Cryptographic Review and PKEX Month Year doc.: IEEE 802.11-yy/xxxxr0 September 2016 Cryptographic Review and PKEX Date: 2016-09-29 Authors: Paul A. Lambert (Marvell) John Doe, Some Company

Month Year doc.: IEEE 802.11-yy/xxxxr0 September 2016 Abstract The Fast Initial Link Setup project (FILS, P802.11ai) is introducing several new authentication mechanisms. Review of one of these authentication mechanisms, PKEX, has identified serious issues with the cryptographic design of the protocol. This presentation provides a brief summary of PKEX functionality and issues. Options for mitigation of the issues with PKEX are provided. Paul A. Lambert (Marvell) John Doe, Some Company

September 2016 PKEX Background The PKEX protocol is defined within the IEEE 802.11 draft specification for Fast Initial Link Setup (FILS) PKEX is one of several new authentication mechanisms being introduced into IEEE 802.11 by the FILS project. This review of PKEX is based on Draft P802.11ai_D10.0 PKEX claims to provide: A means to ‘trust’ a public key from a peer by proof of a shared passphrase Public keys are exchanged that are intended for subsequent use for creation/validation of digital signatures and other authorization purposes. PKEX has been included by reference in the draft specification for the Wi-Fi Alliance Device Provisioning Protocol (DPP) PKEX is included in DPP as means to ‘bootstrap’ trust in keys with a shared secret As part of the review of DPP, summaries of PKEX have been reviewed and flaws in the design identified Paul A. Lambert (Marvell)

September 2016 FILS and PKEX The Fast Initial Link Setup (FILS) project was started in May 2010 and defines mechanisms that provide IEEE 802.11 networks with fast initial link set-up methods which do not degrade the security currently offered by Robust Security Network Association (RSNA) already defined in IEEE 802.11. The project’s primary need comes from an environment where mobile users are constantly entering and leaving the coverage area of an existing extended service set (ESS). (a) scale with a high number of users simultaneously entering an ESS (b) minimize the time spent within the initial link set-up phase (c) securely provide initial authentication. PKEX was introduced into FILS on February 27th, 2015 with comment 7267 CID Submission Comment Proposed Change Resolution 7267 11-15/0291r0 how does one obtain a raw (uncertified) public key from a peer in a trustworthy manner? add a simple protocol to exchange raw public keys in a manner that is trustworthy and does not require certificates 2015-03-11 09:17:49Z) -- REVISED: a corresponding protocol has been added; See 11-15/291r1 for details Paul A. Lambert (Marvell)

PKEX Issues Security Issues have been identified with PKEX: September 2016 PKEX Issues Security Issues have been identified with PKEX: Related Key Attack (8/23) Mitigated by changes in 11-16-1100-03-00ai-mods-to-pkex.docx Fixes incorporated into P802.11ai_D10.0 Off-line Dictionary attack (8/31) From review on the mailing list for the Crypto Forum Research Group (CFRG) https://www.ietf.org/mail-archive/web/cfrg/current/msg08531.html For N different possible passphrases this is a O(sqrt(N)) attack. MiTM Attack (8/31) Identified on CFRG mailing list MiTM attacker simply swaps it’s public key for each of the peer’s during the exchange Details of the protocol and the details of the off-line dictionary attack and MiTM attack are provided in the following slides. Paul A. Lambert (Marvell)

Cryptographic Notation September 2016 Cryptographic Notation s private key used to generate the public key G generator element of the group used for public key operations + associative group operation (point addition for ECC) * scalar multiplication is the repeated addition of a group element with itself P public key where P=s*G H() hash function Kdf() key derivation function hap() the ‘hunt and peck’ algorithm used to map a arbitrary string (passphrase) to a group element (ECC point) defined in section 3.2 of RFC 7664 k symmetric secret key developed from DH key agreement [ ] fields contained in brackets are optional PA PB Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’) macA macB MAC address Alice sA PA = sA*G Bob sB PB = sB*G Paul A. Lambert (Marvell)

PKEX Overview Preconditions Protocol Exchange Post Conditions September 2016 PKEX Overview sA PA = sA*G macA, macB shared secret pw sB PB = sB*G macA, macB Preconditions Alice Bob macA, macB, nonceA, CA Protocol Exchange macB, macA, nonceB, CB macA, macB, checkA macB, macA, checkB PB PA Post Conditions After the exchange the claimed properties are: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Assumed security properties: - The shared secret ‘pw’ has not been exposed in a manner that would allow more than one guess of the value per run of the protocol. - The long-term public keys (PA, PB) may be subsequently be used for signature creation, signature validation, access control or authorization. This implies that Alice and Bob may have interacted with other peers so PA and PB may be commonly known and shared in the system. Paul A. Lambert (Marvell)

PKEX September 2016 sA PA = sA*G macA sB PB = sB*G macB Alice Bob shared secret pw Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB + mB*Pwe macA, macB, nonceA, CA macB, macA, nonceB, CB m’B = H(macB) P’B = CB - m’B*Pwe if (min(nonceA, nonceB) == nonceA x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || sA*P’B) else x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || hap(S)) checkA = HMAC(k, PA || P’B || macA|| macB) m’A = H(macA) P’A = CA - m’A*Pwe if (min(nonceB, nonceA) == nonceB x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || sB*P’A) else x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || hap(S)) checkB = HMAC(k, PB || P’A || macB|| macA) macA, macB, checkA macB, macA, checkB Validate checkB == HMAC(k, PB || PA || macB|| macA) Validate checkA == HMAC(k, PA || P’B || macA|| macB) After the exchange the claimed properties are: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Paul A. Lambert (Marvell)

PKEX Off-line Dictionary Attack September 2016 PKEX Off-line Dictionary Attack sA PA = sA*G macA, macB sB PB = sB*G macB, macA Alice Bob shared secret pw Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB + mB*Pwe macA, macB, nonceA, CA Given observation of CA and macA with prior knowledge of PA: CA = PA + H(macA)*hap(pw) Attacker calculates: H(macA)*hap(pw) = PA - CA This exposes an off-line dictionary attack of the passphrase ’pw’ on the term: H(macA)*hap(pw) For N=2^n possible passphrases the search space is: O( N ) A ‘good PAKE’ has a larger search space than O( N ) that is typically of order or greater than O ( q ) where ‘q’ is the order of the PAKE group operations.

PKEX MiTM Attack September 2016 sA PA = sA*G macA, macB sB PB = sB*G macB, macA Alice Bob shared secret pw sE PE= sE*G PA , PB Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB+mB*Pwe Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Eve macA, macB, nonceA, CA macA, macB, nonceA, CEB = CA – PA + PE macB, macA, nonceB, CEA = CB – PB + PE macB, macA, nonceB, CB m’B = H(macB) PE = CEA - m’B*Pwe x = H(nonceB || nonceA) k = Kdf(x, "PKEX Key Confirmation", CEA || CA || macB || macA || sA*PE)) checkAE = HMAC(k, PA || PE || macA||macB) Eve first obtains both Alice and Bob’s public key (PA and PB). The public keys are assumed to be “public” and have been exposed or directly provided to Eve. m’A = H(macA) P’A = CA - m’A*Pwe x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CEA || CA || macB || macA ||sE*P’A)) checkEA = HMAC(k, PE || PA || macB|| macA) macA, macB, checkAE macB, macA, checkEA Validate checkEA == HMAC(k, PE || PA || macB|| macA) After the exchange the MiTM attack properties are: - Alice has Eve’s public key PE and believes it belongs to Bob - Bob has Eve’s public key PE and believes it belongs to Alice (not shown but same as Alice attack) Paul A. Lambert (Marvell)

September 2016 PKEX MiTM Mitigation The MiTM attack on PKEX could be mitigated by additional changes to the protocol Such changes are proposed in: 11-16-1151-00-00ai-kdf-prf-pkex.docx The off-line dictionary attack is not mitigated by this change It would be more productive to look at alternative key exchanges than to incrementally make patches. Paul A. Lambert (Marvell)

TGai Options for PKEX Options: Month Year doc.: IEEE 802.11-yy/xxxxr0 September 2016 TGai Options for PKEX Options: Fix PKEX + New draft of TGai would be quickly available - Large shared one-time passphrases are a bad user experience - Would not fix bad reviews of security design - Magnet for more comments and could cause indefinite TGai delay Remove PKEX No public key ‘introduction’ mechanism would be available with TGai Replace PKEX + Functionality and cryptographic design could be improved to provide valuable features - Delay to TGai PKEX was removed from TGai 9/14/2016 Paul A. Lambert (Marvell) John Doe, Some Company

PAKE+PKA Password Authenticated Key Exchange plus Public Key Authentication (PKA) PKEX provides a password based mutual authentication of long-term public keys Based loosely on the SPAKE2 protocol: https://www.ietf.org/archive/id/draft-ladd-spake2-01.txt Alternatives to PKEX More efficient and secure exchanges could be developed by combining evaluated authenticated public key exchanges with an evaluated PAKE. An alternative follows where SPAKE2 is combined with mutually blinded Diffie-Hellman (mbDH) https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 https://www.emvco.com/specifications.aspx?id=285 Paul A. Lambert (Marvell)

Cryptographic Notation s private key used to generate the public key G generator element of the group used for public key operations + associative group operation (point addition for ECC) * scalar multiplication is the repeated addition of a group element with itself P a long-term public key where P=s*G H() hash function sk symmetric secret key developed from DH key agreement || denotes concatenation of strings { }sk curly braces indicate AEAD encryption by the key appended to the second brace (e.g. ‘sk’) PA PB Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’) Alice sA PA = sA*G Bob sB PB = sB*G Paul A. Lambert (Marvell)

PAKE+PKA Preconditions Protocol Exchange Post Conditions sA PA = sA*G Alice shared secret pw sB PB = sB*G Preconditions Bob macA, macB, nonceA, CA macB, macA, nonceB, CB Protocol Exchange macA, macB, checkA macB, macA, checkB PB sk PA sk shared secret key Post Conditions After the exchange the required properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Paul A. Lambert (Marvell)

SPAKE2 https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 iidA = “Alice” idB = “Bob” shared secret pw idB = “Bob” idA = “Alice” Alice Bob MA and MB are known constants selected for their security properties. w = H( pw ) xA = randRange(0,p*h) XA = xA*G RA = w*MA + XA RA w = H( pw ) xB = randRange(0,p*h) XB = xB*G RB = w*MB + XB RB K = xA * (RB – w*MB) sk = H(idA || idB || RA || RB || XA || XB || K || w) K = xB * (RA – w*MA) sk = H(idA || idB || RA || RB || XA || XB || K || w) After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric key ‘sk’ with certainty that their peer knew the shared secret ‘pw’ If the peer did not use the same passphrase ‘pw’ the shared secret (sk) will not be the same for the peers. - Note that this 2-step exchange does not include validation of the shared secret key Paul A. Lambert (Marvell)

Blinded Diffie-Hellman (bDH) https://www. emvco. com/specifications The EMVco defined bDH protocol is asymmetric and only authenticates one side of the exchange. sA PA = sA*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G K = xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ( ...) ) RB, { ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys - Alice has not received a long-term public key from Bob - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

Making bDH Mutual Additions to bDH to make the protocol symmetric and provide mutual authentication are shown in red sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

Mutually Blinded DH (mbDH) sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

SPAKE2 + mbDH SPAKE2 and mbDH can be combined to provide both PAKE and public key authentication. sA PA = sA*G shared secret pw sB PB = sB*G Alice Bob w = H( pw ) xA = randRange(0,p*h) RA = xA* PA RA = w*MA + XA*G RA = w*MA + xA*PA w = H( pw ) xB = randRange(0,p*h) RB = xB*PB RB = w*MB + xB*G RB = w*MB + xB*PB K = sB*xB*RA K = xB*(RA - w*MA) K = sB*xB*(RA - w*MA) skBA = H( “R” || RA || RB || XA || XB || K || w ) encrypt( key=skBA, ((xB, PB), ...) ) RA The ephemeral terms xA*G and xB*G are replaced with the ephemeral masked key xA*PA and xB*PB The ephemeral term xA*G is replaced with the ephemeral masked key xA*PA K = sA*xA*RB K = xA*(RB – w*MB) K = sA*xA*(RB – w*MB) skBA = H( “R” || RA || RB || XA || XB || K || w ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert (RB – w*MB) == xB*PB skAB = H( “I” || RA || RB || XA || XB || K || w ) encrypt( key=skAB, ((xA, PA), ...) ) RB, { (xB, PB), ... }skBA The mbDH shared key calculation now requires knowledge of the passphrase The mbDH shared key now requires knowledge of the passphrase { (xA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert (RA - w*MA) == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

SPAKE2 + mbDH sA PA = sA*G shared secret pw sB PB = sB*G Alice Bob w = H( pw ) xA = randRange(0,p*h) XA = xA*PA RA = w*MA + XA w = H( pw ) xB = randRange(0,p*h) XB = xB*PB RB = w*MB + XB K = sB*xB*(RA – w*MA) skBA = H( “R” || RA || RB || XA || XB || K || w ) encrypt( key=skBA, ((xB, PB), ...) ) RA K = sA*xA*(RB – w*MB) skBA = H( “R” || RA || RB || XA || XB || K || w) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert (RB – w*MB) == xB*PB skAB = H( “I” || RA || RB || XA || XB || K || w) encrypt( key=skAB, ((xA, PA), ...) ) RB, { (xB, PB), ... }skBA { (xA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert (RA – w*MA) == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)