50 likes | 133 Views
Key Management [802.1af - Issues]. 2004. 5. 12 Jee-Sook Eun Electronics and Telecommunications Research Institute. 802.1af. This is a project of the 802.1 MAC Security Task Group. It is not an amendment to IEEE std 802.1X
E N D
Key Management[802.1af - Issues] 2004. 5. 12 Jee-Sook Eun Electronics and Telecommunications Research Institute
802.1af • This is a project of the 802.1 MAC Security Task Group. • It is not an amendment to IEEE std 802.1X • This standard need not extends 802.1X to establish security associations for 802.1ae MAC Security
Authentication problem • Link security is between access point and access device • Authentication is between access point and access device, too. • In order to authenticate access device, we need not use 802.1x • We can use symmetric key encryption between access point and access device because of many reasonable reason. • And, we need symmetric key. Master key generating session keys must set before security process. • The confirm of Master key is authentication • This method is very simple, and low cost.
Problems of 802.1x authentication • The use of IEEE Std 802.1X, already widespread and supported by multiple vendors, in additional applications. • This is just assumption. If not so • who assure that EAP message is relayed to authentication server? • we must implement 802.1x. • This is very complex, and high cost if we develop an low cost switch. • And we need an authentication server in case of absent • Supplicant, Authenticator, Authentication server state machine • For example, if there is a bridge, the bridge must have above all three state machines. Because bridge can be supplicant or authenticator or authentication server. • There is two security channel. One is for MAC security, the other is for key security • And, Need two configuration protocols for each, too • As you know, key security was made for MAC security.
Authentication as the confirm of Master key • very simple • If encrypted message can be decrypt, the receiver can transmit ack message encrypted • Low cost • Need not authentication server • Need not KDC • Symmetric key is available for access point, access device • can get secured channel as only an authentication • Key exchange through the secured channel • need not get information such as certificate from upper layer. • Link security can be operated independently