HIP DEX for Fast Initial Authentication in 802.11
Date: 2011-05-10
Authors: Konstantinos Georgantas, HIIT
May 2011
Slide 1

Abstract
This document presents the use of a HIP Diet EXchange (DEX) based architecture which intends to provide the necessary IP-layer elevated security mechanisms in order to face the challenge of fast authentication in WLANs. HIP introduces a radically new way of authenticating hosts in WLANs in only two message exchanges and therefore saves time during authentication.
Slide 2

Agenda
• Problem statement
• Solution overview
• Network architecture
• HIP DEX adjustments
• Protocol operation
• Open work items
• Conclusions
Slide 3

Problem Statement
• Why Fast Initial Authentication?
  • Users moving with high velocity between APs
  • Large numbers of users entering an AP at once
  • Smaller and smaller cell areas
• Ultimate goal:
  • Can we go with a single roundtrip?
Slide 4

Solution Overview (1/3)
• Maybe not a single roundtrip, but what about 2 roundtrips?
  • "Lightweight Authentication and Key Management on 802.11 Wireless Networks" by Konstantinos Georgantas and Andrei Gurtov, submitted to IEEE GLOBECOM 2011
• Introduce a new network hierarchy
  • Move the authenticator (the HIP responder) one level above the APs
  • Authenticate only when an ESS transition occurs
  • Let the APs act as relays
• Introduce port-based Network Access Control allowing HIP-only traffic until the Initiator is authenticated
Slide 5

Solution Overview (2/3)
• Let HIP datagrams run over 802.11 Authentication frames
• HIP UPDATE can act as a rekeying mechanism
• EAP can also run on HIP!
Slide 6

Solution Overview (3/3)
[Figure: Proposed operation]
Slide 7
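A toy Python model of the hierarchy proposed on slides 5 to 7 (an added example, not the authors' code and not a HIP implementation): the authenticator sits one level above the APs of an ESS, APs only relay HIP messages, the controlled port drops everything but HIP until the exchange completes, and only an ESS transition costs the two roundtrips. The message names I1/R1/I2/R2 are HIP's; the class names, the `controlled_port` method and the string payloads are constructed placeholders.

```python
"""Toy model of the proposed 802.11 / HIP DEX hierarchy (added example, not the
authors' code). It shows the access-control policy and the roundtrip count per
transition type; HIP DEX cryptography and packet formats are deliberately elided."""
from dataclasses import dataclass, field
from typing import Optional

HIP_PROTO = "HIP"   # the only protocol the controlled port passes before authentication


@dataclass
class Authenticator:
    """HIP responder for one ESS; remembers which STAs completed the exchange."""
    ess: str
    authenticated: set = field(default_factory=set)

    def handle(self, sta: str, msg: str) -> str:
        # Two roundtrips: I1 -> R1, I2 -> R2 (DEX handshake contents elided here)
        if msg == "I1":
            return "R1"
        if msg == "I2":
            self.authenticated.add(sta)   # exchange complete for this initiator
            return "R2"
        raise ValueError(f"unexpected HIP message {msg}")


@dataclass
class AccessPoint:
    """Relay AP: forwards HIP to the ESS authenticator, blocks other traffic pre-auth."""
    bss: str
    auth: Authenticator

    def controlled_port(self, sta: str, proto: str, payload: str) -> str:
        if proto == HIP_PROTO:
            return self.auth.handle(sta, payload)   # relayed upward, not processed locally
        if sta in self.auth.authenticated:
            return f"forwarded {proto}"
        return "dropped"   # port-based NAC: STA has not authenticated with this ESS


def associate(sta: str, prev: Optional[AccessPoint], new: AccessPoint) -> int:
    """Attach `sta` to `new`; return the authentication roundtrips this transition cost."""
    if prev is not None and prev.auth is new.auth:
        return 0   # BSS transition inside the ESS: same responder, state already present
    new.controlled_port(sta, HIP_PROTO, "I1")   # relayed -> R1
    new.controlled_port(sta, HIP_PROTO, "I2")   # relayed -> R2
    return 2   # ESS transition (or first attach): full two-roundtrip DEX exchange
```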
Open Work Items
• STA validation of the AP
  • Include a CERT parameter in R1 that contains an X.509 certificate for the AP
  • Assumption: the STA can validate the certificate without any 'upstream' assistance, or delays validation until IP connectivity is provided
• Timing concerns for AUTHENTICATION RESPONSE
  • 802.11 does not specify a response time window, but does Wi-Fi certification?
  • If so, do we need NULL keepalives or a loosening of timings when AUTHENTICATION is used for the KMP?
Slide 8

Conclusions
• Seamless intra-domain handovers (BSS transitions)
• Only 2 roundtrips (instead of 11) for inter-domain handovers (ESS transitions)
• But there are still some security considerations under review
Thank you!
Slide 9