Suite-B Compliance for a Mesh Network


Authors: Dan Harkins, Aruba Networks

Date: 2009-09-15

Abstract

This document describes the changes necessary to the 802.11s Draft to support “suite B” compliance


What is “suite B?”
  • A specification of cryptographic building blocks used to construct a secure system
    • Key exchange using elliptic curve Diffie-Hellman (ECDH)
    • Authentication using elliptic curve Digital Signature Algorithm (ECDSA)
    • Hashing with SHA-256 or greater
    • Use of approved elliptic curves (over prime field of at least 256 bits)
    • AES-GCM for bulk data protection
  • A revised set of requirements (on top of FIPS), defined by the NSA and the US government, that a product must meet to be sold for protecting data at a certain classification level


“suite B” support in 11s
  • SAE implements an ECDH-like exchange using approved elliptic curves and specifies SHA-256 but…
    • Authentication is not ECDSA
    • The keys are still used with AES-CCM
  • Today an 11s implementation would not meet “suite B” requirements and cannot be sold into certain markets
  • We could do a bit more work to rectify this
    • Propose a new authentication protocol using ECDH and ECDSA, with SHA-256, that can support approved elliptic curves
    • Define use of AES-GCM for 11s (that might be a lightning rod for negative comments in the next ballot, or maybe not)


A “suite B”-compliant Authentication Protocol for 11s
  • Use action frames to request and obtain a peer’s certificate
  • Use authentication frames to perform a peer-to-peer protocol which does an ECDH exchange and ECDSA to authenticate
  • Leverage lots from SAE
    • The state machine will be almost identical
    • A new AKM in beacons indicates support for the exchange
    • Use the same mechanism for negotiating the elliptic curve
    • The result of the exchange is an authenticated PMK, just like SAE, that is input to APE to establish a secure peering.


A “suite B”-compliant Authentication Protocol for 11s

Mesh Point A (identified by ID-A):
  • Choose random “a” less than order of group, nonce Na
  • Compute element A = a*G

Mesh Point B (identified by ID-B):
  • Choose random “b” less than order of group, nonce Nb
  • Compute element B = b*G

Exchange (in authentication frames):
  • Each side sends its nonce and element: Na, A from A; Nb, B from B
  • A sends Sign {Na | Nb | A | B | ID-A | ID-B}
  • B sends Sign {Nb | Na | B | A | ID-B | ID-A}

Session ID = MAX(Na, Nb) | MIN(Na, Nb)

Shared Secret = a * b * G
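The exchange on this slide, worked through in code as an added example; it is not from the presentation or from any 802.11s draft text. It uses Go's standard-library crypto/ecdh and crypto/ecdsa on P-256 with SHA-256, which matches the suite B building blocks listed earlier. Everything not on the slide is an assumption of this example: the 32-byte nonces, the length byte in front of each transcript component (the slide writes a plain "|"), SHA-256 as the KDF from the shared secret to the PMK, and the mesh point IDs used in the test. Each side signs the transcript with its own values first and verifies the peer's signature with the peer's values first, exactly as the two Sign lines above are ordered.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// MeshPoint is one side of the exchange: a long-term ECDSA P-256 identity key
// (what the certificate fetched over action frames carries) plus the ephemeral ECDH scalar and nonce for one run.
type MeshPoint struct {
	ID     string
	idKey  *ecdsa.PrivateKey
	ephKey *ecdh.PrivateKey
	Nonce  []byte
}

func NewMeshPoint(id string) (*MeshPoint, error) {
	idKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ephKey, err2 := ecdh.P256().GenerateKey(rand.Reader) // random scalar below the group order
	nonce := make([]byte, 32)                             // nonce size is an assumption
	_, err3 := rand.Read(nonce)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	return &MeshPoint{ID: id, idKey: idKey, ephKey: ephKey, Nonce: nonce}, nil
}

// Element is this side's ephemeral element (scalar*G), SEC1 uncompressed.
func (m *MeshPoint) Element() []byte { return m.ephKey.PublicKey().Bytes() }

// IdentityPublic is the ECDSA key the peer learns from the certificate.
func (m *MeshPoint) IdentityPublic() *ecdsa.PublicKey { return &m.idKey.PublicKey }

// transcript builds {N-me | N-peer | E-me | E-peer | ID-me | ID-peer}.
func transcript(nMe, nPeer, eMe, ePeer []byte, idMe, idPeer string) []byte {
	var b bytes.Buffer
	for _, p := range [][]byte{nMe, nPeer, eMe, ePeer, []byte(idMe), []byte(idPeer)} {
		b.WriteByte(byte(len(p))) // length prefix (an assumption) makes the "|" concatenation unambiguous
		b.Write(p)
	}
	return b.Bytes()
}

// SignTranscript is this side's ECDSA signature over its own ordering of the transcript.
func (m *MeshPoint) SignTranscript(peerNonce, peerElem []byte, peerID string) ([]byte, error) {
	h := sha256.Sum256(transcript(m.Nonce, peerNonce, m.Element(), peerElem, m.ID, peerID))
	return ecdsa.SignASN1(rand.Reader, m.idKey, h[:])
}

// VerifyPeer rebuilds the transcript as the peer ordered it (peer values first)
// and checks the peer's signature against its identity key.
func (m *MeshPoint) VerifyPeer(peerPub *ecdsa.PublicKey, peerNonce, peerElem []byte, peerID string, sig []byte) bool {
	h := sha256.Sum256(transcript(peerNonce, m.Nonce, peerElem, m.Element(), peerID, m.ID))
	return ecdsa.VerifyASN1(peerPub, h[:], sig)
}

// SessionID = MAX(Na, Nb) | MIN(Na, Nb); sorting makes both sides compute the same value.
func SessionID(na, nb []byte) []byte {
	hi, lo := na, nb
	if bytes.Compare(na, nb) < 0 {
		hi, lo = nb, na
	}
	return append(append([]byte{}, hi...), lo...)
}

// PMK derives the authenticated PMK from the shared secret a*b*G (crypto/ecdh
// returns its x-coordinate); SHA-256 as the KDF is an assumption of this example.
func (m *MeshPoint) PMK(peerElem []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerElem) // rejects encodings that are not points on the curve
	if err != nil {
		return nil, err
	}
	ss, err := m.ephKey.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(ss)
	return k[:], nil
}

// RunExchange plays both sides over an in-memory link: swap (nonce, element), swap
// signatures, verify, derive. Returns the common PMK and session ID, or an error if either peer fails authentication.
func RunExchange(a, b *MeshPoint) ([]byte, []byte, error) {
	sigA, errA := a.SignTranscript(b.Nonce, b.Element(), b.ID)
	sigB, errB := b.SignTranscript(a.Nonce, a.Element(), a.ID)
	if err := errors.Join(errA, errB); err != nil {
		return nil, nil, err
	}
	if !b.VerifyPeer(a.IdentityPublic(), a.Nonce, a.Element(), a.ID, sigA) ||
		!a.VerifyPeer(b.IdentityPublic(), b.Nonce, b.Element(), b.ID, sigB) {
		return nil, nil, errors.New("peer authentication failed")
	}
	pmkA, errA := a.PMK(b.Element())
	pmkB, errB := b.PMK(a.Element())
	if err := errors.Join(errA, errB); err != nil || !bytes.Equal(pmkA, pmkB) {
		return nil, nil, errors.New("PMK derivation failed")
	}
	return pmkA, SessionID(a.Nonce, b.Nonce), nil
}
```

Two points the slide leaves implicit are visible in the code: the signature binds both identities and both ephemeral elements, so a signature captured from one run cannot be replayed against a different peer or different elements, and the peer's element is validated as a point on the curve before the scalar multiplication, which SAE-style exchanges also require.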


Straw Polls
  • Ability to sell product into government markets using sensitive data is important
    • Yes: 5
    • No: 0
    • Don’t Care: 2
  • We should add another authentication protocol to the Draft to support suite-b for this purpose
    • Yes: 1
    • No: 0
    • Don’t Care: 0
    • Don’t Know: 7


References
