04/21/23 EPON Technology Team
Key Management [802.1af considerations]
2004. 5. 12
Jee-Sook Eun
Electronics and Telecommunications Research Institute
04/21/23 (This presentation material is confidential.)
Authentication
- Performed between the Authentication server and the Supplicant by means of EAP and EAPOL.
- 802.1X must be supported in the Access Point.
- A back-end function for EAP packets must be supported on all devices between the Access Point and the Authentication server.
[Figure: secured network; Supplicant, Access Point (Authenticator), Authentication server]
Why do we need an Authentication server?
- Authentication is needed. Key exchange uses public-key encryption.
- Why public-key encryption?
  - With symmetric-key encryption, the number of keys distributed in the network is very large.
  - With public-key encryption, keys are easy to exchange.
- But the authentication process is very complex and expensive:
  - Needs 802.1X (authenticator, supplicant, authentication server).
  - Needs a certificate for each device. If we do not generate it ourselves, we must communicate with the upper layer through the management plane, which means that link security does not operate independently.
  - Needs an RSA function (a very complex algorithm, and not verified so far).
Do we necessarily need an Authentication server?
- Even if we use symmetric-key encryption, the number of keys distributed in the network is not so numerous.
  - "In the network?" Right. But here there is no network: only the two devices connected at one link need the symmetric key.
- The master key must be installed off-line, just like a certificate used in public-key encryption.
- So, confirming the master key itself can serve as the authentication.
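The slide's argument is that, with only two devices on one link and a master key installed off-line on both, proving possession of that master key is itself the authentication, with no certificate, RSA or authentication server involved. The following is an added illustration of that idea, not code from the slides or from ETRI: a nonce exchange in which each peer returns an HMAC over both nonces keyed from the master key, after which both derive a fresh session key. The message shape, the `LinkPeer` class, the labels passed to the derivation and the OLT/ONU names are all assumptions made for the example; this is not the 802.1af (or 802.1AE) procedure.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: one master key per point-to-point link,
# installed off-line on both devices (the slide's alternative to certificates).


def _derive(master_key: bytes, label: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC-SHA256 derivation bound to both peers' fresh nonces."""
    return hmac.new(master_key, label + nonce_a + nonce_b, hashlib.sha256).digest()


class LinkPeer:
    """One device on the link, holding its own copy of the master key."""

    def __init__(self, name: str, master_key: bytes):
        self.name = name
        self.master_key = master_key
        self.nonce = secrets.token_bytes(32)  # fresh per handshake run
        self.session_key = None

    def _mic(self, sender: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
        # Key-confirmation key derived from the master key and both nonces,
        # so a MIC captured from an earlier run cannot be replayed later.
        kck = _derive(self.master_key, b"confirm", nonce_a, nonce_b)
        return hmac.new(kck, sender.encode() + nonce_a + nonce_b, hashlib.sha256).digest()

    def prove(self, nonce_a: bytes, nonce_b: bytes) -> bytes:
        """MIC that proves this peer holds the master key."""
        return self._mic(self.name, nonce_a, nonce_b)

    def verify(self, peer_name: str, mic: bytes, nonce_a: bytes, nonce_b: bytes) -> bool:
        """Check the peer's MIC in constant time against our own master key."""
        expected = self._mic(peer_name, nonce_a, nonce_b)
        return hmac.compare_digest(expected, mic)

    def finish(self, nonce_a: bytes, nonce_b: bytes) -> bytes:
        """Derive the per-run session key once both sides are confirmed."""
        self.session_key = _derive(self.master_key, b"session", nonce_a, nonce_b)
        return self.session_key


def handshake(initiator: LinkPeer, responder: LinkPeer) -> bool:
    """Four messages over the link; True only if both peers proved possession
    of the same master key. Session keys are set only on success."""
    nonce_a = initiator.nonce                     # 1. initiator -> responder: nonce_A
    nonce_b = responder.nonce                     # 2. responder -> initiator: nonce_B, MIC_B
    mic_b = responder.prove(nonce_a, nonce_b)
    if not initiator.verify(responder.name, mic_b, nonce_a, nonce_b):
        return False                              # wrong key on the far side: stay unauthenticated
    mic_a = initiator.prove(nonce_a, nonce_b)     # 3. initiator -> responder: MIC_A
    if not responder.verify(initiator.name, mic_a, nonce_a, nonce_b):
        return False                              # 4. responder rejects a bad MIC_A
    initiator.finish(nonce_a, nonce_b)
    responder.finish(nonce_a, nonce_b)
    return True


def demo():
    """Constructed scenario: a correctly provisioned link and a peer with a wrong key."""
    master_key = secrets.token_bytes(32)          # constructed: the off-line installed key
    olt, onu = LinkPeer("OLT", master_key), LinkPeer("ONU", master_key)
    ok = handshake(olt, onu)
    rogue = LinkPeer("ONU", secrets.token_bytes(32))   # constructed: device with a different key
    rejected = not handshake(LinkPeer("OLT", master_key), rogue)
    return ok, rejected, olt.session_key == onu.session_key


if __name__ == "__main__":
    print(demo())
```

Because the confirmation key is bound to both nonces, a MIC recorded from one run does not verify in a later run, and a device that was never provisioned with the link's master key is rejected at step 3 before any session key exists. The cost the slide points to is visible as well: the master key reaches both devices by an off-line process, exactly as a certificate would in the public-key design.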
Is there only one Authentication server?
- If there is only one authentication server in the whole network, all access points must have the back-end function in order to relay EAP to the authentication server.
  - What if there is one device in the network that does not support the back-end function?
- In a wireless LAN, mobility must be supported on devices, so a device can be placed anywhere.
- But in a wired LAN, mobility need not be supported on devices, because once a device has been set up it scarcely moves. The subscriber may move, but IP security is enough for that. The MAC security function is not on the subscriber's device such as a PC; that is, the MAC security function usually operates on the switch, and a switch usually does not have mobility.
Are there multiple hops to reach the Authentication server?
- If one authentication server manages several supplicants, there is no assurance that the authenticator is placed within one hop of it.
- Even if the authentication server is located in the authenticator, it would also manage other supplicants.
  - Otherwise, why would an authentication server be needed at all?
Are there multiple Authentication servers?
- If so, whenever a device is moved to another access point, we must set up its authentication information in the appropriate authentication server. This is no different from installing a symmetric key on the new device when we use symmetric-key encryption.