
TGad Security Enhancements

TGad Security Enhancements. Date: 2010-05-18. Proposal overview. This presentation is part of, and in support of, the complete proposal described in 802.11-10/432r0 (slides) and 802.11-10/433r0 (text) that: Supports data transmission rates up to 7 Gbps


Presentation Transcript


  1. TGad Security Enhancements
     Date: 2010-05-18

  2. Proposal overview
     • This presentation is part of, and in support of, the complete proposal described in 802.11-10/432r0 (slides) and 802.11-10/433r0 (text) that:
       • Supports data transmission rates up to 7 Gbps
       • Supplements and extends the 802.11 MAC and is backward compatible with the IEEE 802.11 standard
       • Enables both low-power and high-performance devices, guaranteeing interoperability and communication at gigabit rates
       • Supports beamforming, enabling robust communication at distances beyond 10 meters
       • Supports GCMP security and advanced power management
       • Supports coexistence with other 60 GHz systems
       • Supports fast session transfer among 2.4 GHz, 5 GHz and 60 GHz

  3. Outline
     • GCM with GMAC Protocol (GCMP)
     • RSNA Rekeying
     • RSNA Management in PBSS
     • Multi-band Security
     • Conclusions

  4. GCM with GMAC Protocol (GCMP)

  5. GCM vs. CCM
     • CCM is not suited to high-speed implementations
       • CBC-MAC is neither pipelinable nor parallelizable
     • GCM was designed to efficiently provide authenticated encryption at speeds of 10 gigabits per second and above
       • Enables pipelined high-speed implementations
       • Uses ½ the number of AES operations that CCM does
     • GCM is recommended by NIST (NIST Special Publication 800-38D, November 2007)
     • GCM is the default cipher suite in 802.1ae
     Reference: David A. McGrew and John Viega, The Security and Performance of the Galois/Counter Mode (GCM) of Operation, INDOCRYPT 2004, Springer-Verlag, 343-355

  6. GCMP parameters
     • 802.1ae GCM-AES-128
       • Key: 128 bits
       • IV: 96 bits
         • 48-bit MAC address + 16-bit Port Num + 32-bit PN
       • T (ICV): 128 bits
     • 802.11 GCM
       • Key: 128 bits
       • Nonce (IV): 96 bits
         • 48-bit MAC address (A2) + 48-bit PN
       • MIC: 128 bits

  7. GCMP MPDU Format
     • The format of the GCMP header is the same as that of the CCMP header
       • Common parsing logic for both CCMP and GCMP
     • MIC is extended to 16 octets
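An added example (not part of the presentation or the documents it cites) of the shared CCMP/GCMP header parsing from slide 7 and the 96-bit nonce from slide 6. The octet layout used is the standard CCMP header; the function names and the most-significant-octet-first placement of the PN in the nonce are assumptions not stated on the slides.

```python
# Added example: 8-octet CCMP/GCMP header and 96-bit GCMP nonce (stdlib only).
# Header octets: PN0, PN1, Rsvd, KeyID octet (ExtIV = bit 5, Key ID = bits 6-7),
# PN2, PN3, PN4, PN5. PN0 is the least significant octet of the 48-bit PN.

EXT_IV = 0x20
PN_MAX = (1 << 48) - 1


def build_header(pn: int, key_id: int) -> bytes:
    """Encode a 48-bit PN and 2-bit Key ID into the 8-octet header."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN outside 48-bit space: the key must be replaced")
    if not 0 <= key_id <= 3:
        raise ValueError("Key ID is a 2-bit field")
    p = pn.to_bytes(6, "little")  # p[0] = PN0 ... p[5] = PN5
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6),
                  p[2], p[3], p[4], p[5]])


def parse_header(hdr: bytes) -> tuple:
    """Return (pn, key_id); the same routine serves CCMP and GCMP frames."""
    if len(hdr) != 8:
        raise ValueError("header must be 8 octets")
    if not hdr[3] & EXT_IV:
        raise ValueError("ExtIV bit not set")
    pn_octets = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_octets, "little"), hdr[3] >> 6


def gcmp_nonce(a2: bytes, pn: int) -> bytes:
    """96-bit nonce: 48-bit transmitter address (A2) followed by 48-bit PN.

    Assumption: PN is placed most significant octet first (PN5 ... PN0).
    """
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-octet MAC address")
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN outside 48-bit space")
    return a2 + pn.to_bytes(6, "big")


if __name__ == "__main__":
    a2 = bytes.fromhex("02aabbccddee")        # constructed sample address
    hdr = build_header(0x010203040506, key_id=1)
    pn, key_id = parse_header(hdr)
    print(hdr.hex(), pn, key_id, gcmp_nonce(a2, pn).hex())
```

Because the nonce is derived only from A2 and the PN, a PN may never repeat under one temporal key, which is why the PN space bounds the key lifetime discussed in the rekeying slides.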

  8. GCM encapsulation / decapsulation

  9. RSNA Rekeying

  10. Motivation
     • A PTKSA or STKSA has a limited lifetime, either in absolute time or due to exhausting the PN space
     • A very high data rate increases the possibility of PN exhaustion
     • A STA that wishes to maintain an uninterrupted security association should establish a new PTKSA or STKSA prior to the expiry of the old PTKSA or STKSA
     • The STA may initiate a 4-Way Handshake to update the PTKSA or STKSA

  11. Rekeying problem
     • High packet loss causes
       • Video streaming disruption
       • TCP slow start
     • Use of new PN sequence may be detected as replay attack

  12. New key installation
     • Authenticator installs new key for Rx before sending M3
     • Supplicant installs new key for Rx after receiving M3 but before sending M4
     • Supplicant starts using new key for Tx after receiving M3
     • Authenticator starts using new key for Tx after receiving M4
     [Figure labels: "Install New Key for Rx", "Start using New Key for Tx"]

  13. Rekeying using 2 keys
     • No timeout required on old keys
     • New key installation replaces old key
     • Keys remain in place for Rx for 2 handshake periods
     • Only need 2 keys (Key ID = 0 or 1) for smooth transition
     [Figure: timeline of successive 4-way handshakes (4whs) alternating between PTKSA (Key ID = 0) and PTKSA (Key ID = 1); labels: "Use of Key #N", "Lifetime (store & use) of Key #N", "Rekeying period (several hours or days)", "Transition to new PTKSA"]
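An added example (not from the presentation) that models the receiver side of slides 11 to 13: with two Key ID slots and a replay counter per slot, frames still in flight under the old key and the restarted PN sequence of the new key are both accepted, while a true duplicate is rejected. The `Receiver` class, the trace and the single-key baseline are constructed for illustration.

```python
# Added example: Rx replay checking across a rekey (constructed model).

class Receiver:
    # two_keys=True : slides 12-13. The old key stays installed for Rx and
    #                 each Key ID slot has its own replay counter.
    # two_keys=False: assumed baseline with one key slot whose replay counter
    #                 is carried across the rekey (the slide 11 failure mode).

    def __init__(self, two_keys: bool):
        self.two_keys = two_keys
        self.replay = {}  # Key ID -> highest PN accepted under that key

    def install_rx(self, key_id: int) -> None:
        if self.two_keys:
            self.replay[key_id] = 0  # replaces only the older key with this ID
        else:
            carried = max(self.replay.values(), default=0)
            self.replay = {key_id: carried}  # old key discarded, counter kept

    def accept(self, key_id: int, pn: int) -> str:
        if key_id not in self.replay:
            return "no-key"  # protected with a key that is no longer installed
        if pn <= self.replay[key_id]:
            return "replay"
        self.replay[key_id] = pn
        return "ok"


# Constructed trace as seen by the Supplicant's receiver during one rekey.
TRACE = [
    ("install", 0, None),
    ("frame", 0, 1000), ("frame", 0, 1001),
    ("install", 1, None),              # M3 received: new key installed for Rx
    ("frame", 0, 1002),                # Authenticator Tx still on old key
    ("frame", 1, 1), ("frame", 1, 2),  # Authenticator Tx on new key after M4
    ("frame", 1, 2),                   # duplicate PN under the new key
]


def run(two_keys: bool) -> list:
    """Replay TRACE through a receiver and return the verdict per frame."""
    rx = Receiver(two_keys)
    verdicts = []
    for kind, key_id, pn in TRACE:
        if kind == "install":
            rx.install_rx(key_id)
        else:
            verdicts.append(rx.accept(key_id, pn))
    return verdicts
```

`run(True)` drops only the duplicate frame; `run(False)` drops every frame sent after the rekey, which is the packet loss slide 11 describes.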

  14. RSNA Management in PBSS

  15. STA association and RSNA setup
     • IEEE 802.11 Open System authentication is not used in PBSS
     • A STA can establish an RSNA with the PCP with or without association
     • A STA can establish an RSNA with another STA in PBSS

  16. RSNA management in PBSS
     • If an initiating STA chooses to associate with the PCP, they follow the ESS-based RSNA setup steps, except that
       • IEEE 802.11 Open System authentication is not used
     • If an initiating STA wants to establish an RSNA with the PCP without association, or the initiating STA wants to establish an RSNA with a non-PCP STA in the same PBSS, they follow the IBSS-based RSNA setup steps, except that
       • A single RSNA setup is conducted from the initiating STA to the peer
       • If a race happens, the STA with the lower MAC address wins and continues the process

  17. RSNA setup in PBSS - Examples

  18. PSK Authentication in PBSS
     • When PSK authentication is used in a PBSS, a single PSK can be installed in all STAs that join the PBSS
     • Once the PSK is installed in a STA, the STA may advertise its possession of the PSK by including the PSKID for the PSK in the RSN element in the Probe/Information Response frames
       • PSKID = HMAC-SHA1-128(PSK, SSID)
     • In a PBSS, two STAs that have installed the same PSK can skip pairwise authentication and directly use the PSK as PMK

  19. PSK Authentication in PBSS - Example

  20. Multi-band Security

  21. Multi-band RSNA capabilities
     • A STA that is Multi-band capable and RSNA-capable includes both RSN element and Multi-band element in Beacon, mmWave Beacon, Announce, Probe Response and Information Response frames
       • The included RSN element specifies the RSNA capabilities for the current operating band
       • The included Multi-band element specifies the pairwise cipher suites enabled for the band associated with the Multi-band element

  22. Two types of multi-band RSNA
     • Non-transparent multi-band RSNA
       • One PMKSA is established for all bands
       • Different PTKSAs are created for different bands
       • PTKSA associated with another band can be established in advance in the current operating band to facilitate fast session transfer
     • Transparent multi-band RSNA
       • Both STAs use the same MAC address in all involved bands
       • At least one common pairwise cipher suite is supported by both STAs in all involved bands
       • One PMKSA and one PTKSA are created for all involved bands

  23. Non-transparent RSNA establishment
     • A multi-band STA pair can conduct a 4-Way Handshake in the current operating band to create a PTKSA for another band
     • If Joint Multi-band RSNA is enabled in both STAs, a single 4-Way Handshake can be used to establish PTKSAs for both the current operating band and other band(s)

  24. Transparent RSNA establishment

  25. Conclusions
     • GCMP is introduced to support very high data rate secured communication
     • RSNA rekeying is proposed to maintain uninterrupted security association and also enable smooth transition from old key to new key
     • RSNA management in PBSS is specified based on ESS and IBSS RSNA management
     • Multi-band RSNA is defined to facilitate fast session transfer between different bands

  26. References
     • [1] 11-10-0432-00-00ad-CP-presentation.ppt
     • [2] 11-10-0433-00-00ad-CP-specification.doc
     • [3] 11-10-0436-00-00ad-NT-May-Nokia.ppt (Fast Session Transfer)
     • [4] David A. McGrew and John Viega, The Security and Performance of the Galois/Counter Mode (GCM) of Operation, INDOCRYPT 2004, Springer-Verlag, 343-355
