1 / 18

Secure Handover for IEEE 802.1x Wireless Networks

By: Alex Feldman. Secure Handover for IEEE 802.1x Wireless Networks. What’s the environment?. A mobile station is connected to the network wirelessly through another device. In case of WiFi (IEEE 802.11) this would be an access point .

Download Presentation

Secure Handover for IEEE 802.1x Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. By: Alex Feldman Secure Handover for IEEE 802.1x Wireless Networks

  2. What’s the environment? • A mobile station is connected to the network wirelessly through another device. • In case of WiFi (IEEE 802.11) this would be an access point. • In case of WiMax (IEEE 802.16) it is a base station.

  3. What’s a Handover? • The mobile station may need to change its connection point to the network. • The connection point “Hands Over” the connection to the new point. • It has to be secure • It has to be fast • It has to be standardized

  4. Security (802.11i & 802.16e) • Supplicant (Sta)– the station entering the network to be authenticated. • Authenticator (Au) – the access point directly connected to the station, and acting as a proxy to the authentication server. • Authentication Server (AS)– database containing credentials for all users, reachable by the authenticator.

  5. Ad hoc network

  6. EAP – TLS • Extensible Authentication Protocol -Transport Layer Security • Widely supported but rarely used. • 8-way handshake. Very secure but also very time consuming. • Doesn’t scale well when clients handoff often.

  7. Some definitions • PMK - Pairwise Master Key • PTK – Pairwise Transient Key • EMSK – Extended Master Session Key • RADIUS – Remote Authentication Dial In User Service. Uses a shared secret to cipher and authenticate the communication.

  8. EAP – TLS Authentication – PMK and EMSK generated on SA and Station. AS moves PMK to Au by using RADIUS. 4-way handshake – PTK generated by Au and Station

  9. What’s the problem? • When a station changes access points, re-authenticating the PMK is slow. • Only the PTK needs to be renewed, and PMK can be left alone. • How do we transmit the PMK from Au1 to Au2????

  10. Security Issues • Au1 is a bad guy. Pushes false PMK • Sta is a bad guy that gets access to Au2 • Sta is a good guy that gets a denial of service • Au2 is a bad guy.Pulls PMK from Au1.Now it can decipher traffic.

  11. Strategy One • Don’t use AS for re-authentication! • Pull/Push policies to transfer keys. • Provides good performance. • More complicated. • Use when: • Handover speed is crucial & path to the AU is long • Don’t want to be dependant on the AU server

  12. Strategy Two • Contact the Au on every handover. • Slower performance. • Gained security. • Possible danger if the protocol used to move PMK is not strong. Need good reasons to transfer PMKs.

  13. Fast Re-Authentication Schemeas proposed by the authors • Goal: reduce the number of packets required for TLS exchange by re-using information generated in the first authentication. • EMSK remained on the Authentication Server, so it can be used to re-authenticate the Station

  14. Author’s Proposed Solution Based on contacting the Authentication server Au PTK

  15. Results: • EAP-TLS took 2.34 seconds on average • Proposed protocol took 0.62 seconds on average • 74% improvement over EAP-TLS! • 82% improvement when including retransmissions

  16. IEEE 802.11r – work in progress • Internet Engineering Task Force (IETF) – working on new standard to used the EMSK for re-authentication. • Pull and push methods to transfer keys for nodes within same mobility domains

  17. Conclusion • EAP-TLS is slow for re-authentication. • Big improvements can be made by following the proposed protocol, which • Reduces number of packets required • Reduces retransmissions • Decreases time

  18. Questions? • Original paper written by: Romano Fantacci, Leonardo Maccari, and Tommaso Pecorella from: University of Florence Federico Frosali from: Telecom Italia Lab

More Related