Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Upper-Layer Messaging

Published byTodd Spencer Modified over 6 years ago

Similar presentations

Presentation on theme: "Authentication and Upper-Layer Messaging"— Presentation transcript:

1 Authentication and Upper-Layer Messaging
May 2012 doc.: IEEE /0562r0 May 2012 Authentication and Upper-Layer Messaging Date: Authors: Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

2 May 2012 doc.: IEEE /0562r0 May 2012 Abstract This submission discusses problems with the acceptance (and processing) of upper-layer messages prior to authentication. Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

3 Challenging Goals in 11ai
May 2012 doc.: IEEE /0562r0 May 2012 Challenging Goals in 11ai Fast link set-up Authentication and upper-layer protocol messaging (e.g. address assignment, plus DAD, plus….) with a minimum of delay Cannot degrade RSN security Mutual authentication No replay attacks (“liveness” proof) etc Handle the use case of hundreds of STAs trying to connect simultaneously The doors of the train open and everyone’s phone/PDA tries to connect to wireless network in the station Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

4 Handling of Upper Layer Messages
May 2012 Handling of Upper Layer Messages Piggy-back the upper-layer message on an L2 frame that is conveying its own message Put (some of) the upper-layer messages into (some of) the authentication frames Do as much as possible in parallel Dan Harkins, Aruba Networks

5 Simultaneous Address Assignment w/ERP
May 2012 Simultaneous Address Assignment w/ERP First message from client has both authentication and DHCP message Server simultaneously asks AS to authenticate peer and asks DHCP server for an address Server validates DHCP discover after receipt of DHP ACK Dan Harkins, Aruba Networks

6 Problems with Simultaneous Address Assignment w/ERP
May 2012 Problems with Simultaneous Address Assignment w/ERP Handling is problematic Infrastructure may require authenticated identity to determine appropriate address to assign An address is requested upon receipt of a single unauthenticated message Request is processed before it is validated! This opens up the network to a resource exhaustion attack The network is unable to discriminate between an attacker spraying hundreds of bogus (but semantically valid) messages from fake MAC addresses and hundreds of legitimate users requesting access Remember the train station use case: network must be able to handle hundreds of nascent connections Dan Harkins, Aruba Networks

7 “Concurrent” IP Address Assignment w/ERP
May 2012 “Concurrent” IP Address Assignment w/ERP First message from client has both authentication and DHCP message Server relays ERP message to AS, and retains rest of client message If AS authenticates client the rest of the client message is validated and a DHCP discover is sent to obtain an IP address Dan Harkins, Aruba Networks

8 Problems with Concurrent IP Address Assignment w/ERP *
May 2012 Problems with Concurrent IP Address Assignment w/ERP * It requires a significant amount of state to be maintained on the AP upon receipt of a single unauthenticated message The AP must create per-STA state after receipt of a probe request! ERP message– name, cryptosuite, tag and DHCP offer must be retained until AAA server responds The DHCP offer can be encrypted, making validity heuristics impractical-- impossible to distinguish between an encrypted offer with many attributes and a very large amount of garbage Cost of single request/response is not amortized across all STAs Benefit of “single” request/response is illusory The client doesn’t know whether the AP is implementing “concurrent” or “simultaneous”, how long does it wait? Since it’s 2 round trips to 2 servers the cost is the same as 2 messages * these problems are also inherent to Simultaneous IP Address Assignment with ERP Dan Harkins, Aruba Networks

9 How to Process Authentication and Upper-Layer Messaging
May 2012 doc.: IEEE /0562r0 May 2012 How to Process Authentication and Upper-Layer Messaging Sequentially! Authentication then DHCP To do otherwise opens the network up to resource exhaustion attack In an honest and fair manner Don’t hide two 2-message protocols as one 2-message protocol The client should get feedback on where in the protocol it is Timers can be set realistically without guessing or over compensating The AP should not bear the full cost of hundreds of simultaneous connections when amortizing the cost over all clients is possible Susceptibility to resource exhaustion attacks should not be a requirement for FILS Some cost should be amortized over all STAs (per-STA load will be trivial) Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

10 How to Process Authentication and Upper-Layer Messaging
May 2012 doc.: IEEE /0562r0 May 2012 How to Process Authentication and Upper-Layer Messaging There are two separate things going on, do them separately In a single 2 round-trip exchange– one round-trip for authentication, one round-trip for DHCP Like 11-11/1488r1 (as presented in 11-11/1429r2) Minimal initial resource allocation requirements per-STA state on the network is session id plus nonce per-connection state on the STA is session id plus nonce No built in resource exhaustion attack DHCP request is still integrity protected and can still, optionally, have privacy protection Authenticated identity always known prior to address assignment Authorization attributes can be used to determine IP/VLAN assignment Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

11 References 11-11/1160r6 11-11/1488r1 11-11/1429r2 May 2012
doc.: IEEE /0562r0 May 2012 References 11-11/1160r6 11-11/1488r1 11-11/1429r2 Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

Download ppt "Authentication and Upper-Layer Messaging"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE 802.11-12/0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: 2012-05-09 Authors:

Doc.: IEEE /0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: Authors:
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: 2012-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: 2011-05-10 Authors: NameCompanyAddressPhoneemail.

Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Submission doc.: IEEE 802.11-11/1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Submission doc.: IEEE 11-14/0062r0 January 2014 Dan Harkins, Aruba NetworksSlide 1 PMK Caching for FILS Date: 2014-01-15 Authors:

Submission doc.: IEEE 11-14/0062r0 January 2014 Dan Harkins, Aruba NetworksSlide 1 PMK Caching for FILS Date: Authors:
Doc.: IEEE 802.11-11/0977r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKA ROOT INC.2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771-

Doc.: IEEE /0977r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKA ROOT INC Tenjin, Chuo-ku, Fukuoka JAPAN
Doc.: IEEE 802.11-12/0897r0 SubmissionJae Seung Lee, ETRISlide 1 Active Scanning considering Operating Status of APs Date: 2012-07-06 July 2012.

Doc.: IEEE /0897r0 SubmissionJae Seung Lee, ETRISlide 1 Active Scanning considering Operating Status of APs Date: July 2012.
Doc.: IEEE 802.11-09/0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure 802.11 Authentication Using Only A Password Date: 2009-01-19.

Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
Doc.: IEEE 802.11-01/610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and 802.11 key interactions Tim Moore.

Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Doc.: IEEE 802.11-12/1042r1 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,

Doc.: IEEE /1042r1 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,
Doc.: IEEE 802.11-09/0315r4 Submission July 2009 Dan Harkins, Aruba NetworksSlide 1 Enhanced 802.11 Security Date: 2008-07-10 Authors:

Doc.: IEEE /0315r4 Submission July 2009 Dan Harkins, Aruba NetworksSlide 1 Enhanced Security Date: Authors:
Wireless Network Security CSIS 5857: Encoding and Encryption.

Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE 802.11-11/1000r1 Submission July 2011 Jihyun Lee, LG ElectronicsSlide 1 TGai FILS Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /1000r1 Submission July 2011 Jihyun Lee, LG ElectronicsSlide 1 TGai FILS Proposal Date: Authors: NameAffiliationsAddressPhone .

Similar presentations

Ads by Google