Presentation is loading. Please wait.

Presentation is loading. Please wait.

P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

Published byNicholas Hercules Modified over 9 years ago

Similar presentations

Presentation on theme: "P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003."— Presentation transcript:

1 P1451.5 Security Survey and Recommendations By: Ryon Coleman (rcoleman@3eti.com) October 16, 2003

2 2 Agenda – Analyze Security Techniques Of Candidate Stacks & Present Conclusions 802.11 / 802.11i Key Management Encryption Authentication Bluetooth Profile Approach Layered Framework ZigBee / 802.15.4 Government Considerations Areas for Convergence Backup Slides

3 3 802.11 Security 802.11i Specification for Enhanced Security IEEE 802.1X-based authentication mechanisms are used, with AES in CCMP mode, to establish an 802.11 Robust Security Network (RSN). IEEE 802.1X-2001 defines a framework based on the Extensible Authentication Protocol (EAP) over LANs, also known as EAPoL. EAPoL is used to exchange EAP messages. EAP messages perform authentication and are used for key derivation between a STA and an EAP entity known as the Authentication Server (AS). 802.11i defines a 4-way handshake using EAPoL for key management / key derivation.

4 4 802.11i Authentication & Key Management Overview

5 5 802.11 EAP Encapsulation EAPoL frames are normal IEEE 802.11 data frames, thus they follow the format of IEEE 802.11 MSDUs and MPDUs.

6 6 EAPoL for Key Exchange Packet Type = 0x03 in the 802.1X header indicates EAPoL-Key message. Used by the Authenticator and Supplicant to derive or exchange cryptographic keying information. After the association first forms, only IEEE 802.1X protocol messages (i.e., EAP and its associated authentication method) flow across the link until authentication completes The Supplicant’s IEEE 802.1X Port Access Entity (PAE) filters all non-EAP traffic during this period. Until authentication completes with the distribution of a Pairwise Master Key (PMK), the PAE ensures that only EAP packets are sent or received between this STA and the wireless medium.

7 7 802.11 RSN Information Element

8 8 Successful 802.1X Authentication Exchange

9 9 4-Way Handshake to Derive Encryption & Authentication Keys

10 10 4-Way Handshake to Derive Encryption & Authentication Keys

11 11 Pairwise Key Hierarchy Derivation Process – For Unicast

12 12 Group Key Hierarchy Derivation Process – For Multicast

13 13 AES Counter + CBC-MAC (CCMP) Provides Encryption & Authentication The CCMP protocol is based on AES using the CCM mode of operation. The CCM mode combines Counter (CTR) mode privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication. These modes have been used and studied for a long time, have well-understood cryptographic properties, and no known patent encumbrances. They provide good security and performance in both hardware or software.

14 14 802.11 CCMP Encapsulation

15 15 802.11 CCMP Decapsulation

16 16 Bluetooth Security: LAN Access Profile - A Cross-Layered Approach From “Bluetooth Security Whitepaper” Bluetooth SIG Security Expert Group

17 17 Bluetooth Security Overview Bluetooth takes a cross-layered approach to implementing security: SAFER+ algorithm used at the Baseband for encryption & authentication. Link Manager specification covers link level procedures for configuring security. HCI specification details how a host controls security & how security-related events are reported by a Bluetooth module to its host. Bluetooth SIG whitepaper exists for implementing security and provides examples of how services might use security. Drawback: SAFER+ (Secure And Fast Encryption Routine) was beaten out by Rijndael for selection for AES in the U.S. Existing Bluetooth security does not satisfy U.S. DoD requirements.

18 18 ZigBee / 802.15.4 Security Like 802.11i, ZigBee relies on AES CCM as a mainstay for encryption + authentication. CCM mode consists of CTR mode encryption combined with CBC-MAC authentication to produce an authenticate-and-encrypt block cipher using NIST-approved AES. AES CCM is intended to provide encryption, sender authentication, and message integrity.

19 19 ZigBee Key Management Currently ZigBee is establishing its key management / key distribution techniques. Elliptic Curve based techniques are supposedly in the works Need additional input on ZigBee security from a member representative…

20 20 Government Considerations Currently, there exist four FIPS-approved symmetric key algorithms for encryption: Advanced Encryption Standard (AES) Data Encryption Standard (DES) Triple-DES Skipjack AES is the FIPS-Approved symmetric encryption algorithm of choice. FIPS 197, Advanced Encryption Standard (AES), specifies the AES algorithm (http://csrc.nist.gov/cryptval/) FIPS 197http://csrc.nist.gov/cryptval/ 802.11i is compliant with NIST FIPS 197 and FIPS 140-2 validation requirements.

21 21 Areas for Convergence AES CCM should be called out by 1451.5 at the MAC sublayer for authentication and encryption. Key Management is a crucial area for wireless security. 802.11i is good but may be too “heavy” for smart sensors. Access to ZigBee techniques would be useful in this area Bluetooth implements a layered approach, but is not in compliance with NIST or DoD requirements. A strong, layered approach for 1451.5 security would be AES CCM at the MAC plus 802.11i constructs including 802.1X EAPoL for mutual key derivation / key exchange. Any additional information from Axonn or ZigBee? Form Subgroup?

22 Backup Slides

23 23 Bluetooth Versus OSI Model

Download ppt "P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
802.1 AE/AF Platform considerations

802.1 AE/AF Platform considerations
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.

Solutions for WEP Bracha Hod June 1, i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
By Sean Fisk.  Not a new technology  Inherently insecure  In recent years, increased popularity.

By Sean Fisk.  Not a new technology  Inherently insecure  In recent years, increased popularity.

Similar presentations

Ads by Google