Slide 1: Link Setup Flow
doc.: IEEE /xxxxr0, May 2011 / July 2011
Date: 2011-05-10
Authors (Name, Company, Address, Phone):
- Robert Moskowitz, Verizon, 15210 Sutherland, Oak Park, MI 48237, USA
- Konstantinos Georgantas, HIIT
Slide 2: Abstract
This document presents an approach for accelerating the security setup for FILS. It will also provide facilities for supporting acceleration of IP addressing.
Slide 3: Agenda
- Problem statement
- Solution overview
- Conclusions
Slide 4: Problem Statement
- The majority of the packets needed for link setup are security related. Are there alternatives?
- Security is only provided for 'known' (authenticatable) clients. Can we increase security deployment by supporting a 'TLS' anonymous client model? A number of use cases fit this model.
- Setup time MAY be further extended if the Authentication Server is separate from the AP. Can we authenticate the AP without an AS?
Slide 5 (figure: link setup message sequence with round-trip counts)
- Probe (1 round trip): 1/16 = 6.25%
- Authentication (1 round trip) and Association (1 round trip): 2/16 = 12.5%
- EAP over EAPOL: 11/16 = 68.75%
  - EAPOL-Start (0.5 round trip)
  - EAP-Identity (1 round trip)
  - Establishing TLS tunnel for PEAP (3 round trips)
  - PEAP EAP-MSCHAPv2 (4 round trips)
  - EAP-Success / EAPOL-Success (0.5 round trip)
- EAPOL-Key (2 round trips): 2/16 = 12.5%
Most of the message exchanges are consumed for Authentication and Association.
Slide 6: Solution Overview - Providing a 'TLS' anonymous client model
- The AP does not know 'who' the client is, but knows that it is always communicating with a given client
- The AP does not authenticate the client; it relies on the client to protect against a MITM attack
- No AS needed by the AP
- The client validates the AP via X.509 or a raw Public Key 'white list'
- No AS needed by the client
- The AP and client are the only parties in a Key Management Protocol
Slide 7: Solution Overview - Providing an authenticated client model
- The AP does need to know 'who' the client is
- The client presents credentials to the AP
  - X.509 cert validated by the AP or via OCSP
  - No AS needed by the AP (well, maybe OCSP)
  - Limited choices that are 'fast'
- The client validates the AP via X.509 or a raw Public Key 'white list'
- No AS needed by the client
- May be hard to provide a 'fast' solution, or 'not so fast'
Slide 8: Solution Overview
- Use AUTHENTICATE frames to support Key Management
- Use a well-architected 2-party KMP between the AP and client
  - Must have security integrity proofs
  - Provide AP authentication to the client, e.g. with an X.509 cert
  - Provide a nonce exchange, generate both a PMK and PTK, and transmit the GTK
  - No 4-Way Handshake needed
- HIP or IKEv2
Slide 9 (figure: Protocol Sequence to Establish a Connection to the Internet by using Authentication and Association frames)
Parties: STA, AP, [Auth server]. Sequence: Probe; Authentication carrying HIP or IKEv2 (4 packets); optional AS access.
Slide 10: Solution Overview - HIP or IKEv2
- Cryptographic and liveliness proofs of Identities
- Supports anonymous Identities: ephemeral 'raw' Public Key
- Authenticated delivery of X.509 certs, uni- or bi-directional
- Support for additional client authentication: EAP, SAE, other
- Full nonce exchange for generation of PMK and PTK
- Secure transport of GTK
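The properties listed on slides 6, 8 and 10 (anonymous client, AP authenticated against a raw-public-key white list, a nonce exchange that yields both PMK and PTK, GTK delivered without a 4-Way Handshake) as one worked example. This is an added sketch, not code from the deck and not HIP or IKEv2 itself: it keeps the four-message shape those protocols use and builds it from Go standard-library X25519, Ed25519, HMAC-SHA256 and AES-GCM (Go 1.20 or later for crypto/ecdh). The message layouts, the labels and the KDF are constructed for illustration and are not 802.11 frame formats or the 802.11 PRF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Keys held by both sides after two round trips: PMK, plus the PTK parts KCK (confirm), KEK (wrap GTK), TK (data).
type Keys struct{ PMK, KCK, KEK, TK []byte }

// Message shapes constructed for this example (not 802.11 frame formats).
type Msg1 struct{ NonceSTA, EphSTA []byte }           // STA -> AP: nonce + ephemeral X25519 key, no identity
type Msg2 struct{ NonceAP, EphAP, APKey, Sig []byte } // AP -> STA: nonce, ephemeral key, raw Ed25519 key, signature
type Msg3 struct{ Confirm []byte }                    // STA -> AP: HMAC over the transcript under KCK
type Msg4 struct{ Nonce, WrappedGTK []byte }          // AP -> STA: GTK sealed with AES-GCM under KEK
type AP struct{ sign ed25519.PrivateKey; gtk []byte } // long-term raw key pair; no AS behind it
type STA struct{ whitelist []ed25519.PublicKey }     // anonymous client: no credential, only trusted AP keys

// Randomness, key generation and AEAD setup cannot fail on valid inputs; treat failure as fatal.
func must(err error)                           { if err != nil { panic(err) } }
func random(n int) []byte                      { b := make([]byte, n); _, err := rand.Read(b); must(err); return b }
func ephemeral() *ecdh.PrivateKey              { p, err := ecdh.X25519().GenerateKey(rand.Reader); must(err); return p }
func aead(kek []byte) cipher.AEAD              { b, err := aes.NewCipher(kek); must(err); a, err := cipher.NewGCM(b); must(err); return a }
func newAP() *AP                               { _, p, err := ed25519.GenerateKey(rand.Reader); must(err); return &AP{sign: p, gtk: random(16)} }
func (ap *AP) PublicKey() ed25519.PublicKey    { return ap.sign.Public().(ed25519.PublicKey) }
func newSTA(trusted ...ed25519.PublicKey) *STA { return &STA{whitelist: trusted} }

// kdf is HMAC-SHA256 over a label and the transcript (toy KDF, not the 802.11 PRF-n).
func kdf(key []byte, label string, ctx []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append([]byte(label), ctx...))
	return m.Sum(nil)
}
// transcript binds both nonces, both ephemerals and the AP key; it is signed, MACed and used as AEAD data.
func transcript(m1 Msg1, m2 Msg2) []byte {
	return bytes.Join([][]byte{m1.NonceSTA, m1.EphSTA, m2.NonceAP, m2.EphAP, m2.APKey}, nil)
}
// derive yields PMK and PTK in one step from the X25519 secret: no separate 4-Way Handshake needed.
func derive(priv *ecdh.PrivateKey, peerEph []byte, m1 Msg1, m2 Msg2) (Keys, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerEph)
	if err != nil { return Keys{}, err }
	shared, err := priv.ECDH(pub)
	if err != nil { return Keys{}, err }
	t := transcript(m1, m2)
	pmk := kdf(shared, "FILS PMK", t)
	return Keys{PMK: pmk, KCK: kdf(pmk, "KCK", t)[:16], KEK: kdf(pmk, "KEK", t)[:16], TK: kdf(pmk, "TK", t)[:16]}, nil
}

// Round trip 1. The AP signs the transcript, which carries the STA's fresh nonce: the liveness proof the client needs.
func staInit() (*ecdh.PrivateKey, Msg1) { p := ephemeral(); return p, Msg1{NonceSTA: random(32), EphSTA: p.PublicKey().Bytes()} }
func (ap *AP) handleMsg1(m1 Msg1) (*ecdh.PrivateKey, Msg2) {
	p := ephemeral()
	m2 := Msg2{NonceAP: random(32), EphAP: p.PublicKey().Bytes(), APKey: ap.PublicKey()}
	m2.Sig = ed25519.Sign(ap.sign, transcript(m1, m2))
	return p, m2
}
// Round trip 2. The STA checks the white list, then the signature, before deriving anything (the MITM case stops here).
func (sta *STA) handleMsg2(priv *ecdh.PrivateKey, m1 Msg1, m2 Msg2) (Keys, Msg3, error) {
	trusted := false
	for _, k := range sta.whitelist { trusted = trusted || bytes.Equal(k, m2.APKey) }
	if !trusted || !ed25519.Verify(ed25519.PublicKey(m2.APKey), transcript(m1, m2), m2.Sig) {
		return Keys{}, Msg3{}, fmt.Errorf("AP key not on white list or signature invalid")
	}
	k, err := derive(priv, m2.EphAP, m1, m2)
	if err != nil { return Keys{}, Msg3{}, err }
	return k, Msg3{Confirm: kdf(k.KCK, "confirm", transcript(m1, m2))}, nil
}
// The AP verifies the STA's key confirmation, then delivers the GTK under the KEK, bound to this transcript.
func (ap *AP) handleMsg3(priv *ecdh.PrivateKey, m1 Msg1, m2 Msg2, m3 Msg3) (Keys, Msg4, error) {
	k, err := derive(priv, m1.EphSTA, m1, m2)
	if err != nil { return Keys{}, Msg4{}, err }
	if !hmac.Equal(m3.Confirm, kdf(k.KCK, "confirm", transcript(m1, m2))) {
		return Keys{}, Msg4{}, fmt.Errorf("STA key confirmation failed")
	}
	iv := random(12)
	return k, Msg4{Nonce: iv, WrappedGTK: aead(k.KEK).Seal(nil, iv, ap.gtk, transcript(m1, m2))}, nil
}

// runExchange drives both round trips; returns each side's keys and the GTK the STA recovered.
func runExchange(ap *AP, sta *STA) (staKeys, apKeys Keys, gtk []byte, err error) {
	staPriv, m1 := staInit()
	apPriv, m2 := ap.handleMsg1(m1)
	staKeys, m3, err := sta.handleMsg2(staPriv, m1, m2)
	if err != nil { return }
	apKeys, m4, err := ap.handleMsg3(apPriv, m1, m2, m3)
	if err != nil { return }
	gtk, err = aead(staKeys.KEK).Open(nil, m4.Nonce, m4.WrappedGTK, transcript(m1, m2))
	return
}

func main() {
	ap := newAP()
	s, a, gtk, err := runExchange(ap, newSTA(ap.PublicKey()))
	fmt.Printf("err=%v TK agree=%v GTK=%x\n", err, bytes.Equal(s.TK, a.TK), gtk)
}
```

Two design points carry the slides' argument. The AP's signature covers the STA's nonce, so a recorded Msg2 cannot be replayed to a later client, and the white-list check runs before signature verification and before any key is derived, so an AP with an unlisted key costs the client no cryptographic work. The GTK is sealed with the transcript as associated data, which ties it to this particular pair of nonces and ephemeral keys; a GTK captured from one session does not decrypt under the keys of another.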
Slide 11: Conclusions
- Current KMP designs can replace the 12 round trip current method with 2 round trips
- TLS anonymous model has no backend cost
- Significant reduction in cryptographic operations
Thank you!