
IBSS Solution with 802.1X


mhall

Presentation Transcript


  1. IBSS Solution with 802.1X
     D. Halasz, Cisco Systems, J. Edney, Qosine Ltd.

  2. Objectives of proposal
     • Support “ad-hoc” nature of IBSS
     • Consistent with ESS solution in approach
     • Uses Pre-shared Master Key and live session keys
     • Solution provides for both Pairwise and Group key

  3. Proposed IBSS Security Model
     • Fully distributed (no master)
     • Every client has an 802.1X Authentication Server combined with an 802.1X Authenticator (abbreviated AS/A)
     • AS/A is simple to implement with a pre-shared master key
     • Every client also has an 802.1X Supplicant (S)
     • Each pair of stations must authenticate and share keys both ways: each must be a successful supplicant to the other
     • Once the client’s AS/A has authenticated a supplicant, it will unblock traffic and may communicate with the supplicant

  4. Authentication Server combined with an authenticator
     [Figure: stations STA1 and STA2, labelled AS/A and S]
     • The authentication server does not need to be a RADIUS server.
     • In the case of IBSS, there isn’t any RADIUS communication.
     • Each AS/A authenticates each supplicant, S
     • In an IBSS, each client has a supplicant.
     • In an IBSS, the supplicant is insufficient for communication.
     • The client must also have an AS/A

  5. IBSS EAP authentication method
     • Simple method
     • PGP methods

  6. IBSS keying
     • Pairwise keying
     • Group keying

  7. Pairwise Key Exchange
     • Follows the same approach as for ESS, with the subtle differences below:
     • Each pair of stations performs the key exchange separately in each direction (since each acts as supplicant in turn)
     • Therefore two sets of pairwise keys are produced
     • Unicasts from STAa -> STAb are encrypted using pairwise keys obtained by STAa’s AS/A
     • Unicasts from STAb -> STAa are encrypted using pairwise keys obtained by STAb’s AS/A
     • This gives a true non-master relationship

  8. IBSS Pairwise keying Summary
     • Each AS/A does keying.
     • The pairwise key that an AS/A establishes with a supplicant is used for the authenticator’s transmissions.
     • The authenticator’s reception uses the pairwise key established by the supplicant’s authenticator.

  9. Group key
     • Lemma: In IBSS there is NO NEED for a single group key
     • Each STA uses its own group key for its multicast transmissions; this is the same concept as in the ESS AP case.
     • Consider STAx. All other STAs that want to communicate with STAx must first exchange keys. STAx sends its multicasts using its own group key. All valid STAs can understand them if they know STAx’s group key.
     • This is true for every STA: it has its own group key and shares it only with those STAs that exchange a pairwise key.
     • The method for creating and sending the group key is the same as for the ESS case (AP to STA)

  10. IBSS group keying Summary
     • Each AS/A has its own group key.
     • Once an AS/A has authenticated an S, it establishes the authenticator group key with the supplicant.
     • Each client has an AS/A, so each client has its own group key.
     • For broadcast reception, the supplicant uses source address to determine correct group key.

  11. Conclusion
     • This approach has the following advantages:
     • Fully non-master solution for ad-hoc networks
     • Uses live keys as per the current ESS solution
     • Provides for both pairwise and group key solutions
     • Implementation is very consistent with the ESS case, for streamlined implementation
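
The key selection described in the pairwise and group keying slides, as an added Python sketch that is not part of the presentation. The `Station` class, its method names, the random 16-byte keys and the HMAC tag standing in for frame encryption are all assumptions; the EAP exchange itself is not modelled.

```python
import hashlib
import hmac
import os

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Station:
    """One IBSS client: an AS/A plus a supplicant (S). Hypothetical model."""

    def __init__(self, mac):
        self.mac = mac
        self.group_key = os.urandom(16)  # own group key, used for own multicasts
        self.tx_pairwise = {}  # peer -> key set up by OUR AS/A (we transmit with it)
        self.rx_pairwise = {}  # peer -> key set up by the PEER's AS/A (we receive with it)
        self.rx_group = {}     # peer -> that peer's group key

    def authenticate(self, supplicant):
        """Our AS/A authenticates `supplicant` and hands it live keys."""
        key = os.urandom(16)  # constructed stand-in for the real key exchange
        self.tx_pairwise[supplicant.mac] = key
        supplicant.rx_pairwise[self.mac] = key
        supplicant.rx_group[self.mac] = self.group_key

    def tx_key(self, dest):
        if dest == BROADCAST:
            return self.group_key
        return self.tx_pairwise.get(dest)  # None: port to this peer still blocked

    def rx_key(self, src, dest):
        # Reception is keyed on the SOURCE address, for unicast and broadcast alike.
        table = self.rx_group if dest == BROADCAST else self.rx_pairwise
        return table.get(src)

    def send(self, dest, payload):
        key = self.tx_key(dest)
        if key is None:
            raise PermissionError("port blocked: peer not authenticated by our AS/A")
        tag = hmac.new(key, payload, hashlib.sha256).digest()
        return (self.mac, dest, payload, tag)

    def accept(self, frame):
        src, dest, payload, tag = frame
        key = self.rx_key(src, dest)
        if key is None:
            return False  # sender's AS/A never authenticated us
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)
```
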
