
Extra MIC for use in Public Access WLAN

Stefan Rommer, Mats Näslund (Ericsson). Motivation: Public Access WLAN has special properties not present in corporate WLAN. Security in the AP and between the AP and a WLAN Serving Node (WSN) is important.


Presentation Transcript


  1. Extra MIC for use in Public Access WLAN. Stefan Rommer, Mats Näslund (Ericsson)

  2. Motivation
     • Public Access WLAN has special properties not present in corporate WLAN.
     • Security in the AP and between the AP and a WLAN Serving Node (WSN) is important.
     [Figure: Public Access Hotspot with two APs connected to a WSN/FA; annotation: "Could be highly untrusted!"]

  3. Motivation (2)
     • Operators are very concerned about robust billing.
     • Robust billing requires at least integrity protection between mobile terminal and WSN.
     [Figure: Public Access Hotspot with two APs connected to a WSN/FA; annotations: "Billing data collected here" and "Could be highly untrusted!"]

  4. Solution alternatives
     • Extend the 802.11i security association (authentication, encryption etc.) from the Mobile all the way to the WSN.
         • Difficult since 802.11i is closely tied to the 802.11 MAC layer.
     • Let higher layers and/or other standards perform the needed functions.
         • A layer-2 solution is preferable.
         • IEEE 802.10 is not well supported.
     • Use proprietary solutions.
         • Not good for interoperability and market acceptance.
     • Add needed functions to 802.11i.

  5. Add needed functions to 802.11i: Extra MIC
     • Add an (optional) 'transparent' MIC that is not closely tied to the 802.11 MAC layer.
     • MIC calculated over the whole payload (MSDU).
     • Payload' = Payload || extra MIC
     • The AP can be configured to not add/verify the MIC.
     • The AP can transparently forward the Payload || MIC.

  6. Possible message flow
     [Figure: message flow from the mobile via the AP to the WSN/FA. Diagram labels: 802.11i MIC', Basic 802.11i, Payload', Payload, MIC', RC, TAG, AES Encrypted, IV, Michael, ICV, TKIP Encrypted.]

  7. Motivation (3): Why specify it in 802.11i?
     • A single standardised WLAN-solution will promote interoperability.
     • Possible to reuse existing 802.11i functions, e.g. the key management.
     • Possible to reuse the existing algorithms (e.g. Michael).

  8. Key details
     • WSN acts as a RADIUS Proxy and can extract the EAP Master Key.
     • A key for the new MIC can then be derived both at the Mobile and at the WSN.
     [Figure: AP and WSN; the label "Trusted RADIUS" appears twice.]

  9. Can we use the existing 802.11i MICs instead of adding a new one?
     • Add MIC in the WSN, do the encryption in the AP.
     • MIC should be applied to whole MSDU.
     • TKIP:
         • Should be possible to add Michael in the WSN.
     • AES:
         • OCB: Not easy, encryption and authentication coupled.
         • CCM: Add CBC-MAC in WSN.

  10. Conclusions
     • Public access sites need "extended" protection.
     • Robust billing requires at least integrity protection.
     • An extra MIC is one option.
     • 802.11i has the possibility to provide it.
     • Existing security functions can be reused.
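The extra MIC of slides 5 and 8, sketched as an added example that is not part of the original presentation: the mobile appends a MIC to the MSDU, the AP forwards Payload' untouched, and the WSN verifies it before counting the bytes for billing. HMAC-SHA256 truncated to 8 bytes stands in for the MIC algorithm (the slides suggest reusing Michael), and the key-derivation construction, its label, the identifiers and all function names are assumptions.

```python
import hashlib
import hmac

MIC_LEN = 8                   # assumption: 8-byte tag, the size of a Michael MIC
KDF_LABEL = b"extra-mic-key"  # assumption: illustrative label, not from 802.11i


def derive_mic_key(eap_master_key: bytes, mobile_mac: bytes, wsn_id: bytes) -> bytes:
    """Derive the extra-MIC key; run identically at the mobile and at the WSN."""
    context = KDF_LABEL + mobile_mac + wsn_id
    return hmac.new(eap_master_key, context, hashlib.sha256).digest()


def _mic(key: bytes, payload: bytes) -> bytes:
    # MIC over the whole payload (MSDU), independent of the 802.11 MAC layer.
    return hmac.new(key, payload, hashlib.sha256).digest()[:MIC_LEN]


def mobile_protect(key: bytes, payload: bytes) -> bytes:
    """Payload' = Payload || extra MIC."""
    return payload + _mic(key, payload)


def ap_forward(payload_prime: bytes, tamper: bool = False) -> bytes:
    """AP configured not to add/verify the MIC: it only forwards Payload'.
    tamper=True models an untrusted AP flipping one bit of the payload."""
    if tamper and payload_prime:
        return bytes([payload_prime[0] ^ 0x01]) + payload_prime[1:]
    return payload_prime


def wsn_verify(key: bytes, payload_prime: bytes):
    """Return the payload if the MIC verifies, otherwise None."""
    if len(payload_prime) < MIC_LEN:
        return None  # too short to carry a MIC at all
    payload, mic = payload_prime[:-MIC_LEN], payload_prime[-MIC_LEN:]
    # Constant-time comparison so the check does not leak matching prefix length.
    return payload if hmac.compare_digest(mic, _mic(key, payload)) else None


def wsn_account(key: bytes, frames) -> tuple:
    """Bill only verified payload bytes; return (billed_bytes, rejected_frames)."""
    billed = rejected = 0
    for frame in frames:
        payload = wsn_verify(key, frame)
        if payload is None:
            rejected += 1
        else:
            billed += len(payload)
    return billed, rejected
```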
