PKEX issue in ai Date: Authors: September 2016

Slides:



Advertisements
Similar presentations
The Diffie-Hellman Algorithm
Advertisements

Secure Pre-Shared Key Authentication for IKE
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Submission doc.: IEEE /1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date:
Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.
Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Diffie-Hellman Key Exchange Color Mixing Example Rick Stroud 21 September 2015 CSCE 522.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
Doc.: IEEE /0315r4 Submission July 2009 Dan Harkins, Aruba NetworksSlide 1 Enhanced Security Date: Authors:
Key Management Network Systems Security Mort Anvari.
Doc.: IEEE /0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: Authors:
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Cracking Encrypted Systems
Secure PSK Authentication
Hash Functions Which of these problems is easier to solve:
Encryption and Integrity
Key Exchange References: Applied Cryptography, Bruce Schneier
DTTF/NB479: Dszquphsbqiz Day 26
Enhanced Security Features for
Cryptographic Review and PKEX
Group theory exercise.
Enhanced Security Features for
Secure 3-Party Protocol
Cryptographic Review and PKEX
Course Business I am traveling April 25-May 3rd
Cryptographic Review and PKEX
Secure PSK Authentication
PKEX Alternatives Date: Authors: Acknowledgements:
PKEX Alternatives Date: Authors: Acknowledgements:
Opportunistic Wireless Encryption
Man in the Middle Attacks
Diffie-Hellman Key Exchange Color Mixing Example
Assignment #4 – Solutions
How To Fragment An IE Date: Authors: May 2013
Protocol ap1.0: Alice says “I am Alice”
CS2911 Week 9, Class 1 Today Discussion on RSA Video Eavesdropping
Protocol ap1.0: Alice says “I am Alice”
Cryptographic Review and PKEX
Key Management Network Systems Security
Efficient Short-Password Key Exchange (ESP-KE)
Security Properties Straw Polls
Password Authenticated Key Exchange
Changes to SAE State Machine
11i PSK use in 11s: Consider Dangerous
Chapter 3 - Public-Key Cryptography & Authentication
Cryptographic Review and PKEX
Diffie/Hellman Key Exchange
Cryptographic Review and PKEX
Asymmetric Cryptographic Algorithms
Password Authenticated Key Exchange
Cryptographic Review and PKEX
Chapter 8 roadmap 8.1 What is network security?
Introduction to Cryptography
11i PSK use in 11s: Consider Dangerous
AIT 682: Network and Systems Security
Key Exchange With Public Key Cryptography
Lecture 6.2: Protocols - Authentication and Key Exchange II
Presentation transcript:

PKEX issue in 802.11ai Date: 2016-09-13 Authors: September 2016 doc.: IEEE 802.11-16/1261r0 September 2016 PKEX issue in 802.11ai Date: 2016-09-13 Authors: Dan Harkins, HPE Dan Harkins, HPE

Abstract This presentation discusses the PKEX issues. September 2016 doc.: IEEE 802.11-16/1261r0 September 2016 Abstract This presentation discusses the PKEX issues. Dan Harkins, HPE Dan Harkins, HPE

September 2016 doc.: IEEE 802.11-16/1261r0 September 2016 PKEX Exchange Intended to allow two parties to exchange a “raw” public key for use with FILS public key authentication Uses a password to authenticate the exchange and encrypt the exchanged public keys Dan Harkins, HPE Dan Harkins, HPE

PKEX Exchange September 2016 sA PA = sA*G sB PB = sB*G Alice Bob shared secret pw Pwe = F(pw) mA = H(macA) CA = PA + mA*Pwe Pwe = F(pw) mB = H(macB) CB = PB + mB*Pwe CA CB m’B = H(macB) P’B = CB - m’B*Pwe if (min(nonceA, nonceB) == nonceA x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || F(S)) else x = H(nonceA || nonceB) CA || CB || macA || macB || F(S)) checkA = HMAC(k, PA || P’B || macA|| macB) m’A = H(macA) P’A = CA - m’A*Pwe if (min(nonceB, nonceA) == nonceB x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || F(S)) else x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || F(S)) checkB = HMAC(k, PB || P’A || macB|| macA) checkA checkB Validate checkB == HMAC(k, PB || PA || macB|| macA) Validate checkA == HMAC(k, PA || P’B || macA|| macB) After the exchange: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret September 2016 Dan Harkins, HPE

September 2016 doc.: IEEE 802.11-16/1261r0 September 2016 What’s the Problem? Only truly secure when the same public key is not used in multiple PKEX runs Running PKEX multiple times with the same public key opens up two attacks: Off-line dictionary attack to determine the password(s) used Man-in-the-middle attack to insert an adversary’s public key Dan Harkins, HPE Dan Harkins, HPE

Off-line Dictionary Attack September 2016 Off-line Dictionary Attack Adversary watches two exchanges in which she knows that the same public key was used both times (let’s say from “Alice”) CA1 = PA + QA1 = PA + (mA*Pwe1) CA2 = PA + QA2 = PA + (mA*Pwe2) Therefore, adversary knows CA1 - CA2 = QA1 - QA2 Adversary can go offline and check all N2 password combinations where N is number of possible passwords Birthday paradox makes this an O(N) attack not O(N2) Dan Harkins, HPE

Off-line Dictionary Attack September 2016 Off-line Dictionary Attack If the adversary learns the password after the exchange is over the so what? Keys are exchanged, nothing is subverted If dictionary attack can be done in real-time though, the exchange can be subverted by inserting the adversary’s public key into the exchange Dictionary attacks are getting faster and faster Dan Harkins, HPE

Man-in-The-Middle Attack September 2016 Man-in-The-Middle Attack Adversary knows that the same key is being used a second time (let’s say by “Bob”) Adversary gets C1, modifies C2 = C = PB + QB by determining QB (knows PB) and inserts adversary’s key But adversary cannot decrypt PA to complete attack because she doesn’t know QA To determine QA, it is necessary to take a discrete logarithm from an unknown root An Nth root equation where N is a 256-bit number! Extremely unlikely this compute power is readily available But the fix is easy, add the password to the KDF Dan Harkins, HPE

Man-in-The-Middle Attack September 2016 Man-in-The-Middle Attack There is an easier attack but it requires both parties to exchange the same key multiple times There is really no reason why people would do PKEX twice with the same keys– if they exchanged their keys once what’s the point? Somewhat of a contrived attack, but the fix is the same, add the password to the KDF Dan Harkins, HPE

Conclusion The Man-In-The-Middle attack is an easy fix September 2016 Conclusion The Man-In-The-Middle attack is an easy fix The dictionary attack is more severe 802.11 has a history of releasing security protocols with flaws– PSK mode, WEP It is possible to replace PKEX with something that does not suffer from the problems presented here PKEX is not critical to FILS, it’s optional and it’s still possible exchange “raw” public keys in a manner outside the scope of the standard. Let’s just get rid of PKEX Dan Harkins, HPE

References September 2016 doc.: IEEE 802.11-16/1261r0 September 2016 Dan Harkins, HPE Dan Harkins, HPE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.