
802.11s Security concepts

802.11s Security concepts. Jasmeet Chhabra, Intel (jasmeet.chhabra@intel.com); Anand R Prasad, DoCoMo Euro-Labs (prasad@docomolab-euro.com); Jesse Walker, Intel (jesse.walker@intel.com); Hidenori Aoki, NTT DoCoMo (aokihid@nttdocomo.co.jp). Outline. Goals Requirements Assumptions


Presentation Transcript


  1. 802.11s Security concepts
  Jasmeet Chhabra, Intel (jasmeet.chhabra@intel.com)
  Anand R Prasad, DoCoMo Euro-Labs (prasad@docomolab-euro.com)
  Jesse Walker, Intel (jesse.walker@intel.com)
  Hidenori Aoki, NTT DoCoMo (aokihid@nttdocomo.co.jp)
  J Chhabra, A. R. Prasad, J. Walker, H. Aoki

  2. Outline
  • Goals
  • Requirements
  • Assumptions
  • Basic security model
  • Distributed Authentication
  • Centralized Authentication
  • Conclusion

  3. Goals/Requirements
  • Reuse/build on top of current 802.11i techniques
    • 802.11s PAR, Clause 18: “The amendment shall utilize IEEE 802.11i security mechanisms, or an extension thereof...”
  • Other requirements
    • Allow peer-to-peer association/authentication between mesh points/mesh APs
    • Protect mesh management and control messages exchanged between mesh points/mesh APs (e.g. routing and topology info)
    • Allow mesh nodes to broadcast to all their neighbors: needed by routing services etc.
    • Maintain 11i data security for data delivery across a multi-hop mesh path
    • Credentials issued might have to differentiate between a mesh point and a non-mesh point
    • Allow for both distributed and centralized authentication schemes

  4. Assumptions
  • Authenticated Mesh Points in an administrative domain can be trusted for faithful forwarding of messages.
    • No selective-forwarding-style attacks
    • No eavesdropping

  5. Background
  • 802.11i “Figure 16—Example 4-Way Handshakes in an IBSS”

  6. Basic security model
  • Group key is used for broadcast communications
  • Pair-wise keys are used for unicast communications
  • Authentication server could be distributed or centralized
    • Does not affect the basic security model
  [Figure: ESS Mesh security bubble, showing Authenticator, Supplicant and New mesh point]

  7. Basic security model (Contd.)
  • Each mesh point supports both supplicant and authenticator functionality
  • Each mesh point acts as supplicant and authenticator for each of its neighbors
    • Similar to IBSS security model in 802.11i
  • After authentication/authorization/4-way handshake:
    • Mesh point uses its own group key to broadcast/multicast
    • Pair-wise key for unicast
  • Number of keys is O(num_neighbors)
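As an added illustration of the per-neighbor key model on slides 6 and 7 (example code written for this page, not code from the slides or from the 802.11s draft): each mesh point plays supplicant and authenticator for every neighbor, keeps one pairwise key per neighbor for unicast and one group key of its own for broadcast, so its key store grows as O(num_neighbors). The PTK derivation follows the 802.11i PRF-384 layout; the MeshPoint class, peer(), the shared per-domain PMK and the elided handshake are assumptions of this model.

```python
import hashlib
import hmac
import os

BROADCAST = bytes.fromhex("ffffffffffff")

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(N)||Max(N)).
    The min/max ordering makes the result identical whichever side computes it."""
    data = min(mac_a, mac_b) + max(mac_a, mac_b) + min(nonce_a, nonce_b) + max(nonce_a, nonce_b)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK(16) | KEK(16) | TK(16)

class MeshPoint:
    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk = mac, pmk
        self.gtk = os.urandom(16)  # own group key, used for broadcast/multicast
        self.peers = {}            # neighbour MAC -> (PTK, that neighbour's GTK)

    def key_count(self) -> int:
        # own GTK + (PTK + peer GTK) per neighbour: grows as O(num_neighbors)
        return 1 + 2 * len(self.peers)

    def tx_key(self, dst: bytes) -> bytes:
        """Key used to protect a frame to dst: own group key, or the peer's TK."""
        if dst == BROADCAST:
            return self.gtk
        return self.peers[dst][0][32:48]

def peer(a: MeshPoint, b: MeshPoint) -> bytes:
    """Model of one neighbour pairing (assumed, simplified). Each side is supplicant
    and authenticator at once, so both derive the PTK; the 4-way handshake and the
    KEK-wrapped GTK delivery are elided (nonces and GTKs are simply handed over)."""
    nonce_a, nonce_b = os.urandom(32), os.urandom(32)
    ptk_a = derive_ptk(a.pmk, a.mac, b.mac, nonce_a, nonce_b)
    ptk_b = derive_ptk(b.pmk, b.mac, a.mac, nonce_b, nonce_a)
    if ptk_a != ptk_b:
        raise ValueError("PMK mismatch: neighbours are not in the same domain")
    a.peers[b.mac] = (ptk_a, b.gtk)
    b.peers[a.mac] = (ptk_b, a.gtk)
    return ptk_a
```

Pairing a three-node chain A-B-C leaves B with five keys and A and C with three each, which is the O(num_neighbors) growth the slides claim.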

  8. Advantages
  • Minimal changes required to 802.11i
    • Mainly language changes
  • Re-uses the strong and well-debated solution
    • Builds on top of current 802.11i standard
  • Key management complexity is controlled
    • O(num_neighbors)

  9. Security model with stations
  • No change in the current STA operation
  [Figure: ESS Mesh security bubble, showing Authenticator, Supplicant and Access Point]

  10. Authentication Schemes
  • IEEE 802.11i does not specify where the authentication server resides.
    • Can be on the AP/Node itself
    • Only specifies functionality needed
  • As mentioned earlier, the authentication scheme could be
    • Distributed or
    • Centralized

  11. Distributed authentication
  • Completely distributed: automatic or manual configuration of nodes
  • Elect: requires a solution for the case where the elected AS becomes unavailable
    • A node is assigned as AS at random
    • The first node becomes AS
    • Some other mechanism is used
  • Select: the user selects a node as AS

  12. Centralized Authentication
  • The centralized method involves an ESS mesh AP that has access to an AS
    • The AS could either reside locally or could be placed elsewhere in the network
  • All other ESS mesh APs and STAs will be authenticated via the AP connected to the AS

  13. Open questions
  • 802.11i does not provide management frame security
    • Could affect the security of routing, topology traffic etc.
    • Should align with the management frame security study group:
      • Need to submit requirements to the group before November
  • Only language changes needed to 802.11i
    • Do we need to do any other changes in 802.11i?
    • Are there changes needed for allowing distributed authentication?

  14. Conclusion
  • Security model builds on top of 802.11i
    • Minimal language changes
  • Manageable key complexity
    • O(num_neighbors)
  • Need to submit requirements to the management frame security group
