The benefits of Opportunistic Wireless Encryption
Submission doc.: IEEE 802.11-16/313r1, March 2016
Guido R. Hiertz, Ericsson et al.
Date: 2016-03-16


Slide 2: Abstract
- Security is a delicate topic
  - Past experiences with insufficient 802.11/Wi-Fi security: WEP, WPA1, WPS …
  - Huge market impact because of press reports etc.
- Opportunistic Wireless Encryption (OWE) fills a (severe) gap in the IEEE 802.11 standard, which does not allow for unauthenticated but encrypted operation
- OWE is simple to add, requires no hardware changes
  - Few software changes, can even operate on legacy equipment
- OWE is simple to use, no configuration required

Slide 3: Situation analysis (encrypted vs. authenticated)
- Not encrypted, not authenticated: Open. Free, anonymous access. Often combined with captive portal re terms & conditions.
- Not encrypted, authenticated: Captive portal. IP layer. Credential submission through HTTPS.
- Encrypted, not authenticated: Missing in 802.11. Free, anonymous access like the "Open" method. Wireless traffic encrypted, secure. Client protection.
- Encrypted, authenticated: RSNA, or captive portal & opportunistic encryption combined.

Slide 4: Captive Portals
- Typical Captive Portal operation
  - IP based
  - Client is blocked from Internet access until successfully performing HTTP login
  - Captive Portal gateway intercepts HTTP requests and redirects them to login page
  - After successful credential check, record MAC address as permitted
  - Optionally, have client access an operator's HTTPS webpage to push (secure) Cookie to client
  - Have client perform frequent page refresh to check for Cookie

Slide 5: Captive Portal usage
- Mostly for guests
  - Hotel, airport, lounge, restaurant …
- Widely applied
  - Simple to use, access through webpage
  - Provision of credentials or acknowledgment of terms

Slide 6: Threats in unencrypted WLANs
- ARP
  - Glue between IP & L2
  - Caches can be poisoned
  - Man in the middle attack to redirect traffic
- DNS
  - Privacy issues with overheard DNS requests
  - Severe attacks with malicious DNS responses
  - Even DNSSEC is unencrypted
- Pervasive monitoring
  - Eavesdropping
  - E.g. common PSK may reveal individual PTK
- Only encryption allows for PMF
  - PMF (Protected Management Frames) needed to prevent disassociation attacks
  - PMF mandatory with WFA 802.11ac

Slide 7: OWE implementation aspects
- Minor software changes
  - Can be added with driver updates
  - OWE adds Diffie-Hellman key exchange prior to existing RSNA operation
- No hardware changes needed
  - No new encryption methods needed
  - No additional frames need to be exchanged
  - No changes to RSNA process

Slide 8: RSNA authentication
- At least ten frames needed to securely associate with AP
  - Probe frames are optional
- Credentials can be provided as pre-shared key or through EAP (Extensible Authentication Protocol)
  - EAP may require up to 14 additional messages

Slide 9: OWE based authentication
- OWE requires no additional frames to be exchanged
- On the fly, generate secret, random credentials
  - Used as input to unmodified RSNA process
  - Standard generation of dependent keys: PTK, GTK …
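The key agreement described on slides 7 and 9, as an added example that is not code from the presentation or its authors: client and AP each generate an ephemeral Diffie-Hellman key pair, and both derive the same PMK, which then feeds the unmodified RSNA process. The HKDF construction follows RFC 8110 (the later OWE specification); the toy group `P`/`G`, the placeholder `GROUP_ID` and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, secrets

# Toy finite-field group for illustration only (assumption): not a group
# registered for OWE. Real deployments use standardized ECDH/FFDH groups.
P = 2**255 - 19
G = 2
GROUP_ID = (0).to_bytes(2, "big")  # placeholder group identifier (constructed)

def keypair():
    """Fresh ephemeral DH key pair, generated per association."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def enc(n):
    return n.to_bytes(32, "big")

def derive_pmk(my_priv, peer_pub, client_pub, ap_pub):
    """HKDF-SHA256 over the DH secret, salted with both public values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")  # would force a known secret
    z = enc(pow(peer_pub, my_priv, P))
    salt = enc(client_pub) + enc(ap_pub) + GROUP_ID
    prk = hmac.new(salt, z, hashlib.sha256).digest()  # HKDF-extract
    # HKDF-expand, single output block (32 bytes)
    pmk = hmac.new(prk, b"OWE Key Generation\x01", hashlib.sha256).digest()
    pmkid = hashlib.sha256(enc(client_pub) + enc(ap_pub)).digest()[:16]
    return pmk, pmkid

def associate():
    """One client/AP association; returns (client view, AP view)."""
    c_priv, c_pub = keypair()  # public value carried in the association request
    a_priv, a_pub = keypair()  # public value carried in the association response
    client = derive_pmk(c_priv, a_pub, c_pub, a_pub)
    ap = derive_pmk(a_priv, c_pub, c_pub, a_pub)
    return client, ap

def demo():
    first_client, first_ap = associate()
    second_client, _ = associate()
    return {
        "both_sides_agree": first_client == first_ap,
        # Unlike a common PSK, no other client can compute this PMK.
        "pmk_unique_per_client": first_client[0] != second_client[0],
        "pmk_len": len(first_client[0]),
    }

if __name__ == "__main__":
    print(demo())
```

Because neither side is authenticated, this protects against passive eavesdropping only; an active man in the middle can still run the exchange with each party separately.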

Slide 10: OWE based authentication (zoom in)

Slide 11: Conclusion
- Security is one of 802.11's key topics
  - No other topic related to 802.11 attracts as much attention as broken security
- A huge number of WLANs operate unencrypted
  - Introducing security in this important market segment is important
- OWE comes at no cost
  - No over the air overhead
  - Diffie-Hellman widely implemented with EAP key exchange, e.g. EAP-TLS
  - No new encryption code needed
- OWE & Open access may operate concurrently on same AP
  - Even during such a legacy transitioning period, OWE implementations will already benefit from being protected

Slide 12: Recommendation
- Integrate OWE into IEEE P REVmc/D5.1 resp. IEEE
- Apply the changes proposed in /1184r7

Slide 13: References
1. V. Dukhovni, “Opportunistic Security: Some Protection Most of the Time,” IETF RFC 7435, Dec