IBSS and ESN


Presentation Transcript


  1. IBSS and ESN
     Bob Beach, Symbol Technologies

  2. IBSS and ESN
     • Current baseline really does not address IBSS networks
     • Most of the assumptions of baseline are absent in IBSS
       • No AP to advertise/negotiate cypher and authentication suites
       • No AP to respond to probes (any station can respond)
       • No associations – stations can transmit whenever they like
       • No place for 802.1x port control
     • Assume manual configuration for IBSS is not sufficient
       • E.g. write cypher suite and encryption key on blackboard and have each user enter the information manually
     • Maximize commonality between IBSS and ESS modes

  3. Review of IBSS Operation
     • In 1999 specification only Station Services supported
       • Authentication, Deauthentication, Privacy, MSDU delivery
     • IBSS is indicated by bit in capability field of beacon
       • WEP is also so indicated
     • All stations in an IBSS generate a beacon on regular basis
       • First STA in IBSS sets beacon interval
       • Stations update local configuration based upon last beacon received
     • Stations may generate probe requests
       • Station that transmitted last beacon responds to probe
     • Stations can transmit whenever they want per DCF

  4. Desired Functionality for ESN IBSS
     • Key Distribution
       • All stations use same session key
       • May have separate broadcast key
     • Key Derivation
       • Need to derive actual keys for AES use from session key
       • Yields set of keys per station pair
     • Cypher Suite
       • Assumption: one suite for all stations

  5. Basic Model -1
     • Per baseline, no MAC layer Authentication
       • E.g. no authentication, deauthentication services
       • Any station can send data packets whenever it wants
     • Most of 802.1x functionality is not used
       • No entity to act as port controller
       • Request/response packets are used to carry authentication packets
     • One station acts as Security Coordinator for IBSS
       • Specifies cypher suite and authentication suite for IBSS
       • Allocates encryption key using authentication suite

  6. Basic Model -2
     • Stations use Probe/Probe Response messages to derive AES keys much like BSS model uses association packets
       • Done between each pair of stations that want to exchange data

  7. Security Coordinator (SC) -1
     • Any station can perform the SC functions
       • Need not be station that instantiates the IBSS
       • Application that runs above the MAC layer
     • Generates beacons as do other stations in IBSS but they contain additional information
       • Only its beacons contain ESN bit (other stations’ beacons don’t)
       • Contain cypher suite and authentication suite for IBSS using elements defined in ESN
       • Specifies only one option for each. Use of indicated suites is mandatory for particular IBSS

  8. Security Coordinator (SC) -2
     • Key Distribution uses authentication algorithm
       • Authentication packets are carried inside 802.1x request and response packets
       • Addressed to station generating ESN tagged beacon
       • Baseline authentication algorithm is used (e.g. Kerberos)

  9. Kerberos Usage in IBSS
     • Security Coordinator station operates as Mini-KDC
     • Stations do regular Kerberos handshake using information in ESN tagged beacons
     • Mini-KDC allocates same session key to all stations using Kerberos packet exchanges
     • Users share common password distributed manually or agree upon some password derivation model (password = username)
     • SC application may have user interface that allows manual user approval
       • I.e. authenticate “George”? “Yes/no?”
       • Allows membership in IBSS to be known

  10. Key Derivation
     • Need to derive AES keys from session key
     • Add nonce to probe/probe response packets
       • When a station needs to send a data packet to another station for the first time it sends a probe packet to it containing the nonce
       • The target station replies with a probe response containing its nonce
       • Both stations compute AES key using the contents of the probe/probe response packets
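Worked example of the slide-10 nonce exchange (and the per-station-pair keys of slide 4), added here and not taken from the presentation. The slides leave the derivation function unspecified, so HMAC-SHA256 keyed with the SC-distributed session key over both MAC addresses and both nonces is an assumption, as are the `Station` class and the dict-based probe frames; the example shows that both ends of a probe/probe-response exchange arrive at the same key, that each station pair gets a distinct key, and that a probe response with no outstanding probe is ignored.

```python
import hashlib
import hmac
import os


# Assumed KDF (the slides leave it unspecified): HMAC-SHA256 keyed with the
# IBSS session key over both MAC addresses and both nonces, truncated to a
# 128-bit AES key. The (address, nonce) pairs are sorted so the probe sender
# and the responder build the identical input regardless of who initiated.
def derive_pairwise_key(session_key, addr_a, nonce_a, addr_b, nonce_b):
    first, second = sorted([(addr_a, nonce_a), (addr_b, nonce_b)])
    msg = b"IBSS-ESN-pairwise" + first[0] + first[1] + second[0] + second[1]
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:16]


class Station:
    """One IBSS station holding the session key handed out by the SC (slide 9)."""

    def __init__(self, addr, session_key):
        self.addr = addr                # 6-byte MAC address
        self.session_key = session_key  # same for every station (slide 4)
        self.pairwise_keys = {}         # peer addr -> AES key
        self.pending = {}               # peer addr -> nonce of our outstanding probe

    def send_probe(self, peer):
        # First data packet to a peer: send a probe carrying a fresh nonce.
        nonce = os.urandom(16)
        self.pending[peer] = nonce
        return {"type": "probe", "src": self.addr, "dst": peer, "nonce": nonce}

    def handle_probe(self, probe):
        # Target replies with its own nonce and can already compute the key.
        nonce = os.urandom(16)
        self.pairwise_keys[probe["src"]] = derive_pairwise_key(
            self.session_key, probe["src"], probe["nonce"], self.addr, nonce)
        return {"type": "probe_response", "src": self.addr,
                "dst": probe["src"], "nonce": nonce}

    def handle_probe_response(self, resp):
        # Ignore a response for which we never sent a probe (unsolicited nonce).
        my_nonce = self.pending.pop(resp["src"], None)
        if my_nonce is None:
            return None
        key = derive_pairwise_key(self.session_key, self.addr, my_nonce,
                                  resp["src"], resp["nonce"])
        self.pairwise_keys[resp["src"]] = key
        return key


def establish(initiator, target):
    """Run the probe / probe-response exchange and return the initiator's key."""
    resp = target.handle_probe(initiator.send_probe(target.addr))
    return initiator.handle_probe_response(resp)
```

A station whose session key differs from the SC-distributed one (i.e. one that never completed the Kerberos exchange) ends up with a key its peer does not share, which is the point at which its data frames stop decrypting.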

  11. Proposed Motions
     • Proposed: The model of IBSS ESN operation contained in this document be added to the TGi baseline.
     • Proposed: TGi instruct the author of this document to prepare text for incorporation into the next revision of the Draft specification.