
Doc.: IEEE 802.11-09/1012r0, Submission, September 2009, Dan Harkins, Aruba Networks
Suite-B Compliance for a Mesh Network
Date: 2009-09-15
Authors:


Slide 2: Abstract
This document describes the changes necessary to the 802.11s Draft to support suite B compliance.

Slide 3: What is suite B?
A specification of cryptographic building blocks used to construct a secure system:
– Key exchange using elliptic curve Diffie-Hellman (ECDH)
– Authentication using elliptic curve Digital Signature Algorithm (ECDSA)
– Hashing with SHA-256 or greater
– Use of approved elliptic curves (over a prime field of at least 256 bits)
– AES-GCM for bulk data protection
A revised set of requirements (on top of FIPS) by NSA and the US government to sell product to protect data with a certain classification level.

Slide 4: suite B support in 11s
SAE implements an ECDH-like exchange using approved elliptic curves and specifies SHA-256, but…
– Authentication is not ECDSA
– The keys are still used with AES-CCM
Today an 11s implementation would not meet suite B requirements and cannot be sold into certain markets.
We could do a bit more work to rectify this:
– Propose a new authentication protocol using ECDH and ECDSA, with SHA-256, that can support approved elliptic curves
– Define use of AES-GCM for 11s (that might be a lightning rod for negative comments in the next ballot, or maybe not)

Slide 5: A suite B-compliant Authentication Protocol for 11s
Use action frames to request and obtain a peer's certificate.
Use authentication frames to perform a peer-to-peer protocol which does an ECDH exchange and ECDSA to authenticate.
Leverage lots from SAE:
– The state machine will be almost identical
– A new AKM in beacons indicates support for the exchange
– Use the same mechanism for negotiating the elliptic curve
– The result of the exchange is an authenticated PMK, just like SAE, that is input to APE to establish a secure peering.

Slide 6: A suite B-compliant Authentication Protocol for 11s
Mesh Point A, identified by ID-A:
1. Choose random a less than order of group, nonce Na
2. Compute element A = a*G
Mesh Point B, identified by ID-B:
1. Choose random b less than order of group, nonce Nb
2. Compute element B = b*G
A -> B: Na, A
B -> A: Nb, B
A -> B: Sign {Na | Nb | A | B | ID-A | ID-B}
B -> A: Sign {Nb | Na | B | A | ID-B | ID-A}
Session ID = MAX(Na, Nb) | MIN(Na, Nb)
Shared Secret = a * b * G

Slide 7: Straw Polls
Ability to sell product into government markets using sensitive data is important
– Yes: 5
– No: 0
– Don't Care: 2
We should add another authentication protocol to the Draft to support suite-b for this purpose
– Yes: 1
– No: 0
– Don't Care: 0
– Don't Know: 7

Slide 8: References

