key management [802.1af - issues]

07/20/22 EPON Technology Team Key Management [802.1af - Issues] 2004. 5. 12 Jee-Sook Eun Electronics and Telecommunications Research Institute


Page 1: Key Management [802.1af - Issues]

04/19/23 EPON Technology Team

Key Management [802.1af - Issues]

2004. 5. 12

Jee-Sook Eun

Electronics and Telecommunications Research Institute

Page 2: Key Management [802.1af - Issues]


04/19/23 (This presentation material is confidential.)

802.1af

This is a project of the 802.1 MAC Security Task Group. It is not an amendment to IEEE Std 802.1X.

This standard need not extend 802.1X to establish security associations for 802.1ae MAC Security.

Page 3: Key Management [802.1af - Issues]


Authentication problem

Link security is between the access point and the access device.

Authentication is between the access point and the access device, too.

To authenticate the access device, we need not use 802.1X.

We can use symmetric key encryption between the access point and the access device, for many reasonable reasons.

• And we need a symmetric key. The master key, which generates the session keys, must be set before the security process.

• Confirmation of the master key is the authentication.

• This method is very simple and low cost.

Page 4: Key Management [802.1af - Issues]


Problems of 802.1x authentication

The use of IEEE Std 802.1X, already widespread and supported by multiple vendors, in additional applications. This is just an assumption. If that is not so:

• Who assures that the EAP message is relayed to the authentication server?

• We must implement 802.1X.

– This is very complex, and high cost if we develop a low-cost switch.

– And we need an authentication server in case one is absent.

– Supplicant, Authenticator and Authentication server state machines.

• For example, if there is a bridge, the bridge must have all three of the above state machines, because a bridge can be supplicant, authenticator or authentication server.

There are two security channels. One is for MAC security, the other is for key security.

• And two configuration protocols are needed, one for each, too.

• As you know, key security was made for MAC security.

Page 5: Key Management [802.1af - Issues]


Authentication as the confirmation of the master key

Very simple: if an encrypted message can be decrypted, the receiver can transmit an encrypted ack message.

Low cost: no authentication server is needed, and no KDC is needed.

• A symmetric key is available to the access point and the access device.

A secured channel can be obtained with the authentication alone, and key exchange goes through that secured channel.

There is no need to get information such as a certificate from an upper layer. Link security can be operated independently.
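The master-key confirmation described on this slide, as an added example that is not part of the original presentation: the access point and the access device each prove knowledge of the pre-set master key and derive a session key from it, with no authentication server or KDC. It assumes HMAC-SHA256 tags in place of the slide's encrypted message and encrypted ack (a decryption only confirms the key when the result is integrity-checked), and the function names, labels and nonce size are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumed size; a fixed length keeps the concatenations unambiguous


def _prf(key: bytes, label: bytes, ap_nonce: bytes, dev_nonce: bytes) -> bytes:
    """HMAC-SHA256 over a purpose label and both nonces."""
    return hmac.new(key, label + ap_nonce + dev_nonce, hashlib.sha256).digest()


def device_respond(master_key: bytes, ap_nonce: bytes):
    """Device side: answer the AP nonce with a fresh nonce and a confirmation tag."""
    dev_nonce = secrets.token_bytes(NONCE_LEN)
    session_key = _prf(master_key, b"session-key", ap_nonce, dev_nonce)
    tag = _prf(session_key, b"device-confirm", ap_nonce, dev_nonce)
    return dev_nonce, tag, session_key


def ap_verify(master_key: bytes, ap_nonce: bytes, dev_nonce: bytes, dev_tag: bytes):
    """AP side: return (ack_tag, session_key) if the device holds the master key, else None."""
    if len(ap_nonce) != NONCE_LEN or len(dev_nonce) != NONCE_LEN:
        return None
    session_key = _prf(master_key, b"session-key", ap_nonce, dev_nonce)
    expected = _prf(session_key, b"device-confirm", ap_nonce, dev_nonce)
    if not hmac.compare_digest(expected, dev_tag):  # constant-time comparison
        return None
    # A distinct label stops the device's own tag being reflected back as the ack.
    return _prf(session_key, b"ap-ack", ap_nonce, dev_nonce), session_key


def device_check_ack(session_key: bytes, ap_nonce: bytes, dev_nonce: bytes, ack_tag: bytes) -> bool:
    """Device side: the ack proves that the AP derived the same session key."""
    expected = _prf(session_key, b"ap-ack", ap_nonce, dev_nonce)
    return hmac.compare_digest(expected, ack_tag)


def run_exchange(ap_master: bytes, dev_master: bytes):
    """Three-message exchange; returns the shared session key, or None on failure."""
    ap_nonce = secrets.token_bytes(NONCE_LEN)                            # 1: AP -> device
    dev_nonce, dev_tag, dev_key = device_respond(dev_master, ap_nonce)   # 2: device -> AP
    result = ap_verify(ap_master, ap_nonce, dev_nonce, dev_tag)
    if result is None:
        return None
    ack_tag, ap_key = result                                             # 3: AP -> device (ack)
    return ap_key if device_check_ack(dev_key, ap_nonce, dev_nonce, ack_tag) else None
```

Because the session key depends on both fresh nonces, a confirmation tag recorded from an earlier run does not verify against a new access point nonce.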