Key Management [802.1af - considerations]
2004. 5. 12
Jee-Sook Eun
Electronics and Telecommunications Research Institute
EPON Technology Team
7/26/2016 (This presentation material is confidential.)

Authentication
- Authentication runs between the authentication server and the supplicant by means of EAP and EAPOL.
- 802.1X must be supported in the access point.
- A back-end function for EAP packets must be supported on all devices between the access point and the authentication server.
[Figure: Supplicant -- Access point (Authenticator) -- Authentication server -- secured network]

Why do we need an authentication server?
- Authentication is needed.
- Key exchange uses public-key encryption.
Why public-key encryption?
- In symmetric-key encryption, the number of keys distributed in the network is very large.
- Keys are easy to exchange.
But:
- The authentication process is very complex and expensive.
- It needs 802.1X (authenticator, supplicant, authentication server).
- It needs certificates for each device; if we do not generate them ourselves, we must communicate with the upper layer through the management plane. This means that link security does not operate independently.
- It needs an RSA function (a very complex algorithm, with no verification so far).

Do we necessarily need an authentication server?
- Even if we use symmetric-key encryption, the number of keys distributed in the network is not so numerous.
- "In the network"? Right. But there is no network here: only the two devices connected at one link need the symmetric key.
- The master key must be installed off-line, just as a certificate used in public-key encryption is.
- So confirmation of the master key itself can serve as authentication.

Is there only one authentication server?
- If there is only one authentication server in the whole network, all access points must have the back-end function in order to relay EAP to the authentication server.
- What if one device in the network does not support the back-end function?
- In a wireless LAN, mobility must be supported on devices, so devices can be placed anywhere.
- But in a wired LAN, mobility support on devices is a different matter: once a device has been set up, it scarcely moves. The subscriber may move, and IP security is enough for that. The MAC security function is not on the subscriber's device such as a PC; that is, the MAC security function usually operates on the switch, and a switch usually does not move.

Are there multiple hops to reach the authentication server?
- If one authentication server manages several supplicants, there is no assurance that an authenticator is placed within one hop of it.
- Even if the authentication server is located in the authenticator, it would then manage other supplicants as well. Otherwise, why would an authentication server be needed?

Are there more authentication servers?
- If so, whenever a device is moved to another access point, we must set its authentication information in the appropriate authentication server. This is no different from installing a symmetric key on the new device if we use symmetric-key encryption.
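As an added illustration of the slide "Do we necessarily need an authentication server?" (example code written for this page, not from the presentation or ETRI): the two devices on one link each hold a master key installed off-line, and each proves possession of it with an HMAC over both sides' nonces, so the key confirmation itself is the authentication, with no 802.1X back-end or certificate involved, and a per-link session key falls out of the same exchange. The message layout, the labels, the role bytes and the choice of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import os

LABEL_KC = b"LINK-KC"  # key-confirmation label (assumed)
LABEL_SK = b"LINK-SK"  # session-key derivation label (assumed)


def confirm_tag(master_key: bytes, sender_role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """MAC proving knowledge of the off-line master key. The sender's role byte is
    bound into the MAC so one side's tag cannot be reflected back as the other's."""
    msg = LABEL_KC + sender_role + nonce_a + nonce_b
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def derive_session_key(master_key: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Fresh per-link key; both nonces make it differ on every run of the handshake."""
    return hmac.new(master_key, LABEL_SK + nonce_a + nonce_b, hashlib.sha256).digest()


def run_link_handshake(key_a: bytes, key_b: bytes, nonce_a: bytes = None, nonce_b: bytes = None):
    """Simulates both endpoints of a single link. key_a / key_b are the master keys
    each side holds (installed off-line, never sent on the link). Returns
    (ok, session_key_a, session_key_b); ok is True only when each side verifies
    the other's tag, i.e. both really hold the same master key."""
    nonce_a = nonce_a or os.urandom(16)  # A -> B: nonce_a (in clear)
    nonce_b = nonce_b or os.urandom(16)  # B -> A: nonce_b (in clear)
    tag_b = confirm_tag(key_b, b"B", nonce_a, nonce_b)  # B -> A: proof of master key
    tag_a = confirm_tag(key_a, b"A", nonce_a, nonce_b)  # A -> B: proof of master key
    # Each side recomputes the peer's tag under its own master key; constant-time compare.
    a_accepts = hmac.compare_digest(tag_b, confirm_tag(key_a, b"B", nonce_a, nonce_b))
    b_accepts = hmac.compare_digest(tag_a, confirm_tag(key_b, b"A", nonce_a, nonce_b))
    if not (a_accepts and b_accepts):
        return False, None, None  # mismatched master key: link is not authenticated
    return (True,
            derive_session_key(key_a, nonce_a, nonce_b),
            derive_session_key(key_b, nonce_a, nonce_b))


if __name__ == "__main__":
    shared = os.urandom(32)          # constructed master key, installed on both devices
    print("same key  ->", run_link_handshake(shared, shared)[0])       # True
    print("wrong key ->", run_link_handshake(shared, os.urandom(32))[0])  # False
```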