Enhanced 802.11 Security

1. Enhanced 802.11 Security Authors: Date: 2008-07-10 Dan Harkins, Aruba Networks

2. Abstract This document describes some missing features from 802.11 and proposes a way to add them to IEEE 802.11. Dan Harkins, Aruba Networks

3. Security Services in 802.11 • Key Management • Authentication: A STA can prove its identity to the network and vice versa • Authorization and Access Control: Once authenticated a STA can be given access to the network, or a subset of it, or denied access to the network. • Key derivation: each side derives a key known bound to each other. • Ciphers • Data Confidentiality: Data sent between the STA and AP is hidden from all but the source and destination of the data. • Data Integrity: The recipient of a frame is able to verify that the frame was not modified in transit and that a false frame has not been substituted for a valid frame. • Data Source Authentication: The recipient of a frame is able to ascertain the origin of the frame and it is not possible for anyone else to masquerade as the claimed originator. Dan Harkins, Aruba Networks

4. How are These Services Provided Today? • Wired Equivalent Privacy (WEP) • Key Management • Shared key: insecure simple proof-of-possession of a shared key • Cipher • WEP: insecure, numerous fundamental flaws in design • Robust Security Network (RSN) • Key Management • 802.1x: provides mutual authentication, allows for authorization and access control decision making, generates secure and cryptographically strong keys. • PSK: provides a limited type of authentication, generates weak keys that void some features of RSN ciphers. • Ciphers • TKIP: provides confidentiality, data integrity (sub-optimally), and data source authentication. • CCMP: provides confidentiality, data integrity, and data source authentication. Dan Harkins, Aruba Networks

5. What’s The Problem? • 802.11’s current cryptographically strong security is limited to one particular use case– the enterprise-- where: • a AAA server is used to aggregate security services and policy. • strict roles are enforced: clients obtain network access through APs. • 802.11’s current cryptographically strong security doesn’t really work for other deployments. • Small office/home office– a stand-alone AAA server is problematic. • Networks of consumer electronics devices– a stand-alone AAA server is a non-starter and there is no real “client” and “AP” role. • Mesh and peer-to-peer applications– there is no “client” and “AP” role. • The PSK mode of 802.11i is insecure. This is a source of continued bad press for 802.11– “802.11 is still not secure”. • CCM in software is reaching performance limits with current 802.11 high-rate PHYs Dan Harkins, Aruba Networks

6. What’s the Problem? • People right now want to use 802.11 in ways that are not supported: • 11-09-0558-00-0000-bluetooth-sig-liaison-report-may-2009 • Need for secure high-speed data transfer between personal devices (non-AP STAs) but 802.11 doesn’t support that. So, use insecure Bluetooth key management to get a key and then use 802.11 for data transport. • Wi-Fi Alliance liaison report from May 2009 (verbal) • There is a compelling use case for peer-to-peer use of 802.11 but that isn’t supported in 802.11, so WFA is defining a new layer to provide the appearance of peer-to-peer. • PSK mode in 802.11 is insecure but a compelling use case for PSKs still exists so WFA is trying to come up with an adjunct protocol to lessen the security exposure– it does not eliminate it though, the solution does not achieve provable security.. • People will soon want to use 802.11 in ways that are not supported: • “smart grid” applications • People trade security for usability because 802.11 does not give them both (see 11-09-0580-00-0wng-future-security-activities). Dan Harkins, Aruba Networks

7. What’s The Solution? • Support currently unsupported use cases in 802.11 to make hacks by other SDOs unnecessary. • Provide security and usability to 802.11 • A Study Group to come up with a PAR & 5C to work on: • Secure, de-centralized, peer-to-peer authentication and key management protocols– address the Bluetooth and WFA issues • A password-based key exchange that is resistant to attack • A certificate-based key exchange • Definition (not development) of new ciphers • AES-GCM: a high-performance, single-pass, cipher for authenticated encryption • AES-SIV: a misuse-resistant cipher for authenticated encryption Dan Harkins, Aruba Networks

8. A Focus on Enhanced Security • Tight focus ensures timely results • Keep a focus on security enhancements to existing 802.11 functionality and not creation of new security algorithms, ciphers, etc. • Much of this has already been designed– GCM, SIV, SAE– so it’s a problem of defining use in 802.11. • There is a need for de-centralized security in 802.11 • Use of a PSK/password is widespread and will remain so. Unfortunately it is not secure; we should make it so. • There is market demand as shown by the work of other SDOs. • It makes sense for 802.11 to provide it instead of hoping other organizations do it (and do it right). • Data rates keep increasing, ciphers cannot be bottlenecks! • More efficient ciphers consume less power which results in longer battery life, and it’s also green. • Do security work in a security group; keep experts focused on their area of expertise. Dan Harkins, Aruba Networks

9. Motion • Move to request the 802.11 Working Group to approve and forward to the IEEE 802 Executive Committee the creation of a new IEEE 802.11 Study Group, called the Enhanced 802.11 Security Study Group (ESSG), to investigate ways to provide security enhancements to 802.11 on the following: • Secure, robust, de-centralized, peer-to-peer key management. • Faster, more robust, or more power-efficient ciphers. Upon confirmation of feasibility and per 802 operating rules, the ESSG shall draft a PAR and 5 criteria to be submitted to the 802.11 WG. Moved: Seconded: Yes: No: Abstain: Dan Harkins, Aruba Networks