Enhancing Pre-Association Management Frame Protection in IEEE 802.11 Networks

december 2022 n.w
1 / 16
Embed
Share

Explore the discussion on protecting management frames before RSNA establishment in IEEE 802.11 networks to address vital requirements, utilizing mechanisms like 802.11w and related protocols. Learn about the key aspects of management frame protection, such as encryption methods for unicast and broadcast frames, secret key generation, and frame integrity measures, to ensure robust network security.

  • IEEE 802.11
  • Management Frame Protection
  • Network Security
  • RSNA Establishment
  • Encryption
rayaanacharya
div_con Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. December 2022 doc.: IEEE 802.11-22/1666r2 Pre-Association Management Frame Protection Date: 2022-12-7 Authors: Name Okan Mutgan Affiliations Nokia Address Phone email okan.mutgan@nokia- sbell.com zhijie.yang@nokia- sbell.com jianguo.a.liu@nokia- sbell.com Jay Yang Nokia Liu Jianguo Nokia Submission Slide 1 Okan Mutgan, Nokia

  2. December 2022 doc.: IEEE 802.11-22/1666r2 Abstract Some requirements in requirements document (22/1848r16) specify protection for management frames. Some of them are management frames after RSNA is established, some of them are management frames before RSNA is established. The current management frame protection (802.11w and related mechanisms) requires RSNA establishment. However, requirements document also needs to address management frame protection before RSNA. This document discusses how to protect management frames before RSNA. Submission Slide 2 Okan Mutgan, Nokia

  3. December 2022 doc.: IEEE 802.11-22/1666r2 Background Information 802.11w Protected Management Frames (PMF) In 802.11w, when a non-AP STA associates with AP, they determine a secret key and protect the unicast/broadcast management frames as follows: Broadcast/multicast management frames are protected by MME (Management MIC Element) with IGTK. *Previously known as MMIE IPN (IGTK packet number) protects replay attack, MIC (Message Integrity Code) makes sure the frame is not changed (i.e. integrity ). Unicast management frames are protected by encrypting the payload (as in data frames) with PTK. Note that encrypted payload contains PN (packet number) and MIC to provide protection for replay attack and integrity. Beacon is protected by MME (like broadcast management frames) but with BIGTK. Submission Slide 3 Okan Mutgan, Nokia

  4. December 2022 doc.: IEEE 802.11-22/1666r2 Background Information 802.11w Protected Management Frames (PMF) Example: Submission Slide 4 Okan Mutgan, Nokia

  5. December 2022 doc.: IEEE 802.11-22/1666r2 Background Information Take-aways: 802.11w defines management frame protection (MFP) for RSNA: Unicast management frames are protected in way that the payload is encrypted. Broadcast management frames are protected in a way that the payload is not encrypted, but an information element (i.e. MME) is attached to the payload. For unicast and broadcast management frame protection, a secret key (e.g. PTK->TK, IGTK, WIGTK, WTK) is generated for RSNA, and deleted after RSNA is terminated (i.e. disassociation) Within this context, it is described as follows in 802.11 spec: when Management Frame Protection is negotiated dot11RSNAProtectedManagementFramesActivated 802.11bi can protect required management frames by using 802.11w after RSNA is established (22/1975r0 - proposed spec texts for protected version of unicast management frames basically protecting some action frames) 802.11bi currentlycan t protect the management frames by using 802.11w before RSNA is established. -> Some of the management frames before RSNA include probe, authentication, (re)association frames, some action frames. -> These frames can also be called pre-association management frames Submission Slide 5 Okan Mutgan, Nokia

  6. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Q: How to protect pre-association management frames? A: Store a secret key, then you can protect pre-association frames with a similar mechanism as 802.11w. AP Non-AP STA RSNA Establishment - generate RSNA keys (such as PTK, GTK etc.) and delete keys after disassociation - generate and store a secret key (key1) to protect future pre-association management frames 1st Assoc Protect pre-association management frames with stored key (key1) 2nd Assoc RSNA Establishment - generate RSNA keys (such as PTK, GTK etc.) and delete keys after disassociation - generate and store a secret key (key2) to protect future pre-association management frames Protect pre-association management frames with stored key (key2) 3rd Assoc RSNA Establishment - generate RSNA keys (such as PTK, GTK etc.) and delete keys after disassociation - generate and store a secret key (key3) to protect future pre-association management frames Submission Slide 6 Okan Mutgan, Nokia

  7. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Further discussion - The stored key should be different than any other key generated for RSNA in order not to compromise any other operations. For example, storing PTK would not be desirable. - The current encryption mechanisms (CCMP/GCMP) can still be used. - This proposal looks more compatible with unicast pre-association management frames. In other words, protecting pre-association broadcast management frames might not be ideal. - The current 11w relies mostly on verified/authenticated MAC address (i.e. MAC address is verified/authenticated in RSNA establishment). The key is mapped to verified/authenticated. In pre-association, the MAC address is not verified/authenticated because it is before RSNA establishment. However, the stored secret key can be used for verification. - This might increase the complexity (such as key search). Why? (next slide) Submission Slide 7 Okan Mutgan, Nokia

  8. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Complexity issue (such as key search) Note that the STA MAC changed (randomized) High computations and complexity! Submission Slide 8 Okan Mutgan, Nokia

  9. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Complexity issue (such as key search) To overcome complexity issue, an approach would be to send index number so that AP can find the key quickly. No computations and complexity! Submission Slide 9 Okan Mutgan, Nokia

  10. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Complexity issue (such as key search) However, if a STA always sends the same index (e.g. index3), trackability becomes issue. Therefore, better to change the index in each frame. Submission Slide 10 Okan Mutgan, Nokia

  11. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Complexity issue (such as key search) - Index can be carried as an information element, and does not need to be encrypted. - Because it is not encrypted, it should follow a random pattern to reduce trackability. For example, for STA3 (carrying index 3.x for key3) index 3.1 = 150, index 3.2 = 265, index 3.3 = 78 etc. In other words, index -> index.next (not index++) - The construction of index is TBD. Submission Slide 11 Okan Mutgan, Nokia

  12. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Which requirements would benefit from this proposal? 1 11bi shall define a mechanism to prevent an eavesdropper distinguishing whether authentication exchanges between CPE Clients and CPE AP use identical SAE credentials or distinct SAE credentials (where a CPE AP supports multiple SAE credentials). I1, I5 Approved Approved (Motion #13, 13 May 2022) Because of authentication frame usage 2 11bi shall define a mechanism to prevent an eavesdropper distinguishing whether reassociation exchanges between CPE Clients and CPE APs use identical PMK or distinct PMK Because of (re)association req and FILS authentication frame usage I1, I5 Approved Approved (Motion #13, 13 May 2022) 5 11bi shall define a mechanism for a CPE Client and CPE AP to protect the (Re)Association Request/Response. I2 Approved Approved (Motion #13, 13 May 2022) Because of (re)association req and resp Submission Slide 12 Okan Mutgan, Nokia

  13. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Which requirements would benefit from this proposal? 21 11bi shall define a mechanism to protect the Frame Body field of the (Re)Association Request frame I2 Approved Approved (Motion #13, 13 May 2022) Because of (re)association req frame usage 22 11bi shall define a mechanism to protect the Frame Body field of the (Re)Association Response frame I2 Approved Approved (Motion #13, 13 May 2022) Because of (re)association resp frame usage 48 11bi shall define a mechanism for a CPE Client and CPE AP to carry 802.1X EAPOL PDUs in Authentication frames to perform IEEE 802.1X authentication. I2 Approved Approved (Motion #20, 14 Sept 2022) Because of authentication frame usage 53 11bi shall define a mechanism that will allow a non-AP STA to verify the identity of a known AP before association (without exposing its identity). Approved Approved (Motion #25, 15 Sept 2022) Probably because of probe resp, authentication, association resp Submission Slide 13 Okan Mutgan, Nokia

  14. December 2022 doc.: IEEE 802.11-22/1666r2 Proposal Additional considerations There is a requirement that generate key in authentication frame exchange. 4 11bi shall define a mechanism for a CPE Client and CPE AP to establish keys from an Authentication exchange which can then be used to protect the (Re)Association Request/Response. I2 Approved Approved (Motion #13, 13 May 2022) - This approach (key generation in authentication frame exchange) might protect (re)association request/response. The proposal in this document can also address the intended outcome ((Re)Association Request/Response protection) of this requirement. - The proposal in this document also considersprotecting authentication frames. Submission Slide 14 Okan Mutgan, Nokia

  15. December 2022 doc.: IEEE 802.11-22/1666r2 Summary The protection mechanism for pre-association management frames is proposed. To enable this kind of protection, a stored secret key is proposed to be used. The encryption methods can be very similar to the existing 11w encryption methods. To reduce complexity (key search), an index-based idea is introduced. This kind of protection mechanism seems more compatible with unicast management frames. Submission Slide 15 Okan Mutgan, Nokia

  16. December 2022 doc.: IEEE 802.11-22/1666r2 Thanks! Submission Slide 16 Okan Mutgan, Nokia

Related


Nevada Restaurant Association Media Kit

Nevada Restaurant Association Media Kit

zero
Discover the Hottest In-Frame Kitchen Designs of 2024

Discover the Hottest In-Frame Kitchen Designs of 2024

Exquisite
The Great Fire of London

The Great Fire of London

wynn
IEEE 802.11-21/1737r0 Beacon and Group Frames Information

IEEE 802.11-21/1737r0 Beacon and Group Frames Information

blessing
Soil Conservation Practices: Building an A-Frame for Erosion Control

Soil Conservation Practices: Building an A-Frame for Erosion Control

amias
The General Data Protection Regulation (GDPR) and Data Protection Bill

The General Data Protection Regulation (GDPR) and Data Protection Bill

helena
Groundskeeping Safety and Personal Protective Equipment Training

Groundskeeping Safety and Personal Protective Equipment Training

ives
Game Programming Patterns Game Loop Summary

Game Programming Patterns Game Loop Summary

gissellsp
Operational Guidelines of the WCA 2020 Agricultural Census Frame Preparation

Operational Guidelines of the WCA 2020 Agricultural Census Frame Preparation

charlia
Creating an Archery VR Game with A-Frame and Unity - Project Journey

Creating an Archery VR Game with A-Frame and Unity - Project Journey

le_lin
Wide Area Networking Using Frame Relay Cloud

Wide Area Networking Using Frame Relay Cloud

burl_nal
IEEE 802.11-20/0834r1: Recap of Association and Fast BSS Transition

IEEE 802.11-20/0834r1: Recap of Association and Fast BSS Transition

ahint
Mitigating Client Frame Tracking in IEEE 802.11 Networks

Mitigating Client Frame Tracking in IEEE 802.11 Networks

ahund
Spatial Error in Photogrammetry

Spatial Error in Photogrammetry

stev_9
IEEE 802.11-17-1728-01-000m: Frame Body Capture Effect Study

IEEE 802.11-17-1728-01-000m: Frame Body Capture Effect Study

choudhury_c
Towards Low-Bandwidth Video Chats on Smartphones

Towards Low-Bandwidth Video Chats on Smartphones

leay_7
IEEE 802.11-22/0955r0 TGbh Pre-association Schemes Exploration

IEEE 802.11-22/0955r0 TGbh Pre-association Schemes Exploration

omcpi
Kookmin University PHY and MAC Proposal for Image Sensor Communication

Kookmin University PHY and MAC Proposal for Image Sensor Communication

jmichm
IEEE 802.11-15/1312r2 Multiuser Block ACK Request Format

IEEE 802.11-15/1312r2 Multiuser Block ACK Request Format

inaa_953

More Related Content