Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn

Published byThomas Fletcher Modified over 6 years ago

Similar presentations

Presentation on theme: "WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn"— Presentation transcript:

1 WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn
<month year> doc.: IEEE /xxxr0 November 2001 WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn Jesse Walker, Intel Russ Housley, Doug Whiting, Jesse Walker <author>, <company>

2 Key Contributors Bob Beach, Symbol Ron Brockman, Intersil
November 2001 Key Contributors Bob Beach, Symbol Ron Brockman, Intersil Nancy Cam-Winget, Atheros Clint Chaplin, Symbol Greg Chesson, Atheros Niels Ferguson, MacFergus BV Russ Housley, RSA Labs Marty Lefkowitz, TI Bob O’Hara, Blackstorm Networks Dorothy Stanley, Agere Doug Smith, Cisco Jesse Walker, Intel Doug Whiting, HiFn Albert Young, 3COM Russ Housley, Doug Whiting, Jesse Walker

3 Agenda Review of Consensus Identify Areas for More Work
November 2001 Agenda Review of Consensus Identify Areas for More Work Present Motions to incorporate text into Draft Russ Housley, Doug Whiting, Jesse Walker

4 Review of Consensus Short-term WEP fix rests on 4 pillars:
November 2001 Review of Consensus Short-term WEP fix rests on 4 pillars: IV Sequencing New Per-Packet Key Mixing Function New 32-bit MIC Includes counter-measures New Rekey Mechanism All or nothing the conformance requirement Design is intended as a short term patch to WEP, not a long term solution Russ Housley, Doug Whiting, Jesse Walker

5 November 2001 IV Sequencing Doc r1 specifies IV construction at transmitter: 16 bit counter initialized to zero Value of MSB: 0xA5 IV encoded as a big-Endian value in the WEP IV field Consensus that receiver must maintain a replay window Windowing scheme controlled by whether we adopt an encrypt early or encrypt last scheme Consensus still needed here Russ Housley, Doug Whiting, Jesse Walker

6 Per-Packet Mixing Function
November 2001 Per-Packet Mixing Function Constructs per-packet RC4 key Uses temporal encryption keys from the rekey mechanism Intended as a short-term patch But, due to deployment practicalities, expect it will be in the field indefinitely Two-phase key mixing function algorithm proposed by Doug Whiting and Ron Rivest TTAK = Phase1 (TemporalKey, TA) PPK = Phase2 (TTAK, IV) IV set to 0 when TTAK is first used and 0  IV < 216 Expect implementations to cache the output of Phase 1 Russ Housley, Doug Whiting, Jesse Walker

7 32-bit MIC Constructs per-packet Message Integrity Code
November 2001 32-bit MIC Constructs per-packet Message Integrity Code Uses temporal authentication keys from the rekey mechanism Intended as a short-term patch But, due to deployment practicalities, expect it will be in the field indefinitely New 32-bit MIC Includes counter-measures Alternatives still under investigation Performance on host Performance on MAC processor Goal: prevent packet forgeries Russ Housley, Doug Whiting, Jesse Walker

8 Rekey Mechanism Algorithm defines MAC-level rekey protocol
November 2001 Rekey Mechanism Algorithm defines MAC-level rekey protocol Goal: Temporal Key Derivation, Security Session Management, Roaming Support, Compatibility with 802.1X Provides temporal encryption keys and temporal authentication keys All or nothing the conformance requirement We already have enough insecure protocols Intended as both a short-term patch to WEP and a long-term solution when used with AES Two different mechanisms for key types: Default keys: Countdown-based Rekeying Key-mapping keys: Message-based Rekeying Russ Housley, Doug Whiting, Jesse Walker

9 November 2001 Security Consensus Omission of IV sequencing enables replay (special type of forgery attack) Omission of MIC enables packet forgery Forgery can be turned into attack to derive the privacy key Omission of Mixing Function enables FMS attacks Omission of Rekey enables IV collision attacks Russ Housley, Doug Whiting, Jesse Walker

10 Conformance Consensus
November 2001 Conformance Consensus We already have enough insecure protocols; we don’t need more Vendors claiming conformance must implement all of the features Intended as a short term patch to WEP not a long term solution But deployment practicalities say it will be in the field indefinitely Russ Housley, Doug Whiting, Jesse Walker

11 Agenda Review of Consensus Identify Areas for More Work
November 2001 Agenda Review of Consensus Identify Areas for More Work Present Motions to incorporate text into Draft Russ Housley, Doug Whiting, Jesse Walker

12 Areas Requiring More Work
November 2001 Areas Requiring More Work MIC Encrypt Early/Late Decision Rekey Russ Housley, Doug Whiting, Jesse Walker

13 MIC Work Required Algorithm definition incomplete
November 2001 MIC Work Required Algorithm definition incomplete Candidate MPH algorithm defined, but introduces implementation constraints Cost: ~ 3 cycles/byte, 35K cycles per rekey Optimized for 32-bit little-Endian processors only: poor choice for MAC firmware Poor choice for MAC processor Ferguson and Whiting trying to develop algorithm with acceptable performance on both host and MAC processors Counter-measures definition and consensus also required Russ Housley, Doug Whiting, Jesse Walker

14 Encrypt Early/Late IV sequencing, rekey driving discussion
November 2001 Encrypt Early/Late IV sequencing, rekey driving discussion All implementations must make same IV sequencing decision, or interoperability fails Late encryption minimizes receiver replay window state Late encryption seems to simplify rekey algorithm, but requires hardware acceleration for encryption Need consensus whether to include effects of QoS. If so, need to Agree on architecture with TGe Protect QoS traffic-class bits in MIC computation? Maybe separate sequence spaces for each traffic class? Unicast retransmit also reorders: how much? Need consensus on maximum reordering to design replay mechanism, and where to put crypto functions Russ Housley, Doug Whiting, Jesse Walker

15 Rekey Only one moderately complete proposal
November 2001 Rekey Only one moderately complete proposal Doc r2 But it has not yet been specified in sufficient detail to implement And consensus not complete on the message exchanges Need Consensus whether to continue with this approach If so, resolve outstanding message exchange issues Define details of protocol sufficient for independent interoperable implementations. Russ Housley, Doug Whiting, Jesse Walker

16 Agenda Review of Consensus Identify Areas for More Work
November 2001 Agenda Review of Consensus Identify Areas for More Work Present Motions to incorporate text into Draft Russ Housley, Doug Whiting, Jesse Walker

17 Motions Motion 1: New outline for Clause 8.2.2
November 2001 Motions Motion 1: New outline for Clause 8.2.2 Motion 2: Add Mixing Function Text Motion 3: Add MPDU expansion text Russ Housley, Doug Whiting, Jesse Walker

18 November 2001 Motion 1 Motion to instruct editor to replace Clause 8.2 of draft with following outline: 8.2.1 Overview and Theory of Operation 8.2.2 Placement Cryptographic Processing 8.2.3 IV Sequencing and Replay 8.2.4 WEP2 Mixing Function 8.2.5 WEP2 MIC and Counter-measures 8.2.6 WEP2 MPDU Expansion 8.2.7 WEP2 Interaction with Rekeying Russ Housley, Doug Whiting, Jesse Walker

19 November 2001 Motion 2 Motion to instruct the editor to add the text of Sections 1-5 of Doc r1 as the text of Clause 8.2.4, and to add the text of Section 6, 7 and S-Box definition in Annex A of Doc r1 as a new Annex to the Draft. Russ Housley, Doug Whiting, Jesse Walker

20 November 2001 Motion 3 Motion to instruct the editor to reinsert the existing MPDU expansion text into the draft as the body of Clause 8.2.6, and to amend it to describe the new 32-bit MIC as the last 4 bytes of data prior to the WEP ICV Encoded as a byte string Russ Housley, Doug Whiting, Jesse Walker

Download ppt "WEP2 Enhancements Russ Housley, RSA Labs Doug Whiting, HiFn"

Similar presentations

Doc.:IEEE 802.11-01/540ar0 Submission November 2001 Albert Young, Bob OHara Slide 1 A Re-Key Proposal Albert Young 3Com Corporation Santa Clara, CA

Doc.:IEEE /540ar0 Submission November 2001 Albert Young, Bob OHara Slide 1 A Re-Key Proposal Albert Young 3Com Corporation Santa Clara, CA
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Doc.: IEEE 802.11-00/037 Submission March 2000 Duncan Kitchin, Jesse Walker, Intel NIDSlide 1 Proposal for Enhanced Encryption Duncan Kitchin Jesse Walker.

Doc.: IEEE /037 Submission March 2000 Duncan Kitchin, Jesse Walker, Intel NIDSlide 1 Proposal for Enhanced Encryption Duncan Kitchin Jesse Walker.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.

Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.
Michal Rapco 05, 2005 Security issues in Wireless LANs.

Michal Rapco 05, 2005 Security issues in Wireless LANs.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Shambhu Upadhyaya 1 802.11 Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
Doc.: IEEE 802.11-01/495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Similar presentations

Ads by Google