Download WAPI NP proposal

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
Document related concepts
no text concepts found
Transcript 
May 2011
doc.: IEEE 802.11-11/0734r0
Liaison presentation to ISO/IEC JTC1/SC6
in relation to claims of 802.11i insecurity
9 May 2011
• This presentation is based on two liaisons from IEEE 802.11 WG to
ISO/IEC JTC1/SC6:
– N14141 (December 2009)
– N14551 (January 2011)
Submission
Slide 1
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
802.11i is secure and its alleged insecurity cannot
be used to justify a WAPI NP in SC6
The situation …
The next steps …
IEEE 802 has participated in
good faith in the WAPI NP
proposal voting and
resolution process ...
The current view of IEEE
802 is best summarized by
our conclusion in N14551
that no evidence has been
provided of security
loopholes in 802.11i …
... and yet the IEEE 802
comments and rebuttals
have been generally ignored
or dismissed
… and IEEE 802 requests
SC6 to delete invalid claims
about 802.11i and halt any
project relying on them until
the claims can be properly
justified
Submission
Slide 2
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
IEEE 802 has participated in good faith in the WAPI
NP proposal voting and resolution process ...
Oct 09: N14123
Feb 10: N14228
Oct 10: N14436
Mar 11: N14620
WAPI NP proposal
WAPI NP
voting results
Initial WAPI NP
disposition
Revised WAPI NP
disposition
O N D J F M A M J J A S O N D J F M A M J
2009 D
2010
Dec 09: N14142
IEEE 802 comments on
WAPI NP proposal
Submission
J
IEEE 802
participation
in WAPI NP
process
Slide 3
2011
Jan 11: N14551
IEEE 802 comments on
WAPI NP disposition
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
... and yet the IEEE 802 comments and rebuttals
have been generally ignored or dismissed!
Oct 09: N14123
Feb 10: N14228
Oct 10: N14436
Mar 11: N14620
Justification of WAPI
NP based on assertion
802.11i is insecure
Very few NBs appear to
have considered the
IEEE 802 rebuttal
during the WAPI NP
vote
Ignores IEEE 802
input, repeats invalid
claims about 802.11i
security & extends
them
Dismisses IEEE 802 (&
US NB) concerns on
basis that they are too
late!
O N D J F M A M J J A S O N D J F M A M J
2009 D
Dec 09: N14142
IEEE 802 rebutted all
assertions in WAPI NP
proposal about 802.11i
security
Submission
2010
J
IEEE 802
participation
in WAPI NP
process
Slide 4
2011
Jan 11: N14551
IEEE 802 rebutted all
new claims of 802.11i
insecurity, and notes
problems with WAPI
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
The justification of the WAPI NP in N14123 is
entirely based on an assertion 802.11i is insecure
• N14123 justified the WAPI NP project based on a single assertion that
IEEE 802.11i contains security loopholes
– From N14123: It is a well known fact that current WLAN international standards
contains serious security loopholes which need to be dealt with by enhanced
security mechanisms
• N14123 provided three examples of supporting evidence
– A paper titled, “WiFi Epidemiology: Can Your Neighbors’ Router Make Yours
Sick?” published in early 2008
– An article titled, “A Wi-Fi virus outbreak? Researchers say it's possible”
published in a trade magazine in late 2008
– Two papers published in late 2008 and early 2009 that describe similar
mechanisms to attack WPA systems
• If the allegation of 802.11i insecurity is invalided then N14123 does not
contain any material in the “justification” clause
Submission
Slide 5
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
In N14142 (Dec 2009), IEEE 802 rebutted all claims
of 802.11i insecurity
Claim in N14123 (WAPI NP proposal)
Rebuttal in N14142 (IEEE 802 liaison)
WiFi Epidemiology: Can Your
Neighbors’ Router Make Yours Sick?
provides evidence that 802.11i is
insecure
The paper actually focuses on APs that either have no
security or use WEP, a protocol that was deprecated with
the ratification of 802.11i in 2004 Indeed, the authors of the
paper explicitly “assume that WPA is not vulnerable to
attack”.
A Wi-Fi virus outbreak? Researchers
say it's possible provides evidence
that 802.11i is insecure
This trade magazine article merely reports on the paper
referenced above. It makes no claims about the insecurity
of 802.11i
Two papers that describe mechanisms
to attack WPA provide evidence that
802.11i is insecure
TKIP (aka WPA) was designed in 2003 with a 5 year
horizon to allow devices that implemented WEP to
transition to a higher level of security without a hardware
upgrade. The industry is in the process of deprecating
TKIP, and it is notable that TKIP is prohibited in IEEE
802.11n. The papers make no claims related to the
security of the mandatory security components (aka
WPA2)
Question: does any NB believe the “justification” is valid given the IEEE 802 rebuttal?
Submission
Slide 6
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
Very few NBs appear to have even considered the
IEEE 802 rebuttal during the WAPI NP vote
• The results of the WAPI NP vote (in N14228) indicates that very few NBs
considered the IEEE 802 comments
• The US NB submitted a number of comments in response to the WAPI
NP proposal vote
– Two comments challenged the validity of the material in the ”justification” that
claims 802.11i is insecure
– The US NB also submitted seven other substantive comments
• The UK NB submitted a comments that alluded to some technical
concerns but focused on the “standalone standard issue”
• No other NB provided substantive comments
• Question: Is it appropriate to approve a NP proposal with a justification
that that is known to be invalid?
Submission
Slide 7
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
The disposition in N14436 repeats & extend invalid
claims about 802.11i security, ignoring IEEE 802 input
• The proposed disposition of comments (in N14436) does not address the
IEEE 802 comments at all
• N14436 responds to similar US NB comments by repeating and
extending the allegations of 802.11i insecurity
– Asserting “Security loopholes in the current IS (ISO/IEC 8802-11) have been
reported in the security literature”
– Claiming that WAPI can protect against attacks by fake STAs and fake APs,
with the implication that 802.11i cannot
– Claiming that specific security problems were asserted in the fast track ballot on
802.11i in 2006
– Asserting that N14123, N14399, N14402 & N14410 all “comprehensively
address weaknesses in existing network security”
• No specific evidence of the alleged insecurity of 802.11i was included in
N14436
Submission
Slide 8
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
In N14551 (Jan 2011), IEEE 802 rebutted new claims of
802.11i insecurity & noted problems with WAPI
Claim in N14436
(WAPI NP 1st disposition)
Rebuttal in N14551
(IEEE 802 liaison)
Repeat of claims from N14123
(WAPI NP proposal in Oct 2009)
Already addressed by N14142
(liaison from IEEE 802 in Dec 2009)
N14410 refers to article IEEE
802.16 Security Issues: A Survey
published in 2008
The only criticism in this article is observation that security was not
designed into 802.11-2003. This is true but has no relevance to 802.11i2004
N14399, N14402 & N14410 all
make implicit criticisms of 802.11
security by alleging that such
systems are unable to mutually
authenticate the STA, AP & AS.
802.11 with appropriate EAP methods, will mutually authenticate the STA
& AS, while the AP & AS have a trust relationship established using a
variety of other methods. The four way handshake is used to establish
the final binding that enables the AP to attest to the STA that it was
authorized by the AS. The effect is mutual authentication.
Similar claims were made during
the Fast Track Ballot on 802.11i
in 2006.
In WAPI, the STA also cannot directly authorize the AP; instead it is
carried out via the AS. However, 802.11 has a significant advantage in
that it can be tailored using IETF EAP methods to satisfy a variety of
deployment & computation complexity tradeoffs. In contrast, WAPI has
high deployment complexity because of the need to provision certificates
in every device, and high computation complexity because of its
need to validate multiple certificates in each transaction.
Note: the US NB independently made similar rebuttals in N14549
Submission
Slide 9
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
In N14620, the objections of IEEE 802 were
disregarded on basis they are too late
• The latest proposed comment disposition (N14620) includes some
responses to comments from IEEE 802 (N14551)
• However, it dismisses the comments on the basis that the comment
disposition is no longer concerned with the WAPI NP proposal
– This comment is focusing on the Justification of ISO/IEC 20011, but it should be
noted that, the NP ballot has passed; the main comment and contribution in this
stage should be focused and changed to the editing and commenting of WD text
• Various similar comments by the US NB were similarly dismissed
Submission
Slide 10
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
The current view of IEEE 802 is best summarized by
the conclusion from N14551 (Jan 11) …
• … the fundamental justification for a WAPI NP in SC6 is based on the
assertion that there are security loopholes or flaws in mandatory security
components included in 802.11 (and its amendments). However, no valid
or credible evidence has been provided to support this assertion.
• The reality is that mandatory security components included 802.11 have
no known “security loopholes”. This statement is practically supported by
the use of 802.11 in millions of systems worldwide, in high security
applications, by governments, financial institutions, telecommunications
providers, enterprises and consumers.
• IEEE 802 requests SC6 do not consider any assertions that mandatory
security components included in 802.11 (and its amendments) are
insecure when deciding whether to authorize the WAPI NP proposal.
Alternatively, IEEE 802 invites any SC6 NB to provide valid and credible
evidence to the 820.11 WG of “serious security loopholes”.
Submission
Slide 11
802.11 WG
May 2011
doc.: IEEE 802.11-11/0734r0
… IEEE 802 requests SC6 to delete invalid claims about
802.11i & halt any project relying on these claims
• The IEEE 802 requests SC6 undertake a number of actions to satisfy our
concerns relating to the WAPI NP
• The requested actions are:
– Remove all existing allegations of insecurity of 802.11i from official SC6 output
documents
— Particularly the WAPI NP proposal and all associated comment dispositions
– Alternatively, provide credible evidence of any insecurity in 802.11i
— None has been provided to date
– Halt any new project activity that relies on the invalid assertion that 802.11i is
insecure as part of its justification
Submission
Slide 12
802.11 WG
Related documents
IEEE Press Liaison - University of Hawaii
IEEE Press Liaison - University of Hawaii
Virtual Meetings
Virtual Meetings
Call for Papers The 2009 IEEE International Workshop on Intelligent
Call for Papers The 2009 IEEE International Workshop on Intelligent
IEEE Northern Jersey Section Distinguished Lecture (SMC, CS, SP
IEEE Northern Jersey Section Distinguished Lecture (SMC, CS, SP
Slide 1
Slide 1
Title - K.f.u.p.m. ISI
Title - K.f.u.p.m. ISI
EDMA-2017 Call for Papers
EDMA-2017 Call for Papers
The Second IEEE International Workshop on Data Integration and
The Second IEEE International Workshop on Data Integration and
Synopsis - An optimized wind energy harvesting (WEH) system that
Synopsis - An optimized wind energy harvesting (WEH) system that
LB #1 Comment Summary
LB #1 Comment Summary