Doc.: IEEE 802.11-02/318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 1 Implicit Initialization Vectors Martin Lefkowitz, Texas Instruments.

Slides:

Advertisements

Similar presentations

Virtual Trunk Protocol

Advertisements

The Transmission Control Protocol (TCP) carries most Internet traffic, so performance of the Internet depends to a great extent on how well TCP works.

Congestion Control and Fairness Models Nick Feamster CS 4251 Computer Networking II Spring 2008.

Submission Title: [AES Modes] Date Submitted: [May 10, 2002]

Doc.: IEEE /300R0 Submission May 2002 Terry Cole, AMDSlide 1 Slides to Assist with Joint Meeting of TgE and TgG Terry Cole AMD Fellow

Doc: IEEE /705ar0 Submission Javier del Prado et. al November 2002 Slide 1 Mandatory TSPEC Parameters and Reference Design of a Simple Scheduler.

A-MPDU Delimiter Changes

Doc.:IEEE /540ar0 Submission November 2001 Albert Young, Bob OHara Slide 1 A Re-Key Proposal Albert Young 3Com Corporation Santa Clara, CA

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.

Doc.: IEEE /301R0 Submission May 2002 Terry Cole, AMDSlide 1 A More Efficient Protection Mechanism Terry Cole AMD Fellow +1.

Doc.: IEEE /082r0 Submission January 2001 Anuj Batra et al., Texas InstrumentsSlide 1 Project: IEEE P Working Group for Wireless Personal.

Submission Page 1 January 2002 doc.: IEEE 802.RR-02/018A-d1 Andrew Myles, Cisco Systems Report of ad hoc group relating to DFS and JPT5G proposal Andrew.

Cryptography encryption authentication digital signatures

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

1 IP - The Internet Protocol Relates to Lab 2. A module on the Internet Protocol.

Block Cipher Modes of Operation and Stream Ciphers

ECE454/CS594 Computer and Network Security

Doc.: IEEE /0259r02 Submission Date: ad New Technique Proposal March 2010 Yuichi Morioka, Sony CorporationSlide 1 Authors:

Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.

1 November, 2002 doc:.: /480r0 Daniel V. Bailey, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.:IEEE /525Ar0 Submission September 2002 Mathilde Benveniste, Avaya Labs Slide 1 Simplifying Polling Mathilde Benveniste

Doc.:IEEE /223r1 Submission March 2002 J. del Prado and S. Choi, Philips Slide 1 CC/RR Performance Evaluation - Revisited Javier del Prado and.

Doc.: IEEE /543r0 Submission April 2006 Richard van Nee, Airgo NetworksSlide 1 Transmitter CCA Issues in 2.4 GHz April /543r0 Richard van.

Doc.: IEEE /243r0 Submission March 2002 James Kempf, DoCoMo LabsSlide and IP James Kempf Seamoby WG Co-chair DoCoMo Labs USA

Doc.: IEEE /684R2 Submission November 2002 Martin Lefkowitz, Trapeze NetworksSlide 1 Extended Keymap ID Martin Lefkowitz Trapeze Networks.

Doc. :IEEE /314r0 Submission Sai Shankar et al., Philips ResearchSlide 1 May 2002 TXOP Request: in Time vs. in Queue Size? Sai Shankar, Javier.

Doc.: IEEE /0578r0 Submission 2008 May Jarkko Kneckt, NokiaSlide 1 Forwarding in mesh containing MPs in power save Date: Authors:

Doc.: IEEE /0018r0 Submission May 2004 Steve Shellhammer, Intel CorporationSlide 1 IEEE Wireless Coexistence TAG Steve Shellhammer

January 2002 Khaled Turki et. al, Texas InstrumentsSlide 1 doc.: IEEE /022r0 Submission TID Field Usage in QoS CF-Poll Khaled Turki and Matthew.

Doc.:IEEE /321r0 Submission May 2002 Y. Liu, et al Slide 1 CC/RR Performance Evaluation Yonghe Liu, Jin-meng Ho, Matthew B. Shoemake, Jie Liang.

Doc.: r0-I Submission July 22, 2003 Paul Lambert, Airgo NetworksSlide 1 Enabling Encryption in Hotspots by Decoupling the Privacy Field from.

Doc.: IEEE /289r0 Submission Bobby Jose,Slide 1 March 2002 CC/RR Alternatives HCF Adhoc Discussion Work Sheet V00.04 Bobby Jose, et.al

Doc.: IEEE /1123r0 Submission September 2010 Zhu/Kim et al 1 Date: Authors: [TXOP Sharing for DL MU-MIMO Support]

11-1 FRAMING The data link layer needs to pack bits into frames, so that each frame is distinguishable from another. Our postal system practices a type.

12-Apr-15 Analysis of Algorithms. 2 Time and space To analyze an algorithm means: developing a formula for predicting how fast an algorithm is, based.

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005

Doc.: IEEE /037 Submission March 2000 Duncan Kitchin, Jesse Walker, Intel NIDSlide 1 Proposal for Enhanced Encryption Duncan Kitchin Jesse Walker.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Security in Computing Chapter 12, Cryptography Explained Part 7 Summary created by Kirk Scott 1.

Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.

CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.

WEP Protocol Weaknesses and Vulnerabilities

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Doc.: IEEE /684r0 Submission November 2002 Martin Lefkowitz, Trapeze NetworksSlide 1 Extended Keymap ID Martin Lefkowitz Trapeze Networks.

Xiuzhen Cheng Xiuzhen Cheng Csci388 Wireless and Mobile Security – Temporal Key Integrity Protocol.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.

SubmissionJoe Kwak, InterDigital1 Simplified 11k Security Joe Kwak InterDigital Communications Corporation doc: IEEE /552r0May 2004.

Erik Nicholson COSC 352 March 2, WPA Wi-Fi Protected Access New security standard adopted by Wi-Fi Alliance consortium Ensures compliance with different.

Wired Equivalent Privacy. INTRODUCTION Wired Equivalent Privacy (WEP) is a security algorithm for IEEE wireless networks. Introduced as part of.

Wireless Protocols WEP, WPA & WPA2.

Martin Lefkowitz Trapeze Networks

Net 323 D: Networks Protocols

doc.: IEEE /454r0 Bob Beach Symbol Technologies

TGi Draft 1 Clause – 8.5 Comments

Presentation transcript:

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 1 Implicit Initialization Vectors Martin Lefkowitz, Texas Instruments

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 2 Presentation Overivew History of the IV in an packet Application of the IV in future implementations Issues involved in Changing the IV, or format of a packet. Optimization of 48 bit IV Extension

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide WEP Properties Properties of the WEP algorithm –It is reasonably strong: The security afforded by the algorithm relies on the difficulty of discovering the secret key through a brute-force attack. This in turn is related to the length of the secret key and the frequency of changing keys. WEP allows for the changing of the key (k) and frequent changing of the IV. Hah! –It is self-synchronizing: WEP is self-synchronizing for each message. This property is critical for a data-link level encryption algorithm, where “best effort” delivery is assumed and packet loss rates may be high.. –It is efficient: The WEP algorithm is efficient and may be implemented in either hardware or software.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide WEP Properties — It may be exportable: Every effort has been made to design the WEP system operation so as to maximize the chances of approval, by the U.S. Department of Commerce, of export from the U.S. of products containing a WEP implementation. However, due to the legal and political climate toward cryptography at the time of publication, no guarantee can be made that any specific IEEE implementations that use WEP will be exportable from the USA. — It is optional: The implementation and use of WEP is an IEEE option.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 5 History of IV in packet (WEP) WEP theory of operation –The IV may be changed as frequently as every MPDU and, since it travels with the message, the receiver will always be able to decipher any message. The IV is transmitted in the clear since it does not provide an attacker with any information about the secret key, and since its value must be known by the recipient in order to perform the decryption.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 6 IV Problems Described in WEP theory of operation –When choosing how often to change IV values, implementors should consider that the contents of some fields in higher-layer protocol headers, as well as certain other higher-layer information, is constant or highly predictable. When such information is transmitted while encrypting with a particular key and IV, an eavesdropper can readily determine portions of the key sequence generated by that (key, IV) pair. If the same (key, IV) pair is used for successive MPDUs, this effect may substantially reduce the degree of privacy conferred by the WEP algorithm, allowing an eavesdropper to recover a subset of the user data without any knowledge of the secret key. Changing the IV after each MPDU is a simple method of preserving the effectiveness of WEP in this situation.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 7 Application of IV for Future Implementations While there is no properties section in the current draft, in general, the WEP properties (goals) are valid for future forms of encryption. –It is reasonably strong This is a moving target. –It is self-synchronizing This is now true not only for packet loss, but for the QOS property of packets coming out of order. –It is efficient While it is an advantage to be able to do this in software, even Hardware implementations, and the protocol can benefit from efficiency. –Efficiency = performance. –It may be exportable No longer an issue –It is optional

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 8 Solution to IV Issues Enforce IV change for every packet –Introduce sequential count Enforce that IV never be reused with the same key. –Three possible solutions: Rapid Rekeying: Change Key before IV runs out. Extend the IV: 48 bit Both

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 9 Issues With Rapid Rekey Disadvantage –Making sure Queues are flushed when packets can come out of order, and may be stalled makes it hard to know when exactly to change over. Very complicated. Hard to get right. Advantage –Key changing happens automatically The user/IT administrator need not know exactly when the key changes

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 10 Need for Rekeying At the given rates the a single key can last > 100 years there is no reason to rekey, other than human issues. –The longer a key is used the longer someone may find it through other means than cracking –Disgruntled Employee. Group Key Rekey –Too many people may have the means to decode the key, therefore it would be a good idea to rekey eariler

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide Bit IV Expansion Issues Adding 4 more bytes to the packet –Certain legacy hardware implementations take advantage of the frame format, and require the IV to be in that place, for TKIP. This can be overcome by reordering the IV fields to make keymixing more streamlined. More Overhead for packet. –Regardless of size, we are adding 40,000 extra bytes per 10,000 packet. Depending upon the size of the packet this decreases throughput from.02-6 %

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 12 Issues with Both 48bit IV and Rekeying Can be the worst or best of both solutions. –We could be having the complication of rapid rekeying, as well as adding 4 bytes to each packet. –We could use 48 bits to simplify, or eliminate the need for rekeying. This must be done for all cases, or we get the worst of both solutions.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 13 Issues With Extending/Changing the IV Format Interoperability with Legacy Stations –These Stations will be using TKIP, not WEP. Existing Hardware can be made to conform to a stronger encryption scheme. –Uses the same general frame format. –Enforces a count in the IV. –Mixed Network with OCB. OCB is new Hardware, but uses the same general frame format.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 14 Advantage of 48 Bit IV More Secure (Obviously) Makes Rekeying Easier –No need to worry about Key Exhaustion if a STA always begins to use the newest key. Send Pong key over when a key change needs to occur. There is no need to reuse the ping key. A queue flush must occur during the life of the session. –There is a MSDU lifetime usually set to about ½ second.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 15 WEP TKIP AES/OCB

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 16 Optimization of 48 bit IV Extension Use 1 IV padding bit as a “Edge Sensitive” toggle when overflow occurs during the counting of the IV. –TKIP example –Key must start at zero –And So on… IV Lower Count (hex)Implicit Upper Count – 0FFFF – 1FFFF FFFF0

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 17 Optimization of 48 bit IV Extension (continued) Incrementing the upper count. –The upper count can not be “officially” incremented until after the replay window expires from the packet that contained the last pre-rollover count. For the OCB mode since each Traffic Class has a different IV space this is not an issue.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 18 Implicit IV Group Key Solution Beacon/Probe Response contains the current upper, and lower IV count –Unambiguous for powersave –IBSS STA can get initialized. –Lower IV count sent to avoid race condition Association Response contains current upper, and lower IV count for initialization for infrastucture situation.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 19 Why Implicit Upper IV works It is self-synchronizing: –With each packet, and the maintance of the upper IV in the it’s memory, the STA has the ability to unambiguously determine the IV for that packet. Works with dropped packets, or out of order packet Unambiguous –You can not miss packets and still care about whether you are associated, or receiving correct data. If you do you should be able the overhead of reassociating.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 20 Why Impicit Upper IV is Better We can use a 16 counter for AES/OCB reduces the amount of overhead required for the IV in AES/OCB mode. –Either eliminate 14 bits, or have 14 bits of padding/other information. We can use 48 bit IV space for TKIP without transmitting an extra 4 bytes per packet.

doc.: IEEE /318r0 Submission May 2002 Martin Lefkowitz, Texas InstrumentsSlide 21 Conclusion Having a 48 bit IV does simplify Rekeying. Designing in the implicit Upper IV does not decrease the over the air performance. Best of both worlds