Submission
November 2001
Authentication and key management methods requiring public key operations (e.g. EAP-TLS) can take several seconds to complete
TLS continuation can decrease round-trips (from 3.5 to 2.5)
Disconnection time is still significant, particularly if the backend authentication server is far away (e.g. hotspot scenarios).
Tim Moore, Bernard Aboba/Microsoft
Hot Spot
802.11 wireless access in airports, hotels, cafes
Authentication is typically password-based
Account at wireless ISP
Wholesale wireless access to corporations may eventually become popular
VLANs typically not implemented
User authenticates to the home authentication server, which may be far away
Secure
Support for per-session keys, dynamic key generation
Works with all EAP authentication methods
Secure reassociation requests and responses, as well as disassociation notifications
Protection against spoofing, denial of service, hijacking
Deployable
Enable deployment of inter-access point protocol (IAPP) without a registration service
Security improvements
[Figure: 802.11 station state diagram, as on the slide. Successful MAC layer Authentication moves the STA to State 2 (Authenticated, Unassociated; Class 1 & 2 Frames). Successful Association or Reassociation moves it to State 3 (Authenticated, and Associated; Class 1, 2 & 3 Frames). Disassociation Notification drops the STA from State 3 back to State 2; Deauthentication Notification drops it out of the authenticated states.]
[Figure: current reassociation exchange between the STA and APnew: Reassociate-Request, Reassociate-Response ACK, then the DS is notified; the exchange takes ~ RTT(STA-AP).]
Questions
Should authentication occur before or after reassociation?
How do we authenticate management frames?
This presentation addresses ReassociationRequest/Response and Disassociation Notification frames
Future work will address authentication of other Management Frames: Association-Request/Response, Beacon, ProbeRequest/Response, Deauthentication, ATIM
Alternatives
Authentication before reassociation
Pros
Enables pre-authentication
Authentication no longer in the critical path for reassociation
Cons
If you authenticate management frames, cryptographic operations remain in the critical path (since you need to authenticate the Reassociation Request/Response)
If you're already authenticating the reassociation request/response, why do more than canned authentication in addition?
Cons
No pre-authentication
Proposed Approach
Authentication of Reassociate, Disassociate frames
Authenticator Information Element added to ReassociationRequest/Response and Disassociation notification frames
The Authenticator Information Element enables the STA and the new AP to prove possession of the unicast authentication session key negotiated with the old access point.
802.1X canned success sent from AP to STA if Authenticator IE included within the Reassociation-Request is valid.
[Figure: proposed reassociation exchange between the STA and APnew, with the delays annotated ~ n RTT(STA-AP) and ~ RTT(STA-AP).]
Authenticator Information Element fields (as given on the slide):
ESSID#: number of the ESSID corresponding to this authenticator (for shared-use APs)
Authenticator: for Algorithm=1, 128-bit HMAC-MD5(STA MAC address | AP MAC address | Timestamp, key)
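Worked example of the Authenticator computation and of its check at the receiving AP, which then either sends the 802.1X canned success or denies the request. This is added here and is not code from the submission; it assumes a 64-bit big-endian Timestamp encoding and a 30-second freshness window (neither is specified on the slides) and uses constructed key and MAC values.

```python
import hmac
import hashlib
import struct

ALG_HMAC_MD5 = 1  # Algorithm=1 in the Authenticator IE (from the slide)

def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> the 6 raw octets of the MAC address."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def compute_authenticator(sta_mac: str, ap_mac: str, timestamp: int, key: bytes) -> bytes:
    """128-bit HMAC-MD5(STA MAC address | AP MAC address | Timestamp, key).
    Assumption: Timestamp is serialised as a 64-bit big-endian integer; the
    slide gives neither its width nor byte order."""
    msg = mac_bytes(sta_mac) + mac_bytes(ap_mac) + struct.pack("!Q", timestamp)
    return hmac.new(key, msg, hashlib.md5).digest()

def verify_authenticator(sta_mac: str, ap_mac: str, timestamp: int,
                         received: bytes, key: bytes, now: int, window: int = 30) -> bool:
    """Receiver side (e.g. the new AP): accept only a fresh, correct authenticator.
    `window` (seconds) is an assumed replay tolerance; the slide has a Timestamp
    field but states no acceptance window. `key` is the unicast session key
    negotiated with the old AP, which the new AP must already hold."""
    if abs(now - timestamp) > window:
        return False  # stale or replayed frame
    expected = compute_authenticator(sta_mac, ap_mac, timestamp, key)
    return hmac.compare_digest(expected, received)  # constant-time compare

def reassociation_decision(sta_mac: str, ap_mac: str, timestamp: int,
                           received: bytes, key: bytes, now: int) -> str:
    """AP handling of a Reassociation-Request that carries an Authenticator IE:
    send the 802.1X canned success, or deny with the proposed reason
    'Reassociation-Request denied due to failed authenticator'."""
    if verify_authenticator(sta_mac, ap_mac, timestamp, received, key, now):
        return "canned-success"
    return "denied-failed-authenticator"

if __name__ == "__main__":
    # Constructed sample values: a session key and two MAC addresses.
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    sta, ap, ts = "00:11:22:33:44:55", "66:77:88:99:aa:bb", 1005000000
    ie_value = compute_authenticator(sta, ap, ts, key)
    print(reassociation_decision(sta, ap, ts, ie_value, key, ts + 5))    # canned-success
    print(reassociation_decision(sta, ap, ts, ie_value, key, ts + 600))  # denied-failed-authenticator
```

The slide does not say which AP's MAC address enters the HMAC for each frame type, so both addresses are taken as parameters and the caller decides.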
Deployability improvements
802.11 enables the STA to obtain the MAC address of the old & new APs
Client obtains the MAC address of the old AP when it associates/reassociates with it
Client provides the new AP with the MAC address of the old AP in the re-association request
[Numbered list of choices (1 to 4) for locating the old AP; only the label "AAA protocols" survived extraction.]
Recommendation: Choice 4
SLPv2
SLPv2 requires multicast routing to all access points; not widely deployed
SLPv2 limited to use within a single administrative domain; prevents context transfer between domains
Inter-domain context transfer should not be prohibited in situations where the trust issues can be worked out
For scalability, SLPv2 requires deployment of Directory Agents (DAs)
SLPv2 security is inflexible: requires certificate infrastructure; supports only DSA signatures (RSA much more widely used)
No known implementations
DNS
Would require APs, DNS servers to support new DNS record types as well as DNS dynamic update
DNS dynamic update not yet widely deployed
Secure dynamic update implementations not yet interoperable
Use by APs would require trust between APs and DNS Server
Extended Address Information Element fields (as given on the slide):
Element ID: TBD
Length: 7 = IPv4, 19 = IPv6
Type: from Address Family Numbers in RFC 1700 (1 = IPv4, 2 = IPv6)
Address: for Type=1, 32-bit IPv4 address; for Type=2, 128-bit IPv6 address
Proposed reason codes and their meaning (the numeric code values did not survive extraction):
Reassociation-Request denied due to failed authenticator
Reassociation-Response denied due to failed authenticator
Disassociation denied due to failed authenticator
Motion
To amend the TGi draft to include text detailing usage of the Extended Address and Authenticator Information Elements.
Feedback?