Doc.: IEEE 802.11-05/0651r0, Submission, July 2005. Philip MacKenzie, DoCoMo USA Labs. PSA and PSA-D (slide transcript)


Slide 1: PSA and PSA-D

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at http://

Date: July 2005
Authors: Philip MacKenzie, DoCoMo USA Labs

Slide 2: Abstract

We believe one of the goals of this group is to protect security associations, and that this requires a more holistic approach than simply protecting individual management frames. PSA (Protecting Security Associations) and PSA-D (PSA with Defense queries) are two preliminary and incomplete proposals for 802.11w. PSA deals with the problem of rogue stations perpetrating DoS attacks. PSA-D further deals with the problem of hanging sessions caused by PSA.

Slide 3: Outline

PSA: Protection against rogue stations (2 DoS attacks)
–AP protocol changes
–STA protocol changes

PSA-D: Protection against rogue stations + the hanging-session deadlock issue
–AP protocol changes
–STA protocol changes

What is not covered in this presentation
–Other management frames: Action, ATIM, etc.
–Group keys
–Confidentiality
–Negotiation of protection
–etc.

Slide 4: PSA

Problems addressed
–Rogue stations (2 DoS attacks)

Changes to the protocol
–Add a MIC to Deauthentication, Disassociation, and Reassociation frames
–Other miscellaneous changes

Assumes Reassociation frames are allowed in State 3; otherwise Reassociation just mimics Association frames.

Slide 5: Problems: Rogue stations

[Diagram: a STA is associated with the AP and holds a PTKSA. Two attacks by a rogue station using the STA's MAC address:
–DoS attack 1: the rogue sends a Disassociation or Deauthentication frame; the AP tears down the association and deletes the PTKSA.
–DoS attack 2: the rogue sends Authentication, Association or Reassociation frames; the AP moves the (spoofed) STA to Associated, informs the DS (MAC address mapping) and deletes the existing PTKSA.]

Slide 6: PSA: AP protocol

Management frame: Authentication (Open / .11r)
  Current AP protocol: Do authentication. If a PTKSA exists, delete it.
  PSA AP protocol: If a (.11w-protected) PTKSA exists, ignore the frame. Else do authentication.

Management frame: Association
  Current AP protocol: If in State 1, send Deauthentication and quit. Else move to State 3 and inform the DS; if a PTKSA exists, delete it.
  PSA AP protocol: If in State 1, send Deauthentication and quit. Else if a PTKSA exists, ignore the frame. Else move to State 3; inform the DS only when the PTKSA is established (after the 4-way handshake).

Management frame: Reassociation (.11i)
  Current AP protocol: Move to State 3 and inform the DS. If a PTKSA exists, delete it.
  PSA AP protocol: If in State 1, send Deauthentication and quit. Else if a PTKSA exists, verify the MIC and reject the frame if invalid (status code 11). Move to State 3; inform the DS only when the PTKSA is established (after the 4-way handshake).

Management frame: Reassociation (.11r)
  Current AP protocol: Already protected.
  PSA AP protocol: Same as .11r.

Management frame: Disassociation
  Current AP protocol: If in State 3, move to State 2. If a PTKSA exists, delete it. Inform the DS.
  PSA AP protocol: If a PTKSA exists, verify the MIC and ignore the frame if invalid. If in State 3, move to State 2 (do not inform the DS).

Management frame: Deauthentication
  Current AP protocol: If in State 2 or 3, move to State 1. If a PTKSA exists, delete it.
  PSA AP protocol: If a PTKSA exists, verify the MIC and ignore the frame if invalid. Move to State 1 (do not inform the DS).

Note

Slide 7: PSA: STA protocol

To send Deauthentication, Disassociation, and Reassociation (.11i) messages
–If the STA has a PTKSA, include a MIC

When receiving Deauthentication and Disassociation
–Same as the AP

Slide 8: PSA-D

Problems addressed
–Rogue stations (2 DoS attacks)
–Hanging sessions

Changes to PSA
–Remove the MIC from Deauthentication and Disassociation frames
–Allow the STA to defend its PTKSA using a new Defense frame

Slide 9: Problem: Hanging session (reboot)

PSA protects all management frames with MICs based on the PTKSA.

[Diagram: a STA associated with a PTKSA reboots and loses its keys. Its Authentication is denied (the AP ignores it while a PTKSA exists). Its Disassociation is denied (no valid MIC). The result is a hanging association with a PTKSA at the AP: a DoS issue.]

Slide 10: PSA-D: AP protocol

Management frame: Disassociation
  PSA AP protocol: If a PTKSA exists, verify the MIC and quit if invalid. If in State 3, move to State 2 (do not inform the DS).
  PSA-D AP protocol: If a PTKSA exists, send a Defense query with a nonce, set the Disassoc timeout, and quit. Otherwise, if in State 3, move to State 2 (do not inform the DS).

Management frame: Deauthentication
  PSA AP protocol: If a PTKSA exists, verify the MIC and quit if invalid. Move to State 1 (do not inform the DS).
  PSA-D AP protocol: If a PTKSA exists, send a Defense query with a nonce, set the Deauth timeout, and quit. Otherwise move to State 1 (do not inform the DS).

Management frame: Defense (PSA-D only)
  PSA-D AP protocol: Verify the nonce and MIC. If valid, cancel the Deauth/Disassoc timeout.

Timers (PSA-D AP protocol)
  Disassoc timeout: If in State 3, move to State 2.
  Deauth timeout: Move to State 1.

Slide 11: PSA-D: STA protocol

On Deauthentication and Disassociation
–Same as the AP

On Auth Defense query
–If a PTKSA exists, send an Auth Defense Assertion

On Assoc Defense query
–If a PTKSA exists, send an Assoc Defense Assertion

On timeout (no response) after an Authentication Request
–Could be because of a PTKSA at the AP, so send Deauthentication

On timeout (no response) after an Association Request
–Could be because of a PTKSA at the AP, so send Disassociation

Slide 12: PSA-D: AP protocol details

On Deauthentication:
–If the Deauth timeout is already set, do not reset it

On Disassociation:
–If the Disassoc timeout is already set, do not reset it
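As an added example (not code from the submission or from DoCoMo USA Labs), the following Python model walks an AP-side state machine through the rules of slides 6 to 12 in three modes: the current 802.11i handling, PSA, and PSA-D. It then replays the two DoS attacks of slide 5 and the reboot scenario of slides 9 and 11 against each mode. Everything beyond the slide rules is assumed for illustration: the MIC is an HMAC-SHA256 over the frame kind and STA address keyed with the PTK and truncated to 8 bytes; the Defense assertion is the same MIC over the query nonce; the PTKSA is dropped whenever the AP falls back to State 1; the STA address and PTK are constructed constants; timers are driven by calling timeout() rather than by a clock. Replay and delay protection (slide 13, item 190) is not modelled.

```python
import hashlib
import hmac
import os

STA_MAC = b"\x02\x00\x00\x00\x00\x01"   # constructed STA address (assumption)

def mic(ptk, *parts):
    """Toy MIC (assumption): HMAC-SHA256 keyed with the PTK, truncated to 8 bytes."""
    return hmac.new(ptk, b"".join(parts), hashlib.sha256).digest()[:8]

class AP:
    def __init__(self, mode):           # 'current' (802.11i), 'psa' or 'psad'
        assert mode in ("current", "psa", "psad")
        self.mode, self.state, self.ptk = mode, 1, None
        self.pending = {}               # PSA-D: teardown kind -> nonce awaiting a Defense

    def _to_state(self, new):
        self.state = new
        if new == 1:
            self.ptk = None             # assumption: falling back to State 1 drops the PTKSA

    def rx_authentication(self):
        if self.mode != "current" and self.ptk:
            return "ignored"            # PSA: a live PTKSA blocks a fresh authentication
        if self.mode == "current":
            self.ptk = None             # 802.11i deletes the PTKSA -> DoS attack 2
        self._to_state(max(self.state, 2))
        return "authenticated"

    def rx_association(self):
        if self.state == 1:
            return "deauth-sent"        # class 3 frame in State 1
        if self.mode != "current" and self.ptk:
            return "ignored"
        if self.mode == "current":
            self.ptk = None             # 802.11i deletes the PTKSA and informs the DS now
        self._to_state(3)
        return "associated"             # PSA informs the DS only after the 4-way handshake

    def four_way_handshake(self, ptk):
        self.ptk = ptk                  # PTKSA established; PSA/PSA-D inform the DS here

    def rx_teardown(self, kind, tag=b""):
        """kind is 'deauth' or 'disassoc'; tag is the sender's MIC (b'' if unprotected)."""
        target = 1 if kind == "deauth" else 2 if self.state == 3 else self.state
        if self.ptk and self.mode == "psa":
            if not hmac.compare_digest(tag, mic(self.ptk, kind.encode(), STA_MAC)):
                return "ignored"        # forged or unprotected teardown is dropped
        elif self.ptk and self.mode == "psad":
            if kind in self.pending:
                return "query-pending"  # slide 12: a running timeout is not reset
            self.pending[kind] = os.urandom(8)
            return "defense-query", self.pending[kind]
        self._to_state(target)
        return kind

    def rx_defense(self, kind, tag):
        nonce = self.pending.get(kind)
        if nonce and hmac.compare_digest(tag, mic(self.ptk, b"defense", nonce)):
            del self.pending[kind]      # the PTKSA owner defended it: cancel the timeout
            return "defended"
        return "ignored"

    def timeout(self, kind):
        if self.pending.pop(kind, None) is not None:   # timer fired without a Defense
            self._to_state(1 if kind == "deauth" else 2 if self.state == 3 else self.state)

def associated_ap(mode, ptk=b"\x11" * 16):   # STA in State 3 with a constructed PTK
    ap = AP(mode)
    ap.rx_authentication(); ap.rx_association(); ap.four_way_handshake(ptk)
    return ap

def forged_deauth(mode):
    """DoS attack 1: rogue sends Deauthentication with the STA's address and a bogus MIC."""
    ap = associated_ap(mode)
    r = ap.rx_teardown("deauth", tag=os.urandom(8))
    if isinstance(r, tuple):            # PSA-D: the real STA still holds the PTK and answers
        ap.rx_defense("deauth", mic(ap.ptk, b"defense", r[1]))
    return ap.state, ap.ptk is not None

def forged_association(mode):
    """DoS attack 2: rogue replays Authentication + Association with the STA's address."""
    ap = associated_ap(mode)
    ap.rx_authentication(); ap.rx_association()
    return ap.state, ap.ptk is not None

def rebooted_sta(mode):
    """Slides 9 and 11: STA reboots, loses its PTK, and tries to come back."""
    ap = associated_ap(mode)
    if ap.rx_authentication() == "authenticated":
        return "recovered"
    r = ap.rx_teardown("deauth")        # slide 11: no Authentication response -> send Deauth
    if isinstance(r, tuple):
        ap.timeout("deauth")            # nobody holds the PTK, so no Defense arrives
    return "recovered" if ap.rx_authentication() == "authenticated" else "hanging"

if __name__ == "__main__":
    for m in ("current", "psa", "psad"):
        print(m, forged_deauth(m), forged_association(m), rebooted_sta(m))
```

Running the three scenarios shows the trade-off the slides describe: under the current rules both forged frames destroy the PTKSA; under PSA they are ignored, but the rebooted STA is stuck ("hanging") because it can neither authenticate nor send a MIC-bearing Deauthentication; under PSA-D the unprotected Deauthentication only starts a Defense query, and the PTKSA survives exactly when its owner can still answer within the timeout. PSA-D therefore turns the DoS into a liveness check on the PTKSA holder, and a STA that cannot deliver its Defense assertion in time loses its association just as under the current rules.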

Slide 13: Requirements

100 Forgery: Yes
110 Confidentiality: No (not dealing with Action frames yet)
120 Backwards compatibility: Yes – nothing changes at the AP unless 802.11w was already negotiated
130 Negotiation: No negotiation yet
140 Compatibility: Yes – no change to key hierarchies (just use the PTK)
150 Uni/Broad/Multicast: No multicast or broadcast yet
160 Selected deployment: Not considered
170 Protection only after keys established: Yes
180 Regulatory: ?
190 Delay protection: ?

Slide 14: References

–ads-which-management-frames-need-protection.ppt
–ads-session-mac-address-solves-deadlocks.ppt
–ads-management-frame-protection.ppt
–ads-requirements-management-frames-protection-schemes.ppt
–ads-simple-80211i-extension.ppt
–ads-protectionmanagementframes-protocolrequirements.ppt
–ads-PMF-Requirements.ppt
–ads-requirements-management-protection.doc

Slide 15: Miscellaneous Notes

Slide 16: Review: state diagram

State 1: Unauthenticated, Unassociated
State 2: Authenticated, Unassociated
State 3: Authenticated, Associated (State 3 with PTKSA: IEEE 802.1X Controlled Port unblocked)

Transitions
–State 1 to State 2: successful authentication
–State 2 to State 3: successful (re)association
–State 3 to State 2: Disassociation notification
–State 2 or 3 to State 1: Deauthentication notification

Slide 17: Notes: Other solutions to hanging sessions

Shadow states
–When a STA is associated, allow 3 shadow states for a STA trying to authenticate/associate. If the shadow succeeds, it becomes the real state.

Session MACs (Edney, Stevens)
–Allow the STA to use a different MAC address.

