Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Presentation transcript:

Slide 1: IEEE 802.1X for IEEE 802.11
David Halasz, Stuart Norman, Glen Zorn, Cisco Systems, Inc.; Bernard Aboba, Tim Moore, Microsoft

Slide 2: Outline
Introduction, Goals
Description
– Authentication Transport
– Authentication Implementation
– Informational
– Proposed changes to 802.11
Summary

Slide 3: Introduction
Follow-up to document 00/035
IEEE 802.1X, Port-based Network Access Control
IETF RFC 2284, PPP Extensible Authentication Protocol (EAP)

Slide 4: Goals
Extensible system
Modular
Authentication done at a higher-layer protocol
Session encryption at the IEEE 802.11 layer
Promote multi-vendor interoperability
Minimize changes to IEEE 802.11

Slide 5: Goals cont.
System should apply to different PHYs.
– System should scale to Ethernet, dial-up, etc.
– System should fit into existing systems.
Ability to add new authentication methods easily (without changing 802.11)
– e.g. the EAP authentication type can change with no change to station, driver or AP

Slide 6: Description
IEEE 802.1X mutually authenticatable supplicant resides above the IEEE 802.11 layer.
IEEE 802.1X authenticator resides in the AP
– e.g. 802.1X authenticator and RADIUS client
Authentication server gets strongly authenticated to the client.
– e.g. RADIUS server

Slide 7: Description
Allow for different authentication types
– TLS, RFC 2716
– Kerberos, draft-aboba-pppext-eapgss-01.txt
– Others can be added

Slide 8: Description cont.
802.11 to 802.1X adaptation layer
[Figure: Supplicant 1...N on one side, Authenticator on the other, with 1...N virtual ports between them]
One IEEE 802.11 physical port becomes 1 to N virtual IEEE 802.1X ports.

Slide 9: Description cont.
IEEE 802.1X terminology, the pieces of the system:
Controlled port
Uncontrolled port
Supplicant
Authentication Server
Authenticator

Slide 10: Description cont.
[Figure: Wireless laptop, Access Point, Authentication Server; 802.1X traffic between laptop and AP, authentication traffic between AP and server; normal data shown blocked]
Wireless client associates at the 802.11 layer. Data is blocked by the AP.
Access Point blocks everything except 802.1X to authentication traffic. Authentication traffic is allowed to flow.
Access Point encapsulates 802.1X traffic into authentication server traffic and vice versa.

Slide 11: Description cont.
[Figure: Wireless laptop, Access Point, Authentication Server; 802.1X traffic between laptop and AP, authentication traffic between AP and server; normal data still blocked]
Wireless client mutually authenticates with the Authentication Server. Access Point blocks everything except 802.1X to authentication traffic.
In the authentication process the supplicant securely obtains a WEP key. The authentication server also sends the WEP key in the success packet to the AP. The AP uses the WEP key to send the broadcast WEP key.

Slide 12: Description cont.
[Figure: Wireless laptop, Access Point, Authentication Server; normal data now flowing between laptop and AP]
Wireless client and AP use the WEP key. AP allows traffic to flow.
After successful EAP authentication, the Access Point allows all traffic to the Wireless laptop. The Wireless laptop sets the WEP keys through the MLME interface (e.g. NIC driver).

Slide 13: Description cont.
[Figure: Wireless laptop and RADIUS Server marked as the authentication points]
New EAP authentication types get added in the Supplicant and the Authentication Server.
Station and AP are aware of the authentication transport, but they are unaware of the authentication type. Therefore, new authentication types can be added without modifying the station or the AP.

Slide 14: Description cont.
[Figure: Wireless laptop and Authentication Server, with Vendor A AP, Vendor B AP and Vendor C Switch in between]
A new EAP authentication type benefits everybody.

Slide 15: Description cont.
Dynamic Key Distribution
Key gets delivered to the supplicant depending on the EAP authentication type (e.g. EAP-TLS).
Per-client session key gets delivered to the authenticator (e.g. via the MS-MPPE-Send-Key attribute: RFC 2548).
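The MS-MPPE-Send-Key delivery named on this slide is a RADIUS Vendor-Specific attribute whose value is wrapped with the scheme in RFC 2548 section 2.4: the key is prefixed with its length, padded to 16-octet blocks, and XORed with an MD5 keystream chained from the shared secret, the Access-Request's Request-Authenticator and a 2-octet salt. The following Python is an added example, not code from the presentation; the secret, authenticator, salt and 13-octet WEP key used in it are constructed test values, and the function names are my own.

```python
"""RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key wrapping, as used on slide 15 to
carry the per-client session key from the RADIUS server to the AP.

Added example; not code from the presentation. Values used for testing are constructed.
"""
import hashlib

MS_VENDOR_ID = 311        # Microsoft Vendor-Id inside RADIUS Vendor-Specific (attribute 26)
MS_MPPE_SEND_KEY = 16     # vendor type of MS-MPPE-Send-Key
MS_MPPE_RECV_KEY = 17     # vendor type of MS-MPPE-Recv-Key


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(key: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Return Salt || encrypted String, the attribute value placed in the Access-Accept.

    P  = Key-Length || Key || zero padding to a multiple of 16 octets
    b1 = MD5(S || R || A)      c1 = p1 xor b1
    bi = MD5(S || c(i-1))      ci = pi xor bi
    where S is the shared secret, R the Request-Authenticator and A the salt.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt is 2 octets with the most significant bit set")
    if len(key) > 255:
        raise ValueError("Key-Length is a single octet")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = secret + request_authenticator + salt
    for i in range(0, len(plain), 16):
        c = _xor16(plain[i:i + 16], hashlib.md5(prev).digest())
        out += c
        prev = secret + c          # next keystream block is chained from this ciphertext block
    return salt + bytes(out)


def mppe_unwrap(value: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the key from Salt || encrypted String (what the AP's RADIUS client does)."""
    salt, ct = value[:2], value[2:]
    if len(ct) == 0 or len(ct) % 16:
        raise ValueError("encrypted String must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = secret + request_authenticator + salt
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        plain += _xor16(block, hashlib.md5(prev).digest())
        prev = secret + block
    key_len = plain[0]
    # The wrapping carries no integrity check of its own; a wrong secret usually
    # shows up as an impossible Key-Length, but not always. Packet integrity
    # comes from the RADIUS Response Authenticator, not from this attribute.
    if key_len > len(plain) - 1:
        raise ValueError("Key-Length exceeds decrypted data: wrong secret or corrupted attribute")
    return bytes(plain[1:1 + key_len])


def vendor_specific(vendor_type: int, value: bytes) -> bytes:
    """Encode RADIUS attribute 26 (Vendor-Specific) carrying one Microsoft sub-attribute.

    Layout: type(1) length(1) Vendor-Id(4) vendor-type(1) vendor-length(1) value.
    """
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([26, 6 + len(sub)]) + MS_VENDOR_ID.to_bytes(4, "big") + sub


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    wep_key = bytes.fromhex("0102030405060708090a0b0c0d")   # 104-bit WEP key, constructed
    wrapped = mppe_wrap(wep_key, secret, req_auth, b"\x80\x01")
    print(vendor_specific(MS_MPPE_SEND_KEY, wrapped).hex())
    print(mppe_unwrap(wrapped, secret, req_auth) == wep_key)
```

Two points a practitioner should take from running it: the confidentiality of the session key rests entirely on the RADIUS shared secret and on the Request-Authenticator being fresh, and the attribute itself authenticates nothing, so the AP relies on the Access-Accept's Response Authenticator (and, where deployed, Message-Authenticator) to detect tampering.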

Slide 16: Description cont.
Broadcast Key Distribution
Broadcast key(s) get securely delivered to the station via IEEE 802.1X EAPOL-Key. The dynamic session key is used to encrypt the broadcast key.
An authentication server timer gets configured to re-authenticate/re-key the client.

Slide 17: Implementation outline
Informational
– IEEE 802.11 layer
– Supplicant
– Supplicant to station MLME (NIC driver)
– Station
– AP authenticator
– Authentication server

Slide 18: Implementation outline cont.
IEEE 802.11 proposed changes
– Encrypted/non-encrypted changes
– WEP data formats

Slide 19: Implementation: 802.11 layer
Initial client authentication
– Open authentication used, since the dynamically derived WEP key is not yet available
– After 802.1X authentication and setting the dynamic key, run with WEP
– AP needs to be able to support a mixture of WEP/non-802.1X and non-WEP/802.1X data
– Station needs to be able to run WEP/non-802.1X and non-WEP/802.1X

Slide 20: Implementation: Supplicant
The supplicant, which mutually authenticates with the authentication server, resides at a higher layer than IEEE 802.11.
Create a modular interface so it can be ported easily.
Station is unaware of the EAP authentication type.

Slide 21: Implementation: Station MLME (e.g. NIC driver)
Indication of a roam to a different AP to the supplicant
Ability of the supplicant to set the keys

Slide 22: Implementation: Station
MLME interface to set the keys
– e.g. NIC driver ability to set the keys
802.1X packets sent without WEP; non-802.1X packets sent with WEP
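The port behaviour of slides 9 to 12 (uncontrolled port passes only 802.1X, controlled port blocked until the server's success packet arrives) and the mixed-cell rule of slides 19 and 22 (802.1X frames without WEP, data frames with WEP) can be written down as one small AP-side model. The Python below is an added example, not code from the presentation; the Frame fields, MAC addresses and method names are assumptions made for the model, and WEP itself is represented only by a flag on the frame.

```python
"""Toy model of the 802.1X authenticator in an AP, covering slides 9-12, 19 and 22.

Added example; not code from the presentation. Frame layout, MAC addresses and
method names are assumptions; 'wep' is a flag standing in for the actual cipher.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN, the frame type 802.1X uses
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    src: str              # station MAC address (constructed values in the demo)
    ethertype: int
    payload: bytes
    wep: bool = False     # True if the frame arrived WEP-encrypted


@dataclass
class VirtualPort:
    """One virtual 802.1X port per associated station (slide 8)."""
    authorized: bool = False              # controlled port: blocked until EAP success
    session_key: Optional[bytes] = None   # per-client key from the success packet (slides 11, 15)


class Authenticator:
    def __init__(self) -> None:
        self.ports: Dict[str, VirtualPort] = {}

    def associate(self, mac: str) -> None:
        # Open 802.11 authentication and association succeed with no key yet (slide 19);
        # the station's controlled port starts blocked (slide 10).
        self.ports[mac] = VirtualPort()

    def handle_uplink(self, frame: Frame) -> str:
        """Decide what the AP does with a frame received from a station."""
        port = self.ports.get(frame.src)
        if port is None:
            return "drop: not associated"
        if frame.ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: 802.1X always passes, and travels in the clear (slide 22).
            if frame.wep:
                return "drop: 802.1X frame must not be WEP-encrypted"
            return "forward: encapsulate in authentication-server traffic"
        if not port.authorized:
            return "drop: controlled port blocked"
        if not frame.wep:
            # Mixed cell: a data frame from an 802.1X station must use the dynamic key.
            return "drop: data frame must be WEP-encrypted after 802.1X"
        return "forward: to distribution system"

    def eap_success(self, mac: str, session_key: bytes) -> None:
        # The success packet from the authentication server carries the per-client key (slide 11).
        port = self.ports[mac]
        port.session_key = session_key
        port.authorized = True

    def deauthorize(self, mac: str) -> None:
        # Re-authentication failure or disassociation closes the controlled port again (slide 16).
        port = self.ports.get(mac)
        if port is not None:
            port.authorized = False
            port.session_key = None


def demo() -> list:
    """Walk one station through slides 10-12 and return the AP's decision for each frame."""
    sta = "02:00:00:00:00:01"          # constructed
    ap = Authenticator()
    ap.associate(sta)
    decisions = [
        ap.handle_uplink(Frame(sta, ETHERTYPE_IPV4, b"ip", wep=False)),     # slide 10: data blocked
        ap.handle_uplink(Frame(sta, ETHERTYPE_EAPOL, b"eap-response")),     # slide 10: 802.1X passes
    ]
    ap.eap_success(sta, b"\x01" * 13)                                      # slide 11: key delivered
    decisions.append(ap.handle_uplink(Frame(sta, ETHERTYPE_IPV4, b"ip", wep=True)))   # slide 12
    decisions.append(ap.handle_uplink(Frame(sta, ETHERTYPE_IPV4, b"ip", wep=False)))  # unkeyed data
    ap.deauthorize(sta)
    decisions.append(ap.handle_uplink(Frame(sta, ETHERTYPE_IPV4, b"ip", wep=True)))   # after re-key failure
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The model makes the detection angle of slides 19 and 27 concrete: in a mixed cell the AP has to classify every received data frame by whether it is encrypted and whether the sender's controlled port is open, and an unencrypted data frame from an authorized 802.1X station is a policy violation worth logging rather than forwarding.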

Slide 23: Implementation: AP Authenticator
Communicates with the station via IEEE 802.1X
Communicates with the Authentication server
– e.g. RADIUS client in AP
Encapsulates EAP in Authentication server traffic
– e.g. RADIUS attributes
AP is unaware of the EAP authentication type

Slide 24: Implementation: Authentication Server
EAP support can be added to the Authentication server
– e.g. EAP and RADIUS are defined by RFCs
EAP is easily extensible to different EAP authentication types

Slide 25: Implementation: Current Privacy capability
From Capability Information: APs set the Privacy subfield to 1 within transmitted Beacon, Probe Response, Association Response and Reassociation Response Management frames if WEP encryption is required for all Data Type frames exchanged within the BSS. If WEP encryption is not required, the Privacy subfield is set to 0.
STAs within an Independent BSS set the Privacy subfield to 1 in transmitted Beacon or Probe Response Management frames if WEP encryption is required for all Data Type frames exchanged within the IBSS. If WEP encryption is not required, the Privacy subfield is set to 0.

Slide 26: Implementation: Proposed change to Privacy capability
Addition to Capability Information: STAs set the Privacy subfield to 1 in transmitted Probe Request and Association Request Management frames if WEP encryption is required for all Data Type frames exchanged. If WEP encryption is optional, the Privacy subfield is set to 0.

Slide 27: Implementation: proposed change
Broadcast/multicast data in a mixed 802.1X cell runs with WEP. If broadcast is run without WEP, then the encrypted traffic is open to attack.

Slide 28: Implementation: proposed change
WEP data formats should be expanded upon. Refer to the following paper:
– 00/037 Proposal for Enhanced Encryption, Duncan Kitchin, Jesse Walker
This should be followed up in the standard. This will allow for implementation in hardware.

Slide 29: Summary
This proposal will promote multi-vendor interoperability by making authentication an upper-layer function. Authentication should reside at an upper layer where knowledge of the user is available.
EAP authentication types can be created with no changes to the IEEE 802.11 specification.
Changes to the IEEE 802.11 specification should be made to allow for mixed WEP cells and for more secure WEP data packets.