doc.: IEEE 802.11-11/1066r2 Submission July 2011 Robert Moskowitz, Verizon

Slide 1: Link Setup Flow
Date: 2011-05-10

Authors (Name | Company | Address | Phone | email):
Robert Moskowitz | Verizon | 15210 Sutherland, Oak Park, MI 48237, USA | +1-248-928-6233 | rgm@labs.htt-consult.com
Tero Kivinen | AuthenTec | Eerikinkatu 28, FI-00180, Helsinki, Finland | +358 20 500 7800 | kivinen@iki.fi
Slide 2: Abstract
This document presents an approach for accelerating the security setup for FILS. It will also provide facilities for supporting acceleration of IP addressing.
Slide 3: Agenda
Problem statement
Solution overview
Conclusions
Slide 4: Problem Statement
The majority of the packets needed for link setup are security related.
– Are there alternatives?
Security is only provided for 'known' (authenticatable) clients.
– Can we increase security deployment by supporting a 'TLS' anonymous client model?
» A number of use cases fit this model.
Setup time MAY be further extended if the Authentication Server is separate from the AP.
– Can we authenticate the AP without an AS?
Slide 5: (figure: round trips consumed by each step of the current link setup)
Probe (1 round trip)
Authentication (1 round trip)
Association (1 round trip)
EAPOL-Start (0.5 round trip)
EAP-Identity (1 round trip)
Establishing TLS tunnel for PEAP (3 round trip)
PEAP EAP-MSCHAPv2 (4 round trip)
EAP-Success / EAPOL-Success (0.5 round trip)
EAPOL-Key (2 round trip)
Figure annotations: 1/16 = 6.25%, 2/16 = 12.5%, 11/16 = 68.75%, 2/16 = 12.5%
Most of message exchanges are consumed for Authentication and Association.
Slide 6: Solution Overview
Providing a 'TLS' anonymous client model
– AP does not know 'who' the client is, but knows that it is always communicating with a given client
AP does not authenticate client; relies on client to protect from MITM attack
No AS needed by AP.
Client validates AP via X.509 or raw Public Key 'white list'.
No AS needed by client.
– AP and client only parties in a Key Management Protocol
Slide 7: Solution Overview
Providing an authenticated client model
– AP does need to know 'who' the client is
Client presents credentials to AP
– X.509 cert validated by AP or via OCSP
» No AS needed by AP (well maybe OCSP)
– Limited choices that are 'fast'
Client validates AP via X.509 or raw Public Key 'white list'. No AS needed by client.
– Full cert validation after connection
– May be hard to provide 'fast' solution or 'not so fast'
Slide 8: Solution Overview
Use AUTHENTICATE frames to support Key Management
– Use a well-architected 2-party KMP between the AP and client
Must have security integrity proofs
Provide AP authentication to client
– Eg with X.509 cert
Provide nonce exchange and generate both a PMK and PTK and transmit GTK
– No 4-Way-Handshake needed
HIP or IKEv2
Slide 9: Protocol Sequence to Establish a Connection to the Internet by using Authentication and Association frames
(figure: STA, AP and optional Auth server; Probe, then Authentication carrying HIP or IKEv2 (4 packets), with optional AS or OCSP access)
Slide 10: Solution Overview
HIP or IKEv2
– Cryptographic and liveness proofs of Identities
Supports anonymous Identities
– Ephemeral 'raw' Public Key
– Authenticated delivery of X.509 certs, uni- or bi-directional
– Support for additional client authentication: EAP, SAE, other
– Full nonce exchange for generation of PMK and PTK
– Secure transport of GTK
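Slides 8 and 10 describe the two-party exchange only in outline. The following is an added illustration, not code from the presentation nor an implementation of HIP or IKEv2: a stdlib-only Python model of the four AUTHENTICATE-frame payloads in which the anonymous STA uses an ephemeral raw DH key, the AP is authenticated by checking its raw public key against the client's white list and confirming the DH-derived key (an assumed simplification standing in for a HIP/IKEv2 signature), both nonces feed PMK and then PTK derivation, and the GTK rides wrapped in the fourth packet. The DH modulus, the key labels and the PTK split are assumptions of this example.

```python
import hmac, hashlib, secrets

# Demo DH group: the 1024-bit MODP modulus as transcribed from RFC 2409, an assumption of this example chosen only to stay stdlib-only; real deployments use a vetted group or ECDH.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22"
        "514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6"
        "F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():                      # raw DH key pair: (private exponent, public value)
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def hkdf(ikm, info, n):             # HKDF-SHA256 with a zero salt
    prk = hmac.new(b"\0" * 32, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest(); out += t; i += 1
    return out[:n]

def derive(shared, n_sta, n_ap):    # DH secret + both nonces -> PMK, then PTK = KCK | KEK | TK
    pmk = hkdf(shared.to_bytes(128, "big"), b"PMK" + n_sta + n_ap, 32)
    ptk = hkdf(pmk, b"PTK" + n_sta + n_ap, 48)
    return pmk, ptk[:16], ptk[16:32], ptk[32:]
def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
def check(ok, msg):
    if not ok: raise ValueError(msg)

def link_setup(ap_priv, ap_pub, whitelist):   # returns (sta_tk, ap_tk, gtk_sent, gtk_received)
    # Packet 1, STA -> AP: ephemeral (anonymous) raw public key and nonce
    sta_priv, sta_pub = keypair(); n_sta = secrets.token_bytes(32)
    # Packet 2, AP -> STA: AP raw public key, nonce and key-confirmation MAC over the transcript
    n_ap = secrets.token_bytes(32)
    _, ap_kck, ap_kek, ap_tk = derive(pow(sta_pub, ap_priv, P), n_sta, n_ap)
    transcript = sta_pub.to_bytes(128, "big") + n_sta + ap_pub.to_bytes(128, "big") + n_ap
    mac_ap = mac(ap_kck, b"AP", transcript)
    # STA checks the AP key against its raw public key white list, then the MAC (AP authentication)
    check(ap_pub in whitelist, "AP raw public key not on white list")
    _, sta_kck, sta_kek, sta_tk = derive(pow(ap_pub, sta_priv, P), n_sta, n_ap)
    check(hmac.compare_digest(mac_ap, mac(sta_kck, b"AP", transcript)), "AP key confirmation failed")
    # Packet 3, STA -> AP: STA key confirmation (liveness proof for the anonymous client)
    mac_sta = mac(sta_kck, b"STA", transcript)
    check(hmac.compare_digest(mac_sta, mac(ap_kck, b"STA", transcript)), "STA key confirmation failed")
    # Packet 4, AP -> STA: GTK wrapped under KEK (keystream XOR, then MAC); no 4-Way Handshake
    gtk = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(gtk, hkdf(ap_kek, b"GTK" + n_ap, 16)))
    check(hmac.compare_digest(mac(ap_kck, b"GTK", ct), mac(sta_kck, b"GTK", ct)), "GTK tag mismatch")
    gtk_rx = bytes(a ^ b for a, b in zip(ct, hkdf(sta_kek, b"GTK" + n_ap, 16)))
    return sta_tk, ap_tk, gtk, gtk_rx
```

A rogue AP whose raw key is not on the white list is rejected at packet 2, before any key confirmation, which is the point of the client-side white list on slides 6 and 7.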
Slide 11: Solution Overview
IKEv2 specific
– Supports EAP tunneling
– OCSP proxy by AP for client
– IP address assignment
– Limited 'raw' key support: RSA supported, ECDSA not
Anonymous client thus needs just a little work
Slide 12: Solution Overview
HIP specific
– Anonymity explicit in design: HITs
– EAP an Internet Draft
– CERT RFC does not include OCSP proxy
– Needs IP address parameters
Slide 13: Conclusions
Current KMP designs can replace 12 round trip current method with 2 round trips
– TLS anonymous model has no backend cost
– Significant reduction in cryptographic operations
Thank you!