CS259: Security Analysis of Network Protocols, Winter 2008

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE Wireless Local Area Networks (WLAN’s).
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University
Wireless and Security CSCI 5857: Encoding and Encryption.
Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
National Institute of Science & Technology WIRELESS LAN SECURITY Swagat Sourav [1] Wireless LAN Security Presented By SWAGAT SOURAV Roll # EE
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
WLAN Security Condensed Version. First generation wireless security Many WLANs used the Service Set Identifier (SSID) as a basic form of security. Some.
Wireless Network Security CSIS 5857: Encoding and Encryption.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
Wireless Authentication Protocol Presented By: Tasmiah Tamzid Anannya Student Id:
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
History and Implementation of the IEEE 802 Security Architecture
Robust Security Network (RSN) Service of IEEE
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
History and Implementation of the IEEE 802 Security Architecture
CompTIA Security+ Study Guide (SY0-401)
Wireless Protocols WEP, WPA & WPA2.
M. Kassab, A. Belghith, J. Bonnin, S. Sassi
Lecture 29 Security in IEEE Dr. Ghalib A. Shah
WEP & WPA Mandy Kershishnik.
A Wireless LAN Security Protocol
Security Protocols Analysis
Just Fast Keying (JFK) Protocol
– Chapter 5 (B) – Using IEEE 802.1x
TGai FILS Authentication Protocol
Mesh Security Proposal
IEEE i Dohwan Kim.
Wireless Network Security
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
Protocol Composition Logic (PCL)
Use of EAPOL-Key messages during pre-auth
Mutual Authentication
Mutual Authentication
Security Analysis of Network Protocols
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Transport Layer Security (TLS)
Updates on Abbreviated Handshake
Overview of Abbreviated Handshake Protocol
Overview of Improvements to Key Holder Protocols
Protocol Verification by the Inductive Method
Security Requirements for an Abbreviated MSA Handshake
Overview of Improvements to Key Holder Protocols
Link Setup Flow July 2011 Date: Authors: Name Company
Cryptography Lecture 27.
Overview of an MSA Security Proof
AIT 682: Network and Systems Security
Presentation transcript:

CS259: Security Analysis of Network Protocols, Winter 2008 Proving IEEE 802.11i Secure Mukund Sundararajan Joint work with Changhua He, Arnab Roy, Anupam Datta, Ante Derek, John Mitchell

802.11i Key Management Auth Server Laptop Access Point TLS: Uses Certificates, provides authentication (Shared Secret-PMK) 4WAY Handshake: Creates keys for data communication Todays wireless networks Group key handshake: Keys for broadcast communication Data protection: AES based

Properties of 802.11i Key Mgt. Roughly Only authorized devices can join n/w Devices do not join rogue n/w Peer device is alive Keys set up for data and group communication are fresh and secret

Proof of 802.11i security A Formal Proof in Protocol Composition Logic (PCL) of : On execution of an 802.11i role, properties listed in the standard are satisfied. Attacker model (perfect crypto) Intercept, read, reorder, delete any message on the n/w Construct, send messages Properties and attacker model, two levels of security rework properties

Why a Proof? [He Mitchell] analyzed 4Way Handshake using Murphi Found a DoS attack But did not find any security flaws [Mitchell Shmatikov] analyzed TLS ‘Finite’ state analysis does not guarantee security

Model Checking does’nt Scale Laptop A.P. A.S. EAP-TLS Client EAP-TLS Server 4WAY Supplicant 4WAY Authenticator Change edge color Group key Supplicant Group key Authenticator 802.11i

TLS Server Role receive C, S, nc, suiteC //Hello new ns send S, C, ns, suiteS //Resp receive C, S, {sec}Ks , SIGC(hshk1) //Xfer check SIGC(hshk1) decrypt {sec}Ks send S, C, hashsec(hshk2) //ServerView

Security Properties of TLS The client and the server agree on Value of the secret Version and crypto suite Identities (mutual authentication) Protocol completion status The secret term is not known to a principal who is not the client or the server (shared secret) Must make nice repeatable diagram

Matching Conversations Honest(C) [TLS Server]S C. Send ( C, Hello)  Receive ( S, Hello )  Receive ( S, Hello )  Send ( S, Resp)  Send ( S, Resp)  Receive( C, Resp)  Receive( C, Resp)  Send ( C, KeyXfer)  Send ( C, KeyXfer)  Receive ( S, KeyXfer)  Receive ( S, KeyXfer)  Send( S,ServerView) Fix the font

Proof Sketch 1. S sees SIGC(hshk1) concludes C constructed it 4. If honest C constructed SIGC(hshk1), then it executed actions consistent with TLS Client role 5. Order actions based on freshness of nonces Fix the font color

Some Axioms Used in the Proof

Program Invariant used in Proof

Proof of TLS Authentication

Matching Conversations!

Proof Structure EAP-TLS Client EAP-TLS Server Group key Authenticator Pre-conditions 4WAY Authenticator Local Reasoning Based on actions And cryptography Program Invariants Fails for the 4-Way handshake – reflection attack Group key Authenticator 4WAY Supplicant Group key Supplicant

Protocol Insights 802.11i is secure Other modes are safe Using Cached PMKs and Pre-shared Keys is safe Safe under error handling Protocols can share certificates with TLS as long as conditions listed in paper are satisfied

Evolution of WLAN Security Wired Equivalent Privacy Incorrect use of cryptography WEP lacks key mgt 802.11i is designed to fix these issues (June 2004) [He Mitchell] uncovers DoS attacks Fix adopted by standards committee Security Proof of 802.11i

Error Handling [HM05] Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timeout 4-Way Handshake Timeout Association Failure 802.1X Failure

Interactions can cause Flaws Exercise: Construct two protocols. Each does something reasonable. Each is secure in isolation. But, if any principal executes both protocols, one of the two protocols is insecure. Chosen protocol attack (Wagner et.al.) Scaling issues

Thanks!