Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: 2013-03-21 Authors:

Published byCandace Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: 2013-03-21 Authors:"— Presentation transcript:

1 doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: 2013-03-21 Authors: NameCompanyAddressPhoneemail René StruikStruik Security Consultancy Toronto ON, CanadaUSA: +1 (415) 690-7363 Toronto: +1 (647) 867-5658 Skype: rstruik rstruik.ext@gmail.com

2 doc.: 11-13-0201-05 Submission March 21, 2013 Review Comments on 802.11ai – D0.2 Ref: 13/0036r09 (tgai-draft-review-combined-comments) CID #242 (David Goodall, 13/0016r0): Comment (8.4.2.184): An X.509v3 certificate may be longer than 253 bytes and therefore requires fragmentation across multiple elements. A certificate chain may require additional fragmentation. Proposed change: 11ai will need to provide a mechanism for fragmenting certificates and certificate chains. It may be possible to adopt a mechanism from 11af etc. Generalized Problem Statement 1)How to handle large objects that fit within a single frame? 2)How to fragment FILS frames, if these become too long due to large objects? Additional problem statement: 3)How to apply tricks to still avoid fragmentation if this would otherwise be required? 4)How to facilitate potential implementation of “aggressive scheme” modes?

3 doc.: 11-13-0201-05 Submission March 21, 2013 Outline 1.Constructs from 802.11-2012  Frame fragmentation/defragmentation  Management frame body components 2.Protocol recap  Certificate-based protocol  Protocol including “piggy-backed info” 3.Application to FILS protocol  Handling of large objects  Handling of “foreign” objects (e.g., higher-layer “piggy-backed data” along key confirmation flows)  Facilitating “aggressive schemes”

4 doc.: 11-13-0201-05 Submission March 21, 2013 Frame Fragmentation (802.11-2012) Conceptual Channel 802.11 Channel w/Fragmentation Notes:  Header contains Sequence Control Field that indicates fragment# (4-bits) and sequence # (12-bits)  Originator (A) partitions frame body and sends individual segments in separate frames, in order  Recipient (B) reconstructs original (conceptual) frame from received segments, in order  When secure channel used, each segment is individually secured (by originator) or unsecured (by recipient)  Duplicate segments and segments received after time-out are acknowledged 802.11-2012 allows fragmentation/defragmentation with individually addressed MSDUs and MMPDUs HDR BodyFCS AB HDR 1 Body 1 FCS 1 AB Body 3 FCS 3 Body 2 FCS 2 A A B B HDR 2 HDR 3

5 doc.: 11-13-0201-05 Submission March 21, 2013 Management Frame Body Components (802.11-2012) Information Elements (8.4.2): Named objects with format (Type, Length, Value), where  Type: Element-ID (1-octet field);  Length: Octet-length of Value field (1-octet field);  Value: Variable field. Fields that are not Information Elements (8.4.1): Specified objects with tailored length and value attributes Notes:  Information elements cannot have size larger than 255 octets, whereas non-information elements can. With 802.11-2012, Authentication frames (8.3.3.11) are specified with field elements that are non-IEs, as is the case with some field elements specified with association request frames (8.3.3.5) and Association Response frames (8.3.3.6).

6 doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 6 Protocol Recap Notes: Our exposition is relative to certificate-based public-key protocol (i.e., without online third party), but does leave out details not necessary for current discussion A Random X, Nonce N A {N A, N B,[Cert CA (Id A,Q A ), sign A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B {N B, N A,[Cert CA (Id B,Q B ), sign B ]} KEK2 STAAP

7 doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 7 Protocol Recap with “Piggy-Backed Info” Notes:  Key confirmation messages can become quite large, due to accumulation of  certificates;  signature;  “piggy-backed info”.  Certificate (chain) verification has to happen after completion of the key computation (thus, forcing a serialized implementation, rather than option to carry out computations between A and B in parallel).  Processing of “piggy-backed info” can only be initiated after receipt of STA’s key confirmation message (thus, precluding optional implementation of “aggressive scheme” modes (see, 13/041r4, Slides 36-37). A Random X, Nonce N A {N A, N B,[Cert CA (Id A,Q A ), sign A, Text A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B STAAP {N B, N A,[Cert CA (Id B,Q B ), sign B, Text B ]} KEK2

8 doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 8 Suggested Protocol Flows Notes:  Easy fragmentation/defragmentation of Authentication frames (since no 802.11-2012 frame protection);  Fragmentation on Association frames possible (since no 802.11-2012 frame protection of those frames);  All objects that do not fit restrictions of IEs can easily be represented as field elements (in 802.11-2012’s 8.4.1 sense).  Intra-frame fragmentation of higher-layer TLV objects (13/133r3) can be handled uniformly and aligned with 802.11-2012 fragmentation/re-assembly Sequence Control Field approach (details in next slides) Further “ugly” optimization: Partition certificate that “just does not fit” over 1rst/3 rd flow, resp. 2 nd /4 th flow (thus, not increasing #flows) A Random X, Nonce N A, {N A, N B,[Cert CA (Id A,Q A ), sign A, Text A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B STAAP {N B, N A,[Cert CA (Id B,Q B ), sign B, Text B ]} KEK2 Cert CA (Id A,Q A ) Cert CA (Id B,Q B )

9 doc.: 11-13-0201-05 Submission March 21, 2013 Conceptual Objects (1) Conceptual Object 802.11 Representation as Sequence of Information Elements Conversion mechanism:  Represent single object/multiple objects within single frame  Allows recovering of original object from representation  Works also if object spread over multiple frames (bonus)  Allows reconstruction as soon as segments all received Note: This allows full flexibility on how one could carry objects within a single and across multiple frames Body 250Body 1 Body 3 Body 2 213 76 176 IE 1 IE 2 IE 3 1125021376 539 Foreign object:  may live outside 802.11  syntax/semantics unknown  to 802.11 e.g., DHCP, Higher Layer, IP Large object:  may not fit within single IE e.g., Certificate chain Represent as ordered sequence of IEs  “piggy-backing” possible  “squeezing” large objects into frame possible  “spreading” large objects over several frames too… Requires one new IE

10 doc.: 11-13-0201-05 Submission March 21, 2013 Conceptual Objects (2) Conceptual Object 802.11 Representation as Sequence of Information Elements How to recover objects?  Within single frame: separator symbol (‘  ’) allows unique recovery of multiple objects  Object spread over multiple frames: parse till ‘  ’-symbol found (assuming only one object to spread across) Note:  Up to implementation to partition to one’s needs  Representation with multiple ‘  ’-symbols in the end possible (“padding”) Body 250Body 1 Body 3 Body 2 213 76 176 IE 1 IE 2 IE 3 1125021376 539 0 176 IE 4 end-of-object indicator (‘  ’,  EOF, etc.) object “segments” (in order)

11 doc.: 11-13-0201-05 Submission March 21, 2013 Authenticated Encryption Modes (1) General mechanism After AEAD protection Now with Information elements: or... Main problem: How to pinpoint the portions that are encrypted? (only problem for recipient) Notes:  Security of object (=confidentiality) determined by Object Type  Object Type and Header fields (length info) visible, also to parties without access to keying material Consequences:  One cannot decide on case-by-case basis whether or not to encrypt object of specific object type  Object types to be encrypted need to be clustered (since Object Types in increasing order)  Never possible to encrypt “vendor-specific” information element (Type:=0xFF), even if, e.g., privacy info  Party who monitors traffic can “jump” over secured object and parse remaining (unsecured) IEs. HeaderPayload Header Secured Payload Authentication of entire frame 071346589A071346589A071346589A071346589A

12 doc.: 11-13-0201-05 Submission March 21, 2013 Authenticated Encryption Modes (2) How to pinpoint the portions that are encrypted? (only problem for recipient) Recipient can easily find this “L”-symbol: simply parse received message (and remove) Does this also work for other “encryption ON/OFF” combinations? 071346589A071346589A071346589A L 071346589A “L” 11 2 2L 2  Encryption indicator IE (4 octets)

13 doc.: 11-13-0201-05 Submission March 21, 2013 Authenticated Encryption Modes (3) Does this also work for other “encryption ON/OFF” combinations? YES! Exploit structure in IEs: encryption/decryption is essentially on “unordered” set of IEs. Step 1 @sender: massage in right form Step 2 @sender: encrypt and put “L”-symbol (encryption indicator IE) in place Step 1 @recipient: find encryption indicator, length of encrypted segment, decrypt and remove “L”-symbol Step 2 @recipient: reorder, by exploiting that IEs should be in ascending order. 071346589A0A13475689 “L” 0A134756890A13475689071346589A

14 doc.: 11-13-0201-05 Submission March 21, 2013 Authenticated Encryption Modes (4) Does this also work for other “encryption ON/OFF” combinations? Encryption indicator IE value not important? Step 1 @sender: massage in right form Step 2 @sender: encrypt and put “L”-symbol (encryption indicator IE) in place Alternatives: or, e.g., 071346589A0A13475689 “L” 0A134756890A13475689 0A13475689

15 doc.: 11-13-0201-05 Submission March 21, 2013 Recommended Approach 1.Use existing frame fragmentation mechanism (802.11-2012) to handle frames that would otherwise not “fit” 2.Represent “conceptual objects” as described:  Introduce new Information Element (IE) for “conceptual object” type  Implement end-fragment ‘  ’ with “empty” conceptual object (which acts as simple separator) 3.Facilitate “aggressive scheme”, as follows:  Allow inclusion of certificate info both in Authentication Request and Association Request (for STA), resp. Authentication Response and Association Response (for AP)  Similar remark for “piggy-backed” info Note: Whether or not this “aggressive scheme” is exploited, is up to implementer. 4.Implement flexible encryption scheme as presented:  Introduce new Information Element (IE) as “security indicator element” (4- octets), so as to indicate length of encryption segment following

16 doc.: 11-13-0201-05 Submission March 21, 2013 Straw Poll #1 Use existing frame fragmentation mechanism (802.11-2012) to handle frames that would otherwise not “fit”.  Yes  No  “Don’t Care”  Need more information Result:

17 doc.: 11-13-0201-05 Submission March 21, 2013 Straw Poll #2 Represent “conceptual objects” as described:  Introduce new Information Element (IE) for “conceptual object” type  Implement end-fragment ‘  ’ with “empty” conceptual object (which acts as simple separator) Facilitate “aggressive scheme”, as follows:  Allow inclusion of certificate info both in Authentication Request and Association Request (for STA), resp. Authentication Response and Association Response (for AP)  Similar remark for “piggy-backed” info  Yes  No  “Don’t Care”  Need more information Result:

18 doc.: 11-13-0201-05 Submission March 21, 2013 Straw Poll #3 Implement flexible encryption scheme as presented:  Introduce new Information Element (IE) as “security indicator element” (4-octets), so as to indicate length of encryption segment following  Yes  No  “Don’t Care”  Need more information Result:

19 doc.: 11-13-0201-05 Submission March 21, 2013 Motion #1 Instruct the Editor to incorporate the textual changes contained in 13/311r0 into the next version of the TGai draft. Note: Represent “conceptual objects” as described:  Introduce new Information Element (IE) for “conceptual object” type  Implement end-segment ‘  ’ with “empty” conceptual object (which acts as simple separator) Implement flexible encryption scheme as presented:  Introduce new Information Element (IE) as “security indicator element” (4-octets), so as to indicate length of encryption segment following Motion: Seconded: Result: Y/N/A

20 doc.: 11-13-0201-05 Submission March 21, 2013 Motion #2 Instruct the Editor and the Proposer to implement any further changes in the current draft to align remaining text with that resulting from implementing motion #1. This would effect the following:  Replaces information elements that may currently not “fit” in D0.4 by the corresponding “foreign object” and adapt conversion text between these “conceptual objects” and sequences of “real” information elements. There seem to be countless examples in the draft where we now have potential errors and that would require clean-up (this would also synch this completely with 13/235r2)  This would facilitate automatically allow implementation of the so-called “aggressive scheme”. (Again, whether or not this is exploited by the implementer is up to him.) Motion: Seconded: Result: Y/N/A

Download ppt "Doc.: 11-13-0201-05 Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: 2013-03-21 Authors:"

Similar presentations

IETF-91, DICE Working Group November 10, 2014 René Struik (Struik Security Consultancy)Slide 1 Multicast Security  Quo Vadis?  René Struik.

IETF-91, DICE Working Group November 10, 2014 René Struik (Struik Security Consultancy)Slide 1 Multicast Security  Quo Vadis?  René Struik.
MAC Header Compression

MAC Header Compression
Submission doc.: IEEE 11-14/0141r0 January 2014 Jarkko Kneckt (Nokia)Slide 1 Element Fragmentation Date: 2014-01-21 Authors:

Submission doc.: IEEE 11-14/0141r0 January 2014 Jarkko Kneckt (Nokia)Slide 1 Element Fragmentation Date: Authors:
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Doc.: IEEE 802.11-08/1268 r1 Submission November 2008 Ding Zhiming, HuaweiSlide 1 Amendment for emergency alert system notification Date: 2008-11-09 Authors:

Doc.: IEEE /1268 r1 Submission November 2008 Ding Zhiming, HuaweiSlide 1 Amendment for emergency alert system notification Date: Authors:
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Submission doc.: IEEE 802.11-11/1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
(Business) Process Centric Exchanges

(Business) Process Centric Exchanges
Submission doc.: IEEE 802.11-11/1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Submission doc.: IEEE 11-12/0281r0 March 2012 Jarkko Kneckt, NokiaSlide 1 Recommendations for association Date: 2012-03-05 Authors:

Submission doc.: IEEE 11-12/0281r0 March 2012 Jarkko Kneckt, NokiaSlide 1 Recommendations for association Date: Authors:
IPsec. 18.1 Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
Doc.: 11-12-1243r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date: 2012-10-30.

Doc.: r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date:
Doc.: IEEE 802.11-11/0977r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKA ROOT INC.2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771-

Doc.: IEEE /0977r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKA ROOT INC Tenjin, Chuo-ku, Fukuoka JAPAN
Doc.: IEEE 802.15-05-0082-00-004b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area.

Doc.: IEEE b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE15-12-0373-01-0009-KMP-Transport-Joint-802.1 Submission July 2012 Robert Moskowitz, Verizon Slide 1 Project: IEEE P802.15 Working Group for Wireless.

Doc.: IEEE KMP-Transport-Joint Submission July 2012 Robert Moskowitz, Verizon Slide 1 Project: IEEE P Working Group for Wireless.
Doc.: IEEE 802.11-08/1378r0 Submission November 2008 Darwin Engwer, Nortel NetworksSlide 1 Improving Multicast Reliability Date: 2008-11-11 Authors:

Doc.: IEEE /1378r0 Submission November 2008 Darwin Engwer, Nortel NetworksSlide 1 Improving Multicast Reliability Date: Authors:
Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.

Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.
Doc.: IEEE 802.11-08/0357r0 Submission March 2008 Michelle Gong, Intel, et alSlide 1 Enhancement to Mesh Discovery Date: 2008-03-17 Authors:

Doc.: IEEE /0357r0 Submission March 2008 Michelle Gong, Intel, et alSlide 1 Enhancement to Mesh Discovery Date: Authors:
Doc.: IEEE 802.11-13/0133r3 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0133r3 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: 11-13-0201-07 Submission May 13, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date: 2013-05-13.

Doc.: Submission May 13, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date:

Similar presentations

Ads by Google