
Motion to Incorporate PSK RSN Extensions into TGi D2.3 Carlos Rios RiosTek LLC


Presentation Transcript


  1. Motion to Incorporate PSK RSN Extensions into TGi D2.3
     Carlos Rios, RiosTek LLC

  2. The Motion
     “Move to instruct the Technical Editor to work with the interested parties and incorporate the Pre-Shared Key RSN Extension protocols as presented in 02/431r0 and 02/432r0 into the successor revision of the 802.11i D2.2 draft text”

  3. Argument 1 For PSKE
     • D2.2 802.1x protocols inadequately address enhanced security for the Small BSS (WLAN not provisioned with RADIUS)
       • D2.2 talks about pre-shared key support (Enrollment)
       • Provides 4 way EAPOL handshake, key hierarchy structure (Key Management)
       • D2.2 provides for NO Authentication if no AS is present
         • Handwaves an “Implicit Authentication”
         • “Just go ahead and send encrypted packets - If you DON’T suffer catastrophic loss of data and/or get disassociated by countermeasures then you are Authenticated”
         • UNACCEPTABLE! Positive mutual authentication is essential to the RSN
     • PSKE provides full enhanced security support for the SBSS
       • User friendly PSK Enrollment
       • Key Management simpler than, yet equivalent to 802.1x
       • Mutual Authentication
     • Counterpoint: 802.1x based protocols CAN support SBSS
       • Just incorporate an Authentication Server into the AP
       • Yeah, Sure.
       • Well, whoever really wants to do that, just knock yourself out - just let ME do it the easy way - PSKE

  4. Argument 2 For PSKE
     • D2.2 802.1x protocols inadequately address enhanced security for the IBSS
       • As for the SBSS, D2.2 handwaves pre-shared key Enrollment and EAPOL 4 way handshake, but keeps mum on Authentication
       • Same fatal flaw as for SBSS case
     • PSKE provides full enhanced security support for the IBSS
       • Tiered PSK Enrollment, User Friendly or Very User Friendly imply true pairwise privacy or pairwise ordered group privacy, respectively
       • Key Management simpler than, yet equivalent to 802.1x
       • Mutual Authentication
     • Counterpoint: 802.1x based protocols CAN support IBSS
       • Just incorporate an Authentication Server into every Station!
       • Well, why stop with just incorporating the AS into the AP?
       • I’ll pass, thanks.

  5. Argument 3 For PSKE
     • 802.1x protocols won’t adequately address two important sidechannel scenarios, SBSS and “Enterprise Guest”
       • SBSS sidechannel also suffers from fatal lack of Mutual Authentication
       • Enterprise Guest is not authorized to use the DS, is not worth the trouble of Enrollment, so can’t be Authenticated and issued keys by the AS
       • The more common sidechannel scenario where both stations are associated to the same AP (and have been automatically Enrolled by virtue of the same), but PSKE protocols can be used to provide Authentication and Key Management.
     • PSKE provides full enhanced security support for the SBSS and Enterprise Guest
       • User Friendly PSK Enrollment
       • Key Management simpler than, yet equivalent to 802.1x
       • Mutual Authentication
     • Counterpoint: 802.1x protocols CAN support Sidechannel
       • If you’ve got an AS in every station, sure

  6. Summary
     • D2.2’s 802.1x based protocols don’t address some gaping holes in the RSN
     • PSKE is a minimalist, user friendly set of MAC protocols that complement 802.1x and fill in the following holes:
       • IBSS Enrollment, Authentication and Key Management
       • SBSS Enrollment, Authentication and Key Management
       • Sidechannel Enrollment, Authentication and Key Management for the SBSS and the Enterprise Guest
     • PSKE is a much simpler solution than other, still in the oven 802.1x based approaches
     • PSKE is a sufficient solution, is arguably a necessary solution, but need not be the unique solution
     • PSKE makes a lot of sense, it’s time to just do it

  7. The Motion
     “Move to instruct the Technical Editor to work with the interested parties and incorporate the Pre-Shared Key RSN Extension protocols as presented in 02/431r0 and 02/432r0 into the successor revision of the 802.11i D2.2 draft text”
