Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Presentation transcript:

Slide 1: TGs Authenticated Encryption Function
doc.: IEEE 802.11-09/770r0, Submission, July 2009
Date: 2009-07
Authors: Russ Housley (Vigil Security), et al.

Slide 2: Abstract
This submission proposes:
  – Replacing the required use of AES-SIV in P802.11s draft with AES-CCM

Slide 3: Current situation
• P802.11s D3.0, Mar 2009, Section 11.B GTK Distribution: “… The deterministic authenticated encryption mode of AES-SIV, defined in IETF RFC 5297, shall be used to protect the GTK field using the AKEK derived from the chosen PMK…”
• Requirement to use AES-SIV for 802.11s GTK protection has been in draft since D2.02, Sep 2008
• AES-CCM is the mandatory authenticated encryption algorithm for Robust Security Network compliance throughout the existing 802.11 universe

Slide 4: Why consider AES-CCM for 11s?
• Con
  – Late in the game: AES-SIV is already in D3.0 (ref given above)
  – AES-SIV is more “misuse resistant” than AES-CCM
• Pro
  – AES-CCM is the established Authenticated-Encryption standard for WPA2 and Robust Security Network applications
  – CCM is the NIST approved block cipher mode for authenticated encryption, NIST SP800-38C
  – 11s is a component of the much larger 802.11 universe, as such it should re-use established methods wherever possible

Slide 5: Primary reason for (re)consideration
• Yes, it is late in the game.
  – AES-SIV is in the document that has gone through initial voting/approval
  – The core engine of AES-SIV is the approved and well known AES
  – AES-SIV has received significant academic scrutiny
• But, was this feature carefully considered by all concerned
  – Cost of implementing a new variation: learning and properly building
  – H/W & S/W cost of supporting an additional cipher – still must support 11i
  – Risks of implementing a non-NIST approved algorithm
• 802.11s is a part of the larger 802.11 universe
  – Is it the place to introduce a new cipher mode when one is already in place and widely implemented?
  – Would it be better to expend a bit more effort now in carefully weighing the consequences rather than being unpleasantly surprised later?

Slide 6: SIV – CCM Comparison
• Differences are minor
  – Both use CMAC mode of AES to compute MAC
  – Both use AES in counter (CTR) mode to encrypt data
• Nonce vs. “Synthetic Initialization Vector” (SIV)
  – CTR mode requires a 128-bit initialization vector (IV)
  – CCM uses a random nonce for IV, SIV uses the MAC for IV
    • 802.11i uses the packet number for the nonce in CCM
    • Constraint on nonce is that it not be reused for a given encryption key
• At bit level, packaging and padding, differences are more evident – the devil resides in the details

Slide 7: So, what’s the big deal?
• Precisely because the CCM – SIV differences are not significant, it begs the question, “Why change at all from the widely implemented and established method?”
  – SIV appears to offer better nonce misuse protections in general
    • But, for 802.11s application being considered here this is easily solved
  – The bit level differences will entail significant effort in designing, coding, implementing and testing
    • Is this effort worth the gain?
    • Where else within 802.11 can the SIV block of code (or piece of hardware) be applied to amortize the expense of building?

Slide 8: Whither AES-SIV
• AES-SIV is a sound algorithm with some good features
• It should be given serious consideration for use in new protocols and technologies or for major security service upgrades
• But neither AES-SIV, nor any other new authenticated or encryption mode, should be introduced for confidentiality and integrity of a single sub-element

Slide 9: Conclusion
• A proven, approved, already designed, built and widely employed solution exists to solve the secure GTK transport problem in 802.11s
• The secure GTK transport problem is too minor an application to warrant developing a new solution
• Requiring a new solution for a single sub-element within 802.11s should be carefully considered
  – To determine if the advantage gained justifies the expense of implementation
  – To determine if a single application within 802.11s is the place to introduce new security mode

Slide 10: Summary
• The purpose of 802.11s is to develop acceptable standards for wireless mesh networking within the 802.11 framework
• 802.11s is not the place to introduce new security algorithms if accepted and adequate security algorithms already exist in 802.11
  – New algorithms impose added implementation cost
  – Additional algorithms impose added maintenance/support cost
  – Algorithms that are not yet approved by NIST or other security standards bodies have additional risk
  – 802.11s should not be burdened with these costs and risk

Slide 11: Recommendation
• Recommend that P802.11s D3.0, Mar 2009, Section 11.B GTK Distribution: “… The deterministic authenticated encryption mode of AES-SIV, defined in IETF RFC 5297, shall be used to protect the GTK field using the AKEK derived from the chosen PMK…” be amended* to replace “AES-SIV defined in IETF RFC 5297” with “AES-CCM defined in IETF RFC 3610”

*This change will have a modest ripple effect of changes elsewhere in the draft where this requirement is referenced and applied

Slide 12: Comments?

Slide 13: Acronyms
AKEK – Abbreviated Handshake Key Encryption Key
AAD – Additional Authenticated Data
PMK – Pairwise Master Key
GTK – Group Temporal Key
SIV – Synthetic Initialization Vector
CCM – Counter with Cipher Block Chaining-MAC
MAC – Message Authentication Code
RSN – Robust Security Network