Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhanced Security Features for

Published byDarcy Hugh Bates Modified over 6 years ago

Similar presentations

Presentation on theme: "Enhanced Security Features for"— Presentation transcript:

1 Enhanced Security Features for 802.11
March 2009 doc.: IEEE /0000r0 March 2009 Enhanced Security Features for Date: Authors: Dan Harkins, Aruba Networks Dan Hakrins, Aruba Networks

2 March 2009 doc.: IEEE /0000r0 March 2009 Abstract This document describes important security features that are missing from, or will enhance, IEEE Dan Harkins, Aruba Networks Dan Hakrins, Aruba Networks

3 802.11 Security Services Authentication
March 2009 Security Services Authentication A STA can prove its identity to the network and vice versa Authorization and Access Control Once authenticated a STA can be given access to the network, or a subset of it, or denied access to the network. Data Confidentiality Data sent between the STA and AP is hidden from all but the source and destination of the data. Data Integrity The recipient of a frame is able to verify that the frame was not modified in transit and that a false frame has not been substituted for a valid frame. Data Source Authentication The recipient of a frame is able to ascertain the origin of the frame and it is not possible for anyone else to masquerade as the claimed originator. Dan Harkins, Aruba Networks

4 How are These Services Provided Today?
March 2009 How are These Services Provided Today? WEP Deprecated but still part of the standard. Intended to provide authentication, access control, and confidentiality but does not do so securely. RSN 802.1x Key Management: provides mutual authentication, allows for authorization and access control decision making, generates secure and cryptographically strong keys. PSK Key Management: provides a limited type of authentication, generates weak keys that void some features of RSN ciphers. TKIP: provides confidentiality, data integrity (sub-optimally), and data source authentication. CCMP: provides confidentiality, data integrity, and data source authentication. Dan Harkins, Aruba Networks

5 March 2009 What’s The Problem? Cryptographically strong security is limited to certain use cases. Not every deployment has a centralized AAA server; access to a centralized AAA server cannot always be guaranteed. Hence the WFA’s attempt to generate an adjunct for password-based authentication. Hence different use cases– peer-to-peer and mesh, for instance,-- developing their own way of providing security. Cryptographically strong security doesn’t really work for IBSS or peer-to-peer deployments. New ciphers that are arguable better than those currently defined in have been developed. Unfortunately lacks a definition on how to use them. Some TGs require security for features but such work is outside the scope of existing TGs. Dan Harkins, Aruba Networks

6 What’s The Solution? A new Task Group to work on
March 2009 What’s The Solution? A new Task Group to work on Secure, de-centralized authentication and key management. These solutions should be suitable for a traditional ESS as well as ad hoc, mesh, and various peer-to-peer applications. A password-based key exchange resistant to passive attack, active attack and dictionary attack. A certificate-based key exchange Definition (not development) of new ciphers AES-GCM: a high-performance, single-pass, cipher for authenticated encryption AES-SIV: a misuse-resistant cipher for authenticated encryption Solution to current problems that are outside the scope of existing TGs TGv’s location services Dan Harkins, Aruba Networks

7 Secure, De-centralized Authentication
March 2009 Secure, De-centralized Authentication Requirements Each device has its own authentication credential, a password or a certificate. Each device can authenticate another device without external assistance. Protocols must be defined in a peer-to-peer fashion. Peer-to-peer implies client-server, but the opposite is not true, so a peer-to-peer protocol would cover ESS, ad hoc, mesh, etc. Examples The password-authenticated key exchange in s: SAE. SKEME, a certificate-based authenticated key exchange protocol DHKE-1, a certificate-based authenticated key exchange protocol Dan Harkins, Aruba Networks

8 Support for New Ciphers
March 2009 Support for New Ciphers AES-GCM Like CCM, GCM performs authenticated encryption and accepts additional authenticated data. GCM performs authenticated encryption with one pass over the data. This allows for much higher throughput that CCM which requires two passes. AES-SIV Like CCM, SIV performs authenticated encryption and accepts additional authenticated data. Unlike CCM, SIV will not lose all security if a nonce/counter is reused. This allows for more robust security, especially when the operations are taking place in software or in situations where uniqueness of counters cannot be strictly guaranteed. Dan Harkins, Aruba Networks

9 Address Issues Outside Other TG’s Scope
March 2009 Address Issues Outside Other TG’s Scope TGv’s location services A STA wants to protect announcements it sends out pertaining to its location and these announcements are be received by multiple APs, some of which the STA does not share an active security association. Anything else? Dan Harkins, Aruba Networks

10 A New Task Group Tight focus ensures timely results
March 2009 A New Task Group Tight focus ensures timely results Keep a focus on security enhancements to existing functionality and not creation of new security algorithms, ciphers, etc. Much of this has already been designed– GCM, SIV, SAE– so it’s a problem of defining use in There is a need for de-centralized security in Use of a PSK/password is widespread and will remain so. Unfortunately it is not secure; we should make it so. Other groups– like Wi-Fi Alliance– believe there is market demand. It makes sense for to provide it instead of hoping other organizations do it (and do it right). Data rates keep increasing, ciphers cannot be bottlenecks! Dan Harkins, Aruba Networks

11 March 2009 References NIST SP800-38D P. Rogaway and T. Shrimpton, “Deterministic Authenticated Encryption, A Provable Security Treatment of the Key-Wrap Problem”, Advances in Cryptology– EUROCRYPT ’06, St. Petersburg, Russia, 2006. RFC 5297 H. Krawczyk, ‘SKEME: A Versatile Secure Key Exchange Mechanism for the Internet’, Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, August 1995 V. Shoup, “On Formal Models for Secure Key Exchange”. ACM Computer and Communications Security Conference, 1999. Dan Harkins, Aruba Networks

12 March 2009 Straw Poll “A Study Group to develop a PAR and Five Criteria for Enhanced Security for should be created” Yes: No: Don’t Know, Need More Information: Don’t Care: Dan Harkins, Aruba Networks

Download ppt "Enhanced Security Features for"

Similar presentations

Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.

Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Comparative studies on authentication and key exchange methods for 802.11 wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:

Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General 802.11 Links Date: 2012-05-08 Authors:

Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General Links Date: Authors:
IEEE 802.11i WPA2. IEEE 802.11i (WPA2) IEEE 802.11i, is an amendment to the 802.11 standard specifying security mechanisms for wireless networks. The.

IEEE i WPA2. IEEE i (WPA2) IEEE i, is an amendment to the standard specifying security mechanisms for wireless networks. The.
Doc.: IEEE 802.11-09/0580r0 Submission May 09 Myles et al (Cisco)Slide 1 Discussion on the proposal to start a new Security SG in 802.11 WG.

Doc.: IEEE /0580r0 Submission May 09 Myles et al (Cisco)Slide 1 Discussion on the proposal to start a new Security SG in WG.

Similar presentations

Ads by Google