KTS Wireless Security Framework Web White Paper

The KTS Wireless Security Framework provides a world-class comprehensive solution to wireless network security leveraging proven standards and cryptography. The framework includes the following features:

FIPS 140-2 Cryptography
The framework starts with a FIPS 140-2 validated cryptography library that has passed rigorous testing by a NIST certified laboratory to insure correct implementation of all algorithms.

Public Key Infrastructure (PKI)

The framework employs Public-key Infrastructure to uniquely identify, authenticate and authorize radios. This approach allows networks to be centrally managed without any requirement to configure remote radios with passphrases or Pre-Shared Keys (PSK) (KTS Wireless devices do support PSK but PKI is preferred for security and convenience). KTS Wireless has established its own private Certificate Authority (CA) to generate keys and certificates for devices, servers and clients that are used in KTS Wireless radio networks.

Unique Device Keys
KTS Wireless radio products are provisioned during manufacture with a unique private key and it’s corresponding public key certificate signed by the KTSWireless CA. The private key is further encrypted on the device with a secret key that is unique to each device.

IEEE 802.1x Authentication and Authorization
Remote or client radios in a KTS Wireless radio network use the IEEE 802.1x EAP-TLS protocol to authenticate and obtain authorization to join a network. The device key and certificate are used in the TLS transactions to authenticate with a RADIUS authentication server, usually co-located with the hub or master radio. The hub radio functions as the authenticator in the system and proxies the EAP-TLS protocol to the RADIUS protocol containing the TLS transactions. The RADIUS server must also be provisioned with a KTS Wireless private key and certificate. In some cases the RADIUS server may be further configured to add the device serial number to the network authorization. KTS Wireless offers a third party gateway/router solution configured with a RADIUS server and remote management services for customer networks.

IEEE802.11i Key Management
After authentication and authorization has completed the hub radio and remote radio enter into the Four-Way Handshake followed by the Group Key Handshake to establish session keys for the OTA encryption. These session keys are randomly generated by the hub radio and periodically refreshed across the network using these secure handshake mechanisms.

Over-the-Air (OTA) Encryption
KTS Wireless devices use NIST standard AES-128-CCM encryption for the wireless link. The 128-bit key is provided either by Pre-Shared Key (PSK) or through the PKI system. PKI is recommended as mentioned earlier.

Secure Device Management
KTS Wireless provides its customers with management tools used to configure devices and networks. The same device keys and certificates used in network Authentication Authorization and Key Management (AAKM) are used to provide secure TLS connections for management of the devices including firmware updates. Customers are provided with their own unique keys and certificates to be used with KTS Wireless management tools.