Password Authenticated Key Exchange

Slides:



Advertisements
Similar presentations
Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Advertisements

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Secure Pre-Shared Key Authentication for IKE
Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
Diffie-Hellman Key Exchange
Cyrtographic Security Identity-based Encryption 1Dennis Kafura – CS5204 – Operating Systems.
Cryptography and Network Security (CS435) Part Eight (Key Management)
Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Doc.: IEEE /0617r0 Submission May 2008 Tony Braskich, MotorolaSlide 1 Refining the Security Architecture Date: Authors:
Submission doc.: IEEE /1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date:
Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Cryptographic Security Identity-Based Encryption.
Doc.: IEEE /0315r4 Submission July 2009 Dan Harkins, Aruba NetworksSlide 1 Enhanced Security Date: Authors:
Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
Doc.: IEEE /0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: Authors:
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Doc.: IEEE /1092r2 Submission Nov 2006 D. Harkins, Tropos Networks Slide 1 Secure Mesh Formation Notice: This document has been prepared to assist.
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
Relationship between peer link and physical link
Outline The basic authentication problem
Vocabulary Big Data - “Big data is a broad term for datasets so large or complex that traditional data processing applications are inadequate.” Moore’s.
Enhanced Security Date: Authors: May 2009 May 2009
Secure PSK Authentication
PKEX issue in ai Date: Authors: September 2016
draft-harkins-emu-eap-pwd-01
Authentication and Upper-Layer Messaging
Key Exchange References: Applied Cryptography, Bruce Schneier
On the Size of Pairing-based Non-interactive Arguments
Enhanced Security Features for
Cryptographic Hash Function
B. R. Chandavarkar CSE Dept., NITK Surathkal
Cryptographic Review and PKEX
Enhanced Security Features for
Secure PSK Authentication
Opportunistic Wireless Encryption
OTR AKE Protocol.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Password Authenticated Key Exchange
Reducing Risk from Poorly Chosen Keys
How To Fragment An IE Date: Authors: May 2013
Cryptography: Basics (2)
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Efficient Short-Password Key Exchange (ESP-KE)
Security Properties Straw Polls
Hash Functions Motivation Hash Functions: collision, pre-images SHA-1
Changes to SAE State Machine
11i PSK use in 11s: Consider Dangerous
CDK: Chapter 7 TvS: Chapter 9
Password Authenticated Key Exchange
TGr Authentication Framework
Cryptographic Review and PKEX
One Way Functions Motivation Complexity Theory Review, Motivation
Cryptographic Review and PKEX
Relationship between peer link and physical link
Security Requirements for an Abbreviated MSA Handshake
Password Authenticated Key Exchange
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Secure Mesh Formation Date: Authors: July 2006
EAP Method Requirements for Emergency Services
Cryptographic Review and PKEX
A Better Way to Protect APE Messages
Chapter 8 roadmap 8.1 What is network security?
11i PSK use in 11s: Consider Dangerous
AIT 682: Network and Systems Security
Presentation transcript:

Password Authenticated Key Exchange January 2008 doc.: IEEE 802.11-08/0045r0 January 2008 Password Authenticated Key Exchange Date: 2008-01-12 Authors: Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

January 2008 doc.: IEEE 802.11-08/0045r0 January 2008 Abstract A key exchange authenticated with a password (which may be cryptographically weak) is presented. Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

Pre-shared Key Authentication in 11s January 2008 Pre-shared Key Authentication in 11s Required for certain use cases. Current proposal is unrealistic Pre-shared key is assumed to be cryptographically strong Pre-shared key is pairwise. Pre-shared keys are deployed problematically for a reason Pairwise keys doesn’t scale: give an administrator a choice between O(n) and O(1) s/he will choose the latter. Pre-shared keys will be shared. Deployment experience shows that things will be used insecurely if that’s easier to deploy that way. If n is a non-trivial amount (i.e. at least one-half dozen) the pre-shared key must be something that can be repeatedly entered with a low probability of errors– i.e. it probably won’t be cryptographically strong. Pre-shared key is used directly in MSA 4-way handshake. Dan Harkins, Aruba Networks

This Poses Severe Problems in a Mesh January 2008 This Poses Severe Problems in a Mesh Using the pre-shared key (or key trivially derived from pre-shared key) with MSA authentication is susceptible to attack. There are downloadable scripts available that can crack an 802.11i PSK in minutes! They could easily to the same for an 802.11s PSK The attack in 11s is far worse than the attack in 11i Attacking 802.11i PSK allows access to the network behind an AP for attackers within earshot of the AP. Attacking 802.11s PSK would allow the mesh to grow unbounded to unauthorized MPs and clients Successful attacks cause the mesh to grow, further increasing unauthorized traffic being sent onto the wired network behind the mesh. the larger the mesh the more opportunity for more attackers to see the mesh and attack it. It’s a vicious downward spiral. Dan Harkins, Aruba Networks

January 2008 Mesh is used in a warehouse It gets attacked, mesh grows when unauthorized mesh point authenticates with the PSK. Bigger mesh is visible to more people who attack it, further growing the mesh …and it keeps growing as it keeps getting attacked. Dan Harkins, Aruba Networks

January 2008 How to Fix this Problem We need to ensure mesh security regardless of deployment. We need to ensure that the key used in the MSA 4-way handshake is unique and cryptographically strong. We cannot do that by issuing a fiat in the draft. We need a way to turn a cryptographically weak, and possibly shared, pre-shared secret into a unique and cryptographically strong key. This technique must be: Resistant to active attack Resistant to passive attack Resistant to dictionary attack We need to ensure that the technique used to generate a cryptographically strong key is appropriate for mesh. There cannot be any notion of an “initiator” and a “responder” We need simultaneous authentication of equals Dan Harkins, Aruba Networks

Simultaneous Authentication of Equals January 2008 Simultaneous Authentication of Equals A protocol for authentication and key derivation using a, presumably weak, pre-shared secret Initially both parties share: Knowledge of identity of self and each other’s identity-- “Alice” and “Bob”. A secret that need not be cryptographically strong– password. A public ordering function, L, that returns the “greater” of two strings A public random function, H The definition of a finite cyclic group for which the discrete logarithm problem is known to be hard. For an elliptic curve group Ε, base point is G. (Notation: a point is uppercase, Q, and a scalar is lowercase, q). A bijective function, f() that maps an element from the group to an integer. For an elliptic curve group, f() merely takes the x component of the point. Upon completion: Peers are authenticated Peers share an authenticated (master) key that will be suitable for use with the MSA 4-way handshake. Dan Harkins, Aruba Networks

Simultaneous Authentication of Equals January 2008 Simultaneous Authentication of Equals if L(Alice, Bob) == Alice then p = H(Alice | Bob | password) else p = H(Bob | Alice | password) Alice Bob Choose random a Compute U=a*G, u = f(U) A = -(u*G), m = a*p + u*p Choose random b Compute V=b*G, v = f(V) B = -(v*G), n = b*p + v*p m,A n,B Compute K = a*(n*G + p*B) = a*b*p*G Compute k = f(K) Compute x = H(k | A | m | B | n) Compute K = b*(m*G + p*A) = b*a*p*G Compute k = f(K) Compute y = H(k | B | n | A | m) x y Verify y Verify x Authenticated Master Key = H(k | f(A+B) | (n+m)mod r) Dan Harkins, Aruba Networks

Simultaneous Authentication of Equals January 2008 Simultaneous Authentication of Equals Attractive security properties Perfect Forward Secrecy for keys. Key is authenticated in addition to the mesh points being authenticated. Resistant to active attack, passive attack, and dictionary attack. Uniquely appropriate for a mesh No roles– initiator/responder or supplicant/authenticator Either party can initiate first or both can initiate at the same time Addresses numerous comments: 1345, 1614, 1615, 1616, 1622, 2975, 2980, 4750*, and 4758 Security proof? I’m working on it. Hope to have something for the next meeting. * my personal favorite. Dan Harkins, Aruba Networks

Simultaneous Authentication of Equals January 2008 Simultaneous Authentication of Equals What’s the plan? Socialize the idea within the 802.11s Working Group Solicit input on how to most harmoniously incorporate this protocol into the 802.11s draft Have some normative text ready for a motion very soon Please come see me or email me: If any of the PSK-related comments are your’s If you think this is a good idea If you think this is a bad idea If you have crypto people at work who typically review standards please have them look at this and please send any comments to me. Dan Harkins, Aruba Networks