Doc.: IEEE 802.11-11/1066r2 Submission, July 2011. Robert Moskowitz, Verizon. Link Setup Flow. Date: 2011-05-10.

Presentation transcript:

Slide 1: Link Setup Flow
doc.: IEEE 802.11-11/1066r2 Submission, July 2011, Robert Moskowitz, Verizon
Date: 2011-05-10
Authors:
  – Robert Moskowitz, Verizon, Sutherland, Oak Park, MI 48237, USA
  – Tero Kivinen, AuthenTec, Eerikinkatu 28, FI-00180, Helsinki, Finland

Slide 2: Abstract
This document presents an approach for accelerating the security setup for FILS. It will also provide facilities for supporting acceleration of IP addressing.

Slide 3: Agenda
  – Problem statement
  – Solution overview
  – Conclusions

Slide 4: Problem Statement
The majority of the packets needed for link setup are security related.
  – Are there alternatives?
Security is only provided for 'known' (authenticatable) clients.
  – Can we increase security deployment by supporting a 'TLS' anonymous client model? A number of use cases fit this model.
Setup time MAY be further extended if the Authentication Server is separate from the AP.
  – Can we authenticate the AP without an AS?

Slide 5: Round trips in the current link setup (diagram)
Message exchanges shown on the slide, with the round trips labelled for each:
  – Probe (1 round trip)
  – Authentication (1 round trip)
  – Association (1 round trip)
  – EAPOL-Start (0.5 round trip)
  – EAP-Identity (1 round trip)
  – Establishing TLS tunnel for PEAP (3 round trips)
  – PEAP EAP-MSCHAPv2 (4 round trips)
  – EAP-Success / EAPOL-Success (0.5 round trip)
  – EAPOL-Key (2 round trips)
Share labels on the diagram: 1/16 = 6.25%, 2/16 = 12.5%, 11/16 = 68.75%, 2/16 = 12.5%.
Most of the message exchanges are consumed for Authentication and Association.

Slide 6: Solution Overview
Providing a 'TLS' anonymous client model
  – AP does not know 'who' the client is, but knows that it is always communicating with a given client
AP does not authenticate the client; it relies on the client to protect itself from a MITM attack.
No AS needed by the AP.
Client validates the AP via X.509 or a raw Public Key 'white list'. No AS needed by the client.
  – AP and client are the only parties in a Key Management Protocol

Slide 7: Solution Overview
Providing an authenticated client model
  – AP does need to know 'who' the client is
Client presents credentials to the AP
  – X.509 cert validated by the AP or via OCSP
    » No AS needed by the AP (well, maybe OCSP)
  – Limited choices that are 'fast'
Client validates the AP via X.509 or a raw Public Key 'white list'. No AS needed by the client.
  – Full cert validation after connection
  – May be hard to provide a 'fast' solution, or only a 'not so fast' one

Slide 8: Solution Overview
Use AUTHENTICATE frames to support Key Management
  – Use a well-architected 2-party KMP between the AP and the client
Must have security integrity proofs
Provide AP authentication to the client
  – E.g. with an X.509 cert
Provide nonce exchange, generate both a PMK and a PTK, and transmit the GTK
  – No 4-Way Handshake needed
HIP or IKEv2

Slide 9: Protocol Sequence to Establish a Connection to the Internet by using Authentication and Association frames (diagram)
Parties shown: STA, AP, [Auth server]. Flow: Probe, then Authentication frames carrying HIP or IKEv2 (4 packets), with optional AS or OCSP access.

Slide 10: Solution Overview
HIP or IKEv2
  – Cryptographic and liveness proofs of Identities
Supports anonymous Identities
  – Ephemeral 'raw' Public Key
  – Authenticated delivery of X.509 certs, uni- or bi-directional
  – Support for additional client authentication: EAP, SAE, other
  – Full nonce exchange for generation of PMK and PTK
  – Secure transport of GTK
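As an added illustration (not code from this submission, nor HIP or IKEv2 themselves), the following Go sketch plays both sides of the anonymous client model of slides 6, 8 and 10: the STA sends only an ephemeral key and a nonce, the AP answers with its raw public key and a signature over the exchange, and the STA accepts the AP only if that raw key is on its white list, then derives the PMK and PTK from the exchanged nonces with no 4-way handshake. The two-message flow, the HMAC-SHA256 KDF and the X25519/Ed25519 choices are assumptions made here, not the submission's.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kdf is HMAC-SHA256 over a label plus context (assumed here; the slides name no KDF).
func kdf(key []byte, label string, ctx ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, c := range ctx {
		m.Write(c)
	}
	return m.Sum(nil)
}

func nonce32() []byte { n := make([]byte, 32); rand.Read(n); return n }

// Handshake plays both sides of a two-message sketch of the anonymous-client KMP: the STA never
// identifies itself, the AP proves its raw key, both derive the PMK, and the STA derives the PTK.
func Handshake(whitelist map[string]bool, apKey ed25519.PrivateKey, staMAC, apMAC []byte) (staPMK, apPMK, ptk []byte, err error) {
	// STA -> AP: ephemeral X25519 key and nonce only (no client credentials).
	staEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	staNonce := nonce32()
	// AP -> STA: raw public key, ephemeral key, nonce, and a signature binding all four values.
	apEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	apNonce := nonce32()
	apPub := apKey.Public().(ed25519.PublicKey)
	transcript := kdf(nil, "transcript", staEph.PublicKey().Bytes(), staNonce, apEph.PublicKey().Bytes(), apNonce)
	sig := ed25519.Sign(apKey, transcript)
	apShared, _ := apEph.ECDH(staEph.PublicKey())
	apPMK = kdf(apShared, "PMK", staNonce, apNonce)
	// STA: the white-list check plus the signature check is its only MITM protection (slide 6).
	if !whitelist[string(apPub)] || !ed25519.Verify(apPub, transcript, sig) {
		return nil, nil, nil, errors.New("AP rejected: raw key not white-listed or proof invalid")
	}
	staShared, err := staEph.ECDH(apEph.PublicKey())
	if err != nil {
		return nil, nil, nil, err
	}
	staPMK = kdf(staShared, "PMK", staNonce, apNonce)
	ptk = kdf(staPMK, "PTK", staMAC, apMAC, staNonce, apNonce)
	return staPMK, apPMK, ptk, nil
}
```

Running Handshake with an AP key that is not in the white list returns an error before any key is derived, which is the point of the client-side white list in the anonymous model.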

Slide 11: Solution Overview
IKEv2 specific
  – Supports EAP tunneling
  – OCSP proxy by the AP for the client
  – IP address assignment
  – Limited 'raw' key support: RSA supported, ECDSA not
Anonymous client thus needs just a little work

Slide 12: Solution Overview
HIP specific
  – Anonymity explicit in design: HITs
  – EAP: an Internet Draft
  – CERT RFC does not include OCSP proxy
  – Needs IP address parameters

Slide 13: Conclusions
Current KMP designs can replace the 12-round-trip current method with 2 round trips
  – TLS anonymous model has no backend cost
  – Significant reduction in cryptographic operations
Thank you!