded