Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Published byBernadette Holt Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et."— Presentation transcript:

1 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et. al.

2 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 2 Abstract This submission proposes: –Replacing the required use of AES-SIV in P802.11s draft with AES-CCM Russ Housley (Vigil Security), et. al.

3 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 3 Current situation  P802.11s D3.0, Mar 2009, Section 11.B.3.2.3 GTK Distribution: “… The deterministic authenticated encryption mode of AES-SIV, defined in IETF RFC 5297, shall be used to protect the GTK field using the AKEK derived from the chosen PMK…”  Requirement to use AES-SIV for 802.11s GTK protection has been in draft since D2.02, Sep 2008  AES-CCM is the mandatory authenticated encryption algorithm for Robust Security Network compliance throughout the existing 802.11 universe Russ Housley (Vigil Security), et. al.

4 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 4 Why consider AES-CCM for 11s?  Con –Late in the game: AES-SIV is already in D3.0 (ref given above) –AES-SIV is more “misuse resistant” than AES-CCM  Pro –AES-CCM is the established Authenticated-Encryption standard for WPA2 and 802.11 Robust Security Network applications –CCM is the NIST approved block cipher mode for authenticated encryption, NIST SP800-38C –11s is a component of the much larger 802.11 universe, as such it should re-use established 802.11 methods wherever possible Russ Housley (Vigil Security), et. al.

5 doc.: IEEE 802.11-09/770r0 Submission Primary reason for (re)consideration July 2009 Slide 5  Yes, it is late in the game. -AES-SIV is in the document that has gone through initial voting/approval - The core engine of AES-SIV is the approved and well known AES - AES-SIV has received significant academic scrutiny  But, was this feature carefully considered by all concerned - Cost of implementing a new variation: learning and properly building - H/W & S/W cost of supporting an additional cipher – still must support 11i - Risks of implementing a non-NIST approved algorithm  802.11s is a part of the larger 802.11 universe - Is it the place to introduce a new cipher mode when one is already in place and widely implemented? - Would it be better to expend a bit more effort now in carefully weighing the consequences rather than being unpleasantly surprised later? Russ Housley (Vigil Security), et. al.

6 doc.: IEEE 802.11-09/770r0 Submission SIV – CCM Comparison  Differences are minor –Both use CMAC mode of AES to compute MAC –Both use AES in counter (CTR) mode to encrypt data  Nonce vs. “Synthetic Initialization Vector” (SIV) –CTR mode requires a 128-bit initialization vector (IV) –CCM uses a random nonce for IV, SIV uses the MAC for IV  802.11i uses the packet number for the nonce in CCM  Constraint on nonce is that it not be reused for a given encryption key  At bit level, packaging and padding, differences are more evident – the devil resides in the details July 2009 Slide 6 Russ Housley (Vigil Security), et. al.

7 doc.: IEEE 802.11-09/770r0 Submission So, what’s the big deal?  Precisely because the CCM – SIV differences are not significant, it begs the question, “Why change at all from the widely implemented and established method?” –SIV appears to offer better nonce misuse protections in general  But, for 802.11s application being considered here this is easily solved –The bit level differences will entail significant effort in designing, coding, implementing and testing  Is this effort worth the gain?  Where else within 802.11 can the SIV block of code (or piece of hardware) be applied to amortize the expense of building? July 2009 Slide 7 Russ Housley (Vigil Security), et. al.

8 doc.: IEEE 802.11-09/770r0 Submission Whither AES-SIV  AES-SIV is a sound algorithm with some good features  It should be given serious consideration for use in new protocols and technologies or for major security service upgrades  But neither AES-SIV, nor any other new authenticated or encryption mode, should be introduced for confidentiality and integrity of a single 802.11 sub-element July 2009 Slide 8 Russ Housley (Vigil Security), et. al.

9 doc.: IEEE 802.11-09/770r0 Submission Conclusion  A proven, approved, already designed, built and widely employed solution exists to solve the secure GTK transport problem in 802.11s  The secure GTK transport problem is too minor an application to warrant developing a new solution  Requiring a new solution for a single sub-element within 802.11s should be carefully considered  To determine if the advantage gained justifies the expense of implementation  To determine if a single application within 802.11s is the place to introduce new security mode July 2009 Slide 9 Russ Housley (Vigil Security), et. al.

10 doc.: IEEE 802.11-09/770r0 Submission Summary The purpose of 802.11s is to develop acceptable standards for wireless mesh networking within the 802.11 framework 802.11s is not the place to introduce new security algorithms if accepted and adequate security algorithms already exist in 802.11 –New algorithms impose added implementation cost –Additional algorithms impose added maintenance/support cost –Algorithms that are not yet approved by NIST or other security standards bodies have additional risk –802.11s should not be burdened with these costs and risk July 2009 Slide 10 Russ Housley (Vigil Security), et. al.

11 doc.: IEEE 802.11-09/770r0 Submission Recommendation  Recommend that P802.11s D3.0, Mar 2009, Section 11.B.3.2.3 GTK Distribution: “… The deterministic authenticated encryption mode of AES-SIV, defined in IETF RFC 5297, shall be used to protect the GTK field using the AKEK derived from the chosen PMK…” be amended* to replace “AES-SIV defined in IETF RFC 5297” with “AES-CCM defined in IETF RFC 3610” *This change will have a modest ripple effect of changes elsewhere in the draft where this requirement is referenced and applied July 2009 Slide 11 Russ Housley (Vigil Security), et. al.

12 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 12 Comments? Russ Housley (Vigil Security), et. al.

13 doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 13 Acronyms AKEK – Abbreviated Handshake Key Encryption Key AAD – Additional Authenticated Data PMK – Pairwise Master Key GTK – Group Temporal Key SIV – Synthetic Initialization Vector CCM – Counter with Cipher Block Chaining-MAC MAC – Message Authentication Code RSN – Robust Security Network Russ Housley (Vigil Security), et. al.

Download ppt "Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et."

Similar presentations

Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Doc.: IEEE 802.11-12/0946r3 Submission August 2012 A proposal for next generation security in 802.11 built on changes in 802.11ac 23 August 2012 Slide.

Doc.: IEEE /0946r3 Submission August 2012 A proposal for next generation security in built on changes in ac 23 August 2012 Slide.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Similar presentations

Ads by Google