ieee 802 1x pre authentication
play

IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission - PowerPoint PPT Presentation

Dec 11, 2023 •302 likes •508 views

11 July 2002 doc.: IEEE 802.11-02/389r0 IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission Slide 1 Bernard Aboba, Microsoft 11 July 2002 doc.: IEEE 802.11-02/389r0 Outline Goals Conclusions Overview of

  1. 11 July 2002 doc.: IEEE 802.11-02/389r0 IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission Slide 1 Bernard Aboba, Microsoft

  2. 11 July 2002 doc.: IEEE 802.11-02/389r0 Outline • Goals • Conclusions • Overview of pre-authentication • State machine • Threat model • EAP requirements • Management frame protection • Control frame protection • Protected negotiations • Key activation • Summary Submission Slide 2 Bernard Aboba, Microsoft

  3. 11 July 2002 doc.: IEEE 802.11-02/389r0 Goals • To present a strawman threat model for IEEE 802.11 Tgi – Tim Moore to present detailed threat analysis on Thursday • To understand the implications of IEEE 802.1X pre- authentication – Pre-authentication supported in 802.11i Draft 2.2 • To analyze solutions to potential threats – Protected capabilities negotiation – Key activation – Management frame authentication – Control frame authentication Submission Slide 3 Bernard Aboba, Microsoft

  4. 11 July 2002 doc.: IEEE 802.11-02/389r0 Conclusions • IEEE 802.11i needs a threat model. – Without a threat model, you never know when you’re done! – IEEE 802.1X could use a formal threat model too (to avoid misunderstandings). • IEEE 802.1X pre-authentication with 802.11 introduces some new wrinkles – Supplicant-only initiation – Station authenticated to multiple Authenticators simultaneously – No controlled and uncontrolled ports – 802.11 state machine controls access, not 802.1X state machine – IEEE 802.1X frames have a unicast DA and may be forwarded • IEEE 802.1X pre-authentication has substantial advantages for 802.11 – Pre-authentication enables a station to authenticate to multiple APs, which is not possible when 802.1X occurs after Association. • Minimizes connectivity loss during roaming – IEEE 802.1X pre-auth makes it possible to authenticate and derive keys early on, use keys to protect as many messages as possible – Most management and control frames can be protected, with the exception of Beacon and Probe Request/Response Submission Slide 4 Bernard Aboba, Microsoft

  5. 11 July 2002 doc.: IEEE 802.11-02/389r0 802.1X Pre-Authentication Channel 6 Channel 11 c v D AP B STA AP A • STA authenticates and associates to AP A on Channel 6 – 802.1X data frames with “From DS” and “To DS” set to false (Class 1) • STA does passive or active scan, moves, selects AP B as “potential roam” STA authenticates to AP B before connectivity is lost to AP A (if ∆ T < c/v) • – Can send unicast 802.1X data frames to AP B, forwarded by AP A • “From DS” or “To DS” set to true (Class 3) Can tune radio to Channel 11 (if B > r ∆ T) – • STA reassociates to AP B Submission Slide 5 Bernard Aboba, Microsoft

  6. 11 July 2002 doc.: IEEE 802.11-02/389r0 The Problem Space Rate Scan + Pre-auth via Association not Old AP AP authentication Β possible & Advertisement ∆ T over IP Scan + Radio tuning c D ∆ T RTT assoc Stationary Pedestrian Vehicular High Speed Station Velocity Submission Slide 6 Bernard Aboba, Microsoft

  7. 11 July 2002 doc.: IEEE 802.11-02/389r0 State Machine • Original 802.11 state machine Class 1 Frames State 1: can be used Unauthenticated, Unassociated • IEEE 802.1X data frames can be sent in State 1,2 Deauthentication Successful Notification Authentication (Authenticated) – To DS, From DS =0 – “Unassociated pre-auth” Class 1 & 2 State 2: Frames DeAuthentication • IEEE 802.1X data frames can Authenticated, Notification (Authenticated or Unauthenticated) Unassociated be sent in State 3 – To DS or From DS = 1 Successful Disassociation Association or Notification Reassociation (Authenticated) – “Associated Pre-auth” (Authenticated) • Unauthenticated Deauth can be Class 1, 2 & 3 State 3: silently discarded by STA Frames Authenticated, Associated Submission Slide 7 Bernard Aboba, Microsoft

  8. 11 July 2002 doc.: IEEE 802.11-02/389r0 Pre-Authentication State Machine • No “controlled” and “uncontrolled” ports – In fact, no “ports” at all! – Port doesn’t exist until Association/Reassociation exchange – RADIUS Access-Request contains no NAS-Port attribute – Accounting START sent after successful Association/Reassociation Response w/NAS-Port • Supplicant initiation only – Supplicant authenticates to APs that it is likely to roam to – Since roaming decision made by STA, it also handle auth initiation – Unsolicited EAP-Request/Identity frames are silently discarded • 802.11 state machine governs frame treatment – 802.11-1999 state machine already supports pre-authentication, no changes required – 802.1X “auth complete” an input to 802.11 state machine – Reverse of 802.1X after Association, where 802.11 events are inputs to 802.1X state machine Submission Slide 8 Bernard Aboba, Microsoft

  9. 11 July 2002 doc.: IEEE 802.11-02/389r0 Strawman Threat Model for 802.11 • Snooping, modification or injection of data packets • Impersonation of legitimate 802.11 STA or AP • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 9 Bernard Aboba, Microsoft

  10. 11 July 2002 doc.: IEEE 802.11-02/389r0 802.11 EAP Method Requirements • Question: “What role does EAP have in 802.11 security?” • Wireless method requirements (from RFC 2284bis): – Mutual authentication – Key derivation – Dictionary attack resistance – Support for fast reconnect • Question: is 2.5 round trips “fast”? – Protected EAP conversation • To be discussed – Ciphersuite negotiation? – Key activation? Submission Slide 10 Bernard Aboba, Microsoft

  11. 11 July 2002 doc.: IEEE 802.11-02/389r0 Threats Addressed by EAP Reqmts. • Snooping, modification or injection of data packets (802.11 ciphers) • Impersonation of legitimate 802.11 STA or AP (802.11 ciphers) • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 11 Bernard Aboba, Microsoft

  12. 11 July 2002 doc.: IEEE 802.11-02/389r0 No Mandatory Auth Method: Implications • Interoperability – No guarantee that STA and AP can successfully authenticate • Configurations without a backend server – Authenticator can’t just implement the mandatory method; needs to support commonly deployed methods – Result: AP may need constant code changes to support new auth methods – what EAP was designed to prevent! – “Pass through” configuration is easier to implement • IBSS authentication – No guarantee that two STAs can authenticate each other • Effects on 802.1X architecture – Backend authentication server originally an optional component – Not really possible to “Colocate AS and AP” • In EAP, AS and client are assumed to be extensible but AP is not – Normative discussion of AAA attributes and protocols • Belongs in a non-normative Appendix, not within the main specification. Submission Slide 12 Bernard Aboba, Microsoft

  13. 11 July 2002 doc.: IEEE 802.11-02/389r0 Protection of Management Frames • Protectable – Association/Reassociation Request/Response, Deauthenticate, Disassociate • Unprotectable – Beacon, Probe Request/Response – Would need to protect Beacon with multicast key; would not prevent forgery – Can protect contents of Beacon, Probe Response later on in order to detect forgery • Handling of unauthenticated management frames – STA can discard unauthenticated Deauthenticate message • Alternatives – Custom MIC • Requires change to key hierarchy • Low performance – TKIP/WRAP applied to MPDU • No change required to key hierarchy • High performance • Requires changes to ciphers Submission Slide 13 Bernard Aboba, Microsoft

  14. 11 July 2002 doc.: IEEE 802.11-02/389r0 Protection of Control Frames • Similar issues to management frame protection but fewer options – Control frames are higher bandwidth – Performance penalty of not reusing TKIP and WRAP ciphersuites is prohibitive – Custom MIC not a viable option • Conclusion – For control frame protection, need ciphersuites operating on MPDU Submission Slide 14 Bernard Aboba, Microsoft

  15. 11 July 2002 doc.: IEEE 802.11-02/389r0 Threats Addressed by Mgmt/Cntrl Protection • Snooping, modification or injection of data packets • Impersonation of legitimate 802.11 STA or AP • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 15 Bernard Aboba, Microsoft

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network

Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network

Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network Roaming with eduroam Stefan Winter &lt;stefan.winter@restena.lu&gt; TREFpunkt 13, rebro, Sweden 12 Oct 2005 1 Rseau Tlinformatique de

459 views • 28 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh

IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh

IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh 802.1X networks Leonardo Maccari - maccari@lenst.det.unifi.it Romani Fantacci - fantacci@lenst.det.unifi.it Tommaso Pecorella -

714 views • 19 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
Computer Graphics Seminar MTAT.03.296 Spring 2014 Raimond Tunnel Contact Information

Computer Graphics Seminar MTAT.03.296 Spring 2014 Raimond Tunnel Contact Information

Computer Graphics Seminar MTAT.03.296 Spring 2014 Raimond Tunnel Contact Information Raimond Tunnel jee7@ut.ee Konstantin Tretjakov kt@ut.ee Karl-Aksel Puulman macobo@ut.ee Organizational Information 16 seminars:

820 views • 44 slides
COMMUNICATION TO GAIN COOPERATION LifeServices Employee Assistance Program (EAP)

COMMUNICATION TO GAIN COOPERATION LifeServices Employee Assistance Program (EAP)

COMMUNICATION TO GAIN COOPERATION LifeServices Employee Assistance Program (EAP) 1-800-822-4847 Margie Roop, LPCC-S; CEAP; SAP, Regional Director HAVE YOU EVER Walked away from a conversation wonderingwhat just

561 views • 33 slides
2020 Campaign .cat.com 1 Caterpillar: Confidential Green October 10, 2020 Why now? September

2020 Campaign .cat.com 1 Caterpillar: Confidential Green October 10, 2020 Why now? September

2020 Campaign .cat.com 1 Caterpillar: Confidential Green October 10, 2020 Why now? September 10, 2020 .cat.com 2 Caterpillar: Confidential Green Agenda 1. Mental health during the time of Covid-19 2. RUOK? employee orientation 3. EAP

476 views • 45 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
Exploring Teaching and Learning in English for Academic Purposes Jennifer MacDonald And Kate

Exploring Teaching and Learning in English for Academic Purposes Jennifer MacDonald And Kate

Exploring Teaching and Learning in English for Academic Purposes Jennifer MacDonald And Kate Morrison TESL NS, Nov. 16, 2019 A Conversation around Teaching &amp; Learning in EAP What makes EAP teaching unique? Frameworks for EAP

408 views • 23 slides
Interference Between Forced and Unforced Climate Variability: Implications for the North Atlantic

Interference Between Forced and Unforced Climate Variability: Implications for the North Atlantic

Interference Between Forced and Unforced Climate Variability: Implications for the North Atlantic and the Arctic Neil F. Tandon &amp; Paul J. Kushner University of Toronto November 17, 2015 AMOC-NASST Relationship schematic adaptation from

421 views • 24 slides
CXF3 Application from a Swagger-Contract Johannes Fiala, Developer Agenda Generate based on

CXF3 Application from a Swagger-Contract Johannes Fiala, Developer Agenda Generate based on

How to Generate a REST CXF3 Application from a Swagger-Contract Johannes Fiala, Developer Agenda Generate based on contract Extend using code first Freeze the contract Use the REST API Generate client code (Java/Javascript)

1.51k views • 53 slides
NEC4 Early Adopter programme Steve Rowsell NEC4 Contract Board Member NEC4 Early Adopters

NEC4 Early Adopter programme Steve Rowsell NEC4 Contract Board Member NEC4 Early Adopters

NEC4 Early Adopter programme Steve Rowsell NEC4 Contract Board Member NEC4 Early Adopters Announced in the Special Issue of the Newsletter and through the webinars on NEC4 Early Adopters programme was rolled out to encourage

260 views • 6 slides

More recommend