NIST 802.11 Wireless LAN Security Workshop
December 4-5, 2002
Falls Church, Virginia
On the 4th and 5th of December 2002, the National Institute of Standards and Technology (NIST) held a workshop on 802.11 Wireless LAN Security in Falls Church, Virginia. The workshop comprised approximately 30 individuals from the US Federal Government, the WiFi industry and the security and academic communities. Participants included individuals from NIST, the National Security Agency (NSA), the National Communication System (NCS), US Secret Service (USSS), Boeing Corporation, Cisco Systems, Microsoft Corporation, Intel Corporation, TruSecure, Microsoft, Agere Systems, Booz-Allen-Hamilton, Vigil Security, Virginia Tech, the University of Maryland, and the Burton Group.
The primary objectives of the workshop were the following:
Specific working sessions within the workshop included the following: an overview of NIST and an explanation of its roles and responsibilities; an informative session on FIPS-140 (Security Requirements for Cryptographic Modules); an enlightening “user perspective” on implementing 802.11 securely in a large enterprise; an overview of the WiFi Alliance industry organization; and very detailed discussions on the characteristics and rationale of the short-term (WPA—WiFi Protected Access) and long-term (RSN—Robust Security Networks) 802.11 security solutions.
At the conclusion of the second day, the broad-based group of cross-industry and government attendees developed a high-level strategy for the industry that included the following:
The 2-day workshop concluded having produced a list of “action-able” items to address the high-level strategy identified above.
Workshop Agenda
Detailed Agenda
Day 1 – Wednesday, December 4, 2002
Theme: Introductions, Overviews and Perspectives
Time | Session Title | Duration | Speakers |
8:00A-8:10A | Opening Remarks and Welcome (Logistics) | 10 mins | Marlene Wilson |
8:10A-8:30A | Workshop Motivation, Objectives and Agenda Review | 20 mins | Tim Grance |
8:30A-9:10A | Roundtable – Attendee Introductions and Sharing of Roles in 802.11 | 40 mins | All |
9:10A-10:10A | Federal Cryptographic & Non-cryptographic Security Requirements – Perspectives from several fronts [DoD Wireless Policies and Requirements] [NIST Cryptographic Standards Program] | 60 mins | Bill Burr (NIST) / Tim Havighurst (FWUF/NSA) |
10:10A-10:20A | Brief Review of Special Publication 800-48 | 10 mins | Tom Karygiannis |
10:20A-10:30A | Morning Break | 10 mins | All |
10:30-11:30PM | User’s Perspective on 802.11 security – Existing challenges and thoughts about future features | 60 mins | Steve Whitlock; Paul Dodd (Boeing) |
11:30-12:30PM | Overview of FIPS140-2 and Discussion of the Validation Process [The Cryptographic Module Validation Program and FIPS-140-2] | 60 mins | Randy Easter (NIST) |
12:30-1:30PM | Working Lunch: WiFi State-of-the-Industry Report. 802.11 Wireless LAN Status and Direction – By 2005 what can we expect? | 60 mins | John Pescatore (Gartner Group) |
1:30-2:30PM | Overview of WiFi Alliance and IEEE 802.11 WGs (Including the organizational composition, key initiatives, mission, approval procedures, etc.). Status of Activities and Current Plans – the Roadmap of 802.11 Security – WiFi Protected Access, RSN and beyond [WiFi Protected Access Media Briefing] | 60 mins | Frank Ferro (Agere, WIFI Alliance); Nancy Cam-Winget (Cisco). Frank covers the WiFi Alliance; Nancy covers the IEEE. |
2:30-3:30PM | Detailed Presentations on WiFi Protected Access (WPA): 1) What security is offered and what is not? 2) Salient differences from RSN should be identified. 3) Points of known vulnerability identified. | 60 mins | Jesse Walker, with Tim Moore and Nancy Cam-Winget |
3:30-3:40PM | Afternoon Break / BAH FVP Lab Tour and IA Demonstrations | 10 mins | FVP Information Assurance Staff (BAH) / All |
3:40-4:40PM | Detailed Presentations: Robust Secure Networks (RSN). What are the elements of RSN? What security is offered and what is not? How are authentication, integrity, confidentiality, and key management handled? | 60 mins | Jesse Walker, with Tim Moore and Nancy Cam-Winget |
4:40-5:30PM | Detailed Presentations on IETF Activities with respect to standardization of AAA and EAP Methods | 60 mins | Bernard Aboba (Microsoft) |
5:30-5:45PM | Day 1 Summary / Wrap-Up | 15 mins | Les Owens (BAH) |
Detailed Agenda
Day 2 – Thursday, December 5, 2002
Theme: Technology, Tutorials and Collaboration
Time | Session Title | Duration | Speakers |
8:00-8:10A | Day 1 Review and Day 2 Agenda Review | 10 mins | Les Owens (BAH) |
8:10-9:10A | Continued – Detailed Presentations: Robust Secure Networks (RSN). What are the elements of RSN? What security is offered and what is not? How are authentication, integrity, confidentiality, and key management handled? | 60 mins | Jesse Walker, with Tim Moore, Nancy Cam-Winget and Dorothy Stanley |
9:10-10:00A | Panel/Open discussion: “Will WiFi Protected Access gain so much momentum that RSN will never happen?” | 50 mins | Mike DiSabato (Burton Group), Steve Whitlock (Boeing), Bob Moskowitz. All to discuss. |
10:00-10:10A | Morning Break | 10 mins | All |
10:10-11:15AM | WPA Security Feature rationale, motivation, and genesis plus initial Security analysis/discussion: TKIP, 802.1X, PEAP, EAP-TTLS and other versions of extensible authentication protocol. Why is WPA what it is? | 65 mins | Russ Housley (Vigil Security) leads discussion. Interactive discussion with security experts (Gligor, Giorgio, Arbaugh, McGrew et al.) |
11:15-12:30PM | RSN Security Feature rationale, motivation, and genesis plus initial Security analysis/discussion: Key management | 75 mins | Russ Housley (Vigil Security) leads discussion. Interactive discussion with security experts (Gligor, Giorgio, Arbaugh, McGrew et al.) |
12:30-1:30PM | Working Lunch – Continue security analysis discussions | 60 mins | All |
1:30-2:15PM | Continued – RSN Security Feature rationale, motivation, and genesis plus initial Security analysis/discussion: Key management. Why is RSN what it is? | 45 mins | Russ Housley (Vigil Security) leads discussion. Interactive discussion with security experts (Gligor, Giorgio, Arbaugh, McGrew, Bob Moskowitz et al.) |
2:15-2:30PM | Afternoon Break: FVP Information Assurance Center of Excellence Tour (optional) | 15 mins | All |
2:30-4:40PM | Strategy Session on Partnership: What are the risks of WPA and addressing WPA inadequacies in the interim; How to embed FIPS140-2 in the RSN standard; Improving RSN security even further; Analyzing RSN to ensure it’s the right set of security features; What are the pitfalls? Are there weaknesses in a protocol that we need to address or avoid; Shortening the time to RSN; Development of partnership and plan to work together; Open Discussion | 2 hrs and 10 mins | Les Owens, Tim Grance, All |
4:40-5:00PM | Summary / Action Item Review | 20 mins | Les Owens (BAH), Tim Grance (NIST) |
5:00-5:10PM | Closing Remarks / Wrap-up / Depart [Comparison of Cellular Industry (’92) to WiFi Industry (’02)] | 10 mins | Tim Grance (NIST) |