08/30/22 EPON Technology Team Key Management [802.1af - considerations] 2004. 5. 12 Jee-Sook Eun Electronics and Telecommunications Research Institute


04/21/23 EPON Technology Team

Key Management [802.1af - considerations]

2004. 5. 12

Jee-Sook Eun

Electronics and Telecommunications Research Institute


04/21/23 (This presentation is confidential.)

Authentication

Authentication takes place between the authentication server and the supplicant by means of EAP and EAPOL.

802.1X must be supported in the access point.

A back-end function for EAP packets must be supported on all devices between the access point and the authentication server.

[Figure: supplicant, access point (authenticator), authentication server, secured network]


Why do we need an authentication server?

Authentication is needed.

Key exchange uses public-key encryption.

Why public-key encryption?

With symmetric-key encryption, the number of keys distributed in the network is very large.

Keys are easy to exchange.

But the authentication process is very complex and expensive.

It needs 802.1X (authenticator, supplicant, authentication server).

It needs a certificate for each device. If we do not generate them, we communicate with the upper layer using the management plane. This means that link security does not operate independently.

It needs an RSA function (a very complex algorithm, and no verification so far).


Do we necessarily need an authentication server?

Even if we use symmetric-key encryption, the number of keys distributed in the network is not so large.

In a network? Right. But there is no network: only the two devices connected to one link need the symmetric key.

And the master key must be installed off-line, just like a certificate used in public-key encryption.

So confirmation of the master key can itself be an authentication.
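The idea on this slide, that confirming possession of the pre-installed master key is itself the authentication, can be shown as a nonce-based challenge-response between the two ends of one link. This is an added example, not part of the presentation and not a protocol defined by 802.1af; the message layout, the labels and the names `LinkPeer`, `prove`, `derive_link_key` and `handshake` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def prove(master_key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Proof of master-key possession, bound to both nonces and to the sender's role."""
    msg = b"auth|" + role + own_nonce + peer_nonce
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def derive_link_key(master_key: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Per-session link key, so the master key itself never protects traffic."""
    return hmac.new(master_key, b"link-key|" + nonce_a + nonce_b, hashlib.sha256).digest()


class LinkPeer:
    """One end of a point-to-point link holding an off-line installed master key."""

    def __init__(self, role: bytes, master_key: bytes):
        self.role = role                      # one byte, b"A" or b"B" (hypothetical labels)
        self.master_key = master_key
        self.nonce = secrets.token_bytes(16)  # fresh for every handshake

    def proof_for(self, peer_nonce: bytes) -> bytes:
        return prove(self.master_key, self.role, self.nonce, peer_nonce)

    def verify(self, peer_role: bytes, peer_nonce: bytes, peer_proof: bytes) -> bool:
        expected = prove(self.master_key, peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_proof)  # constant-time comparison


def handshake(key_a: bytes, key_b: bytes):
    """Run the exchange on one link; return the shared link key, or None on failure."""
    a, b = LinkPeer(b"A", key_a), LinkPeer(b"B", key_b)
    # Msg 1, A -> B: nonce_a.  Msg 2, B -> A: nonce_b, proof_b.  Msg 3, A -> B: proof_a.
    if not a.verify(b"B", b.nonce, b.proof_for(a.nonce)):
        return None  # B did not confirm the master key
    if not b.verify(b"A", a.nonce, a.proof_for(b.nonce)):
        return None  # A did not confirm the master key
    return derive_link_key(a.master_key, a.nonce, b.nonce)
```

Binding the sender's role into each proof means a proof cannot be reflected back to the side that produced it, and the fresh nonces make every run yield a different link key.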


Is there only one authentication server?

If there is only one authentication server in the whole network, all access points must have a back-end function in order to relay EAP to the authentication server.

What if there is a device in the network that does not support the back-end function?

In a wireless LAN, mobility must be supported on devices, so devices can be placed anywhere.

But in a wired LAN, mobility may be supported on devices, because once a device has been set up, it scarcely moves. The subscriber may move, and IP security is enough. The MAC security function is not on the subscriber's device, such as a PC. That is, the MAC security function usually operates on a switch, and a switch usually does not have mobility.


Are there multiple hops to reach the authentication server?

If one authentication server manages several supplicants, it is not assured that an authenticator is located within one hop of it.

Even if the authentication server is inside an authenticator, it would manage other supplicants.

Otherwise, why is an authentication server needed?


Is there more than one authentication server?

If so, whenever a device is moved to another access point, we must set its authentication information in the appropriate authentication server. This is no different from installing a symmetric key on the new device when we use symmetric-key encryption.