ISO/IEC 8802-11:2005/DAmd 7

DRAFT AMENDMENT ISO/IEC DIS 8802-11/Amd.7
Attributed to ISO/IEC JTC 1 by the Central Secretariat (see page iii)
Voting begins on Voting terminates on
2005-10-07 2006-03-07

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION

INTERNATIONAL ELECTROTECHNICAL COMMISSION • МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Technologies de l'information — Télécommunications et échange d'information entre systèmes — Réseaux

Partie 11: Spécifications pour le contrôle d'accès au support et la couche physique

AMENDEMENT 7: Caractéristiques pour la sécurité améliorée — Authentification de WLAN et infrastructure

In accordance with the provisions of Council Resolution 21/1986 this DIS is circulated in the

Conformément aux dispositions de la Résolution du Conseil 21/1986, ce DIS est distribué en

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES,

DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but

shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In

downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation

parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In

the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted

under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be

reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,

photocopying, recording or otherwise, without prior written permission being secured.

Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's

This draft International Standard is submitted for JTC 1 national body vote under the Fast-Track Procedure.

In accordance with Resolution 30 of the JTC 1 Berlin Plenary 1993, the proposer of this document recommends

1 Any P-member and any Category A liaison organization of ISO/IEC JTC 1 may propose that an existing

standard from any source be submitted directly for vote as a DIS. The criteria for proposing an existing

2 The proposal shall be received by the ITTF which will take the following actions.

2.1 To settle the copyright and/or trade mark situation with the proposer, so that the proposed text can be

2.2 To assess in consultation with the JTC 1 secretariat which SC is competent for the subject covered by

the proposed standard and to ascertain that there is no evident contradiction with other International

2.3 To distribute the text of the proposed standard as a DIS. In case of particularly bulky documents the ITTF

3 The period for combined DIS voting shall be six months. In order to be accepted the DIS must be

supported by 75 % of the votes cast (abstention is not counted as a vote) and by two-thirds of the P-members

4 At the end of the voting period, the comments received, whether editorial only or technical, will be dealt

5 If, after the deliberations of this WG, the requirements of 3 above are met, the amended text shall be sent

to the ITTF by the secretariat of the relevant SC for publication as an International Standard.

If it is impossible to agree to a text meeting the above requirements, the proposal has failed and the procedure

In either case the WG shall prepare a full report which will be circulated by the ITTF.

6 If the proposed standard is accepted and published, its maintenance will be handled by JTC 1.

8.3.1 WAPI ASUE Authentication and key management state machine……………………68

Annex A (normative) Protocol Implementation Conformance Statements (PICS) ………………………99

Annex H (informative) Reference implementations of the frame authentication algorithm and

Annex I (Informative) The example of WAI parameters and WPI block cryptographic algorithm ………199

Figure 11—Portion of the ISO/IEC basic reference model covered in this amendment……………11

Figure 11a—The establishment of security association under the basic mode………………………12

Figure 24—Authentication Linkverification Algorithm Number fixed field………………………18

Figure 25—Authentication Linkverification Transaction Sequence Number fixed field………………18

Figure 43u—The format of the Data field of Authentication Activation packet…………………………42

Figure 43v—The fomat of the Data field of access authentication request packet………………………44

Figure 43w—The format of the Data field of Certificate Authentication Request packet……………… 45

Figure 43x—The format of the Data field of Certificate Authentication Response packet……………… 46

Figure 43y—The format of the Data filed of Access Authentication Response packet………………… 48

Figure 43aa—The format of the Data field of Unicast Key Negotiation Request packet……………… 50

Figure 43ab—The format of the Data field of Unicast Key Negotiation Responding packet …………… 51

Figure 43ac—The format of the Data field Unicast Key Negotiation Confirmation packet……………… 53

Figure 43ad—Multicast key / inter-station key announcing procedure……………………………… 54

Figure 43ae—The format of the Data field of Multicast key / STAKey announcement packet………54

Figure 43af—The format of the Data field of the multicast key/STAKey response packet…………56

Figure 43ah—The format of the Data field in the STAKey establishment request packet…… 58

Figure 43ai—The format of the Data field in the pre-authentication start packet…………………… 59

“The editing instructions are shown in bold italic. Four editing instructions are used: change,

delete, insert, and replace. Change is used to make small corrections in existing text or tables. The editing

instruction specifies the location of the change and describes what is being changed either by using strikethrough

(to remove old material) or underscore (to add new material). Delete removes existing material. Insert adds new

material without disturbing the existing material. Insertions may require renumbering. If so, renumbering

instructions are given in the editing instructions. Replace is used to make large changes in existing text,

subclauses, tables, or figures by removing existing material and replacing it with new material. Editorial notes

ANSI X9.62-Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm

ITU-T Recommendation X.509，Information technology - Open Systems Interconnection - The Directory: Public-key and

ISO/IEC 15946 Information technology - Security techniques - Cryptographic techniques based on elliptic curves

ISO/IEC 10116: 1997 (2nd edition) Information technology - Security techniques - Modes of operation for an n-bit block

Insert the following definitions in alphabetical order into Clause 3, renumbering as necessary:

3.63 authenticator entity (AE): An entity that provides authentication action for the authentication supplicant

3.64 authentication and key management (AKM) suite: A set of methods for authentication and key

3.65 authentication service entity (ASE): An entity that provides mutual identity authentication for the AE and

3.66 authentication service unit (ASU): An important part of WAI authentication framework that is based on

public-key cryptography. It manages the certificates and authenticates the identities of users etc.

3.67 authentication supplicant entity (ASUE): An entity that requires identity authentication through ASU. It

3.68 key encryption key (KEK): A key used to encrypt the key data field in the key management protocol.

3.69 message authentication key (MAK): A key used to authenticate data source and check integrity in key

3.70 multicast session key (MSK): A random value used to protect multicast MPDUs sent by the node. It is

3.71 message integrity code (MIC): A value generated by using a symmetric key cryptographic algorithm on

the input data. If the input data are changed, a new value cannot be correctly computed without knowledge of the

3.72 multicast master key (MMK): An auxiliary key used to generate the multicast encryption key and the

3.73 multicast session key security association (MSKSA): The result of the multicast key announcement

3.74 preshared key (PSK): A static key distributed to the STA. The way of the key distribution is beyond this

3.75 STAKey: A symmetric key used to protect direct communications between two stations in a BSS.

3.76 STAKey security association (STAKeySA): The result of the STA-to-STA unicast key negotiation

3.77 base key (BK): An auxiliary key used to generate the unicast session key. It can be negotiated in the

3.78 base key security association (BKSA): The result of the certificate authentication process or the result

3.79 unicast session key (USK): A random value that is derived from the base key with a pseudo-random

function. It is composed of four parts: the unicast encryption key, the unicast integrity check key, the message

3.80 unicast session key security association (USKSA): The result of the unicast key negotiation process.

3.81 WAPI key management: The key management including the unicast key negotiation, the multicast key

3.82 WAPI security network: A network with the WAPI security mechanism. It is identified by the WAPI

3.83 wireless local area network authentication and privacy infrastructure (WAPI): A security scheme that

is stated to provide identity authentication and data confidentiality for WLAN. WAPI comprises WAI (WLAN

This set of services is divided into two groups: those that are part of every STA, and those that are part of a DS.

There are nine ten services (Linkverification, Authentication, Association, Delinkverification, Disassociation,

Distribution, Integration, Privacy, Reassociation, and MSDU delivery) specified by IEEE 802.11 this standard.

Six of the services are used to support MSDU delivery between STAs. Three Four of the services are used to

Two Three services are required for this standard to provide functionality equivalent to that inherent to wired

LANs. The design of wired LANs assumes the physical attributes of wire. In particular, wired LAN design

assumes the physically closed and controlled nature of wired media. The physically open medium nature of a

Two Three services are provided to bring the wireless LAN functionality in line with wired LAN assumptions;

Linkverification, Authentication and privacy. Linkverification and Authentication is are used instead of the

wired media physical connection. Privacy is used to provide the confidential aspects of closed wired media.

In wired LANs, physical security can be used to prevent unauthenticated access. This is impractical in wireless

IEEE 802.11 provides the ability to control LAN access via the authentication servic