
Liaison presentation to ISO/IEC JTC1/SC6 in relation to claims of 802.11i insecurity

Liaison presentation to ISO/IEC JTC1/SC6 in relation to claims of 802.11i insecurity. 9 May 2011. This presentation is based on two liaisons from IEEE 802.11 WG to ISO/IEC JTC1/SC6: N14141 (December 2009) and N14551 (January 2011).

atalo

Presentation Transcript


  1. Liaison presentation to ISO/IEC JTC1/SC6 in relation to claims of 802.11i insecurity
     • 9 May 2011
     • This presentation is based on two liaisons from IEEE 802.11 WG to ISO/IEC JTC1/SC6:
       • N14141 (December 2009)
       • N14551 (January 2011)

  2. 802.11i is secure and its alleged insecurity cannot be used to justify a WAPI NP in SC6
     • The situation …
       • IEEE 802 has participated in good faith in the WAPI NP proposal voting and resolution process ...
       • ... and yet the IEEE 802 comments and rebuttals have been generally ignored or dismissed …
     • The next steps …
       • The current view of IEEE 802 is best summarized by our conclusion in N14551 that no evidence has been provided of security loopholes in 802.11i …
       • … and IEEE 802 requests SC6 to delete invalid claims about 802.11i and halt any project relying on them until the claims can be properly justified

  3. IEEE 802 has participated in good faith in the WAPI NP proposal voting and resolution process ...
     [Timeline figure, 2009 to 2011]
     • Oct 09: N14123 WAPI NP proposal
     • Feb 10: N14228 WAPI NP voting results
     • Oct 10: N14436 Initial WAPI NP disposition
     • Mar 11: N14620 Revised WAPI NP disposition
     IEEE 802 participation in WAPI NP process:
     • Dec 09: N14142 IEEE 802 comments on WAPI NP proposal
     • Jan 11: N14551 IEEE 802 comments on WAPI NP disposition

  4. ... and yet the IEEE 802 comments and rebuttals have been generally ignored or dismissed!
     [Timeline figure, 2009 to 2011]
     • Oct 09: N14123 Justification of WAPI NP based on assertion 802.11i is insecure
     • Feb 10: N14228 Very few NBs appear to have considered the IEEE 802 rebuttal during the WAPI NP vote
     • Oct 10: N14436 Ignores IEEE 802 input, repeats invalid claims about 802.11i security & extends them
     • Mar 11: N14620 Dismisses IEEE 802 (& US NB) concerns on basis that they are too late!
     IEEE 802 participation in WAPI NP process:
     • Dec 09: N14142 IEEE 802 rebutted all assertions in WAPI NP proposal about 802.11i security
     • Jan 11: N14551 IEEE 802 rebutted all new claims of 802.11i insecurity, and notes problems with WAPI

  5. The justification of the WAPI NP in N14123 is entirely based on an assertion 802.11i is insecure
     • N14123 justified the WAPI NP project based on a single assertion that IEEE 802.11i contains security loopholes
       • From N14123: It is a well known fact that current WLAN international standards contains serious security loopholes which need to be dealt with by enhanced security mechanisms
     • N14123 provided three examples of supporting evidence
       • A paper titled, “WiFi Epidemiology: Can Your Neighbors’ Router Make Yours Sick?” published in early 2008
       • An article titled, “A Wi-Fi virus outbreak? Researchers say it's possible” published in a trade magazine in late 2008
       • Two papers published in late 2008 and early 2009 that describe similar mechanisms to attack WPA systems
     • If the allegation of 802.11i insecurity is invalidated then N14123 does not contain any material in the “justification” clause

  6. In N14142 (Dec 2009), IEEE 802 rebutted all claims of 802.11i insecurity
     • Question: does any NB believe the “justification” is valid given the IEEE 802 rebuttal?

  7. Very few NBs appear to have even considered the IEEE 802 rebuttal during the WAPI NP vote
     • The results of the WAPI NP vote (in N14228) indicate that very few NBs considered the IEEE 802 comments
     • The US NB submitted a number of comments in response to the WAPI NP proposal vote
       • Two comments challenged the validity of the material in the “justification” that claims 802.11i is insecure
       • The US NB also submitted seven other substantive comments
     • The UK NB submitted a comment that alluded to some technical concerns but focused on the “standalone standard issue”
     • No other NB provided substantive comments
     • Question: Is it appropriate to approve a NP proposal with a justification that is known to be invalid?

  8. The disposition in N14436 repeats & extends invalid claims about 802.11i security, ignoring IEEE 802 input
     • The proposed disposition of comments (in N14436) does not address the IEEE 802 comments at all
     • N14436 responds to similar US NB comments by repeating and extending the allegations of 802.11i insecurity
       • Asserting “Security loopholes in the current IS (ISO/IEC 8802-11) have been reported in the security literature”
       • Claiming that WAPI can protect against attacks by fake STAs and fake APs, with the implication that 802.11i cannot
       • Claiming that specific security problems were asserted in the fast track ballot on 802.11i in 2006
       • Asserting that N14123, N14399, N14402 & N14410 all “comprehensively address weaknesses in existing network security”
     • No specific evidence of the alleged insecurity of 802.11i was included in N14436

  9. In N14551 (Jan 2011), IEEE 802 rebutted new claims of 802.11i insecurity & noted problems with WAPI
     • Note: the US NB independently made similar rebuttals in N14549

  10. In N14620, the objections of IEEE 802 were disregarded on basis they are too late
     • The latest proposed comment disposition (N14620) includes some responses to comments from IEEE 802 (N14551)
     • However, it dismisses the comments on the basis that the comment disposition is no longer concerned with the WAPI NP proposal
       • This comment is focusing on the Justification of ISO/IEC 20011, but it should be noted that, the NP ballot has passed; the main comment and contribution in this stage should be focused and changed to the editing and commenting of WD text
     • Various similar comments by the US NB were similarly dismissed

  11. The current view of IEEE 802 is best summarized by the conclusion from N14551 (Jan 11) …
     • … the fundamental justification for a WAPI NP in SC6 is based on the assertion that there are security loopholes or flaws in mandatory security components included in 802.11 (and its amendments). However, no valid or credible evidence has been provided to support this assertion.
     • The reality is that mandatory security components included in 802.11 have no known “security loopholes”. This statement is practically supported by the use of 802.11 in millions of systems worldwide, in high security applications, by governments, financial institutions, telecommunications providers, enterprises and consumers.
     • IEEE 802 requests SC6 do not consider any assertions that mandatory security components included in 802.11 (and its amendments) are insecure when deciding whether to authorize the WAPI NP proposal. Alternatively, IEEE 802 invites any SC6 NB to provide valid and credible evidence to the 802.11 WG of “serious security loopholes”.

  12. … IEEE 802 requests SC6 to delete invalid claims about 802.11i & halt any project relying on these claims
     • The IEEE 802 requests SC6 undertake a number of actions to satisfy our concerns relating to the WAPI NP
     • The requested actions are:
       • Remove all existing allegations of insecurity of 802.11i from official SC6 output documents
         • Particularly the WAPI NP proposal and all associated comment dispositions
       • Alternatively, provide credible evidence of any insecurity in 802.11i
         • None has been provided to date
       • Halt any new project activity that relies on the invalid assertion that 802.11i is insecure as part of its justification
