doc.: IEEE 802.11-13/0026r0
Submission, January 2013
Yongho Seok, LG Electronics
Slide 1

Security Procedure for Long Sleeper

Date: 2013-01-13

Authors (Name; Affiliation; Address; Phone; Email):

Yongho Seok; LG Electronics; LG R&D Complex, Anyang-Shi, Kyungki-Do, Korea; +82-31-450-1947; [email protected]
Minyoung Park; Intel; Hillsboro, OR; +1 503 712 4705; minyoung.park@intel.com
Jinsoo Choi; LG Electronics
Jeongki Kim; LG Electronics
Hangyu Cho; LG Electronics
Matthew Fischer; Broadcom; [email protected]
Eric Wong; Broadcom; Sunnyvale, CA; +1 408 922 6672; [email protected]
Tom Tetzlaff; Intel
Emily Qi; Intel
Simone Merlin; Qualcomm; San Diego, CA; +1 858 845 1243; [email protected]
Amin Jafarian; Qualcomm
Bin Tian; Qualcomm
Santosh Abraham; Qualcomm
Menzo Wentink; Qualcomm
Hemanth Sampath; Qualcomm
VK Jones; Qualcomm

Upload: margaretmargaret-matthews

Post on 18-Jan-2018


DESCRIPTION

doc.: IEEE 802.11-13/0026r0, Submission, January 2013, Yongho Seok, LG Electronics, Slide 3

Authors (Name; Affiliation):

Sayantan Choudhury; Nokia
Klaus Doppler; Nokia
Chittabrata Ghosh; Nokia
Esa Tuomaala; Nokia
Ken Mori; Panasonic
Rojan Chitrakar; Panasonic
Haiguang Wang; I2R
Shoukang Zheng; I2R
Yeow Wai Leong; I2R
Zander Lei; I2R
Jaya Shankar; I2R
Anh Tuan Hoang; I2R
Joseph Teo Chee Ming; I2R
Anna Pantelidou; Renesas Mobile
Juho Pirskanen; Renesas Mobile
Timo Koskela; Renesas Mobile
Liwen Chu; STMicroelectronics
George Vlantis; STMicroelectronics

TRANSCRIPT


Slide 2

Authors (Name; Affiliation; Address; Email):

Hongyuan Zhang; Marvell
Sudhir Srinivasa; Marvell
George Calcev; Huawei; Rolling Meadows, IL; [email protected]
Osama Aboul Magd; Huawei
Young Hoon Kwon; Huawei
Betty Zhao; Huawei
David Yangxun; Huawei
Bin Zhen; Huawei
ChaoChun Wang; MediaTek
James Wang; MediaTek
Jianhan Liu; MediaTek
Vish Ponnampalam; MediaTek
James Yee; MediaTek
Huai-Rong Shao; Samsung Electronics
Chiu Ngo; Samsung Electronics
Minho Cheong; ETRI
Jae Seung Lee; ETRI
Hyoungjin Kwon; ETRI
Jaewoo Park; ETRI
Sok-kyu Lee; ETRI
Sun, Bo; ZTE
Lv, Kaiying; ZTE


Slide 4: Introduction

• IEEE 802.11w is the standard that supports protected management frames.

• The Wi-Fi Alliance also provides a certification program for protected management frames as one of its core programs.
  – Protected Management Frames: Wi-Fi CERTIFIED WPA2 with Protected Management Frames provides a WPA2-level of protection for unicast and multicast management action frames, http://www.wi-fi.org/certification/programs

• One of the mandatory features of protected management frames is the Security Association (SA) Query procedure.

Slide 5: Background of SA Query Procedure

• If an AP has a valid security association for a non-AP STA:
  – The SME shall reject the Association Request by generating an MLME-ASSOCIATE.response primitive with ResultCode “Association request rejected temporarily; try again later.”
  – The SME shall include in the MLME-ASSOCIATE.response primitive a Timeout Interval element with Timeout interval type set to 3 (Association Comeback time), specifying a comeback time when the AP would be ready to accept an association with this STA.
  – Following this, the SME shall issue one MLME-SAQuery.request primitive addressed to the STA every dot11AssociationSAQueryRetryTimeout TUs until a matching MLME-SAQuery.confirm primitive is received or dot11AssociationSAQueryMaximumTimeout TUs from the beginning of the SA Query procedure have passed.

Slide 6: Background of SA Query Procedure

• Security Association Query Procedure Example

[Figure: message sequence chart with the participants AP, STA and Attacker; AP and STA have a valid security association. Messages, in the order extracted: Association Request; Association Response; SA Query Request; SA Query Response; Association Request; Association Response. Result Code shown twice: “Association requested rejected temporarily: try again later.” Intervals marked: Association Comeback Time; dot11AssociationSAQueryMaximumTimeout.]

Slide 7: Background of SA Query Procedure

• Security Association Query Procedure Example

[Figure: message sequence chart with the participants AP, STA and Attacker; AP and STA have a valid security association, and the STA is recovered from a failure. Messages shown: Association Request; Association Response; SA Query Request (twice); Association Request; Association Response. Result Codes shown: “Association requested rejected temporarily: try again later.” and “Success.” Intervals marked: Association Comeback Time; dot11AssociationSAQueryMaximumTimeout.]

Slide 8: Problem Definition

• A low-power STA may wake up only at very long intervals (e.g., 10 minutes).

• So, long sleepers may not receive the SA Query Request frame even though they have a valid security association.
  – If an MLME-SAQuery.confirm primitive with an outstanding transaction identifier is not received within the dot11AssociationSAQueryMaximumTimeout period, the SME shall allow the association process to be started without starting an additional SA Query procedure.

• dot11AssociationSAQueryMaximumTimeout specifies the number of time units (TUs) that an AP can wait, from the scheduling of the first SA Query Request, before allowing the association process to be started without starting an additional SA Query procedure if a successful SA Query Response is not received. The default value is 1 second.

Slide 9: Problem Definition

• Because the STA does not reply to the SA Query Request frame, an attacker can associate with the AP, which destroys the security association of the STA.

[Figure: message sequence chart with the participants AP, STA and Attacker. Messages shown: Association Request; Association Response; SA Query Request (twice); Association Request; Association Response. Result Codes shown: “Association requested rejected temporarily: try again later.” and “Success.” Intervals marked: Association Comeback Time; dot11AssociationSAQueryMaximumTimeout.]

Slide 10: Proposal

• AP Behavior
  – To protect a security association from a DoS attack, the AP should provide the dot11AssociationSAQueryMaximumTimeout value to a non-AP STA.

• STA Behavior
  – To protect against the DoS attack, the non-AP STA shall wake to listen for the SA Query Request frame at an interval of dot11AssociationSAQueryMaximumTimeout.
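The timing argument of the Problem Definition and Proposal slides can be checked with a small model of the AP-side SA Query procedure. This is an added example, not part of the submission: the `Sta` class, the function names, the 201 TU retry value and the 1000 TU approximation of the 1 second default are assumptions, as is the rule that a request still pending when the STA wakes is delivered and answered.

```python
from dataclasses import dataclass

REJECTED = "Association request rejected temporarily; try again later."
SUCCESS = "Success."
MAX_TIMEOUT_TU = 1000   # assumed: ~1 second default from the slides (1 TU = 1024 us)
RETRY_TIMEOUT_TU = 201  # constructed sample value, not taken from the slides

@dataclass
class Sta:
    wake_interval_tu: int  # period between wake-ups
    first_wake_tu: int     # phase: first wake-up at or after t = 0

    def next_wake(self, t):
        """Earliest wake-up time >= t."""
        if t <= self.first_wake_tu:
            return self.first_wake_tu
        periods = -(-(t - self.first_wake_tu) // self.wake_interval_tu)  # ceiling
        return self.first_wake_tu + periods * self.wake_interval_tu

def sa_query(sta, start_tu, retry_tu=RETRY_TIMEOUT_TU, max_tu=MAX_TIMEOUT_TU):
    """AP side of the SA Query procedure. Returns (answered, requests_sent).
    Assumption: a request pending when the STA wakes is delivered and answered."""
    deadline = start_tu + max_tu
    wake = sta.next_wake(start_tu)
    answered = wake < deadline
    stop = wake if answered else deadline - 1
    sent = sum(1 for t in range(start_tu, deadline, retry_tu) if t <= stop)
    return answered, sent

def association_attempt(sta, request_tu, **timers):
    """Result codes the AP returns to an Association Request that arrives while it
    holds a valid SA for the STA, and to the retry after the comeback time."""
    answered, _ = sa_query(sta, request_tu, **timers)
    return [REJECTED, REJECTED if answered else SUCCESS]

def exposed_fraction(wake_interval_tu, max_tu=MAX_TIMEOUT_TU, step=1):
    """Share of request arrival times for which the SA Query goes unanswered."""
    arrivals = range(0, wake_interval_tu, step)
    lost = sum(1 for t in arrivals
               if not sa_query(Sta(wake_interval_tu, 0), t, max_tu=max_tu)[0])
    return lost / len(arrivals)
```

With a wake interval equal to `MAX_TIMEOUT_TU`, `exposed_fraction` is 0.0 for every phase, while a sleeper that wakes every 4000 TU leaves three quarters of arrival times unprotected.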

Slide 11: Conclusion

• In this contribution, we propose a security association procedure for a long sleeper.
  – To protect against the DoS attack, the AP needs to provide the dot11AssociationSAQueryMaximumTimeout value to its associated STA.

Slide 12: Straw Poll

• Do you support that an AP include dot11AssociationSAQueryMaximumTimeout in an Association Response frame or Re-association Response frame with the status code set to success?