Security Properties Straw Polls


Security Properties Straw Polls
doc.: IEEE 802.11-11/1572r1
November 2011
Date: 2011-11-10
Authors: Dan Harkins, Aruba Networks

Abstract
This presentation describes some security properties and offers some straw polls on them. Many thanks to Rene Struik for document 11-11/1408r3 which this submission borrows from heavily.

We’re getting ahead of ourselves…
- Proposals are being made for FILS authentication and security
- We have not decided what properties we want from a FILS authentication and security protocol though!
  - Alice proposes protocol with property FOO
  - Bob proposes protocol that does not have FOO
  - Bob and his proponents now discount the desirability of FOO because his protocol doesn’t have it
  - Alice and her proponents now state the importance of FOO because her protocol has it
- This is backwards! We should agree on properties and then evaluate proposals on how they meet those properties

A Modest Proposal
- Discuss common security properties that typical key exchange and authentication protocols have
- Have a series of straw polls to gauge what the group feels is important and what isn’t.
- With respect:
  - Suggest that these not be makers or breakers of a proposed protocol
  - Also, if 75% of the people value FOO then it doesn’t mean that Bob’s protocol (that doesn’t have FOO) is undesirable. And vice versa.
  - Suggest using these straw poll results to evaluate proposals.
  - Suggest we set expectations appropriately: we might not get everything we desire.

What are we talking about?
- We have 2 parties in a hostile environment that wish to communicate securely.
- These parties are not equals:
  - One is a gatekeeper who protects a valuable resource – the network
  - The other is one who would like to obtain access to that valuable resource
- We need to provide some level of identity assurance – we need authentication
- We need to provide a way for these 2 parties to communicate securely after the authentication step – we need key establishment
- We need an authentication and key exchange protocol!

What are we talking about? (continued)
- Authentication requires a credential – an identity and a way to prove that identity
- Secret keys can be independent and unique for each session, or secret keys for many sessions can share a common secret ancestor
- In addition to knowing that the other party really is who the other party claims to be, a proof of “liveness” is also needed; similarly, replaying an old message exchange should cause the protocol to fail
- A successful attack is not just finding out the secret key!
- The severity of a weakness does not depend on our ability to describe how it can be successfully exploited!

Some Basic Security Properties of Authentication and Key Exchange Protocols
- Key establishment/derivation: A shared secret becomes available to two parties, or is derived by the two parties, for subsequent cryptographic use
- Key transport/distribution: A shared secret is generated for two parties and provided to them for subsequent cryptographic use
- Key Confirmation: Assurance that other (possibly unknown) party has possession of a particular key… a proof of possession of the secret key

Some More Esoteric Properties of Authentication and Key Exchange Protocols
- Unknown key share resilience: Upon conclusion of the protocol, Alice is assured that she shares a key with Bob (and not Carl), and vice versa
- Forward Secrecy: Loss of security of a long-term secret does not provide an attacker an advantage in determining past session keys
- Session Key Independence: Compromise of one session key does not provide an attacker an advantage in determining another session key
- Identity Protection: The identity (of Alice) cannot be ascertained by a passive observer of the exchange
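
As an added illustration of the Forward Secrecy definition above (not part of the original presentation), this Python sketch contrasts session keys that share a common secret ancestor with keys derived from an ephemeral Diffie-Hellman exchange. The toy group, the HMAC-based KDF and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: toy group for illustration only. 2**255 - 19 is prime, but this is
# not a vetted Diffie-Hellman group; real protocols use standardized groups.
P = 2**255 - 19
G = 2


def kdf(secret: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 used as a simple key derivation function (assumption)."""
    return hmac.new(secret, context, hashlib.sha256).digest()


def ancestor_session(psk: bytes):
    """Session key whose only secret input is the long-term key (common ancestor)."""
    transcript = secrets.token_bytes(16) + secrets.token_bytes(16)  # nonces, sent in clear
    return kdf(psk, transcript), transcript


def ephemeral_session(psk: bytes):
    """Session key from an ephemeral DH secret; the long-term key only binds it."""
    a = secrets.randbelow(P - 2) + 1  # Alice's ephemeral private value
    b = secrets.randbelow(P - 2) + 1  # Bob's ephemeral private value
    ga, gb = pow(G, a, P), pow(G, b, P)  # public values, sent in clear
    transcript = ga.to_bytes(32, "big") + gb.to_bytes(32, "big")
    shared = pow(gb, a, P).to_bytes(32, "big")  # equals pow(ga, b, P) on Bob's side
    return kdf(shared + psk, transcript), transcript  # a and b are discarded here


def attacker_guess(leaked_psk: bytes, recorded: bytes) -> bytes:
    """What a passive recorder can compute once the long-term secret leaks."""
    return kdf(leaked_psk, recorded)


def survives_psk_leak(session_fn) -> bool:
    """True if a past session key stays unknown after the long-term key is lost."""
    psk = secrets.token_bytes(32)
    key, transcript = session_fn(psk)
    return not hmac.compare_digest(attacker_guess(psk, transcript), key)


if __name__ == "__main__":
    print("common ancestor:", survives_psk_leak(ancestor_session))   # False
    print("ephemeral DH:   ", survives_psk_leak(ephemeral_session))  # True
```

In the common-ancestor case each session still gets a distinct key, yet every past key falls together when the ancestor leaks. In the ephemeral case the recorder lacks the discarded DH secret and cannot form the KDF input.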

Some More Esoteric Properties of Authentication and Key Exchange Protocols (continued)
- Mutual authentication: Alice proves to Bob that she really is Alice, and Bob proves to Alice that he really is Bob
- Non-mutual authentication: Alice proves to Bob that she really is Alice, but Bob doesn’t prove anything to Alice about who he really is
- Deniability: Ability to deny ever participating in a particular protocol exchange
- Protection against Distributed Denial of Service Attacks
- Crypto-agility: Ability to swap in/out different cryptographic primitives (like hash functions or ciphers)

References
- 11-11/1408r3, “Notes On TGai Security Properties”

Suggested Security Considerations
Protocols should list what properties apply to them:
- Key Establishment or Key Derivation
- Key Confirmation
- Identity Protection
- Forward Secrecy
- Session Key Independence
- Mutual Authentication or Non-mutual Authentication
- Deniability
- Crypto-agility
- Resistance to DDOS attacks

For reference: RSN
- Key Establishment or Key Derivation: Both
- Key Confirmation: Yes
- Identity Protection: Optional
- Forward Secrecy:
- Session Key Independence:
- Mutual Authentication or Non-mutual Authentication:
- Deniability:
- Crypto-agility: No
- Resistance to DOS attacks: somewhat

Straw Poll #1
This is an important security property for a FILS authentication protocol to have
Key Establishment:
Key Delivery/Transport:
Don’t know/Don’t care:
RETRACTED

Straw Poll #2
Key Confirmation is an important security property for a FILS authentication protocol to have
Yes:
No:
Don’t know/Don’t care:
RETRACTED

Straw Poll #3
Identity Protection is an important security property for a FILS authentication protocol to have
Yes: 14
No: 5
Don’t know/Don’t care: 9

Straw Poll #4
Forward Secrecy is an important security property for a FILS authentication protocol to have
Yes: 13
No: 4
Don’t know/Don’t care: 14

Straw Poll #5
Session key independence is an important security property for a FILS authentication protocol to have
Yes: 14
No: 0
Don’t know/Don’t care: 13

Straw Poll #6
Mutual authentication is an important security property for a FILS authentication protocol to have
Yes: 18
No: 1
Don’t know/Don’t care: 10

Straw Poll #7
Non-mutual authentication (server authenticates client only) is an important security property for a FILS authentication protocol to have
Yes: 11
No: 3
Don’t know/Don’t care: 8

Straw Poll #8
Deniability is an important security property for a FILS authentication protocol to have
Yes: 6
No: 2
Don’t know/Don’t care: 19

Straw Poll #9
Resistance to DOS attacks is an important security property for a FILS authentication protocol to have
Yes: 7
No: 9
Don’t know/Don’t care: 13