
A Network Enrollment Protocol


Presentation Transcript


  1. A Network Enrollment Protocol
  Duncan Kitchin, Intel

  2. Problem Statement
  • 802.11 requires per-node configuration
    • SSID
    • encryption keys, mechanisms
  • This is too complex for many products and/or users
    • TVs, VCRs, DVD players (no keyboard…)
    • consumers expect these products to work out of the box
  • Security implications
    • the greatest security flaw we could introduce is making the system too difficult to configure correctly

  3. Proposed Solution – What the User Sees
  • User sees “press a button at either end” enrollment
    • same as used for garage door openers, cordless phones, cordless mice, keyboards
  • Pressing a button on the AP makes it temporarily “open for enrollment”
  • Two buttons at station, “scan” and “enroll”
    • first “illuminates” APs, cycling through the list
    • second attempts enrollment in the last AP illuminated

  4. New Packets
  • Use new generic management type & subtype, with action “enroll”
    • subaction “illuminate”
    • subaction “enroll request”
    • subaction “enroll response”

  5. Scanning
  • Station determines available APs by existing active or passive scanning, and maintains a list
  • Each time the “scan” button is pressed, the station sends an enroll/illuminate packet to the next AP on the list
  • An AP receiving an enroll/illuminate packet emits an audible or visual indication

  6. Enrollment Process
  • Station and AP create a Diffie-Hellman tunnel
    • Station creates DH value, sends to AP
    • AP never advertises that it is open, but accepts an enrollment request if it is and responds with its own DH value and encrypted parameters
  • The tunnel is then used by the AP to send back to the station:
    • credentials for future authentication
    • other configuration parameters such as SSID

  7. Packet Formats
  • See 00/xxx for generic management frame type
  • enroll/illuminate
    • no additional contents
  • enroll/request
    • Diffie-Hellman element
  • enroll/response
    • Diffie-Hellman element
    • configuration data, plus encrypted-content security credential elements

  8. Process Summary
  (sequence diagram)
  • Station → AP: enroll/illuminate; AP gives indication
  • Station → AP: enroll/illuminate; AP gives indication
  • Station → AP: enroll/request (after the “enroll” button is pressed)
  • AP → Station: enroll/response
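The exchange of slides 6 to 8 (scan/illuminate, button press, enroll/request carrying the station's Diffie-Hellman element, enroll/response carrying the AP's element plus the encrypted SSID and credential), written out as a runnable model with both sides' frames. This is an added example, not code from the slides or from Intel: the DH group (RFC 3526 group 14), the SHA-256 key derivation, the stand-in cipher (SHA-256 counter keystream with an HMAC tag, because the slides name no cipher), the JSON encoding of the configuration, the 120-second window, the one-enrollment-per-press rule and the frame field names are all assumptions made here.

```python
import hashlib
import hmac
import json
import os
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2; P is a safe prime, so Q = (P-1)/2 is prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G, Q, DH_LEN = 2, (P - 1) // 2, 256

def dh_keypair():
    """Private exponent x and the Diffie-Hellman element g^x mod p carried in the frame."""
    priv = secrets.randbits(256) | 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Shared secret as fixed-width bytes; rejects out-of-range and small-subgroup peer elements."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("bad Diffie-Hellman element")
    return pow(peer_pub, priv, P).to_bytes(DH_LEN, "big")

def derive_keys(shared, sta_pub, ap_pub):
    """Tunnel keys bound to both DH elements (assumed KDF): (encryption key, MAC key)."""
    transcript = shared + sta_pub.to_bytes(DH_LEN, "big") + ap_pub.to_bytes(DH_LEN, "big")
    root = hashlib.sha256(b"enroll-tunnel" + transcript).digest()
    return hashlib.sha256(b"enc" + root).digest(), hashlib.sha256(b"mac" + root).digest()

def _keystream(enc_key, nonce, length):
    blocks = range((length + 31) // 32)
    return b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)

def seal(keys, plaintext):
    """Encrypt-then-MAC with a stand-in stream cipher (assumption; the slides name no cipher)."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(keys, blob):
    """Check the tag before decrypting; any modification of the response raises."""
    enc_key, mac_key = keys
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("enroll/response failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class AccessPoint:
    """AP side: never advertises it is open; answers enroll/request only inside the button window."""
    def __init__(self, ssid, credential, window_seconds=120):  # window length is an assumption
        self.ssid, self.credential, self.window = ssid, credential, window_seconds
        self.open_until = None
        self.indications = 0  # stands in for the LED/beep of slide 5

    def press_button(self, now):
        self.open_until = now + self.window

    def receive(self, frame, now):
        if frame["subaction"] == "illuminate":  # no contents; just show the user which AP this is
            self.indications += 1
            return None
        if frame["subaction"] != "request" or self.open_until is None or now > self.open_until:
            return None  # closed: drop silently, nothing on the air reveals the state
        self.open_until = None  # one enrollment per press (assumption)
        priv, pub = dh_keypair()
        keys = derive_keys(dh_shared(priv, frame["dh"]), frame["dh"], pub)
        secret = json.dumps({"ssid": self.ssid, "credential": self.credential}).encode()
        return {"action": "enroll", "subaction": "response", "dh": pub, "encrypted": seal(keys, secret)}

class Station:
    """Station side: illuminate on "scan", request on "enroll", then open the response."""
    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.config = None

    def frame(self, subaction):
        """enroll/illuminate carries nothing; enroll/request carries the station's DH element."""
        f = {"action": "enroll", "subaction": subaction}
        return dict(f, dh=self.pub) if subaction == "request" else f

    def receive(self, frame):
        keys = derive_keys(dh_shared(self.priv, frame["dh"]), self.pub, frame["dh"])
        self.config = json.loads(unseal(keys, frame["encrypted"]))
        return self.config

def run_enrollment(ap, sta, now=0):
    """The slide 8 sequence: scan (illuminate), button press on the AP, enroll request/response."""
    ap.receive(sta.frame("illuminate"), now)
    ap.press_button(now + 1)
    response = ap.receive(sta.frame("request"), now + 2)
    return sta.receive(response) if response else None
```

`run_enrollment(AccessPoint("home-net", "constructed-psk-0123"), Station())` returns the decrypted `{"ssid": ..., "credential": ...}` on the station; a request sent while the AP is closed, or after the window has lapsed, gets no frame at all, which is the "never advertises" property of slide 6. The caveat a reviewer would attach: the exchange is plain unauthenticated Diffie-Hellman, so the only thing binding the station to the intended AP is the button window and physical proximity; the group-element and tag checks above protect against malformed or modified frames, not against a party that answers the enroll/request during the window in place of the real AP.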
