11i PSK use in 11s: Consider Dangerous 2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 11i PSK use in 11s: Consider Dangerous Date: 2006-09-17 Authors: Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <stuart.kerry@philips.com> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <patcom@ieee.org>. D. Harkins, Tropos Networks D. Harkins, Tropos Networks

2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 Abstract Known attacks against 802.11i PSK authentication make it unsuitable for use in a mesh network. D. Harkins, Tropos Networks D. Harkins, Tropos Networks

PSK Authentication from 802.11i Sept 2006 PSK Authentication from 802.11i PSK SSID supplicant authenticator PSK SSID Anonce PBKDF2 PBKDF2 PMK PMK Snonce, MIC MIC PRF-x MIC PRF-x PTK PTK D. Harkins, Tropos Networks

What’s the Attack? An observer of the exchange knows: 2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 What’s the Attack? An observer of the exchange knows: the SSID from beacons and probe responses, both nonces, the PRF, PBKDF2, a frame with a valid MIC It is possible to launch a passive attack capture an exchange perform a dictionary attack using the above information Described by Bob Moscowitz in “Weakness in Passphrase Choice in WPA Interface”, November, 2003 Utilities exist to launch this attack e.g. coWPAtty, WPAcracker FPGA acceleration of coWPApatty can attempt ~1000/s. These can be easily clustered to further decrease cracking time. there exists a database of precomputed hash table of top 1,000,000 most popular passwords and 1,000 most popular SSIDs D. Harkins, Tropos Networks D. Harkins, Tropos Networks

2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 What’s the Problem? 11i’s PSK authentication also doesn’t provide Perfect Forward Secrecy all traffic previously sent can be decrypted all future traffic can be decrypted bogus frames can be injected into current traffic Deployment experience shows this is a big problem PSKs are typically shared– i.e. not bound to specific supplicant MAC address. Phrases over 20 characters are not really possible when humans are involved. Random strings are difficult to remember and prone to misconfiguration. Therefore PSKs are typically weak and consist of words and phrases found in a dictionary. There is only ~1.5 bits of entropy per character too, making it unsuitable for generation of a 128bit encryption key. D. Harkins, Tropos Networks D. Harkins, Tropos Networks

Why is this so bad for a mesh? 2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 Why is this so bad for a mesh? The dynamic nature of a mesh basically ensures that PSKs will be shared to do otherwise would require an onerous and unscalable configuration of every MPs PSK on every other MP: O(N) problem. Attacking 802.11i PSK allows access to the network behind an AP for attackers within earshot of the AP. Attacking 802.11s PSK would allow the mesh to grow unbounded to unauthorized MPs and clients the mesh grows, further increasing unauthorized traffic being sent onto the wired network behind the mesh. the larger the mesh the more opportunity for more attackers to see the mesh and attack it. D. Harkins, Tropos Networks D. Harkins, Tropos Networks

Sept 2006 D. Harkins, Tropos Networks

Summary and Suggestion 2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 Summary and Suggestion 11s must support some form of PSK authentication Existing 11i scheme should be replaced New PSK authentication scheme should have the following properties must not be susceptible to passive attack must provide Perfect Forward Secrecy: the property that “disclosure of long term secret keying material does not compromise the secrecy of exchanged keys from earlier runs”-- Diffie, van Oorshot, and Wiener in Authentication and Authenticated Key Exchanges. must provide some level of DoS resistance D. Harkins, Tropos Networks D. Harkins, Tropos Networks

Questions? Sept 2006 doc.: IEEE 802.11-06/xxxxr0 2/25/2019 D. Harkins, Tropos Networks D. Harkins, Tropos Networks

2/25/2019 doc.: IEEE 802.11-06/xxxxr0 Sept 2006 Straw Poll PSK authentication as defined by 802.11i is inappropriate for use in 11s Yes: No: Don’t know: Don’t care: D. Harkins, Tropos Networks D. Harkins, Tropos Networks