Submission doc.: IEEE 802.11-15/1128r1 September 2015 Dan Harkins, Aruba Networks (an HP...
Submission
doc.: IEEE 802.11-15/1128r1
September 2015
Dan Harkins, Aruba Networks (an HP company)

Slide 1
Opportunistic Wireless Encryption
Date: 2015-09-13
Authors:
Abstract
This submission presents an idea for addressing a problem with public wi-fi hotspots
The Situation
• Wireless Internet access as an entitlement
  – “oh, no wi-fi, let’s go somewhere else”
• Coffee shop, bar, or restaurant wants to offer patrons “free wi-fi”
  – They want to provide a service but don’t want it to be a pain to configure or use
  – They want to provide some notion of both service and security to customers
The Problem
• Perpetual battle: Security vs Ease-of-Use
  – They want it to be easy-to-use
    • Don’t bug the staff too much
      – “no I said the L is capital”
    • Don’t irritate the customer
      – “wait, what? say that again”
    • Don’t require specialized knowledge
      – “what’s an ‘EAP method’?”, “How do I know what my ‘anonymous identity’ is?”, “Which of these 400 certificates do I need to select?”
  – They want some notion of security
    • Want it to be better-than-nothing security
    • Don’t want to have to get/generate/install a certificate
    • Secure access by patrons has to scale (see easy-to-use)
• Result: Both sides lose
FAIL
The Solution? OWE
• Make it simple to provision
  – just switch it on
• Make it virtually impossible to misconfigure
  – no user entry required
• Make public wi-fi “suck less” than it does when using a shared PSK
• Raise the bar that is necessary to perform pervasive monitoring just a bit higher
• OWE is an outgrowth of an IETF BOF on improving the captive portal experience
IETF Proposal
• https://tools.ietf.org/html/draft-wkumari-owe-00
  – Network appears “open” to the user (no “lock icon”)
  – Uses a Vendor Specific Element in beacons and probe responses to indicate OWE
  – After association in an OWE network, STA and AP do PSK authentication using the SSID as the password
• Upside
  – No need to explain/enter anything, just works
  – Code changes AP side are trivial; STA side, manageable
• Downside
  – Inherits all the security problems of shared PSK
  – Publicly advertises the PSK so arguably worse!
My Proposal
• Don’t do it in the IETF, let’s do it here
• AP advertises an OWE AKM
• When associating to an SSID with OWE include Diffie-Hellman exponentials in (Re)Associate Request and Response
• STA and AP perform Diffie-Hellman, use shared secret to derive a PMK
• Use this (truly pairwise) PMK with 4-way HS
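
An added example (not from the slides) contrasting the IETF draft's SSID-as-password PMK with a PMK derived from a per-association Diffie-Hellman exchange, as this slide proposes. The group (2^521 - 1 with generator 3), the HMAC-SHA256 derivation and all function names are assumptions for illustration; the slides specify none of them.

```python
import hashlib
import hmac
import secrets

# Toy group so the example runs on the standard library alone (assumption:
# the slides name no group). 2**521 - 1 is prime but NOT a vetted DH group.
P = 2**521 - 1
G = 3
N = 66  # bytes needed to hold a value mod P


def ssid_psk_pmk(ssid: str) -> bytes:
    """WPA2-PSK PMK when the passphrase is the SSID itself (IETF draft)."""
    return hashlib.pbkdf2_hmac("sha1", ssid.encode(), ssid.encode(), 4096, 32)


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_pmk(priv: int, peer_pub: int, sta_pub: int, ap_pub: int) -> bytes:
    """PMK from the DH shared secret. The KDF is hypothetical: HMAC-SHA256
    keyed with both public values, chosen only to bind the PMK to this exchange."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, priv, P).to_bytes(N, "big")
    salt = sta_pub.to_bytes(N, "big") + ap_pub.to_bytes(N, "big")
    return hmac.new(salt, secret, hashlib.sha256).digest()


def associate() -> tuple[bytes, bytes]:
    """One (Re)Associate Request/Response; returns (STA's PMK, AP's PMK)."""
    sta_priv, sta_pub = dh_keypair()   # sta_pub travels in the Request
    ap_priv, ap_pub = dh_keypair()     # ap_pub travels in the Response
    return (dh_pmk(sta_priv, ap_pub, sta_pub, ap_pub),
            dh_pmk(ap_priv, sta_pub, sta_pub, ap_pub))


if __name__ == "__main__":
    ssid = "CoffeeShopWiFi"  # constructed sample SSID
    # SSID-as-PSK: anyone who has read the beacon derives the same PMK.
    print("observer has PSK PMK:", ssid_psk_pmk(ssid) == ssid_psk_pmk(ssid))
    sta1, ap1 = associate()
    sta2, ap2 = associate()
    print("STA and AP agree:", sta1 == ap1 and sta2 == ap2)
    print("PMK differs per association:", sta1 != sta2)
```

The SSID-derived PMK depends only on a value broadcast in every beacon, while each DH-derived PMK depends on private values that never leave the STA or the AP.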
Benefits
• More secure than a shared PSK
  – Not susceptible to passive attack
  – All those tools downloadable from Internet to crack PSKs won’t work!
• Easier to set-up than PSK
  – Nothing to provision or describe, no user error
• Easier to use by customers
  – Absolutely nothing needed to do! It just works.
• Makes pervasive monitoring that much harder
• Easier to use plus better security! Winner, winner!
Thank You!
Questions?
OWE Straw Poll
• Option 1: Good idea, we should do it!
• Option 2: Bad idea, let the IETF do it!
• Option 3: I was reading my email and not paying attention, sorry.