1
Robust Security Network (RSN) Service of IEEE 802.11
December 2002, doc.: IEEE /794r0
Shen Ping, Southeast University, Nanjing, China
2
RSN Security Feature: ESS network architecture
- Access Control (AC) in the DS supports the 802.1x authenticator and the 802.1x authenticated key management protocol
- Authentication Server (AS) in the DS provides the authentication service
- Secure capabilities negotiation, including the cipher suite and the authenticated key management suite
- Mutual authentication and certificates, e.g. EAP-TLS
- Enhanced data protection mechanisms, such as TKIP, WRAP and CCMP
- Protection of management and control frames
- Pre-authentication of the BSS-transition STA
3
RSN architecture (figure; not recoverable from the extracted text)
4
802.11 Security Services
Station Service (SS)
- Privacy: WEP mechanism
- Authentication: open system authentication, shared key authentication
- Deauthentication
- Pre-authentication
Distribution System Service (DSS)
- Association / Disassociation / Reassociation
5
Relationships between services (figure; not recoverable from the extracted text)
6
Class 1 frames
- Control frames
- Management frames: Probe request/response, Beacon, Authentication, Deauthentication, ATIM
- Data frames: data frames with the FC bits "To DS" and "From DS" both false
7
RSN Service
- The RSN service provides the 802.1x authenticated key management protocol between STA and AC.
- The RSN service as a whole is neither an SS nor a DSS: the RSN service on the STA is an SS, and the RSN service on the AC is a DSS.
- The STA supports the 802.1x supplicant, and the AC supports the 802.1x authenticator.
8
Cipher suite negotiation
- The state diagram is unchanged from the 1999 specification.
- STA and AP must use IEEE open system authentication.
- An RSN IE is added to the authentication frame to negotiate the cipher suite between STA and AP.
- The RSN IE in the first frame of open system authentication carries the cipher suite list of the STA; the list shows all cipher suites supported by the STA.
- The AP must support all cipher suites.
- The AP selects the highest one of the STA's cipher suite list for unicast.
- The multicast cipher must always be the lowest unicast cipher enabled.
- The result is sent in the RSN IE of the final frame.
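The selection rule on this slide, written out as an AP-side model. This is an added example and not code from the presentation: the strength ranking of the suites is an assumption (the deck names WEP, TKIP, WRAP and CCMP but does not rank them), and the STA's RSN IE is represented simply as the list of suite names it carries. The AccessPoint class goes one step beyond the slide by tracking every associated STA, which is what makes the "lowest unicast cipher enabled" rule for the group cipher concrete.

```python
# Added example, not from the presentation. CIPHER_RANK is an assumed
# strength ordering (weakest first); the slides do not rank the suites.
CIPHER_RANK = {"WEP": 0, "TKIP": 1, "WRAP": 2, "CCMP": 3}


def select_unicast(sta_cipher_list):
    """Slide rule: the AP supports every suite and picks the highest-ranked
    suite offered in the STA's RSN IE for unicast traffic."""
    offered = list(dict.fromkeys(sta_cipher_list))  # drop duplicates, keep order
    if not offered:
        raise ValueError("STA offered no cipher suite")
    unknown = [c for c in offered if c not in CIPHER_RANK]
    if unknown:
        raise ValueError(f"unknown cipher suite(s) in RSN IE: {unknown}")
    return max(offered, key=CIPHER_RANK.__getitem__)


class AccessPoint:
    """Tracks the unicast cipher negotiated with each associated STA so the
    group (multicast) cipher can follow the slide's rule: always the lowest
    unicast cipher currently enabled in the BSS."""

    def __init__(self):
        self.unicast = {}  # STA address -> negotiated unicast cipher

    def group_cipher(self):
        if not self.unicast:
            return None
        return min(self.unicast.values(), key=CIPHER_RANK.__getitem__)

    def authenticate(self, sta_addr, sta_cipher_list):
        """Processes the RSN IE from the STA's first open-system authentication
        frame and returns (unicast, multicast), the result carried in the
        RSN IE of the final frame."""
        unicast = select_unicast(sta_cipher_list)
        self.unicast[sta_addr] = unicast
        return unicast, self.group_cipher()

    def deauthenticate(self, sta_addr):
        """Removes the STA; the group cipher may rise again as a result."""
        self.unicast.pop(sta_addr, None)
        return self.group_cipher()


if __name__ == "__main__":
    ap = AccessPoint()
    # Constructed STA addresses and cipher lists, for illustration only.
    print(ap.authenticate("00:00:00:00:00:01", ["TKIP", "CCMP"]))  # ('CCMP', 'CCMP')
    print(ap.authenticate("00:00:00:00:00:02", ["WEP", "TKIP"]))   # ('TKIP', 'TKIP')
    print(ap.deauthenticate("00:00:00:00:00:02"))                  # 'CCMP'
```

The second authentication shows the consequence of the group-cipher rule: the first STA negotiated CCMP for itself and for the group, but once a TKIP-only STA joins the BSS, the group cipher drops to TKIP for everyone and has to be redistributed by a group key update. An operator who wants a strong group cipher therefore has to keep weak STAs out of the BSS, not merely prefer strong unicast suites.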
9
802.1x authenticated key management protocol
- The 802.1x authenticated key management protocol is provided by the RSN service between STA and AC.
- 802.1x message packets are encapsulated in class 1 data frames.
- All 802.1x message packets pass through the AP.
- The AC sends the PTK and GTK to the AP over a secure channel between them, e.g. IPsec.
10
4 way handshake protocol (sequence diagram; labels recovered from the figure)
Participants: STA, AP, AC, AS
Phase 1 (802.11): open system authentication between STA and AP, first frame (RSN IE) and final frame (RSN IE)
Phase 2: 802.1x authentication protocol generates the PMK between STA and AS; PMK carried over RADIUS
Phase 3: 4 way handshake protocol generates PTK and GTK between STA and AC; PTK and GTK delivered to the AP over IPsec
Afterwards: control frames, management frames and data frames (802.11)
11
Three phases of State 1
- Phase 1: open system authentication frames are used to negotiate the cipher suite.
- Phase 2: the 802.1x authentication protocol is used to generate the PMK between STA and AS; the AS sends the PMK to the AC over the secure channel of RADIUS.
- Phase 3: the 4 way handshake and group key update are used to generate the PTK and GTK for the STA; the AC configures the PTK and GTK into the cipher engine of the AP for the privacy service, over the secure channel of IPsec.
12
RSN security protocol stack (figure; only the labels are recoverable)
Columns: STA (Supplicant), AP, AC (Authenticator), AS
Transport layer: TCP/UDP, EAP, RADIUS
Network layer: IP, IPsec
Link layer: EAPOL, 802.1X, 802.11, 802.3
13
Pre-authentication
- The AC stores the keys of each enabled STA.
- Before the STA moves from AP1 to AP2 in an ESS, the AC configures the keys into the cipher engine of AP2 and removes the keys from AP1.
- Pre-authentication may not impact the speed with which the STA can reassociate with AP2.
- Pre-authentication is simple and secure.
14
Support of non-RSN STA
- A non-RSN station that supports pre-shared key over 802.1x (only the 4-way handshake): no phase 2 of State 1.
- A non-RSN station that does not support the 802.1x supplicant (WEP STA): no phase 2 and no phase 3 of State 1.
15
Negotiation of authenticated key management suite
- The authenticated key management suite need not be negotiated.
- The AC can select the authenticated key management suite from the type of the 802.1x message, since each type belongs to a different phase:
- If the first 802.1x message belongs to phase 2, unspecified authentication over 802.1x is enabled.
- If the first 802.1x message belongs to phase 3, pre-shared key over 802.1x is enabled.
- A WEP STA cannot send the class 1 data frames that encapsulate 802.1x message packets.
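The AC-side inference described on this slide and on the "Support of non-RSN STA" slide, as an added example that is not part of the presentation: the AC reads the type of the first 802.1x message a station sends and from it decides both the authenticated key management suite and which of the three phases of State 1 the station will go through. The EAPOL packet type codes (EAP-Packet = 0, EAPOL-Start = 1, EAPOL-Logoff = 2, EAPOL-Key = 3) come from IEEE 802.1X-2001 and are not on the slides; treating EAPOL-Start as the opening of phase 2 is an assumption of this example, and the sample messages are constructed, not captured.

```python
# Added example, not from the presentation. EAPOL packet type codes are
# from IEEE 802.1X-2001 (not on the slides).
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2
EAPOL_KEY = 3

AKM_8021X = "unspecified authentication over 802.1x"
AKM_PSK = "pre-shared key over 802.1x"
AKM_NONE = "none (WEP STA)"


def eapol_packet_type(payload):
    """Reads the 4-byte EAPOL header (version, type, body length) of an
    802.1x message carried in a class 1 data frame and returns the type,
    rejecting a header whose length field runs past the end of the frame."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    ptype = payload[1]
    body_len = int.from_bytes(payload[2:4], "big")
    if len(payload) - 4 < body_len:
        raise ValueError("EAPOL body length exceeds the frame")
    return ptype


def select_akm(first_eapol_payload):
    """Slide rule: the AKM suite is not negotiated; the AC picks it from the
    phase the first 802.1x message belongs to. Returns (suite, phases of
    State 1 the station goes through). None means the station never sent
    an 802.1x message at all."""
    if first_eapol_payload is None:
        # A WEP STA has no 802.1x supplicant: only phase 1 (cipher negotiation).
        return AKM_NONE, (1,)
    ptype = eapol_packet_type(first_eapol_payload)
    if ptype in (EAPOL_EAP_PACKET, EAPOL_START):
        # Phase 2 traffic (EAP with the AS, EAPOL-Start assumed to open it):
        # all three phases run.
        return AKM_8021X, (1, 2, 3)
    if ptype == EAPOL_KEY:
        # Phase 3 traffic straight away: 4-way handshake on a pre-shared PMK,
        # so phase 2 is skipped.
        return AKM_PSK, (1, 3)
    raise ValueError(f"unexpected first EAPOL packet type {ptype}")


# Constructed sample messages (not captured traffic).
# EAP-Packet carrying an EAP Response/Identity with an empty identity:
# EAP code 2, id 1, length 5, type 1.
SAMPLE_EAP = bytes([0x01, EAPOL_EAP_PACKET, 0x00, 0x05, 0x02, 0x01, 0x00, 0x05, 0x01])
# EAPOL-Key with a two-byte stand-in body (a real key descriptor is longer).
SAMPLE_KEY = bytes([0x01, EAPOL_KEY, 0x00, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    for label, msg in (("RSN STA", SAMPLE_EAP), ("PSK STA", SAMPLE_KEY), ("WEP STA", None)):
        suite, phases = select_akm(msg)
        print(f"{label}: {suite}; phases {phases}")
```

The length check in eapol_packet_type is the kind of validation an AC should apply before acting on any 802.1x message that the AP has merely forwarded: the AP does not inspect the packet, so the AC is the first party that parses it. A station whose first message is an EAPOL-Logoff, or anything else that fits no phase, is rejected rather than silently given a suite.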
16
Advantage (1)
- The 802.11 state diagram is unchanged.
- The AP is changed a little: the authentication service of the AP is unchanged; the new cipher engines of TKIP, WRAP and CCMP are added to the privacy service of the AP; the AP needs to forward the class 1 data frames carrying 802.1x to the AC in the DS.
- Realizes the protection of management frames and control frames.
- The pre-authentication service is simple and secure.
17
Advantage (2)
- Negotiation of the cipher suite is simple and valid.
- The authenticated key management suite need not be negotiated.
- Non-RSN STAs are supported simply.
- The 802.1x protocol is compatible between wireless and wired LAN.
- Saves capital in the ESS network: a little change to the AP; only one AC in an ESS; several ESSs share one AS.
18
Thanks
- Tim Moore, Microsoft, "Suggested Changes to Robust Security Network (RSN) for IEEE "
- Bernard Aboba, Microsoft, "IEEE 802.1x Pre-Authentication"