Doc.: 11-13-0201-00 Submission February 5, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: 2013-02-05 Authors:

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Submission doc.: IEEE 11-13/0487r0 May 2013 Dan Harkins, Aruba NetworksSlide 1 How To Fragment An IE Date: Authors:
IETF-91, DICE Working Group November 10, 2014 René Struik (Struik Security Consultancy)Slide 1 Multicast Security  Quo Vadis?  René Struik.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I
Submission doc.: IEEE 11-14/0141r0 January 2014 Jarkko Kneckt (Nokia)Slide 1 Element Fragmentation Date: Authors:
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.
Gursharan Singh Tatla Transport Layer 16-May
Computer Science Public Key Management Lecture 5.
Module A Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson.
Secure Electronic Transaction (SET)
Submission doc.: IEEE /1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
IETF SFC: Service Chain Header draft-zhang-sfc-sch-01
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
ICN Hop-By-Hop Fragmentation Marc Mosko Palo Alto Research Center Christian Tschudin University of Basel
Chapter 6 Electronic Mail Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
More on TCP Acknowledgements Sequence Number Field Initial Sequence Number Acknowledgement Number Field.
Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
Doc.: r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date:
Certificate Requests to HIP Jani Pellikka 80 th IETF Mar 27 th – Apr 1 st 2011 Prague, Czech Republic.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Doc.: IEEE /1206r0 Submission Oct 2004 Black, NokiaSlide 1 TGk LB71 Parallel category comment resolution Simon Black (Nokia)
Submission doc.: IEEE 11-14/0877r2 July 2014 SK Yong et.al., AppleSlide 1 Generic Service Discovery Proposal: Dynamic Bloom Filter Operation Date:
Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.
Doc.: IEEE /0133r3 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: Submission May 13, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date:
Doc.: Submission January 22, 2014 Rene Struik (Struik Security Consultancy)Slide 1 TGai Motions Date: Authors: NameCompanyAddressPhone .
Doc.: Submission March 21, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: Authors:
Doc.: IEEE /0232r0 Submission February 2009 Meiyuan Zhao, IntelSlide 1 Suggestions to Clean Up Peering Management Frames Date:
Doc.: Submission April 22, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date:
Submission doc.: IEEE 11-13/0324r0 March 2013 M. Emmelmann, FOKUSSlide 1 TGai Principles and Mechanisms (Joint TGai and TGaq Meeting) Date:
Doc.:IEEE /0318r0 March 2013 A. Asterjadhi, Qualcomm Inc. Short MAC Header Design Date: Authors:
Doc.: Submission May 14, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Piggy-Backing Aspects Date: Authors: NameCompanyAddressPhone .
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
FILS Reduced Neighbor Report
Discussion of Outstanding TGai Security Topics
Security Enhancement to FTM
Cryptography and Network Security
Topic #1 & #5 “All that has to do with header formats”
Standards Basics.
FILS Handling of Large Objects
IP : Internet Protocol Surasak Sanguanpong
FILS Handling of Large Objects, FILS Piggy-Backing
May 2018 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Considerations on general MAC frame] Date Submitted:
FILS Handling of Large Objects
Secure WUR frames Date: Authors: January 2018
How To Fragment An IE Date: Authors: May 2013
December 7, 2018 doc.: IEEE r0 July, 2003
FILS Reduced Neighbor Report
FILS Handling of Large Objects
CID#102 - Channel Allocation
TGai Motions Date: Authors: January 22, 2014 Name Company
Overview of Changes to Key Holder Frame Formats
February 24, 2019 doc.: IEEE r0 July, 2003
FILS Handling of Large Objects
CID#89-Directed Multicast Service (DMS)
Channel Allocation March 2008 Authors: Date: Month Year
May 2018 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Considerations on general MAC frame] Date Submitted:
Presentation transcript:

doc.: Submission February 5, 2013 René Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects Date: Authors: NameCompanyAddressPhone René StruikStruik Security Consultancy Toronto ON, CanadaUSA: +1 (415) Toronto: +1 (647) Skype: rstruik

doc.: Submission February 5, 2013 Review Comments on ai – D0.2 Ref: 13/0036r09 (tgai-draft-review-combined-comments) CID #242 (David Goodall, 13/0016r0): Comment ( ): An X.509v3 certificate may be longer than 253 bytes and therefore requires fragmentation across multiple elements. A certificate chain may require additional fragmentation. Proposed change: 11ai will need to provide a mechanism for fragmenting certificates and certificate chains. It may be possible to adopt a mechanism from 11af etc. Generalized Problem Statement 1)What to handle large objects that fit within a single frame? 2)How to fragment FILS frames, if these become too long due to large objects?

doc.: Submission February 5, 2013 Outline 1.Protocol recap 2.Constructs from  Frame fragmentation/defragmentation  Management frame body components 3.Application to FILS protocol  Handling of large objects  Handling of “foreign” objects (e.g., higher-layer “piggy-backed data” along key confirmation flows) Note: Our exposition is relative to certificate-based public-key protocol (i.e., without online third party), but does leave out details not necessary for current discussion

doc.: Submission February 5, 2013 Frame Fragmentation ( ) Conceptual Channel Channel w/Fragmentation Notes:  Headers contain Sequence Control Field that indicates fragment# (4-bits) and sequence # (12-bits)  Originator (A) partitions frame body and sends individual segments in separate frames, in order  Recipient (B) reconstructs original (conceptual) frame from received segments, in order  When secure channel used, each segment is individually secured (by originator) or unsecured (by recipient)  Duplicate segments and segments received after time-out are acknowledged allows fragmentation/defragmentation with individually addressed MSDUs and MMPDUs HDR Body 2 FCS AB HDR 1 Body 1 FCS 1 AB HDR 3 Body 3 FCS 3 HDR 2 Body 2 FCS 2 Body 3 Body 1 A A B B

doc.: Submission February 5, 2013 Management Frame Body Components ( ) Information Elements (8.4.2): Named objects with format (Type, Length, Value), where  Type: Element-ID (1-octet field);  Length: Octet-length of Value field (1-octet field);  Value: Variable field. Non-Information Elements (8.4.1): Specified objects with tailored length and value attributes Notes:  Information elements cannot have size larger than 255 octets, whereas non-information elements can. With , Authentication frames ( ) are specified with field elements that are non-IEs, as is the case with some field elements specified with association request frames ( ) and Association Response frames ( ).

doc.: Submission February 5, 2013 René Struik (Struik Security Consultancy)Slide 6 Protocol Recap Notes: Our exposition is relative to certificate-based public-key protocol (i.e., without online third party), but does leave out details not necessary for current discussion A Random X, Nonce N A {N A, N B,[Cert CA (Id A,Q A ), sign A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B {N B, N A,[Cert CA (Id B,Q B ), sign B ]} KEK2 STAAP

doc.: Submission February 5, 2013 René Struik (Struik Security Consultancy)Slide 7 Protocol Recap w/ “Piggy-Backed Info” Notes:  Key confirmation messages can become quite large, due to accumulation of  certificates;  Signature;  “piggy-backed info”.  Certificate (chain) verification has to happen after completion of the key computation (thus, forcing a serialized implementation (optionally carrying out computations between A and B in parallel). A Random X, Nonce N A {N A, N B,[Cert CA (Id A,Q A ), sign A, Text A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B STAAP {N B, N A,[Cert CA (Id B,Q B ), sign B, Text B ]} KEK2

doc.: Submission February 5, 2013 René Struik (Struik Security Consultancy)Slide 8 Suggested Protocol Flows Notes:  Easy fragmentation/defragmentation of Authentication frames (since no frame protection);  Fragmentation on Association frames possible (since no frame protection of those frames);  All objects that do not fit restrictions of IEs can easily be represented as field elements (in ’s sense).  Intra-frame fragmentation of higher-layer TLV objects (13/133r3) can be handled uniformly and aligned with fragmentation/re-assembly approach (details in next version) A Random X, Nonce N A, {N A, N B,[Cert CA (Id A,Q A ), sign A, Text A ]} KEK2 Key Establishment Key Confirmation B Random Y, Nonce N B STAAP {N B, N A,[Cert CA (Id B,Q B ), sign B, Text B ]} KEK2 Cert CA (Id A,Q A ) Cert CA (Id B,Q B )

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.