
Robust Security Network (RSN) Service of IEEE 802.11






Presentation Transcript


  1. Robust Security Network (RSN) Service of IEEE 802.11
  Shen Ping, Southeast University, Nanjing, China, 210096
  E-mail: shenping@seu.edu.cn
  Shen Ping, Southeast University, China

  2. RSN Security Features
  • ESS network architecture
  • An Access Control (AC) entity in the DS hosts the 802.1X authenticator
  • 802.1X authenticated key management protocol
  • An Authentication Server (AS) in the DS provides the authentication service
  • Secure capability negotiation, covering both the cipher suite and the authenticated key management suite
  • Mutual authentication with certificates, e.g. EAP-TLS
  • Enhanced data protection mechanisms: TKIP, WRAP and CCMP
  • Protection of management and control frames
  • Pre-authentication of a STA transitioning between BSSs

  3. RSN architecture (diagram only)

  4. 802.11 Security Services
  Station Services (SS)
  • Privacy: the WEP mechanism
  • Authentication: open system authentication, shared key authentication
  • Deauthentication
  • Pre-authentication
  Distribution System Services (DSS)
  • Association / Disassociation / Reassociation

  5. Relationships between services (diagram only)

  6. Class 1 frames
  • Control frames
  • Management frames: probe request/response, beacon, authentication, deauthentication, ATIM
  • Data frames: data frames whose Frame Control "To DS" and "From DS" bits are both false

  7. RSN Service
  • The RSN service provides the 802.1X authenticated key management protocol between the STA and the AC.
  • The RSN service is neither purely an SS nor purely a DSS: on the STA it is an SS, on the AC it is a DSS.
  • The STA hosts the 802.1X supplicant and the AC hosts the 802.1X authenticator.

  8. Cipher suite negotiation
  • The 802.11 state diagram is unchanged from the 1999 specification. STA and AP must use IEEE 802.11 open system authentication; an RSN IE is added to the authentication frames to negotiate the cipher suite between STA and AP.
  • The RSN IE in the first open system authentication frame carries the STA's cipher suite list, i.e. every cipher suite the STA supports.
  • The AP must support all cipher suites. It selects the highest suite in the STA's list for unicast; the multicast cipher is always the lowest unicast cipher enabled on the AP. The result is returned in the RSN IE of the final frame.
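The selection rule on this slide, worked through in code. This is an added example, not code from the slides or from any 802.11 implementation: the slide does not fix an RSN IE encoding, so the element layout below (element ID 48, 00-0F-AC suite selectors, little-endian counts) is taken from the ratified IEEE 802.11i standard, and the strength ranking of the suites, the WRAP suite type 3 from the 802.11i drafts, and the `ap_enabled_unicast` parameter are assumptions made here.

```python
import struct

RSN_ELEMENT_ID = 48          # 802.11i RSN information element
RSN_VERSION = 1
OUI = b"\x00\x0f\xac"        # 802.11i suite-selector OUI

# Suite-type numbers of the 802.11i drafts; 3 (WRAP, AES-OCB) was dropped from
# the ratified standard and appears here only because the slides list it.
CIPHERS = {"WEP-40": 1, "TKIP": 2, "WRAP": 3, "CCMP": 4, "WEP-104": 5}
# Assumed strength order used for "highest" and "lowest": AES suites above TKIP above WEP.
RANK = ["WEP-40", "WEP-104", "TKIP", "WRAP", "CCMP"]
AKMS = {"802.1X": 1, "PSK": 2}


def negotiate(sta_ciphers, ap_enabled_unicast):
    """Slide-8 rule: the AP takes the highest suite the STA offers for unicast; the
    multicast (group) suite is the lowest unicast suite enabled on the AP, the new
    STA's suite included."""
    if not sta_ciphers or any(c not in CIPHERS for c in sta_ciphers):
        raise ValueError(f"unusable STA cipher list: {sta_ciphers}")
    pairwise = max(sta_ciphers, key=RANK.index)
    group = min(set(ap_enabled_unicast) | {pairwise}, key=RANK.index)
    return pairwise, group


def _selector(table, name):
    return OUI + bytes([table[name]])


def encode_rsn_ie(group, pairwise, akms, capabilities=0):
    body = struct.pack("<H", RSN_VERSION) + _selector(CIPHERS, group)
    body += struct.pack("<H", len(pairwise)) + b"".join(_selector(CIPHERS, p) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(_selector(AKMS, a) for a in akms)
    body += struct.pack("<H", capabilities)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def decode_rsn_ie(ie):
    """Parse an RSN IE; every selector must be a known 00-0F-AC suite."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:], 0
    cipher_by_type = {v: k for k, v in CIPHERS.items()}
    akm_by_type = {v: k for k, v in AKMS.items()}

    def u16():
        nonlocal pos
        (v,) = struct.unpack_from("<H", body, pos)
        pos += 2
        return v

    def selector(table):
        nonlocal pos
        s = body[pos:pos + 4]
        pos += 4
        if len(s) != 4 or s[:3] != OUI or s[3] not in table:
            raise ValueError(f"unknown suite selector {s.hex()}")
        return table[s[3]]

    if u16() != RSN_VERSION:
        raise ValueError("unsupported RSN IE version")
    group = selector(cipher_by_type)
    pairwise = [selector(cipher_by_type) for _ in range(u16())]
    akms = [selector(akm_by_type) for _ in range(u16())]
    caps = u16() if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms, "capabilities": caps}


def ap_reply(sta_ie, ap_enabled_unicast):
    """AP side: read the STA's RSN IE from the first open-system authentication frame
    and build the RSN IE for the final frame carrying the single chosen unicast suite."""
    offer = decode_rsn_ie(sta_ie)
    pairwise, group = negotiate(offer["pairwise"], ap_enabled_unicast)
    return encode_rsn_ie(group, [pairwise], offer["akm"])
```

Because the authentication frames are sent in the clear, the AP's choice can be tampered with in transit; the example therefore keeps the decoder strict (any unknown selector or length mismatch is rejected rather than skipped) so that a downgraded or malformed IE is at least never silently accepted.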

  9. 802.1X authenticated key management protocol
  • The 802.1X authenticated key management protocol is provided by the RSN service between STA and AC.
  • 802.1X packets are encapsulated in class 1 data frames.
  • All 802.1X packets pass through the AP.
  • The AC sends the PTK and GTK to the AP over a secure channel between them, e.g. IPsec.

  10. Message flow between STA, AP, AC and AS (sequence diagram)
  Phase 1, STA to AP: open system authentication, first frame (RSN IE) and final frame (RSN IE)
  Phase 2, STA to AS through AP and AC: 802.1X authentication protocol, generating the PMK between STA and AS; AS to AC: PMK over RADIUS
  Phase 3, STA to AC: 4-way handshake protocol, generating the PTK and GTK between STA and AC; AC to AP: PTK and GTK over IPsec
  Afterwards, STA to AP: protected 802.11 control frames, management frames and data frames

  11. Three phases of State 1
  • Phase 1: open system authentication frames negotiate the cipher suite.
  • Phase 2: the 802.1X authentication protocol generates the PMK between STA and AS; the AS sends the PMK to the AC over the secure RADIUS channel.
  • Phase 3: the 4-way handshake and group key update generate the PTK and GTK for the STA; the AC configures the PTK and GTK into the AP's cipher engine, for the privacy service, over the secure IPsec channel.
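Phase 3 as a worked exchange, with both the supplicant (STA) and the authenticator (the AC in these slides) run in one process. This is an added example, not code from the slides: they only say that a 4-way handshake produces the PTK, so the PTK derivation (PRF-384 over "Pairwise key expansion" with HMAC-SHA1), the EAPOL-Key frame layout, the Key Information bits and the check that the RSN IE echoed in the handshake matches the one negotiated in phase 1 are all taken from the ratified 802.11i standard rather than from this proposal. The PMK, MAC addresses, nonces and RSN IE are constructed inputs, and the AES key wrap of the GTK under the KEK in message 3 is left out because the Python standard library has no AES; that bit is therefore not set.

```python
import hashlib
import hmac
import os
import struct

EAPOL_VERSION, EAPOL_KEY, RSN_KEY_DESCRIPTOR = 2, 3, 2
KI_VERSION_HMAC_SHA1 = 0x0002   # descriptor version 2: HMAC-SHA1-128 MIC
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
HDR = struct.Struct(">BBH")                  # EAPOL version, packet type, body length
BODY = struct.Struct(">BHHQ32s16sQQ16sH")    # descriptor .. key data length (95 bytes)
MIC_OFF = HDR.size + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # MIC field starts at byte 81


def prf(key, label, data, nbits):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbits + 159) // 160))
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}   # CCMP: 16-byte TK


def build_eapol_key(key_info, replay, nonce, key_data=b"", kck=None):
    body = BODY.pack(RSN_KEY_DESCRIPTOR, key_info | KI_VERSION_HMAC_SHA1, 16, replay,
                     nonce, b"\0" * 16, 0, 0, b"\0" * 16, len(key_data)) + key_data
    frame = HDR.pack(EAPOL_VERSION, EAPOL_KEY, len(body)) + body
    if key_info & KI_MIC:   # MIC is HMAC-SHA1 over the whole frame with the MIC field zeroed
        mic = hmac.new(kck, frame, hashlib.sha1).digest()[:16]
        frame = frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]
    return frame


def parse_eapol_key(frame):
    _version, ptype, length = HDR.unpack_from(frame)
    if ptype != EAPOL_KEY or length < BODY.size or len(frame) != HDR.size + length:
        raise ValueError("not a complete EAPOL-Key frame")
    f = BODY.unpack_from(frame, HDR.size)
    if f[0] != RSN_KEY_DESCRIPTOR:
        raise ValueError("not an RSN key descriptor")
    key_data = frame[HDR.size + BODY.size:]
    if len(key_data) != f[9]:
        raise ValueError("key data length mismatch")
    return {"key_info": f[1], "replay": f[3], "nonce": f[4], "mic": f[8], "key_data": key_data}


def mic_ok(frame, kck):
    zeroed = frame[:MIC_OFF] + b"\0" * 16 + frame[MIC_OFF + 16:]
    expected = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, frame[MIC_OFF:MIC_OFF + 16])


def four_way_handshake(pmk, aa, spa, rsn_ie, anonce=None, snonce=None):
    """Run both roles in-process; returns the temporal keys each side installed and the four frames."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (authenticator -> supplicant): ANonce, no MIC possible yet.
    m1 = build_eapol_key(KI_PAIRWISE | KI_ACK, 1, anonce)
    # Supplicant: derive the PTK, answer with SNonce plus its RSN IE, MIC'd under the KCK.
    p1 = parse_eapol_key(m1)
    ptk_s = derive_ptk(pmk, aa, spa, p1["nonce"], snonce)
    m2 = build_eapol_key(KI_PAIRWISE | KI_MIC, p1["replay"], snonce, rsn_ie, ptk_s["kck"])
    # Authenticator: derive the PTK from SNonce; the MIC proves the STA holds the PMK, and the
    # echoed RSN IE must equal the one negotiated in phase 1 (detects a downgraded phase-1 IE).
    p2 = parse_eapol_key(m2)
    ptk_a = derive_ptk(pmk, aa, spa, anonce, p2["nonce"])
    if p2["replay"] != 1 or not mic_ok(m2, ptk_a["kck"]) or p2["key_data"] != rsn_ie:
        raise RuntimeError("message 2 rejected: bad MIC, replay counter or RSN IE")
    # Message 3: ANonce again, Install, the authenticator's RSN IE; the GTK would follow here,
    # AES-key-wrapped under the KEK (omitted in this example).
    m3 = build_eapol_key(KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC, 2, anonce, rsn_ie, ptk_a["kck"])
    # Supplicant: MIC, a fresh replay counter and an unchanged ANonce must all check out.
    p3 = parse_eapol_key(m3)
    if not mic_ok(m3, ptk_s["kck"]) or p3["replay"] <= p1["replay"] or p3["nonce"] != p1["nonce"]:
        raise RuntimeError("message 3 rejected")
    m4 = build_eapol_key(KI_PAIRWISE | KI_MIC | KI_SECURE, p3["replay"], b"\0" * 32, b"", ptk_s["kck"])
    if not mic_ok(m4, ptk_a["kck"]):
        raise RuntimeError("message 4 rejected")
    return {"tk_supplicant": ptk_s["tk"], "tk_authenticator": ptk_a["tk"], "frames": [m1, m2, m3, m4]}
```

In the architecture of these slides the authenticator side of this exchange runs on the AC, and the resulting `tk` (and the GTK) is what the AC then pushes to the AP's cipher engine over IPsec; only the AP ever needs the temporal keys, the PMK stays on AC and AS.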

  12. RSN security protocol stack (layer diagram)
  • STA (802.1X supplicant): 802.11 at the link layer, EAPOL (802.1X), EAP
  • AP: 802.11 and 802.3 at the link layer; IP, with IPsec on the path to the AC
  • AC (802.1X authenticator): 802.3, EAPOL (802.1X) and EAP toward the STA; IP with IPsec toward the AP; IP, TCP/UDP and RADIUS toward the AS
  • AS: 802.3, IP, TCP/UDP, RADIUS, EAP

  13. Pre-authentication
  • The AC stores the keys of every enabled STA.
  • Before a STA moves from AP1 to AP2 within an ESS, the AC configures the STA's keys into AP2's cipher engine and removes them from AP1.
  • Pre-authentication therefore need not slow down the STA's reassociation to AP2.
  • Pre-authentication is simple and secure; its security rests on the secure channel between AC and AP (e.g. IPsec) over which the keys are moved.

  14. Support for non-RSN STAs
  • A non-RSN STA that supports a pre-shared key over 802.1X (4-way handshake only): phase 2 of State 1 is skipped.
  • A non-RSN STA without an 802.1X supplicant (a WEP STA): phases 2 and 3 of State 1 are skipped.

  15. Negotiation of the authenticated key management suite
  • The authenticated key management suite need not be negotiated.
  • The AC can select it from the type of the first 802.1X message, since each phase uses different messages: if the first 802.1X message belongs to phase 2, unspecified authentication over 802.1X is enabled; if it belongs to phase 3, pre-shared key over 802.1X is enabled.
  • A WEP STA cannot send the class 1 data frames that encapsulate 802.1X packets, so neither suite is enabled for it.
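The implicit selection of slides 14 and 15 as an authenticator-side port state machine, added here as an example that is not part of the slides. It assumes the ratified EAPOL framing (EtherType 0x888E, a 4-byte header whose packet type is 0 for EAP-Packet, 1 for EAPOL-Start and 3 for EAPOL-Key), classifies the first 802.1X message exactly as the slide says (EAP traffic means phase 2 and the 802.1X suite, an EAPOL-Key means phase 3 and the pre-shared key suite), and adds the check a practitioner wants on top: once a suite has been chosen from the first message, the STA is not allowed to switch, so an EAPOL-Key arriving before EAP-Success, or EAP traffic from a PSK STA, is rejected. The `AuthenticatorPort` class, the `eap_success` hook and the sample frames are constructed for this example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_HDR = struct.Struct(">BBH")          # protocol version, packet type, body length
EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3


class AuthenticatorPort:
    """Per-STA 802.1X port on the AC: picks the authenticated key management suite
    from the first 802.1X message (slide 15) and refuses a switch afterwards."""

    def __init__(self):
        self.akm = None     # "802.1X" or "PSK"; None until the first 802.1X message
        self.phase = 1      # State 1 phase: 1 = open-system auth done, 2 = EAP running, 3 = 4-way handshake

    def eap_success(self):
        """Called when the AS returns EAP-Success and the PMK over RADIUS: phase 2 -> 3."""
        if self.akm != "802.1X" or self.phase != 2:
            raise RuntimeError("EAP-Success without a running 802.1X exchange")
        self.phase = 3

    def receive(self, ethertype, payload):
        if ethertype != ETHERTYPE_EAPOL:
            # A WEP STA never sends EAPOL: nothing to select, phases 2 and 3 are skipped.
            return "non-802.1X frame (WEP STA or ordinary data)"
        if len(payload) < EAPOL_HDR.size:
            raise ValueError("EAPOL frame shorter than its header")
        _version, ptype, length = EAPOL_HDR.unpack_from(payload)
        if len(payload) < EAPOL_HDR.size + length:
            raise ValueError("truncated EAPOL frame")
        if self.akm is None:                        # the first 802.1X message decides
            if ptype in (EAP_PACKET, EAPOL_START):
                self.akm, self.phase = "802.1X", 2  # phase-2 traffic: authentication over 802.1X
            elif ptype == EAPOL_KEY:
                self.akm, self.phase = "PSK", 3     # phase-3 traffic: pre-shared key, handshake only
            else:
                raise ValueError(f"unexpected first EAPOL packet type {ptype}")
            return self.akm
        # Later messages must stay inside the phase the chosen suite allows.
        if ptype in (EAP_PACKET, EAPOL_START) and not (self.akm == "802.1X" and self.phase == 2):
            raise RuntimeError("EAP message outside phase 2 rejected")
        if ptype == EAPOL_KEY and self.phase != 3:
            raise RuntimeError("EAPOL-Key before phase 3 rejected")
        return self.akm


def eapol(ptype, body=b""):
    """Construct an EAPOL (version 2) frame; bodies used with it are sample data."""
    return EAPOL_HDR.pack(2, ptype, len(body)) + body


def accepts(port, ethertype, payload):
    """True if the port accepts the frame, False if it rejects it."""
    try:
        port.receive(ethertype, payload)
        return True
    except (RuntimeError, ValueError):
        return False
```

Run as written, a port that first sees an EAP Identity exchange settles on the 802.1X suite and will not accept a 4-way-handshake frame until the AS has delivered a PMK, while a port whose first frame is an EAPOL-Key settles on the pre-shared key suite and will not accept EAP traffic at all.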

  16. Advantages (1)
  • The 802.11 state diagram is unchanged.
  • The AP changes only a little: its authentication service is unchanged; new TKIP, WRAP and CCMP cipher engines are added to its privacy service; and it must forward the class 1 802.1X data frames to the AC in the DS.
  • Management and control frames are protected.
  • The pre-authentication service is simple and secure.

  17. Advantages (2)
  • Cipher suite negotiation is simple and valid.
  • The authenticated key management suite need not be negotiated.
  • Non-RSN STAs are supported simply.
  • The 802.1X protocol is compatible between wireless and wired LANs.
  • Lower capital cost for the ESS network: only a small change to the AP, only one AC per ESS, and several ESSs can share one AS.

  18. Thanks
  • Tim Moore, Microsoft, "Suggested Changes to Robust Security Network (RSN) for IEEE 802.11"
  • Bernard Aboba, Microsoft, "IEEE 802.1x Pre-Authentication"
