Secure PSK Authentication

Slides:



Advertisements
Similar presentations
Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Advertisements

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Secure Pre-Shared Key Authentication for IKE
Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE /0877r0 Submission June WG Slide 1 TGs response to CN NB comments Date: Authors:
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.
Wireless Network Security Dr. John P. Abraham Professor UTPA.
Solutions for Secure and Trustworthy Authentication Ramesh Kesanupalli
 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
Doc.: IEEE r0 Submission July 2011 Dan Harkins, Aruba NetworksSlide 1 Prohibiting Technology Date: Authors:
Submission doc.: IEEE /1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date:
Doc.: IEEE /1077r0 Submission September 2010 Dan Harkins, Aruba NetworksSlide 1 Galois/Counter Mode (GCM) Date: Authors:
Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
Doc.: IEEE /0315r4 Submission July 2009 Dan Harkins, Aruba NetworksSlide 1 Enhanced Security Date: Authors:
Doc.: IEEE /1147r1 Submission November 2009 David Halasz, AclaraSlide 1 Path Protection Date: Authors:
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Doc.: IEEE /0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: Authors:
Outline The basic authentication problem
Re-evaluating the WPA2 Security Protocol
Enhanced Security Date: Authors: May 2009 May 2009
Secure PSK Authentication
draft-harkins-emu-eap-pwd-01
Authentication and Upper-Layer Messaging
Wireless Protocols WEP, WPA & WPA2.
Enhanced Security Features for
Cryptographic Hash Function
CMSC 414 Computer and Network Security Lecture 15
Discussions on FILS Authentication
Security for location determination at a Public Domain
Enhanced Security Features for
Motions to Address Some Letter Ballot 52 Comments
Opportunistic Wireless Encryption
Key Descriptor Version in EAPOL Key Frames
Strawman AP Functional Diagram
Password Authenticated Key Exchange
How To Fragment An IE Date: Authors: May 2013
Digital Certificates and X.509
TGv redline between Draft 1.0 and 1.01
Beacon Protection Date: Authors: July 2018 July 2018
Cryptography and Network Security Chapter 7
Security Properties Straw Polls
Password Authenticated Key Exchange
Changes to SAE State Machine
11i PSK use in 11s: Consider Dangerous
CS 394B Introduction Marco Canini.
Cryptography Lecture 14.
Password Authenticated Key Exchange
TGr Authentication Framework
Beacon Protection Date: Authors: July 2018 July 2018
Hashing Hash are the auxiliary values that are used in cryptography.
Beacon Protection Date: Authors: May 2018 January 2018
TGr Authentication Framework
Password Authenticated Key Exchange
EAP Method Requirements for Emergency Services
Link Setup Flow July 2011 Date: Authors: Name Company
A Better Way to Protect APE Messages
CRYPTOGRAPHY & NETWORK SECURITY
TGu/TGv Joint Meeting Date: Authors: May 2008 Month Year
11i PSK use in 11s: Consider Dangerous
Discussion on TESLA Based Frame Authentication
Presentation transcript:

Secure PSK Authentication July 2010 doc.: IEEE 802.11-10/0899r0 July 2010 Secure PSK Authentication Date: 2010-07-14 Authors: Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

July 2010 doc.: IEEE 802.11-10/0899r0 July 2010 Abstract This presentation presents the problems with D0.1’s use of PSKs and a solution to them. Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

What’s the Problem? PSKs are being used for authentication in a PBSS July 2010 What’s the Problem? PSKs are being used for authentication in a PBSS It is difficult to provision a “strong” PSK. Strength is a function of entropy in the PSK. For a character-based PSK there is approximately 1.5 bits of entropy per character. Generating a key suitable for use with GCM implies a character string of around 100 characters. Humans have a hard time entering a string of 20 characters repeatedly with a low probability of error. Weak PSKs will be used because doing otherwise is prohibitive for operators and users. Need a robust protocol to use PSKs properly, can’t just mandate all PSKs are uniformly random binary strings of sufficient length. Dan Harkins, Aruba Networks

Okay, So What’s the Problem? July 2010 Okay, So What’s the Problem? The PSK is leaked when used in Draft 0.1 Using the PSK directly in the 4-Way Handshake has known and well-published problems. A PSKID, based on a hash of the PSK, is included in beacons. Protocols using the PSK are susceptible to an off-line dictionary attack An attacker has all information needed to run through a dictionary of potential passwords until the correct one is found. This attack is not detectable by legitimate members of the PBSS. Learning the PSK allows an attacker to recover all past and future traffic. The strength of the PSK determines the strength of the GCM key and that’s not strong enough (see previous slide). Dan Harkins, Aruba Networks

July 2010 What’s the Solution? A protocol that uses a PSK that is resistant to attack Each active attack leaks a single bit of information– whether the singular guess was correct or not. Passive attack is not possible. Probability of guessing the PSK is 1/(S-x) after x guesses of the PSK from a pool of possible PSKs of size S. Perfect Forward Secrecy is achieved. A protocol which can produce a cryptographically strong key suitable for use with GCM An entropy amplifier! The strength of the PSK does not determine the strength of the GCM key. A protocol called SAE from the 11s draft Dan Harkins, Aruba Networks

SAE Based upon the Dragonfly key exchange. July 2010 SAE Based upon the Dragonfly key exchange. Uses public key cryptography to produce a strong GCM key that is authenticated with a (potentially weak) PSK. An RSNA authentication protocol for 802.11. Uses 802.11 authentication frames (not data frames). Free, open source (BSD licensed) reference implementation available: http://sourceforge.net/projects/authsae Dan Harkins, Aruba Networks

References 11-10-0884-00-00ad-secure-psk-authentication.doc July 2010 Dan Harkins, Aruba Networks