L2 Per Frame Authentication Necessity in IEEE 802.11-18

june 2018 n.w
1 / 8
Embed
Share

Understanding the importance of Layer 2 per frame authentication in IEEE 802.11-18 for BCS security. The presentation by Hitoshi Morioka from SRC Software delves into the need for per-frame authentication to prevent malicious attacks, such as DoS attacks and rogue access point setups, emphasizing the vulnerabilities in existing authentication methods and proposing solutions for robust security measures.

  • IEEE 802.11
  • Authentication
  • Security
  • Layer 2
  • Hitoshi Morioka
rayaanacharya
mar_top Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. June 2018 doc.: IEEE 802.11-18/1090r0 Reason Why L2 Per Frame Authentication Is Required Date: 2018-06-18 Authors: Name Hitoshi Morioka Affiliations Address SRC Software Phone +81-92-791- 5766 email hmorioka@src-soft.com 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-001 JAPAN Slide 1 Submission Hitoshi Morioka, SRC Software

  2. June 2018 doc.: IEEE 802.11-18/1090r0 Abstract This presentation describes the reason why L2 per frame authentication is required for BCS. Slide 2 Submission Hitoshi Morioka, SRC Software

  3. doc.: IEEE 802.11-18/1090r0 June 2018 System Structure Assumption STA Internet Server AP STA STA IP Multicast IEEE802.11 Multicast Simplify Server AP STA Router STA selects information by ID of information (e.g. SSID) Hitoshi Morioka, SRC Software Slide 3 Submission

  4. doc.: IEEE 802.11-18/1090r0 June 2018 Case 1: No Authentication Server AP STA Router Spoofing MAC address and Information ID Rogue AP If no authentications are provided, a malicious user can make a fake AP easily by spoofing AP s MAC address and Information ID. Rogue AP can do the following attacks. DoS attack by injecting invalid frames to the stream Distributing fake information Hitoshi Morioka, SRC Software Slide 4 Submission

  5. doc.: IEEE 802.11-18/1090r0 June 2018 Case 2: Existing GTKSA Server AP STA Router Spoofing MAC address and Information ID Rogue AP The existing GTKSA provides per frame authentication and encryption to the multicast frames. The GTKSA uses symmetric algorithm. A malicious user who can join the GTKSA can make a fake AP. The existing GTKSA is not suitable for public use. Hitoshi Morioka, SRC Software Slide 5 Submission

  6. doc.: IEEE 802.11-18/1090r0 June 2018 Case 3: Application Layer Per Packet Authentication (No Fragmentation) Preinstalled CA Public Key Server AP STA Router Public Key Sign by CA Private Key Verify Sign Data Data Data Data Data Data Verify Sign Sign Sign Sign Sign Sign The server generates private/public key pair. The CA signs the server s public key. The server distributes the public key to STAs with CA signature. The STAs verify the server s public key by preinstalled CA s public key. The server signs each packet by the private key. The STAs can verify each packet by the public key. If the packets are never fragmented by the router on the path, it will work well. Hitoshi Morioka, SRC Software Slide 6 Submission

  7. doc.: IEEE 802.11-18/1090r0 June 2018 Case 4: Application Layer Per Packet Authentication (With Fragmentation) Public Key Private Key Server Router AP STA Data Data Data Data Data Data Invalid Sign Sign Invalid Sign Data Malicious Sign Same as Case 3 except the router fragments packets. If an invalid frame is injected between fragmented packets, the STA will fail to verify and discard whole packet. Malicious user can cause DoS attack by injecting an invalid frame between fragmented packets. For unicast, the server can avoid fragmentation by performing path MTU discovery and use DF flag. For multicast, the server cannot perform path MTU discovery and the routers never returns ICMP fragmentation required message even if the packet size exceeds MTU. (IPv4) Hitoshi Morioka, SRC Software Slide 7 Submission

  8. doc.: IEEE 802.11-18/1090r0 June 2018 Case 5: L2 Per Frame Authentication Public Key Private Key Server Router AP STA Data Data Data Data Invalid Data Sign Sign Malicious The AP generates private/public key pair. The AP distributes the public key to STAs. The AP signs each frame by the private key. The STA can verify each frame by the public key. The STA can detect invalid frames and discard them. Of course, it can be used with application layer authentication. Hitoshi Morioka, SRC Software Slide 8 Submission

Related


Implementing 2FA for UW Azure AD: Best Practices and Options

Implementing 2FA for UW Azure AD: Best Practices and Options

adlai
Security and Authentication in Electronic Filing Systems: Arkansas Subcommittee Report

Security and Authentication in Electronic Filing Systems: Arkansas Subcommittee Report

harri
DAVA Drugs Authentication & Verification Application by National Informatics Centre

DAVA Drugs Authentication & Verification Application by National Informatics Centre

ruxt_322
Wide Area Networking Using Frame Relay Cloud

Wide Area Networking Using Frame Relay Cloud

burl_nal
Setting Up Multi-Factor Authentication at Moraine Park

Setting Up Multi-Factor Authentication at Moraine Park

leid_3
Authentication Mechanisms and Security Vulnerabilities

Authentication Mechanisms and Security Vulnerabilities

lev_tre
Evolution of User Authentication Practices: Moving Beyond IP Filtering

Evolution of User Authentication Practices: Moving Beyond IP Filtering

rin_fi
Mitigating Client Frame Tracking in IEEE 802.11 Networks

Mitigating Client Frame Tracking in IEEE 802.11 Networks

ahund
Spatial Error in Photogrammetry

Spatial Error in Photogrammetry

stev_9
Kerberos Authentication in Network Security

Kerberos Authentication in Network Security

pcapp
Ambiguity of Reason in Philosophy Through Historical Perspectives

Ambiguity of Reason in Philosophy Through Historical Perspectives

aulania
Secure Authentication Using ISO 15693 RFID Tags

Secure Authentication Using ISO 15693 RFID Tags

rtrez
Authentication and Authorization in Information Assurance

Authentication and Authorization in Information Assurance

zam_nus
Reason as a Way of Knowing

Reason as a Way of Knowing

wier_imy
Authentication and Message Authentication in Network Security

Authentication and Message Authentication in Network Security

lein_aye
Authentication in Networking Environments

Authentication in Networking Environments

bolander_j
Seeking a General-Purpose CCSDS Link Layer Protocol: Next-Generation Data Link Protocol (NGDLP)

Seeking a General-Purpose CCSDS Link Layer Protocol: Next-Generation Data Link Protocol (NGDLP)

constante_m
Anti-Shoulder Surfing based Authentication Mechanism using Graphical Passwords

Anti-Shoulder Surfing based Authentication Mechanism using Graphical Passwords

brne727
Authentication Overview: Definition and Means

Authentication Overview: Definition and Means

juliean
Deflection for Frame by Unit Load Method

Deflection for Frame by Unit Load Method

gtyz

More Related Content