Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: 11-13-0581-00 Submission May 14, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Piggy-Backing Aspects Date: 2013-05-14 Authors: NameCompanyAddressPhoneemail.

Published byMervin Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: 11-13-0581-00 Submission May 14, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Piggy-Backing Aspects Date: 2013-05-14 Authors: NameCompanyAddressPhoneemail."— Presentation transcript:

1 doc.: 11-13-0581-00 Submission May 14, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Piggy-Backing Aspects Date: 2013-05-14 Authors: NameCompanyAddressPhoneemail René StruikStruik Security Consultancy Toronto ON, CanadaUSA: +1 (415) 690-7363 Toronto: +1 (647) 867-5658 Skype: rstruik rstruik.ext@gmail.com Note: Material extracted from 13/201r8

2 doc.: 11-13-0581-00 Submission FILS Key Establishment May 14, 2013 STA AP Association Request Beacon/Probe Resp. Authentication Request Authentication Response Association Request Key Establishment Key Confirmation TTP online/offline assistance with authentication FILS key establishment protocol options provided:  FILS Authentication with TTP, based on ERP (two flavors: with or without “PFS” (ERP+ECDH, resp. ERP)  see next slides)  Authentication without online TTP, based on ECDH and ECDSA certificate Slide source: 13/324r0 Slide 2Rene Struik (Struik Security Consultancy)

3 doc.: 11-13-0581-00 Submission Adding “piggy-backed info” to protocol flows … May 14, 2013 STA AP Association Request Beacon/Probe Resp. Authentication Request Authentication Response Association Request Key Establishment Key Confirmation TTP Services + piggy-backed info response + piggy-backed info request Authentication help Configuration help IP address assignment Authorization Subscription credentials Piggy-backing info along FILS authentication protocol:  Higher-layer set-up, including IP address assignment  Authorization functionality, subscription credentials, etc. See details elsewhere in presentation Slide source: 13/324r0 Slide 3Rene Struik (Struik Security Consultancy)

4 doc.: 11-13-0581-00 Submission FILS Security Status May 14, 2013 Current Status:  Three FILS authentication protocol options specified:  FILS Authentication with Trusted Third Party  FILS Authentication with Trusted Third Party and “PFS”  FILS Authentication without Trusted Third Party  Main differences:  Different trust assumptions  Different assumption on “pre-existing” system set-up  Different assumptions on online availability of the “backbone network”  Common elements:  All have only four protocol flows  All implemented via Authentication/Association Request/Response frames  All allow piggy-backing of other info along Association frames (e.g., IP address assignment) Current Work in Progress:  How to deal with large objects (e.g., certificates, higher-layer data objects)  How to specify main piggy-backing details (e.g., on IP address assignment) Slide source: 13/324r0 Slide 4Rene Struik (Struik Security Consultancy)

5 doc.: 11-13-0581-00 Submission May 14, 2013 Questions 1. How to deal with large objects (e.g., certificates, higher-layer data objects)?  Intra-frame fragmentation. DISCUSSED ELSEWHERE How to handle large objects that fit within a single frame  Inter-frame fragmentation. DISCUSSED ELSEWHERE How to fragment FILS frames, if these become too long due to large objects 2. How to specify main piggy-backing details (e.g., on IP address assignment)?  Flexibility re AEAD authenticated encryption mode. DISCUSSED HERE Authentication and potential encryption of piggy-backed information Slide 5Rene Struik (Struik Security Consultancy)

6 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (1) General mechanism After AEAD protection Now with Information elements: or... Main problem: How to pinpoint the portions that are encrypted? (only problem for recipient) HeaderPayload Header Secured Payload Authentication of entire frame 071346589A071346589A071346589A071346589A Encrypted segments starts here Slide 6Rene Struik (Struik Security Consultancy)

7 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (2) How to pinpoint the portions that are encrypted? (only problem for recipient) Recipient can easily find this “L”-symbol: simply parse received message (and remove this “L”-symbol) Does this also work for other “encryption ON/OFF” combinations? 071346589A071346589A071346589A L 071346589A “L” 11 2 2L 2  Encryption length indicator IE (4 octets) Slide 7Rene Struik (Struik Security Consultancy)

8 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (3) Does this also work for other “encryption ON/OFF” combinations? YES! Exploit structure in IEs: encryption/decryption is essentially on “unordered” set of IEs. Step 1 @sender: massage in right form (split frame into “to be encrypted elements” and “other data”) Step 2 @sender: encrypt and put “L”-symbol (encryption indicator IE) in place 071346589A071346589A013689745A Other data To be encrypted data 0A13475689 “L” Slide 8Rene Struik (Struik Security Consultancy)

9 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (4) Step 1 @recipient: find encryption indicator, length of encrypted segment, decrypt and verify authenticity, and remove “L”-symbol (NOTE: encryption indicator is always “on the left”) Step 2 @recipient: massage “decrypted data” and “other data”, so that IEs will be in ascending order. 013689745A Other data Decrypted data 0A13475689 “L” 0A13475689 071346589A Slide 9Rene Struik (Struik Security Consultancy)

10 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (5) What about complexity?  Step 1 @sender: massage in right form (split frame into “to be encrypted elements” and “other data”) Scan data from left to right and partition string according to “Encryption ON/OFF” indication  Step 2 @recipient: massage “decrypted data” and “other data”, so that IEs will be in ascending order. Scan leftmost elements of two substrings and build combined string according to order IE Identifiers.  Step 2 @sender: encrypt and authenticate and put “L”-symbol (encryption length indicator IE) in place  Step 1 @recipient: find encryption indicator, length of encrypted segment, decrypt and verify authenticity, and remove “L”-symbol 071346589A 013689 745A Other data To be encrypted data 0A13475689 “L” 0A13475689 Slide 10Rene Struik (Struik Security Consultancy)

11 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (6) Summary: Flexible authenticated encryption scheme:  Sender has full control over which portions to encrypt (e.g., encryption of vendor-specific info, specific higher-layer objects)  Recipient can always decrypt-and-verify, irrespective of sender’s security policy Limited incremental cost:  Requires new 4-octet information element (“encryption indicator element”) This allows recipient to always easily find “encrypted data” and “other data”  Requires single left-to-right scan of string on sender’s and recipient’s side Implementation cost scan operation insignificant: *Scan on recipient’s side only after decrypt-and-verify, so no schedule impact *Scan on sender’s side may be trivial and can be anticipated by sender Notes: AEAD scheme described has minimal complexity, in the following sense:  Any AEAD scheme where one cannot statically determine size and/or location of “encrypted data” from frame itself requires introduction of “encryption indicator IE”  Any scheme where one wishes to have “encrypted data” together, so that AEAD crypto inputs can be easily determined,requires some type of “scan” operation Slide 11Rene Struik (Struik Security Consultancy)

12 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (7) Summary: Flexible authenticated encryption scheme:  Sender has full control over which portions to encrypt (e.g., encryption of vendor-specific info, specific higher-layer objects)  Recipient can always decrypt-and-verify, irrespective of sender’s security policy Implementation choices:  Any implementer who does not care about flexibility (i.e., its security policy is to always encrypts the entire frame), does not need to implement “scan” on sender’s side. In that case, encrypt-and-authenticate coincides with usual CCM mode.  Any implementer whose incoming frame processing considers IEs as a set, i.e., unordered, does not need to implement “scan” on recipient’s side. In that case, decrypt-and-verify coincides with usual CCM mode. Result: (“Best of both worlds”)  Implementers who do not like flexibility/generality can go their way  Implementation of “encryption indicator element” allows others who do like flexibility to go their way as well (“peaceful coexistence”) Slide 12Rene Struik (Struik Security Consultancy)

13 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption (8) Options: 1. No flexibility. Always encrypt FILS Association Request/Response “body” 2.Some flexibility. Allow only encryption of “first chunk”… No re-ordering of IEs at all. 3. Full flexibility. Allow encryption of any chunks, as set by senders policy… Potential re-ordering of IEs “under the hood”. Put “right” as part of AEAD routine. Details in 13/582r0. HeaderSecured Payload Header Secured Payload Visible Chunk “L” Header Secured Payload Visible Chunk “L” Slide 13Rene Struik (Struik Security Consultancy)

14 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption – Straw Poll Implement flexible encryption scheme as specified in 13/311r1:  Introduce new Information Element (IE) as “security indicator element” (4-octets), so as to indicate length of encryption segment following  Facilitate Option #2 of previous Slide (#22).  For clarity: This only applies to FILS Association frames  Yes  No  “Don’t Care”  Need more information Result: Slide 14Rene Struik (Struik Security Consultancy)

15 doc.: 11-13-0581-00 Submission May 14, 2013 Authenticated Encryption – Motion Instruct the editor to incorporate changes to D0.5, as indicated in 13/311r2  Yes  No  Abstain Result: Y/N/A Slide 15Rene Struik (Struik Security Consultancy)

Download ppt "Doc.: 11-13-0581-00 Submission May 14, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Piggy-Backing Aspects Date: 2013-05-14 Authors: NameCompanyAddressPhoneemail."

Similar presentations

Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:
IETF-91, DICE Working Group November 10, 2014 René Struik (Struik Security Consultancy)Slide 1 Multicast Security  Quo Vadis?  René Struik.

IETF-91, DICE Working Group November 10, 2014 René Struik (Struik Security Consultancy)Slide 1 Multicast Security  Quo Vadis?  René Struik.
Doc.: IEEE 802.11-12/0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: 2012-05-09 Authors:

Doc.: IEEE /0598r0 Submission May 2012 Steve Grau, Juniper NetworksSlide 1 Layer 3 Setup with Dynamic VLAN Assignment Date: Authors:
Doc.: IEEE 802.11-12/0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: 2012-05-04 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0567r1 Submission May 2012 Huawei Slide 1 Multiple Frequency Channel Scanning Date: Authors: NameAffiliationsAddressPhone .
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Doc.: IEEE 802.11-11/1498-01-00ai Submission NameAffiliationsAddressPhoneemail Phillip BarberHuawei Technologies Co., Ltd. 1700 Alma Rd, Ste 500 Plano,

Doc.: IEEE / ai Submission NameAffiliationsAddressPhone Phillip BarberHuawei Technologies Co., Ltd Alma Rd, Ste 500 Plano,
Doc.: IEEE 802.11-08/1268 r1 Submission November 2008 Ding Zhiming, HuaweiSlide 1 Amendment for emergency alert system notification Date: 2008-11-09 Authors:

Doc.: IEEE /1268 r1 Submission November 2008 Ding Zhiming, HuaweiSlide 1 Amendment for emergency alert system notification Date: Authors:
Submission doc.: IEEE 11-12-0406-03-00ai May 2012 InterDigital, KDDI, Nokia, Huawei, Intel, Qcomm Slide 1 Proposed SFD Text for 802.11ai Passive Scanning.

Submission doc.: IEEE ai May 2012 InterDigital, KDDI, Nokia, Huawei, Intel, Qcomm Slide 1 Proposed SFD Text for ai Passive Scanning.
Doc.: IEEE 802.11-12/1042 Submission NameAffiliationsAddressPhoneemail Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,

Doc.: IEEE /1042 Submission NameAffiliationsAddressPhone Giwon ParkLG Electronics LG R&D Complex 533, Hogye- 1dong, Dongan-Gu, Anyang, Kyungki,
Submission doc.: IEEE 802.11-11/1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Doc.: IEEE 802.11-12/1054r0 Submission Sep. 2012 Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: 2012-09-07 Authors:

Doc.: IEEE /1054r0 Submission Sep Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: Authors:
Submission doc.: IEEE 802.11-11/1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Doc.: IEEE 802.11-13-0365-00-00ai Submission NameAffiliationsAddressPhone George Calcev Huawei Technologies Co., Ltd. huawei.com TGai.

Doc.: IEEE ai Submission NameAffiliationsAddressPhone George Calcev Huawei Technologies Co., Ltd. huawei.com TGai.
Doc.: IEEE 802.11-13/0089r0 Submission Listen interval update Jan 2013 Slide 1 Date: 2013-01-13 Authors: Jinsoo Choi, LG Electronics.

Doc.: IEEE /0089r0 Submission Listen interval update Jan 2013 Slide 1 Date: Authors: Jinsoo Choi, LG Electronics.
Doc.: 11-12-1243r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date: 2012-10-30.

Doc.: r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date:
Doc.: IEEE 802.11-11/0977r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKA ROOT INC.2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001 JAPAN +81-92-771-

Doc.: IEEE /0977r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKA ROOT INC Tenjin, Chuo-ku, Fukuoka JAPAN
15-05-0083-02-0400 Submission January, 2005 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks.

Submission January, 2005 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE 802.11-15/0880r2 Submission Scheduled Trigger frames July 2015 Slide 1 Date: 2015-07-04 Authors: A. Asterjadhi, H. Choi, et. al.

Doc.: IEEE /0880r2 Submission Scheduled Trigger frames July 2015 Slide 1 Date: Authors: A. Asterjadhi, H. Choi, et. al.
Doc.: IEEE 802.11-12/0897r0 SubmissionJae Seung Lee, ETRISlide 1 Active Scanning considering Operating Status of APs Date: 2012-07-06 July 2012.

Doc.: IEEE /0897r0 SubmissionJae Seung Lee, ETRISlide 1 Active Scanning considering Operating Status of APs Date: July 2012.

Similar presentations

Ads by Google