key management (802.1af-considerations)
Key Management
[802.1af - considerations]
2004. 5. 12
Jee-Sook Eun
Electronics and Telecommunications Research Institute
3/27/2016
EPON Technology Team
Authentication
Authentication runs between the authentication server and the supplicant by means of EAP and EAPOL.
802.1X must be supported in the access point.
A back-end function for EAP packets must be supported on all devices between the access point and the authentication server.
Figure: Supplicant, Access point (Authenticator), Authentication server (secured network)
(This presentation material is confidential.)
Why do we need an authentication server?
Authentication is needed.
Key exchange uses public-key encryption.
Why public-key encryption?
In symmetric-key encryption, the number of keys distributed in the network is very large.
Public keys are easy to exchange.
But the authentication process is very complex and expensive:
It needs 802.1X (authenticator, supplicant, authentication server).
It needs certificates for each device; if we do not generate them ourselves, we must communicate with the upper layer through the management plane. This means that link security does not operate independently.
It needs an RSA function (a very complex algorithm, with no verification so far).
Do we necessarily need an authentication server?
Even though we use symmetric-key encryption, the number of keys distributed in the network is not so numerous.
In a network? Right.
But here there is no network: only the two devices connected at one link need the symmetric key.
And the master key must be installed off-line, just as a certificate used in public-key encryption is.
So confirmation of the master key itself can serve as authentication.
Is there only one authentication server?
If there is only one authentication server in the whole network, all access points must have the back-end function in order to relay EAP to the authentication server.
What if there is one device in the network that does not support the back-end function?
In a wireless LAN, mobility must be supported on devices, so devices can be placed anywhere.
But in a wired LAN, mobility may not be needed on devices, because once a device has been set up it scarcely moves. The subscriber may move, but IP security is enough for that. The MAC security function is not on the subscriber's device, such as a PC; that is, the MAC security function usually operates on a switch, and a switch usually does not have mobility.
Are there multiple hops to reach the authentication server?
If there is one authentication server managing several supplicants, it is not assured that an authenticator is placed within one hop's distance.
Even if the authentication server is inside the authenticator, it would manage other supplicants.
Otherwise, why would an authentication server be needed?
What if there are more authentication servers?
If so, whenever a device is moved to another access point, we must set its authentication information in the appropriate authentication server. This is no different from installing a symmetric key on the new device when we use symmetric-key encryption.