WEP2 Enhancements
Russ Housley, RSA Labs
Doug Whiting, HiFn
Jesse Walker, Intel
Russ Housley, Doug Whiting, Jesse Walker

Key Contributors
Bob Beach, Symbol
Ron Brockman, Intersil
Nancy Cam-Winget, Atheros
Clint Chaplin, Symbol
Greg Chesson, Atheros
Niels Ferguson, MacFergus BV
Russ Housley, RSA Labs
Marty Lefkowitz, TI
Bob O’Hara, Blackstorm Networks
Dorothy Stanley, Agere
Doug Smith, Cisco
Jesse Walker, Intel
Doug Whiting, HiFn
Albert Young, 3COM

Agenda
• Review of Consensus
• Identify Areas for More Work
• Present Motions to incorporate text into Draft

Review of Consensus
• Short-term WEP fix rests on 4 pillars:
• IV Sequencing
• New Per-Packet Key Mixing Function
• New 32-bit MIC
• Includes counter-measures
• New Rekey Mechanism
• All or nothing is the conformance requirement
• Design is intended as a short-term patch to WEP, not a long-term solution

IV Sequencing
• Doc 11-01-550r1 specifies IV construction at transmitter:
• 16-bit counter initialized to zero
• Value of MSB: 0xA5
• IV encoded as a big-endian value in the WEP IV field
• Consensus that receiver must maintain a replay window
• Windowing scheme controlled by whether we adopt an encrypt-early or encrypt-last scheme
• Consensus still needed here

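The IV construction and receiver replay window from this slide, as an added example that is not from the presentation or Doc 11-01-550r1. It assumes 0xA5 is the first byte of the 3-byte IV field and a 16-entry window (the slides leave the windowing scheme open); the struct and function names are hypothetical.

```c
#include <stdint.h>

#define IV_MSB 0xA5u       /* fixed most significant IV byte, per the slide */
#define REPLAY_WINDOW 16   /* assumption: the slides leave the window size open */

/* Hypothetical per-key state; zero both structs whenever a new key is installed. */
struct tx_state { uint32_t next; };   /* next counter value, 0..0x10000 */
struct rx_state { int started; uint16_t top; uint16_t seen; };

/* Fill the 3-byte WEP IV field, big-endian: 0xA5, counter high, counter low.
 * Returns -1 once the 16-bit counter is exhausted: rekey instead of wrapping,
 * because a wrapped counter would reuse an IV under the same key. */
int tx_next_iv(struct tx_state *tx, uint8_t iv[3])
{
    if (tx->next > 0xFFFFu)
        return -1;
    iv[0] = IV_MSB;
    iv[1] = (uint8_t)(tx->next >> 8);
    iv[2] = (uint8_t)(tx->next & 0xFFu);
    tx->next++;
    return 0;
}

/* Returns 1 to accept the frame, 0 to drop it. Assumption: called only after
 * the frame has passed its integrity checks, so forgeries cannot move the window.
 * Bit n of 'seen' records that counter value (top - n) was already received. */
int rx_check_iv(struct rx_state *rx, const uint8_t iv[3])
{
    uint16_t ctr, age;

    if (iv[0] != IV_MSB)
        return 0;
    ctr = (uint16_t)((iv[1] << 8) | iv[2]);
    if (!rx->started || ctr > rx->top) {
        uint16_t shift = rx->started ? (uint16_t)(ctr - rx->top) : REPLAY_WINDOW;
        rx->seen = (shift >= REPLAY_WINDOW) ? 0 : (uint16_t)(rx->seen << shift);
        rx->seen |= 1u;
        rx->top = ctr;
        rx->started = 1;
        return 1;
    }
    age = (uint16_t)(rx->top - ctr);
    if (age >= REPLAY_WINDOW || (rx->seen & (1u << age)))
        return 0;                      /* too old, or already seen: replay */
    rx->seen |= (uint16_t)(1u << age);
    return 1;
}
```
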
Per-Packet Mixing Function
• Constructs per-packet RC4 key
• Uses temporal encryption keys from the rekey mechanism
• Intended as a short-term patch
• But, due to deployment practicalities, expect it will be in the field indefinitely
• Two-phase key mixing function algorithm proposed by Doug Whiting and Ron Rivest
• TTAK = Phase1 (TemporalKey, TA)
• PPK = Phase2 (TTAK, IV)
• IV set to 0 when TTAK is first used and 0 ≤ IV < 2^16
• Expect implementations to cache the output of Phase 1

32-bit MIC
• Constructs per-packet Message Integrity Code
• Uses temporal authentication keys from the rekey mechanism
• Intended as a short-term patch
• But, due to deployment practicalities, expect it will be in the field indefinitely
• New 32-bit MIC
• Includes counter-measures
• Alternatives still under investigation
• Performance on host
• Performance on MAC processor
Goal: prevent packet forgeries

Rekey Mechanism
• Algorithm defines MAC-level rekey protocol
• Goal: Temporal Key Derivation, Security Session Management, Roaming Support, Compatibility with 802.1X
• Provides temporal encryption keys and temporal authentication keys
• All or nothing is the conformance requirement
• We already have enough insecure protocols
• Intended as both a short-term patch to WEP and a long-term solution when used with AES
• Two different mechanisms for key types:
• Default keys: Countdown-based Rekeying
• Key-mapping keys: Message-based Rekeying

Security Consensus
• Omission of IV sequencing enables replay (special type of forgery attack)
• Omission of MIC enables packet forgery
• Forgery can be turned into attack to derive the privacy key
• Omission of Mixing Function enables FMS attacks
• Omission of Rekey enables IV collision attacks

Conformance Consensus
• We already have enough insecure 802.11 protocols; we don’t need more
• Vendors claiming conformance must implement all of the features
• Intended as a short-term patch to WEP, not a long-term solution
• But deployment practicalities say it will be in the field indefinitely

Agenda
• Review of Consensus
• Identify Areas for More Work
• Present Motions to incorporate text into Draft

Areas Requiring More Work
• MIC
• Encrypt Early/Late Decision
• Rekey

MIC Work Required
• Algorithm definition incomplete
• Candidate MPH algorithm defined, but introduces implementation constraints
• Cost: ~3 cycles/byte, 35K cycles per rekey
• Optimized for 32-bit little-endian processors only: poor choice for MAC firmware
• Poor choice for MAC processor
• Ferguson and Whiting trying to develop algorithm with acceptable performance on both host and MAC processors
• Counter-measures definition and consensus also required

Encrypt Early/Late
• IV sequencing, rekey driving discussion
• All implementations must make same IV sequencing decision, or interoperability fails
• Late encryption minimizes receiver replay window state
• Late encryption seems to simplify rekey algorithm, but requires hardware acceleration for encryption
• Need consensus whether to include effects of QoS. If so, need to
• Agree on architecture with TGe
• Protect QoS traffic-class bits in MIC computation?
• Maybe separate sequence spaces for each traffic class?
• Unicast retransmit also reorders: how much?
• Need consensus on maximum reordering to design replay mechanism, and where to put crypto functions

Rekey
• Only one moderately complete proposal
• Doc 01-508r2
• But it has not yet been specified in sufficient detail to implement
• And consensus not complete on the message exchanges
• Need
• Consensus whether to continue with this approach
• If so, resolve outstanding message exchange issues
• Define details of protocol sufficient for independent interoperable implementations.

Agenda
• Review of Consensus
• Identify Areas for More Work
• Present Motions to incorporate text into Draft

Motions
• Motion 1: New outline for Clause 8.2.2
• Motion 2: Add Mixing Function Text
• Motion 3: Add MPDU expansion text

Motion 1
• Motion to instruct editor to replace Clause 8.2 of draft with following outline:
• 8.2.1 Overview and Theory of Operation
• 8.2.2 Placement Cryptographic Processing
• 8.2.3 IV Sequencing and Replay
• 8.2.4 WEP2 Mixing Function
• 8.2.5 WEP2 MIC and Counter-measures
• 8.2.6 WEP2 MPDU Expansion
• 8.2.7 WEP2 Interaction with Rekeying

Motion 2
• Motion to instruct the editor to add the text of Sections 1-5 of Doc 01-550r1 as the text of Clause 8.2.4, and to add the text of Section 6, 7 and S-Box definition in Annex A of Doc 01-550r1 as a new Annex to the Draft.

Motion 3
• Motion to instruct the editor to reinsert the existing MPDU expansion text into the draft as the body of Clause 8.2.6, and to amend it to describe the new 32-bit MIC as
• the last 4 bytes of data prior to the WEP ICV
• Encoded as a byte string