ieee 802 1x pre authentication
play

IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission - PowerPoint PPT Presentation

Dec 11, 2023 •302 likes •508 views

11 July 2002 doc.: IEEE 802.11-02/389r0 IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission Slide 1 Bernard Aboba, Microsoft 11 July 2002 doc.: IEEE 802.11-02/389r0 Outline Goals Conclusions Overview of

  1. 11 July 2002 doc.: IEEE 802.11-02/389r0 IEEE 802.1X Pre-Authentication Bernard Aboba Microsoft Submission Slide 1 Bernard Aboba, Microsoft

  2. 11 July 2002 doc.: IEEE 802.11-02/389r0 Outline • Goals • Conclusions • Overview of pre-authentication • State machine • Threat model • EAP requirements • Management frame protection • Control frame protection • Protected negotiations • Key activation • Summary Submission Slide 2 Bernard Aboba, Microsoft

  3. 11 July 2002 doc.: IEEE 802.11-02/389r0 Goals • To present a strawman threat model for IEEE 802.11 Tgi – Tim Moore to present detailed threat analysis on Thursday • To understand the implications of IEEE 802.1X pre- authentication – Pre-authentication supported in 802.11i Draft 2.2 • To analyze solutions to potential threats – Protected capabilities negotiation – Key activation – Management frame authentication – Control frame authentication Submission Slide 3 Bernard Aboba, Microsoft

  4. 11 July 2002 doc.: IEEE 802.11-02/389r0 Conclusions • IEEE 802.11i needs a threat model. – Without a threat model, you never know when you’re done! – IEEE 802.1X could use a formal threat model too (to avoid misunderstandings). • IEEE 802.1X pre-authentication with 802.11 introduces some new wrinkles – Supplicant-only initiation – Station authenticated to multiple Authenticators simultaneously – No controlled and uncontrolled ports – 802.11 state machine controls access, not 802.1X state machine – IEEE 802.1X frames have a unicast DA and may be forwarded • IEEE 802.1X pre-authentication has substantial advantages for 802.11 – Pre-authentication enables a station to authenticate to multiple APs, which is not possible when 802.1X occurs after Association. • Minimizes connectivity loss during roaming – IEEE 802.1X pre-auth makes it possible to authenticate and derive keys early on, use keys to protect as many messages as possible – Most management and control frames can be protected, with the exception of Beacon and Probe Request/Response Submission Slide 4 Bernard Aboba, Microsoft

  5. 11 July 2002 doc.: IEEE 802.11-02/389r0 802.1X Pre-Authentication Channel 6 Channel 11 c v D AP B STA AP A • STA authenticates and associates to AP A on Channel 6 – 802.1X data frames with “From DS” and “To DS” set to false (Class 1) • STA does passive or active scan, moves, selects AP B as “potential roam” STA authenticates to AP B before connectivity is lost to AP A (if ∆ T < c/v) • – Can send unicast 802.1X data frames to AP B, forwarded by AP A • “From DS” or “To DS” set to true (Class 3) Can tune radio to Channel 11 (if B > r ∆ T) – • STA reassociates to AP B Submission Slide 5 Bernard Aboba, Microsoft

  6. 11 July 2002 doc.: IEEE 802.11-02/389r0 The Problem Space Rate Scan + Pre-auth via Association not Old AP AP authentication Β possible & Advertisement ∆ T over IP Scan + Radio tuning c D ∆ T RTT assoc Stationary Pedestrian Vehicular High Speed Station Velocity Submission Slide 6 Bernard Aboba, Microsoft

  7. 11 July 2002 doc.: IEEE 802.11-02/389r0 State Machine • Original 802.11 state machine Class 1 Frames State 1: can be used Unauthenticated, Unassociated • IEEE 802.1X data frames can be sent in State 1,2 Deauthentication Successful Notification Authentication (Authenticated) – To DS, From DS =0 – “Unassociated pre-auth” Class 1 & 2 State 2: Frames DeAuthentication • IEEE 802.1X data frames can Authenticated, Notification (Authenticated or Unauthenticated) Unassociated be sent in State 3 – To DS or From DS = 1 Successful Disassociation Association or Notification Reassociation (Authenticated) – “Associated Pre-auth” (Authenticated) • Unauthenticated Deauth can be Class 1, 2 & 3 State 3: silently discarded by STA Frames Authenticated, Associated Submission Slide 7 Bernard Aboba, Microsoft

  8. 11 July 2002 doc.: IEEE 802.11-02/389r0 Pre-Authentication State Machine • No “controlled” and “uncontrolled” ports – In fact, no “ports” at all! – Port doesn’t exist until Association/Reassociation exchange – RADIUS Access-Request contains no NAS-Port attribute – Accounting START sent after successful Association/Reassociation Response w/NAS-Port • Supplicant initiation only – Supplicant authenticates to APs that it is likely to roam to – Since roaming decision made by STA, it also handle auth initiation – Unsolicited EAP-Request/Identity frames are silently discarded • 802.11 state machine governs frame treatment – 802.11-1999 state machine already supports pre-authentication, no changes required – 802.1X “auth complete” an input to 802.11 state machine – Reverse of 802.1X after Association, where 802.11 events are inputs to 802.1X state machine Submission Slide 8 Bernard Aboba, Microsoft

  9. 11 July 2002 doc.: IEEE 802.11-02/389r0 Strawman Threat Model for 802.11 • Snooping, modification or injection of data packets • Impersonation of legitimate 802.11 STA or AP • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 9 Bernard Aboba, Microsoft

  10. 11 July 2002 doc.: IEEE 802.11-02/389r0 802.11 EAP Method Requirements • Question: “What role does EAP have in 802.11 security?” • Wireless method requirements (from RFC 2284bis): – Mutual authentication – Key derivation – Dictionary attack resistance – Support for fast reconnect • Question: is 2.5 round trips “fast”? – Protected EAP conversation • To be discussed – Ciphersuite negotiation? – Key activation? Submission Slide 10 Bernard Aboba, Microsoft

  11. 11 July 2002 doc.: IEEE 802.11-02/389r0 Threats Addressed by EAP Reqmts. • Snooping, modification or injection of data packets (802.11 ciphers) • Impersonation of legitimate 802.11 STA or AP (802.11 ciphers) • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 11 Bernard Aboba, Microsoft

  12. 11 July 2002 doc.: IEEE 802.11-02/389r0 No Mandatory Auth Method: Implications • Interoperability – No guarantee that STA and AP can successfully authenticate • Configurations without a backend server – Authenticator can’t just implement the mandatory method; needs to support commonly deployed methods – Result: AP may need constant code changes to support new auth methods – what EAP was designed to prevent! – “Pass through” configuration is easier to implement • IBSS authentication – No guarantee that two STAs can authenticate each other • Effects on 802.1X architecture – Backend authentication server originally an optional component – Not really possible to “Colocate AS and AP” • In EAP, AS and client are assumed to be extensible but AP is not – Normative discussion of AAA attributes and protocols • Belongs in a non-normative Appendix, not within the main specification. Submission Slide 12 Bernard Aboba, Microsoft

  13. 11 July 2002 doc.: IEEE 802.11-02/389r0 Protection of Management Frames • Protectable – Association/Reassociation Request/Response, Deauthenticate, Disassociate • Unprotectable – Beacon, Probe Request/Response – Would need to protect Beacon with multicast key; would not prevent forgery – Can protect contents of Beacon, Probe Response later on in order to detect forgery • Handling of unauthenticated management frames – STA can discard unauthenticated Deauthenticate message • Alternatives – Custom MIC • Requires change to key hierarchy • Low performance – TKIP/WRAP applied to MPDU • No change required to key hierarchy • High performance • Requires changes to ciphers Submission Slide 13 Bernard Aboba, Microsoft

  14. 11 July 2002 doc.: IEEE 802.11-02/389r0 Protection of Control Frames • Similar issues to management frame protection but fewer options – Control frames are higher bandwidth – Performance penalty of not reusing TKIP and WRAP ciphersuites is prohibitive – Custom MIC not a viable option • Conclusion – For control frame protection, need ciphersuites operating on MPDU Submission Slide 14 Bernard Aboba, Microsoft

  15. 11 July 2002 doc.: IEEE 802.11-02/389r0 Threats Addressed by Mgmt/Cntrl Protection • Snooping, modification or injection of data packets • Impersonation of legitimate 802.11 STA or AP • Modification of authentication or control/management messages • Injection of forged authentication or control/management messages • Denial of service, including resource starvation • Disruption of security negotiations – Capabilities advertisement – Ciphersuite or authentication negotiation Submission Slide 15 Bernard Aboba, Microsoft

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network

Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network

Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network Roaming with eduroam Stefan Winter &lt;stefan.winter@restena.lu&gt; TREFpunkt 13, rebro, Sweden 12 Oct 2005 1 Rseau Tlinformatique de

459 views • 28 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh

IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh

IEEE Infocom 2006 A secure and performant token-based authentication for infrastructure and mesh 802.1X networks Leonardo Maccari - maccari@lenst.det.unifi.it Romani Fantacci - fantacci@lenst.det.unifi.it Tommaso Pecorella -

714 views • 19 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

Structure of Presentation Introduction 8 0 2.15.4 and Zigbee IEEE 812.15.4 WPAN IEEE 802.15.4 PHY IEEE 802.15.4 MAC Zigbee Routing Layer Kevin Klues Department of Computer Science and Engineering 2 Introduction Zigbee and

863 views • 6 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes

Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes

IEEE IS IE ISIT IT 20 2020 Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes Yoshinori Ogawa *, Shingo Sato** Junji Shikata*, Hideki Imai*** *Yokohama National University, Japan **NICT, Japan

254 views • 13 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
e-authentication Practices: A road to global implementation of e-authentication for

e-authentication Practices: A road to global implementation of e-authentication for

Market-driven e-authentication Practices: A road to global implementation of e-authentication for cross-bordered trade document Mr. Wanawit Ahkuputra Deputy Executive Director of ETDA Thailand HOD and AFACT chair. Building Soft

533 views • 13 slides

More recommend