Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robust Security Network (RSN) Service of IEEE

Published bySharlene Townsend Modified over 6 years ago

Similar presentations

Presentation on theme: "Robust Security Network (RSN) Service of IEEE"— Presentation transcript:

1 Robust Security Network (RSN) Service of IEEE 802.11
December 2002 doc.: IEEE /794r0 December 2002 Robust Security Network (RSN) Service of IEEE Shen Ping Southeast University Nanjing China, Shen Ping, Southeast University, China shen ping, Southeast University, China

2 RSN Security Feature ESS network architecture
December 2002 doc.: IEEE /794r0 December 2002 RSN Security Feature ESS network architecture Access Control (AC) in DS supports 802.1x authenticator 802.1x authenticated key management protocol Authentication Server (AS) in DS provide authentication service Secure capabilities negotiation, including ciphersuite and authenticated key management suite Mutual authentication and certificate, e.g. EAP-TLS Enhanced data protection mechanisms, such as TKIP, WRAP and CCMP Protection of management and control frames Pre-authentication of the BSS-transition STA Shen Ping, Southeast University, China shen ping, Southeast University, China

3 December 2002 RSN architecture Shen Ping, Southeast University, China

4 802.11 Security Services Station Service (SS)
December 2002 doc.: IEEE /794r0 December 2002 Security Services Station Service (SS) Privacy WEP mechanism Authentication Open system authentication Shared key authentication Deauthentication Pre-authentication Distribution System Service (DSS) Association/Disassociation/Reassociation Shen Ping, Southeast University, China shen ping, Southeast University, China

5 Relationships between service
December 2002 Relationships between service Shen Ping, Southeast University, China

6 Class 1 frame Control frames Management frames Data frames
December 2002 Class 1 frame Control frames Management frames Probe request/response Beacon Authentication Deauthentication ATIM Data frames Data frame with FC bit “To DS” and “From DS” both false Shen Ping, Southeast University, China

7 December 2002 RSN Service RSN service provide 802.1x authenticated key management protocol between STA and AC. RSN service is neither a SS nor a DSS. RSN service on STA is a SS RSN service on AC is a DSS STA supports 802.1x supplicant, and AC supports 802.1x authenticator. Shen Ping, Southeast University, China

8 Cipher suite negotiation
December 2002 Cipher suite negotiation The state diagram is unchanged from the 1999 specification. STA and AP must use IEEE open system authentication. RSN IE is added to authentication frame to negotiate the cipher suite between STA and AP. RSN IE in first frame of open system authentication provide a cipher suite list of STA. The cipher suite list shows all cipher suite supported by STA. AP must support all cipher suites. AP selects the highest one of the STA cipher suite list for unicast. The multicast cipher must always be the lowest unicast cipher enabled. The result is sent in RSN IE of final frame. Shen Ping, Southeast University, China

9 802.1x authenticated key management protocol
December 2002 802.1x authenticated key management protocol 802.1x authenticated key management protocol is provided by RSN service between STA and AC. 802.1x message packets are encapsulated in data frame of class 1 frames. All 802.1x message packets pass by AP. AC sends the PTK and GTK to AP over a secure channel between them, e.g. IPsec. Shen Ping, Southeast University, China

10 4 way handshake protocol
December 2002 PMK RADIUS Generate PMK between STA and AS 802.1x authentication protocol Final frame (RSN IE) First frame (RSN IE) Open system authentication STA AP AC AS Generate PTK and GTK between STA and AC 4 way handshake protocol PTK、GTK IPSec Control frames, management frames and data frames 802.11 Phase 1 Phase 2 Phase 3 Shen Ping, Southeast University, China

11 Three phases of State 1 Phase 1 Phase 2 Phase 3
December 2002 Three phases of State 1 Phase 1 Using open system authentication frames to negotiate cipher suite Phase 2 Using 802.1x authentication protocol to generate PMK between STA and AS AS sends PMK to AC over the secure channel of RADIUS Phase 3 Using 4 way handshake and group key update to generate PTK and GTK for the STA AC configures PTK and GTK to cipher engine of AP for privacy service over the secure channel of IPsec Shen Ping, Southeast University, China

12 RSN security protocol stack
December 2002 RSN security protocol stack STA AP AC AS Transport Layer TCP/ UDP TCP/ UDP EAP EAP RADIUS RADIUS Network Layer IP IP IPSec IPSec IP IP IP IP Link Layer EAPOL 802.11 802.3 EAPOL 802.3 802.3 802.1X 802.1X 802.11 802.3 Supplicant Authenticator AS Shen Ping, Southeast University, China

13 Pre-authentication AC stores the keys of each enabled STA
December 2002 Pre-authentication AC stores the keys of each enabled STA Before STA moves from AP1 to AP2 in a ESS, AC configures keys to cipher engine of AP2, and removes keys from AP1 Pre-authentication may not impact the speed with which STA can reassociate between AP2. Pre-authentication is simple and secure. Shen Ping, Southeast University, China

14 December 2002 Support of non-RSN STA The non-RSN station support pre-shared key over 802.1x (only 4-way handshake) No phase 2 of state 1 The non-RSN station does not support 802.1x supplicant (WEP STA) No phase 2 and 3 of state 1 Shen Ping, Southeast University, China

15 Negotiation of authenticated key management suite
December 2002 Negotiation of authenticated key management suite Authenticated key management suite need not be negotiated. AC can select authenticated key management suite by the type of 802.1x message for different phases. If the first 802.1x message belongs phase 2, unspecified authentication over 802.1x is enabled. If the first 802.1x message belongs phase 3, pre-shared key over 802.1x is enabled. WEP STA can not send the data frames of class 1 which encapsulate 802.1x message packets. Shen Ping, Southeast University, China

16 Advantage (1) The 802.11 state diagram is unchanged.
December 2002 Advantage (1) The state diagram is unchanged. AP is changed a little. Authentication service of AP is unchanged. The new cipher engines of TKIP, WRAP and CCMP added to privacy service of AP. AP need transmit the 802.1x data frame of class 1 to AC in DS. Realize the protection of management frames and control frames. Pre-authentication service is simple and secure. Shen Ping, Southeast University, China

17 Advantage (2) Negotiation of cipher suite is simple and valid.
December 2002 Advantage (2) Negotiation of cipher suite is simple and valid. Authenticated key management suite need not negotiated. Support non-RSN STA simply. Compatible 802.1x protocol between wireless and wired LAN. Saving capital of ESS network A little change of AP Only one AC in a ESS Several ESSs shared one AS Shen Ping, Southeast University, China

18 Thanks Tim Moore, Microsoft
December 2002 Thanks Tim Moore, Microsoft “Suggested Changes to Robust Security Network (RSN) for IEEE ” Bernard Aboba, Microsoft “IEEE 802.1x Pre-Authentication” Shen Ping, Southeast University, China

Download ppt "Robust Security Network (RSN) Service of IEEE"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
IEEE Wireless LAN Standard

IEEE Wireless LAN Standard
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Doc.: IEEE 802.11-04/1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004

IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Lecture 24 Wireless Network Security

Lecture 24 Wireless Network Security
Wireless security Wi–Fi (802.11) Security

Wireless security Wi–Fi (802.11) Security
Wireless Network Security CSIS 5857: Encoding and Encryption.

Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE 802.11-03/657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Similar presentations

Ads by Google