
Proposal to Integrate Pre-Shared Key RSN Extensions into 802.11i D2.3 Draft for Enhanced Security

This motion advocates incorporating the Pre-Shared Key RSN Extensions (PSKE) into the successor revision of the 802.11i D2.2 draft, to address security gaps for the Small and Independent Basic Service Sets (SBSS and IBSS). The proposal argues that the draft's existing 802.1x protocols inadequately address enhanced security in these settings, and that PSKE provides a more user-friendly solution for enrollment, authentication, and key management. The slides lay out the arguments for PSKE, including sidechannel scenarios and enterprise guests.


Presentation Transcript


  1. Motion to Incorporate PSK RSN Extensions into TGi D2.3
     Carlos Rios, RiosTek LLC

  2. The Motion “Move to instruct the Technical Editor to work with the interested parties and incorporate the Pre-Shared Key RSN Extension protocols as presented in 02/431r0 and 02/432r0 into the successor revision of the 802.11i D2.2 draft text”

  3. Argument 1 For PSKE
     • D2.2 802.1x protocols inadequately address enhanced security for the Small BSS (WLAN not provisioned with RADIUS)
     • D2.2 talks about pre-shared key support (Enrollment)
     • Provides 4 way EAPOL handshake, key hierarchy structure (Key Management)
     • D2.2 provides for NO Authentication if no AS is present
       Handwaves an “Implicit Authentication”
       “Just go ahead and send encrypted packets- If you DON’T suffer catastrophic loss of data and/or get disassociated by countermeasures then you are Authenticated”
       UNACCEPTABLE! Positive mutual authentication is essential to the RSN
     • PSKE provides full enhanced security support for the SBSS
     • User friendly PSK Enrollment
     • Key Management simpler than, yet equivalent to 802.1x
     • Mutual Authentication
     • Counterpoint: 802.1x based protocols CAN support SBSS
     • Just incorporate an Authentication Server into the AP
       Yeah, Sure.
       Well, whoever really wants to do that, just knock yourself out- just let ME do it the easy way- PSKE

  4. Argument 2 For PSKE
     • D2.2 802.1x protocols inadequately address enhanced security for the IBSS
     • As for the SBSS, D2.2 handwaves pre-shared key Enrollment and EAPOL 4 way handshake, but keeps mum on Authentication
     • Same fatal flaw as for SBSS case
     • PSKE provides full enhanced security support for the IBSS
     • Tiered PSK Enrollment, User Friendly or Very User Friendly imply true pairwise privacy or pairwise ordered group privacy, respectively
     • Key Management simpler than, yet equivalent to 802.1x
     • Mutual Authentication
     • Counterpoint: 802.1x based protocols CAN support IBSS
     • Just incorporate an Authentication Server into every Station!
       Well, why stop with just incorporating the AS into the AP?
       I’ll pass, thanks.

  5. Argument 3 For PSKE
     • 802.1x protocols won’t adequately address two important sidechannel scenarios, SBSS and “Enterprise Guest”
     • SBSS sidechannel also suffers from fatal lack of Mutual Authentication
     • Enterprise Guest is not authorized to use the DS, is not worth the trouble of Enrollment, so can’t be Authenticated and issued keys by the AS
     • The more common sidechannel scenario where both stations are associated to the same AP (and have been automatically Enrolled by virtue of the same), but PSKE protocols can be used to provide Authentication and Key Management.
     • PSKE provides full enhanced security support for the SBSS and Enterprise Guest
     • User Friendly PSK Enrollment
     • Key Management simpler than, yet equivalent to 802.1x
     • Mutual Authentication
     • Counterpoint: 802.1x protocols CAN support Sidechannel
     • If you’ve got an AS in every station, sure

  6. Summary
     • D2.2’s 802.1x based protocols don’t address some gaping holes in the RSN
     • PSKE is a minimalist, user friendly set of MAC protocols that complement 802.1x and fill in the following holes:
     • IBSS Enrollment, Authentication and Key Management
     • SBSS Enrollment, Authentication and Key Management
     • Sidechannel Enrollment, Authentication and Key Management for the SBSS and the Enterprise Guest
     • PSKE is a much simpler solution than other, still in the oven 802.1x based approaches
     • PSKE is a sufficient solution, is arguably a necessary solution, but need not be the unique solution
     • PSKE makes a lot of sense, it’s time to just do it

  7. The Motion “Move to instruct the Technical Editor to work with the interested parties and incorporate the Pre-Shared Key RSN Extension protocols as presented in 02/431r0 and 02/432r0 into the successor revision of the 802.11i D2.2 draft text”
