Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Published byStephon Parrick Modified over 10 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,"— Presentation transcript:

1 doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata, Ontario K2K 3J1 +1-613-2871948Rob.sun@huawei.com TGai FILS Authentication Protocol and State Machine Date: Nov 2012 Slide 1 Authors: Rob Sun etc, Huawei.

2 doc.: IEEE 802.11-12/1281r1 SubmissionSlide 2 Abstract Huawei. Nov 2012 This submission is aiming at providing in depth analysis of the FILS authentication scheme and FILS state machine in respective and also providing the technical ground for proposed texts in 11-12-1282r0

3 doc.: IEEE 802.11-12/1281r1 Submission Conformance w/ TGai PAR & 5C Huawei.Slide 3 Conformance QuestionResponse Does the proposal degrade the security offered by Robust Security Network Association (RSNA) already defined in 802.11? No Does the proposal change the MAC SAP interface?No Does the proposal require or introduce a change to the 802.1 architecture?No Does the proposal introduce a change in the channel access mechanism?No Does the proposal introduce a change in the PHY?No Which of the following link set-up phases is addressed by the proposal? (1) AP Discovery (2) Network Discovery (3) Link (re-)establishment / exchange of security related messages (4) Higher layer aspects, e.g. IP address assignment 3 Nov 2012

4 doc.: IEEE 802.11-12/1281r1 Submission FILS Authentication Design The desirable FILS authentication design should consider: – Reusable: possibly most of the existing AKM protocols, cipher suites – Less impact: on 802.1x and EAP state machine; no need to drastically re-design the WiFi security system. – Cost effective: easier to implement and no tangible IPR liability. How to design the FILS authentication scheme – System level design: How can a system architecture help to make FILS authentication/FILS easier? – Other relevant performance hog components: ie, DHCP/DNS, remote TTP server. How can we make them fly for FILS? – Re-authentication vs Initial Authentication: How to make re- authentication design to be compatible with Initial Authentication HuaweiSlide 4 Nov 2012

5 doc.: IEEE 802.11-12/1281r1 Submission Whats the main contributors of the Delay Authentication and 4 way handshake are taking too long (in range of 100ms to 1000ms) –12/041r1 contribution has the detailed performance analysis of 802.11EAP authentication. https://mentor.ieee.org/802.11/documents?is_dcn=41&is_group=00ai –Authentication at some occasions also involves backend systems which adds significantly to the overall delay in BSS. Certification reading and verification Authentication Key initialization and generation. EAP interlock state machine Chatty EAP-TLS handshake IP layer functions taking too long – 802.1x state machine blocks the DHCP and Other IP layer functions till the STA is authenticated. Can we do the piggy-back way (i.e piggy-back DHCP over other messages) ? HuaweiSlide 5 Nov 2012

6 doc.: IEEE 802.11-12/1281r1 Submission FILS System Design Network A: -TTP authentication/Authorization -802.1X/EAP based RSNA architecture Network B: -Wall Gardened Architecture for FILS client - Routed FILS connectivity within Wall Gardened zone -802.1x (EAP is optional, ie. PSK) based RSNA architecture - Similar to Guest 802.1x port in implementation. Ref: http://www.cisco.com/en/US/docs/solutions/Enterpri se/Network_Virtualization/AccContr.pdf HuaweiSlide 6 WiFi HostAP Authentication Server Secured Network WiFi HostAP Authentication Server Secured Network DHCP Server Wall –Gardened Network FILS Link Nov 2012

7 doc.: IEEE 802.11-12/1281r1 Submission For Network A Existing IEEE 802.11 components – 802.1X PAE (including state machine and Management Entities, MIB) – EAP (EAP-TLS, RFC 5216 and RFC 3748) (Only as reference model) – 4-way handshake Note: IEEE 802.11ad is reliant on 4-way handshake to delivery information?? Mandates strong WPA/WPA2 security requirements – Mutual authentication with 4 way handshake (RSNA) – Link Setup time requirements can not degrade the security property. HuaweiSlide 7 Nov 2012

8 doc.: IEEE 802.11-12/1281r1 Submission IEEE 802.11 TGai FILS Authentication HuaweiSlide 8 Supplicant AP / Authenticator AS 1) 802.11 Beacon 2) 802.11 Probe Request 3) 802.11 Probe Response 4) |802.1x EAP OL-Start with Security Parameters for FILS handshake) Access Request (EAP Request) EAPOL-EAP ( EAP Authentication Protocol Exchange) AS Generates PMK Accept/ EAP Success/ PMK 5) msg 1: EAPOL-KEY (Anounce, Unicast)) Supplicant Generates PMK EAPOL-Start Triggers the 802.1X PAE EAPOL-Start TLV carries the NID information (i.e Certificate) Authenticator Stores PMK And Generate Anounce Supplicant Derives PTK State 1 State 5 State 1 State 5 Remove EAP-ID req/response RFC 3748 states: EAP-ID Request/Response not necessarily the first message, in section 2 EAPOL-EAP ( EAP Authentication Protocol Exchange) Nov 2012

9 doc.: IEEE 802.11-12/1281r1 SubmissionHuaweiSlide 9 Supplicant AP / Authenticator 6) Msg 2: EAPOL-Key (Snounce, Unicastm MIC) 7) Msg 3: EAPOL-Key (Install PTK, unicast, MIC, Encrypt (GTK, IGTK) )) 8) Msg 4: EAPOL-Key (Unicast, MIC) Secure Data Communication Supplicant with PTK Authenticator with PTK |GTK|IGTK Install PTK, GTK IGTK Install PTK, GTK IGTK IEEE 802.11 TGai FILS Handshake (Revising 802.11Revmb Section 4.10.3.2) State 5 State 4 State 5 State 4 Nov 2012

10 doc.: IEEE 802.11-12/1281r1 Submission Protocol Analysis Pros: –Keep IEEE 802.11 RSNA architecture (Authentication then Data Communication) – Omit the IEEE 802.11 open authentication handshake and association handshake. (FILS association is done when the FILS authentication is completed) – Keep the 4 way handshake intact (No need to evaluate the security property) – Generally applicable to TTP based authentication and IBSS based authentication. – No piggyback datagram on Frames (Piggyback datagram on frame is violating the IEEE 802.1x design principles) – No impact on relevant Standards and implementations Cons: – No improvements on EAP-(TLS) multiple rounds of handshake given fragmentation could take place EAP based authentication with Remote AAA server still takes significant time IP layer functions (DHCP and DNS) is still taking its toll in making FILS authentication slow HuaweiSlide 10 Nov 2012

11 doc.: IEEE 802.11-12/1281r1 Submission For Network B Enable the Wall gardened FILS solution – Enable Virtual Port on IEEE 802.1X PAE on both supplicant and Authenticator to guide the FILS specific authentication scheme into a Wall Garden /VLAN. Note: Section 12.1 of IEEE 802.1X Rev-d4. – AP (authenticator) can choose most flexible authentication scheme (PSK, or no authentication) to provide minimum effort in authentication. – STA and AP can still utilize the 4 way handshake to generate keying materials (PTK, GTK|IGTK) to protect the OTA communication. – The DHCP / DNS could be arranged locally (on AP or collocating with AP) Or using Frame-IP-Address (Radius Attribute 8) to allocate IP address to device during the authentication process – FILS traffic are contained within the zone (with Firewall or other means) which regulates the traffic which is beyond the scope of IEEE 802.11TGai HuaweiSlide 11 Nov 2012

12 doc.: IEEE 802.11-12/1281r1 Submission What is Virtual Port As defined in IEEE 802.1X rev d4 –A MAC Service or Internal Sublayer service access point (D.4) that is created on demand. Virtual ports can be used to provide separate secure connectivity associations over the same LAN. – How to create and delete the Virtual ports on Authenticators PAE is based on section 12.7 of IEEE 802.1X. – Within the virtual port, the FILS station can maintain different security association than regular association. HuaweiSlide 12 Nov 2012

13 doc.: IEEE 802.11-12/1281r1 Submission IEEE 802.11 TGai FILS Authentication with 4 way handshake HuaweiSlide 13 Supplicant AP / Authenticator AS 1) 802.11 Beacon 2) 802.11 Probe Request 3) 802.11 Probe Response 4) |802.1x EAP OL-Start with FILS AP create the Virtual Port on Receipt of EAPOL-Start AS Generates PMK Authentication Scheme (TBD) 5) msg 1: EAPOL-KEY (Anounce, Unicast)) Supplicant Generates PMK Authenticator Stores PMK And Generate Anounce Supplicant Derives PTK State 1 State 5 State 1 State 5 EAPOL-EAP ( EAP Authentication Protocol Exchange) VLAN ABC FILS authentication Scheme (TBD) If enable the Frame-IP-address on EAP request, then DHCP Can be omitted Nov 2012

14 doc.: IEEE 802.11-12/1281r1 SubmissionHuaweiSlide 14 Supplicant AP / Authenticator 6) Msg 2: EAPOL-Key (Snounce, Unicastm MIC) 7) Msg 3: EAPOL-Key (Install PTK, unicast, MIC, Encrypt (GTK, IGTK) )) 8) Msg 4: EAPOL-Key (Unicast, MIC) Secure Data Communication Supplicant with PTK Authenticator with PTK |GTK|IGTK Install PTK, GTK IGTK Install PTK, GTK IGTK IEEE 802.11 TGai FILS Handshake (Option 1: With 4 Way handshake)) State 5 State 4 State 5 State 4 VLAN ABC Nov 2012

15 doc.: IEEE 802.11-12/1281r1 Submission Protocol Analysis Utilizing the Virtual Port to contain the FILS traffic and regulate on the basis of backend security system design. Enable separate FILS security association which can separate the FILS state from regular Association Inheriting the 4 way handshake to make sure the OTA communication is secured Local Authentication (At the proximity of the AP) which should be faster Timer or Event triggers the FILS device to do the Full authentication/Full association. HuaweiSlide 15 Nov 2012

16 doc.: IEEE 802.11-12/1281r1 Submission References IEEE 802.1X Rev D4-5 HuaweiSlide 16 Nov 2012

17 doc.: IEEE 802.11-12/1281r1 Submission The Security Model of RSNA HuaweiSlide 17 Policy Decision Point Policy Decision Point Policy Enforcement Point Policy Enforcement Point STA AS AP 1.Authenticate to derive MSK 2: Derive PMK from MSK 3: Use PMK to enforce 802.11 channel access Derive and use PTK Reference: IEEE 802.11i Overview, 2002, Nancy Cam-Winget, et al Nov 2012

18 doc.: IEEE 802.11-12/1281r1 Submission 802.1X-REV/D4.5 HuaweiSlide 18 Nov 2012

19 doc.: IEEE 802.11-12/1281r1 Submission Stroll Poll Straw-Poll-1: Do you support the proposal of the FILS Authentication Procedure as described in Slide 13 and 14 of this contribution? Result Yes No Abstain_______________ Nov 2012 HuaweiSlide 19

20 doc.: IEEE 802.11-12/1281r1 Submission Questions & Comments Slide 20Huawei. Nov 2012

Download ppt "Doc.: IEEE 802.11-12/1281r1 Submission NameAffiliationsAddressPhoneemail Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
Doc.: IEEE 802.11-12/1043 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,

Doc.: IEEE /1043 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-11/1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1

Doc.: IEEE /1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1
Doc.: IEEE 802.11-12/0786r2 Submission Differentiated Initial Link Setup (Follow Up) July 2012 Lin Cai et al,Huawei.Slide 1 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0786r2 Submission Differentiated Initial Link Setup (Follow Up) July 2012 Lin Cai et al,Huawei.Slide 1 Authors: NameAffiliationsAddressPhone .
Submission doc.: IEEE 802.11-11/1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: 2011-08-16 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE /1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: Authors: NameAffiliationsAddressPhone .
Using Upper Layer Message IE in TGai

Using Upper Layer Message IE in TGai
Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:
Submission doc.: IEEE 11-12-1238-01-00ai November 2012 Lei Wang, InterDigital CommunicationsSlide 1 Proposals for the FD Frame Capability, Security and.

Submission doc.: IEEE ai November 2012 Lei Wang, InterDigital CommunicationsSlide 1 Proposals for the FD Frame Capability, Security and.
Doc.: IEEE 802.11-11/0119r00 Submission January 2011 Marc Emmelmann, Fraunhofer FokusSlide 1 Requirements for FILS Submissions coming from PAR & 5C Date:

Doc.: IEEE /0119r00 Submission January 2011 Marc Emmelmann, Fraunhofer FokusSlide 1 Requirements for FILS Submissions coming from PAR & 5C Date:
Doc.: IEEE 802.11-11/1436r0 Submission NameAffiliationsAddressPhoneemail Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,

Doc.: IEEE /1436r0 Submission NameAffiliationsAddressPhone Robert Sun Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Doc.: IEEE 802.11-11/0780r1 Submission NameAffiliationsAddressPhoneemail Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.

Doc.: IEEE /0780r1 Submission NameAffiliationsAddressPhone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.
Doc.: IEEE 802.11-12/0041r1 Submission NameAffiliationsAddressPhoneemail Robert Sun; Yunbo Li; Edward Au; Phillip Barber Huawei Technologies Co., Ltd.

Doc.: IEEE /0041r1 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li; Edward Au; Phillip Barber Huawei Technologies Co., Ltd.
Doc.: IEEE 802.11-12/0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: 2012-05-04 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: Authors: NameAffiliationsAddressPhone .
TGai FILS Authentication Protocol

TGai FILS Authentication Protocol
Doc.: IEEE 802.11-11/1498-01-00ai Submission NameAffiliationsAddressPhoneemail Phillip BarberHuawei Technologies Co., Ltd. 1700 Alma Rd, Ste 500 Plano,

Doc.: IEEE / ai Submission NameAffiliationsAddressPhone Phillip BarberHuawei Technologies Co., Ltd Alma Rd, Ste 500 Plano,
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
Doc.: IEEE 802.11-12/933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: 2012-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /933r6 Submission July 2012 Fang Xie (CMCC)Slide 1 Access Control Mechanism for FILS Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-12/1042r3 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,

Doc.: IEEE /1042r3 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang,

Similar presentations

Ads by Google