Presentation is loading. Please wait.

Presentation is loading. Please wait.

Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22.

Published byBilal Windell Modified over 10 years ago

Similar presentations

Presentation on theme: "Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22."— Presentation transcript:

1 Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22 Authors: NameAffiliationsAddressPhoneemail Hiroki NakanoTrans New Technology, Inc. Sumitomo Seimei Kyoto Bldg. 8F, 62 Tukiboko-cho, Shimogyo, Kyoto 600-8492 JAPAN +81-75-213-1200cas@trans-nt.com

2 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 2 Possible threats Unauthorized STAs User authentication function should have responsibility. done by EAP or something Fake APs steal security credentials and/or users id. MITM (Snooping) monitor and steal security credentials and/or users id This proposal is for MITM and Fake APs. Authorization of non-STA by AP should be done by another framework, such as EAP-RP. Mutual Authentication

3 Submission doc.: IEEE 802.11-11/1326r1 Common sequence August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 3 non-AP STAAP Beacon Assoc. Request Auth. Server Auth. Request Auth. Response Assoc. Response This should include ID of non-AP STA or its user. AP needs this information at least to know which authentication server should be used. In case of EAP-RP, this includes EMSKname-NAI token to identify EMSK key (= EAP session).

4 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 4 Whats the problem? To reduce time, the next frame of Beacon, which may be Association Request, should include identifications of non-AP STA and/or its user. At least, AP has to know which authentication server is suitable for this user. There is possibility of steal of ID. Attackers may try to gather stolen IDs. IDs can be mail addresses, telephone numbers, IMEI, etc. To protect ID: ID has to be encrypted and signed. STA has to be able to know if AP is authorized or faked.

5 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 5 Protection against MITM (for ID) Almost all frames should be encrypted and signed. Except for beacons? Beacons can be encrypted using public key cryptography…? The target in this presentation is the second frame, which is next to a beacon. Before that, we have to exchange a key. Use Elliptic Curve Diffie-Hellman algorithm. ECDH can produce a smaller key with the same strength. Smaller beacons and other frames are preferable.

6 Submission doc.: IEEE 802.11-11/1326r1 Early key generation by DH/ECDH August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 6 non-AP STAAP Beacon Any mgmt. frame generate gxgenerate gy generate k from (gx, gy) gx, IEs gy, E(k, IEs) decrypt IEs encrypt IEs gx and gy can be reused for a while. This may include user ID.

7 Submission doc.: IEEE 802.11-11/1326r1 Length and strength of DH key RFC3526 mentions as below (published in 2003). Slide 7Hiroki Nakano, Trans New Technology, Inc. August 2011

8 Submission doc.: IEEE 802.11-11/1326r1 Length and strength of ECDH key RFC5656 mentions as below (published in 2009). Slide 8Hiroki Nakano, Trans New Technology, Inc. August 2011

9 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 9 Benefits of early key generation Almost all frames can be encrypted and signed. All packets sent by STA All packets sent by AP except for beacons Threats A malicious STA/AP can let another STA/AP use its computation power. A malicious STA can hijack a MAC address of another STA. Because of lack of MAC address protection User authentication function should kick out such keys after this process. Fake APs can steal information from STAs. Costs beacon size In case of ECDH, additional 64 byte is enough. For example, the length of beacons for VeriLAN.1x is 202 byte. computation power

10 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 10 Protection against faked APs Can no-AP STA know only from a beacon if the AP is not faked? Impossible…? Combination of key generation and public key cryptography can prevent faked APs from getting correct information.

11 Submission doc.: IEEE 802.11-11/1326r1 Early key generation w/ public key crypto. August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 11 non-AP STAAP Beacon Any mgmt. frame generate gxgenerate gy generate k from (gx, gy) gx E(Kp, gy), E(k, IEs) decrypt IEs by k encrypt IEs by k encrypt gy by Kp AP has Kp and Ks.non-AP has Kp only. This may include user ID. (Kp, Ks) is a pair of public and secret keys of AP. decrypt gy by Ks

12 Submission doc.: IEEE 802.11-11/1326r1 In case of faked AP August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 12 non-AP STAAP Beacon Any mgmt. frame generate gxgenerate gy generate k from (gx, gy) gx E(Kp, gy), E(k, IEs) decrypt IEs by k encrypt IEs by k encrypt gy by Kp non-AP has Kp only. AP can not obtain gy because AP does not have Ks. decrypt gy by Ks AP has Kp only. This may include user ID, but faked AP cant obtain this. This may include user ID.

13 Submission doc.: IEEE 802.11-11/1326r1 Another candidate of sequence August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 13 non-AP STAAP Beacon Any mgmt. frame generate gxgenerate gy generate k from (gx, gy) gx, Sign(Ks, gx) gy, E(k, IEs) decrypt IEs encrypt IEs check Sign(Ks, gx) by Kp AP has Kp and Ks.non-AP has Kp only. This may include user ID. (Kp, Ks) is a pair of public and secret keys of AP.

14 Submission doc.: IEEE 802.11-11/1326r1 Replay attack by faked AP August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 14 non-AP STAAP Beacon Any mgmt. frame generate gy generate k from (gx, gy) gx, Sign(Ks, gx) gy, E(k, IEs) decrypt IEs encrypt IEs check Sign(Ks, gx) by Kp non-AP has Kp only. AP has Kp only. AP can not produce by itself correct Sign(Ks, gx) from gx because of lack of Ks. But AP can obtain a pair of gx and Sign(Ks, gx) by monitoring. This may include user ID.

15 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 15 Benefits of early key generation w/ PK Almost all frames can be encrypted and signed. All packets sent by STA All packets sent by AP except for beacons Threats A malicious STA/AP can let another STA/AP use its computation power. A malicious STA can hijack a MAC address of another STA. Because of lack of MAC address protection User authentication function should kick out such keys after this process. Fake APs can steal information from STAs Solved. Costs beacon size In case of ECDH, additional 64 byte is enough. For example, the length of beacons for VeriLAN.1x is 202 byte. computation power

16 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 16 Conclusion Elliptic Curve Diffie-Hellman key exchange and public key cryptography enables secure transmission of the second frame including user ID transmission. Of course, this can be used to protect another type of frames such as ANQP, etc. This scheme needs additional IE in beacons and computation power. ECDH enables acceptable size of beacon. Old DH method makes beacon too fat.

17 Submission doc.: IEEE 802.11-11/1326r1August 2011 Hiroki Nakano, Trans New Technology, Inc. Slide 17 Discussion

Download ppt "Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-98/178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE 802.11e Security IEEE 802.11 Task Group.

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Doc.: IEEE 802.11-11/0410r2 Submission March 2011 Slide 1 Data Transmission Protection on the IEEE 802.11ac MU-MIMO Downlink Date: 2011-03-16 Authors:

Doc.: IEEE /0410r2 Submission March 2011 Slide 1 Data Transmission Protection on the IEEE ac MU-MIMO Downlink Date: Authors:
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht,

Doc.: IEEE /516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht,
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Doc.:IEEE 802.11-11/1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:

Doc.:IEEE /1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:
Doc.: IEEE 802.11-10/0259r02 Submission Date: 2010-03-15 802.11ad New Technique Proposal March 2010 Yuichi Morioka, Sony CorporationSlide 1 Authors:

Doc.: IEEE /0259r02 Submission Date: ad New Technique Proposal March 2010 Yuichi Morioka, Sony CorporationSlide 1 Authors:
Doc.: IEEE 802.11-12/1097r1 Submission Sep 2012 Timo Koskela, Renesas Mobile CorporationSlide 1 Reserve Channel List in 802.11ah Date: 2012-09-17 Authors:

Doc.: IEEE /1097r1 Submission Sep 2012 Timo Koskela, Renesas Mobile CorporationSlide 1 Reserve Channel List in ah Date: Authors:
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
SCSC 455 Computer Security

SCSC 455 Computer Security
Submission doc.: IEEE 802.11-12/0789r3 NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,

Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Submission doc.: IEEE 11-13/0586r0 May 2013 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Comparison of IE fragmentation proposals Date: 2013-05-15.

Submission doc.: IEEE 11-13/0586r0 May 2013 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Comparison of IE fragmentation proposals Date:
Doc.: IEEE 802.11-14/0093r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0093r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Similar presentations

Ads by Google