key management [802.1af - issues]
04/19/23 EPON Technology Team
Key Management [802.1af - Issues]
2004. 5. 12
Jee-Sook Eun
Electronics and Telecommunications Research Institute
04/19/23 (This presentation material is confidential.)
802.1af
This is a project of the 802.1 MAC Security Task Group. It is not an amendment to IEEE Std 802.1X.
This standard need not extend 802.1X to establish security associations for 802.1ae MAC Security.
Authentication problem
Link security is between the access point and the access device. Authentication is between the access point and the access device, too.
In order to authenticate the access device, we need not use 802.1X. We can use symmetric key encryption between the access point and the access device, for many good reasons.
• And we need a symmetric key. The master key that generates the session keys must be set before the security process.
• Confirmation of the master key is authentication.
• This method is very simple and low cost.
Problems of 802.1X authentication
The use of IEEE Std 802.1X, already widespread and supported by multiple vendors, in additional applications. This is just an assumption. If it is not so:
• Who assures that the EAP message is relayed to the authentication server?
• We must implement 802.1X.
– This is very complex and high cost if we develop a low-cost switch.
– And we need an authentication server if one is absent.
– Supplicant, Authenticator and Authentication Server state machines
• For example, if there is a bridge, the bridge must have all three of the above state machines, because a bridge can be a supplicant, an authenticator or an authentication server.
There are two security channels. One is for MAC security, the other is for key security.
• And two configuration protocols are needed, one for each, too.
• As you know, key security was made for MAC security.
Authentication as confirmation of the master key
Very simple: if the encrypted message can be decrypted, the receiver can transmit an encrypted ack message.
Low cost: no authentication server is needed, and no KDC is needed.
• A symmetric key is available for the access point and the access device.
A secured channel can be obtained with only an authentication. Key exchange goes through the secured channel.
No information such as a certificate is needed from the upper layer. Link security can be operated independently.
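
An added sketch (not part of the presentation) of authentication by master-key confirmation between an access point and an access device, with the session key generated from the pre-set master key. The slides name no cipher or message format, so HMAC-SHA256 tags stand in for the "can it be decrypted" check, and the nonces, key derivation and all function names are assumptions:

```python
import hashlib
import hmac
import secrets

def derive_session_key(master_key: bytes, nonce_ap: bytes, nonce_dev: bytes) -> bytes:
    """Session key from the pre-set master key and both nonces (assumed KDF)."""
    return hmac.new(master_key, b"session|" + nonce_ap + nonce_dev, hashlib.sha256).digest()

def confirm_tag(session_key: bytes, role: bytes, nonce_ap: bytes, nonce_dev: bytes) -> bytes:
    # The role label keeps the device's proof from being reflected back as the ack.
    return hmac.new(session_key, role + nonce_ap + nonce_dev, hashlib.sha256).digest()

def device_respond(master_key: bytes, nonce_ap: bytes):
    """Access device: answer the access point's challenge."""
    nonce_dev = secrets.token_bytes(16)
    key = derive_session_key(master_key, nonce_ap, nonce_dev)
    return nonce_dev, confirm_tag(key, b"DEV", nonce_ap, nonce_dev), key

def ap_verify(master_key: bytes, nonce_ap: bytes, nonce_dev: bytes, dev_tag: bytes):
    """Access point: confirm the device holds the master key, then build the ack."""
    key = derive_session_key(master_key, nonce_ap, nonce_dev)
    if not hmac.compare_digest(dev_tag, confirm_tag(key, b"DEV", nonce_ap, nonce_dev)):
        return None  # wrong master key, or a response replayed from an older run
    return confirm_tag(key, b"AP", nonce_ap, nonce_dev), key

def device_check_ack(key: bytes, nonce_ap: bytes, nonce_dev: bytes, ack: bytes) -> bool:
    """Access device: the ack proves the access point holds the master key too."""
    return hmac.compare_digest(ack, confirm_tag(key, b"AP", nonce_ap, nonce_dev))

def handshake(ap_master: bytes, dev_master: bytes):
    """Run one exchange; return the shared session key, or None on failure."""
    nonce_ap = secrets.token_bytes(16)                                   # AP -> device
    nonce_dev, dev_tag, dev_key = device_respond(dev_master, nonce_ap)   # device -> AP
    result = ap_verify(ap_master, nonce_ap, nonce_dev, dev_tag)
    if result is None:
        return None
    ack, ap_key = result                                                 # AP -> device
    if not device_check_ack(dev_key, nonce_ap, nonce_dev, ack):
        return None
    return ap_key

if __name__ == "__main__":
    mk = secrets.token_bytes(32)  # constructed master key, provisioned on both ends
    print("same master key:", handshake(mk, mk) is not None)
    print("different master key:", handshake(mk, secrets.token_bytes(32)) is not None)
```

The fresh nonce from each side is what makes a captured response useless in a later run; without it, confirmation of a static master key could be replayed.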