doc.: IEEE 802.11-10/0361r0  Submission  March 2010  Hiroki Nakano, Trans New Technology, Inc.

Slide 1  Fast Initial Authentication
Date: 2010-03-16

Authors:
Name             Company                     Address                                                                        Phone            Email
Hiroki NAKANO    Trans New Technology, Inc.  Sumitomo-Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho, Shimogyo-ku, Kyoto 600-8492 JAPAN   +81-75-213-1200  cas.nakano@gmail.com, cas@trans-nt.com
Hitoshi MORIOKA  ROOT Inc.                   #33 Ito Bldg. 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN                  +81-92-771-7630  hmorioka@root-hq.com
Hiroshi MANO     ROOT Inc.                   8F TOC2 Bldg. 7-21-11 Nishi-Gotanda, Shinagawa-ku, Tokyo 141-0031 JAPAN        +81-3-5719-7630  hmano@root-hq.com

Slide 2  The purpose of this presentation
“Fast Initial Authentication” and the other preparation steps require cooperation among all layers, including IEEE 802.11, IP, etc. We focus on the IEEE 802.11 procedure that sets up the communication channel between an AP and a non-AP STA. This presentation introduces some ideas for making that procedure faster, in order to show their technical feasibility and to help you consider starting an official discussion about “Fast Initial Authentication” in the 802.11 WG.

Slide 3  Why “Fast Initial Authentication?”
We should prepare for “Fast Initial Authentication” because of:
1. Users moving through an AP's cell at HIGH VELOCITY
2. A HUGE NUMBER of users within reach of each AP
3. A very SMALL CELL for each AP
See IEEE 802.11-10/0286r0 and come to the tutorial session for more detail.

Slide 4  Quick content updates and push services
– You can receive new messages and location data while just passing through an AP's coverage.
– You do not have to stop many times, as in a serious landing operation.
– A service provider can distribute handbills without stopping the customer in their tracks.
– Pop e-mail
Figure: Location (new location and presence), Messages (updated tweets and messages), Handbill (get new handbills). No need to stop! Just pass through!

Slide 5  Who consumes time for authentication and setting up the channel?
– AP Discovery (802.11?)
– Association (802.11)
– Authentication (802.11, 802.1X)
– DHCP (IPv4), RA (IPv6)
– ARP (IPv4), NDP (IPv6)
– Protocols on upper layers: Mobile IPv4/6, DNS, VPN, HTTP, …

Slide 6  An Example of Packet Exchange
Figure: message sequence among STA, AP, RADIUS Server and Home Agent (reconstructed from the diagram labels, in the order of the 802.11-2007 state machine):
 1. AP → STA: Beacon
 2. STA → AP: Probe Request
 3. AP → STA: Probe Response
 4. STA ↔ AP: Open System Authentication
 5. STA → AP: Association Request
 6. AP → STA: Association Accept
 7. STA → AP: EAPOL-Start
 8. AP → STA: EAP-Request/Identity
 9. STA → AP: EAP-Response/Identity; AP → RADIUS: RADIUS-Access-Request/Identity
10. RADIUS → AP: RADIUS-Access-Challenge/TLS-Start; AP → STA: EAP-Request/TLS-Start
11. STA → AP: EAP-Response/TLS client hello; AP → RADIUS: RADIUS-Access-Request/Pass Through
12. RADIUS → AP: RADIUS-Access-Challenge/Server Certificate; AP → STA: EAP-Request/Pass Through
13. STA → AP: EAP-Response/Client Certificate; AP → RADIUS: RADIUS-Access-Request/Pass Through
14. RADIUS → AP: RADIUS-Access-Challenge/Encryption Type; AP → STA: EAP-Request/Pass Through
15. STA → AP: EAP-Response; AP → RADIUS: RADIUS-Access-Request
16. RADIUS → AP: RADIUS-Access-Accept; AP → STA: EAP-Success
17. AP ↔ STA: EAP-Key
18. STA → AP: DHCP Discover; AP → STA: DHCP Offer; STA → AP: DHCP Request; AP → STA: DHCP Ack
19. STA → AP: Mobile IPv4 Registration Request; AP → Home Agent: Mobile IPv4 Registration Request
20. Home Agent → AP: Mobile IPv4 Registration Reply; AP → STA: Mobile IPv4 Registration Reply

Slide 7  Challenge: the minimum procedure
We spend too many packets piling up the layers. Can we reduce the number of packets needed for initial setup? The least possible procedure is a single round trip. Can we achieve that? Let's think about IEEE 802.11 first.

Slide 8  Assumed Goal
– Employ just a SINGLE round-trip exchange of frames: STA to AP, then AP to STA.
– Do everything needed to start the user's data exchange: Association, Authentication, Key Exchange.
– No direct contract between AP and non-AP STA: an ‘Authentication Server’ mediates between AP and non-AP STA, for separation of service providers from the AP infrastructure.
– Possibly compatible with the existing 802.11 framework: old STAs can still operate alongside.

Slide 9  Ideas?
1. Omit the pre-RSNA authentication process
2. Piggyback authentication information onto Association Request/Response
3. Piggyback upper-layer information onto Association Request/Response

Slide 10  Idea 1: Omit the Pre-RSNA Auth. Process
We always use “Open System” authentication in the pre-RSNA framework.
– Is anyone still using Shared Key authentication?
“Open System authentication is a null authentication algorithm. Any STA requesting Open System authentication may be authenticated.” (Quoted from 802.11-2007, section 8.2.2.2)
Nevertheless, it costs ONE round-trip time to do that! The standard should be changed to allow the Association process to run without the Open System authentication exchange.
– Does any problem occur?

Slide 11  Reason for the existence of Open System auth.
“NOTE 3—IEEE 802.11 Open System authentication provides no security, but is included to maintain backward compatibility with the IEEE 802.11 state machine (see 11.3).” (Quoted from 802.11-2007, section 8.4.1.2.1 b))

Slide 12  802.11-2007 Figure 11-6
Figure: Figure 11-6 of 802.11-2007, relationship between state variables and services.

Slide 13  Modified Figure?
Figure: the state diagram with an added transition, “Successful Association by new protocol”.

Slide 14  Backward Compatibility
                                 | Old AP not supporting FastAKM                                                   | New AP supporting FastAKM
Old STA not supporting FastAKM   | N.P.                                                                            | Old STA begins to talk in the old protocol and the new AP answers in the old protocol.
New STA supporting FastAKM       | New STA tries the new protocol but the old AP does not accept it; the new STA then falls back to the old protocol. | N.P.
Caveat: the fallback in the lower-left cell is a downgrade path. If the new STA cannot distinguish a genuine rejection by an old AP from a forged one (compare Attack 6 on slide 31), an attacker can push it onto the old, slower protocol.

Slide 15  Idea 2: Piggyback Auth. Info. onto Association Request/Response
Can “Mutual Authentication” be done in just ONE round trip of Association Request/Response?
– “Single round-trip authentication” is a common problem.
Figure: STA, AP and Authentication Server. Beacon, (Probe Request), (Probe Response), Authentication (Open System), then Association Request → AP → Access Request to the Authentication Server → Access Response → Association Response (Accept).

Slide 16  Supposed Service Model
Figure: supposed service model (no text on the slide).

Slide 17  Relations in the Real World
User ↔ Service Provider: Contract to provide wireless access via the AP infrastructure. They share information to identify each other properly, e.g. username, password, digital certificate, etc.
AP infrastructure ↔ Service Provider: Contract to provide wireless access to users specified by the Authentication Server (i.e. the Service Provider). They set up a secure communication channel to exchange information about users.

Slide 18  Cryptographic Keys
Figure: USER-KEY (shared between the user's STA and the Authentication Server) and AP-KEY (shared between the AP and the Authentication Server), both set up in advance by contract.

Slide 19  Relations in the Computer Network
Figure: a secure channel between AP and Authentication Server, protected by the cryptographic key set up in advance; from the STA, an encrypted bundle including the following: User ID, Key. How can we exchange keys safely?

Slide 20  Step 1: Make a Key on the Non-AP STA
The STA generates TMP-KEY from a random number generator. Since TMP-KEY becomes the session key, the generator has to be a cryptographically secure one.

Slide 21  Step 2: Send the Encrypted Bundle toward the AP
The bundle, encrypted with USER-KEY, includes the following: User's ID, TMP-KEY, Auth. Server Selector. The Auth. Server Selector has to be readable by the AP (see Step 3), so it travels alongside the bundle rather than inside the encrypted part.

Slide 22  Step 3: AP Forwards the Data to the Auth Server
The AP reads the Auth. Server Selector and selects the Auth. Server. The AP does not see the data inside the bundle, because it is encrypted with USER-KEY, of which the AP has no knowledge.

Slide 23  Step 4: Auth Server Sends Back to the AP
The Auth. Server decrypts the bundle and sends TMP-KEY back to the AP. Remember that there is a secure channel protected by AP-KEY.

Slide 24  Final Step: AP Acknowledges to the STA
The AP sends an acknowledgement and additional information, encrypted with TMP-KEY. Now both share TMP-KEY!
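The five steps above (slides 20 to 24), simulated end to end in Python with all three parties in one process. This is an added example written for this page, not code from the presentation or its authors. The bundle layout (a one-byte length, the user ID, then the 32-byte TMP-KEY), the names STA/AP/AuthServer, the selector string and the toy encrypt-then-MAC construction built from HMAC-SHA256 are assumptions; a real design would use a standard AEAD. Because slide 21 puts the user ID inside the encrypted bundle, the server here finds the USER-KEY by trial decryption, which is another assumption.

```python
"""Simulation of the FastAKM single round-trip key exchange (slides 20-24)."""
import hashlib
import hmac
import secrets
import struct


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one shared key.
    return hashlib.sha256(label + key).digest()


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; deterministic for a given (key, nonce).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext, aad=b""):
    """Toy authenticated encryption (encrypt-then-MAC); stands in for a real AEAD."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    if len(blob) < 48:
        raise ValueError("authentication failed")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class AuthServer:
    """Holds USER-KEYs (contracts with users) and AP-KEYs (contracts with AP operators)."""
    def __init__(self, user_keys, ap_keys):
        self.user_keys, self.ap_keys = user_keys, ap_keys

    def access_request(self, ap_id, selector, protected_bundle):
        ap_key = self.ap_keys.get(ap_id)
        if ap_key is None:                       # Attack 2: a fake AP has no AP-KEY
            raise PermissionError("no secure channel with this AP")
        bundle = open_(ap_key, protected_bundle)  # Step 3: AP-KEY channel
        for uid, user_key in self.user_keys.items():   # trial decryption (assumption)
            try:
                plain = open_(user_key, bundle, aad=selector)
            except ValueError:
                continue
            n = plain[0]
            if plain[1:1 + n] == uid:
                return seal(ap_key, plain[1 + n:])      # Step 4: TMP-KEY back over AP-KEY
        raise PermissionError("no USER-KEY shared")     # Attack 1: a fake STA


class AP:
    def __init__(self, ap_id, ap_keys, servers):
        self.ap_id, self.ap_keys, self.servers, self.sessions = ap_id, ap_keys, servers, {}

    def association_request(self, sta_mac, selector, bundle):
        server, ap_key = self.servers[selector], self.ap_keys[selector]   # Step 3: pick server
        reply = server.access_request(self.ap_id, selector, seal(ap_key, bundle))
        tmp_key = open_(ap_key, reply)
        self.sessions[sta_mac] = tmp_key
        # Final step: the Association Response is protected with TMP-KEY and may carry
        # upper-layer configuration (Idea 3). Address below is a constructed sample.
        return seal(tmp_key, b"ACCEPT ip=192.0.2.10/24")


class STA:
    def __init__(self, mac, uid, user_key):
        self.mac, self.uid, self.user_key, self.tmp_key = mac, uid, user_key, None

    def association_request(self, selector):
        self.tmp_key = secrets.token_bytes(32)          # Step 1: CSPRNG-generated TMP-KEY
        body = bytes([len(self.uid)]) + self.uid + self.tmp_key
        return selector, seal(self.user_key, body, aad=selector)   # Step 2: USER-KEY bundle

    def association_response(self, response):
        return open_(self.tmp_key, response)            # only a holder of TMP-KEY can produce this


USER_KEY, AP_KEY, SELECTOR = secrets.token_bytes(32), secrets.token_bytes(32), b"sp.example"


def _deploy():
    server = AuthServer({b"alice": USER_KEY}, {b"ap-1": AP_KEY})
    return server, AP(b"ap-1", {SELECTOR: AP_KEY}, {SELECTOR: server})


def run_protocol():
    """Honest run: returns the decrypted acknowledgement and whether both sides hold TMP-KEY."""
    _, ap = _deploy()
    sta = STA(b"00:11:22:33:44:55", b"alice", USER_KEY)        # constructed MAC
    ack = sta.association_response(ap.association_request(sta.mac, *sta.association_request(SELECTOR)))
    return ack, sta.tmp_key == ap.sessions[sta.mac]


def run_fake_sta():
    """Attack 1: STA claims to be alice but holds no USER-KEY. True if rejected."""
    _, ap = _deploy()
    fake = STA(b"66:77:88:99:aa:bb", b"alice", secrets.token_bytes(32))
    try:
        ap.association_request(fake.mac, *fake.association_request(SELECTOR))
        return False
    except PermissionError:
        return True


def run_fake_ap():
    """Attack 2: AP with no AP-KEY contract relays the bundle. True if rejected."""
    server, _ = _deploy()
    rogue = AP(b"rogue", {SELECTOR: secrets.token_bytes(32)}, {SELECTOR: server})
    sta = STA(b"00:11:22:33:44:55", b"alice", USER_KEY)
    try:
        rogue.association_request(sta.mac, *sta.association_request(SELECTOR))
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(run_protocol(), run_fake_sta(), run_fake_ap())
```

Two properties are worth noting when reading the run. The selector is bound into the bundle as associated data, so an attacker cannot redirect a captured bundle to a different Auth. Server. And because TMP-KEY travels encrypted under the long-term USER-KEY, the exchange has no forward secrecy: whoever later learns USER-KEY can recover TMP-KEY from a captured bundle and decrypt the session.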

Slide 25  After Exchanging the Key…
Normal communication encrypted with TMP-KEY.

Slide 26  Attack 1: Fake STA
The bundle reaches the Auth. Server, but no USER-KEY is shared with the fake STA, so the Auth. Server cannot extract data from the bundle.

Slide 27  Attack 2: Fake AP
There is no secure channel, because no cryptographic key (AP-KEY) is shared with the fake AP, so it cannot send anything to the Auth. Server.

Slide 28  Attack 3: Fake AP and Fake Auth Server
The bundle reaches the fake Auth. Server, but no USER-KEY is shared with it, so it cannot extract data from the bundle.

Slide 29  Attack 4: Man in the Middle between AP and STA
Normal communication is encrypted with TMP-KEY. The man in the middle cannot obtain TMP-KEY: it only ever travels inside the USER-KEY-encrypted bundle and over the AP-KEY-protected channel… ? ?

Slide 30  Attack 5: DoS by Auth Requests
Numerous Auth Requests. Each bogus bundle costs the AP a forwarding round trip to the Auth. Server before it can be rejected, since the AP itself cannot check the bundle.

Slide 31  Attack 6: DoS by Fake “Auth Failed”
An attacker injects fake “Auth Failed” messages toward the STA, while the genuine acknowledgement and additional information (encrypted with TMP-KEY) is still on its way. ? A failure message is not protected by TMP-KEY, so the open question is how the STA tells a forged failure from a real one.

Slide 32  Someone between AP and STA
Figure: normal communication encrypted with TMP-KEY (the same situation as slide 29).

Slide 33  Idea 3: Piggyback Upper-layer Information onto Association Request/Response
Association Request/Response can be opened to upper layers so that they can bring back their information, such as IP address, netmask, etc. IEEE 802.11 can provide the framework for this.
Figure: the same exchange as on slide 15, with the Association Response (Accept) carrying the upper-layer network configuration.

Slide 34  Differences from 802.11-2007
– Additional state transition to skip Open System Auth.: Figure 11-6—Relationship between state variables and services
– A few additional elements in Table 7-26 Element IDs: Authentication Server Selector (240, temporary), Bundle for User Information (241, temporary), Upper-layer data
– RSN with the key obtained by the new FastAKM framework: 7.3.2.25 RSN information element (for Beacon and Probe Response); both Group and Pairwise Cipher Suites are set to CCMP; the AKM Suite is set to the brand-new one!
– Define a new AKM Suite (00-d0-14-01 is used temporarily); assign it officially in Table 7-34 AKM suite selectors in future…
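The element changes listed above, as an added example that is not part of the presentation: an encoder and parser for the two temporary elements (IDs 240 and 241) and for an RSN IE that advertises CCMP with the temporary AKM suite 00-d0-14-01. The element ID/length/body framing and the RSN IE field order (version, group cipher, pairwise count and list, AKM count and list, capabilities) follow 802.11-2007; the CCMP suite selector 00-0F-AC:4 is the standard one. The order of elements in the request, the sample selector string and bundle bytes are assumptions.

```python
"""Information elements for the FastAKM Association Request/Response (slide 34)."""
import struct

ELEM_RSN = 48
ELEM_AUTH_SERVER_SELECTOR = 240   # temporary ID from slide 34
ELEM_USER_BUNDLE = 241            # temporary ID from slide 34

CCMP = bytes.fromhex("000fac04")         # 802.11 cipher suite selector for CCMP
AKM_8021X = bytes.fromhex("000fac01")    # standard 802.1X AKM, used here for contrast
FASTAKM_AKM = bytes.fromhex("00d01401")  # temporary AKM suite selector from slide 34


def ie(elem_id, body):
    """Element ID (1 byte), length (1 byte), body (<= 255 bytes)."""
    if not 0 <= elem_id <= 255 or len(body) > 255:
        raise ValueError("element ID or body out of range")
    return bytes([elem_id, len(body)]) + body


def rsn_ie(group=CCMP, pairwise=(CCMP,), akm=(FASTAKM_AKM,), caps=0):
    body = struct.pack("<H", 1) + group                    # RSN version 1, group cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(akm)
    body += struct.pack("<H", caps)                        # RSN capabilities
    return ie(ELEM_RSN, body)


def build_association_request(selector, bundle):
    """Assumed element order: RSN IE, then the two FastAKM elements."""
    return rsn_ie() + ie(ELEM_AUTH_SERVER_SELECTOR, selector) + ie(ELEM_USER_BUNDLE, bundle)


def parse_ies(buf):
    """Walk the ID/length/body list; refuse truncated input instead of reading past it."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated IE header")
        eid, n = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + n]
        if len(body) != n:
            raise ValueError("truncated IE body")
        out.append((eid, body))
        i += 2 + n
    return out


def parse_rsn(body):
    i = 0

    def take(n):
        nonlocal i
        if i + n > len(body):
            raise ValueError("truncated RSN IE")
        chunk = body[i:i + n]
        i += n
        return chunk

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = take(4)
    pairwise = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    akm = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    caps = struct.unpack("<H", take(2))[0] if i + 2 <= len(body) else 0  # trailing fields are optional
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm, "caps": caps}


def supports_fastakm(ies):
    """True if the RSN IE offers CCMP for both suites and the FastAKM AKM suite."""
    for eid, body in ies:
        if eid == ELEM_RSN:
            rsn = parse_rsn(body)
            return rsn["group"] == CCMP and CCMP in rsn["pairwise"] and FASTAKM_AKM in rsn["akm"]
    return False


def fastakm_elements(ies):
    """Pull out the selector and bundle bodies; None for either that is absent."""
    found = {eid: body for eid, body in ies if eid in (ELEM_AUTH_SERVER_SELECTOR, ELEM_USER_BUNDLE)}
    return found.get(ELEM_AUTH_SERVER_SELECTOR), found.get(ELEM_USER_BUNDLE)


if __name__ == "__main__":
    frame = build_association_request(b"sp.example", bytes(40))   # constructed sample bytes
    parsed = parse_ies(frame)
    print(supports_fastakm(parsed), fastakm_elements(parsed)[0])
```

A receiver that does not know IDs 240 and 241 skips them by length, and an old STA that does not recognise AKM suite 00-d0-14-01 simply finds no matching AKM in the RSN IE; that is what makes the mixed old/new deployment of slide 14 work without a separate negotiation.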

Slide 35  Conclusion
Not-so-many changes enable the FastAKM framework. IEEE 802.11 can help upper layers be configured quickly. We need a place to keep up the technical discussion:
– to build and verify the authentication method
– about any effect of changing the standard
– to write down the detailed specification

Slide 36  Straw Poll
“Does WNG think that we need another place to discuss this topic?”
Yes:   No:   Don't Care:
