Florent Bersani, France Telecom R&D

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: Authors:
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
EAP-PSK v8 IETF 63 – Paris, France August EAP-PSK: an independent submission to IESG Requested EAP method type number allocation Reviewed June 2005.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
RADEXT WG RADIUS Attributes for WLAN Draft-aboba-radext-wlan-00.txt
Outline Properties of keys Key management Key servers Certificates.
Wireless Protocols WEP, WPA & WPA2.
OAuth WG Conference Call, 11th Jan. 2013
Phil Hunt, Hannes Tschofenig
Discussions on FILS Authentication
Pre-Shared Key EAP methods & EAP-PSK
P802.11aq Waiver request regarding IEEE RAC comments
Keying for Fast Roaming
Secure 3-Party Protocol
Pre-association Security Negotiation for 11az SFD Follow up
Motions to Address Some Letter Ballot 52 Comments
EAP based Message Flow Optimization for FILS
Pre-association Security Negotiation for 11az SFD Follow up
SPINS: Security Protocols for Sensor Networks
Use of EAPOL-Key messages during pre-auth
PEKM (Post-EAP Key Management Protocol)
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Mutual Authentication
Nancy Cam Winget, Atheros
Stefan Rommer, Mats Näslund, András Méhes (Ericsson)
TAP & JIT Key Hierarchy Notes
Agenda retrospective - B. Aboba Lunch
Mutual Authentication
doc.: IEEE /252 Bernard Aboba Microsoft
SPINS: Security Protocols for Sensor Networks
Jesse Walker and Emily Qi Intel Corporation
PMF, take one A simple i extension
Security Properties Straw Polls
“Not Ready” Response in FT Auth Messages
Kerberos Part of project Athena (MIT).
Fast Roaming Compromise Proposal
Link Setup Flow July 2011 Date: Authors: Name Company
Roaming timings and PMK lifetime
Fast Roaming Compromise Proposal
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Fast Roaming Compromise Proposal
Roaming timings and PMK lifetime
Keying for Fast Roaming
Jesse Walker, Intel Corporation Russ Housley, Vigil Security
P802.11aq Waiver request regarding IEEE RAC comments
P802.11aq Waiver request regarding IEEE RAC comments
Overview of Improvements to Key Holder Protocols
Session MAC Address Solves Deadlocks
Fast Roaming Observations
Overview of Improvements to Key Holder Protocols
Link Setup Flow July 2011 Date: Authors: Name Company
Roaming timings and PMK lifetime
11ay Fast Association Authentication
Message Authentication
11ay Fast Association Authentication
AIT 682: Network and Systems Security
Presentation transcript:

Florent Bersani, France Telecom R&D September 2002 doc.: IEEE 802.11-02/xxxr0 September 2004 Dominos, bonds and watches: discussion of some security requirements for TGr Florent Bersani, France Telecom R&D florent.bersani@francetelecom.com F. Bersani, France Telecom R&D Eleanor Hepworth, Siemens

Goal of this presentation September 2004 Goal of this presentation Loren Adams once said: "What is understood need not be discussed" This presentation is about discussing some tentative security requirements listed in document IEEE 802.11-04/1048r0: Sharing of the PMK Binding of the PMK Timeliness of messages ... and make sure 09/13 discussion is captured F. Bersani, France Telecom R&D

September 2004 Sharing of the PMK Sharing of the PMK is explicitly prohibited by IEEE 802.11i: Page 38, clause 8.1.4 item 5 "An IEEE 802.1X AS never exposes the common symmetric key to any party except the AP with which the STA is currently communicating. (...)" NB: Clause 8.1.4 is informative F. Bersani, France Telecom R&D

September 2004 Sharing of the PMK Sharing of the PMK is explicitly prohibited by IEEE 802.11i: Page 38, clause 8.1.4 item 5 ctd. "It implies that the AS itself is never compromised. It also implies that the IEEE 802.1X AS is embedded in the AP, or the AP is physically secure and the AS and the AP lie entirely within the same administrative domain." NB: Clause 8.1.4 is informative F. Bersani, France Telecom R&D

September 2004 Sharing of the PMK Yet practice does not seem to comply with this requirement (e.g., RADIUS proxying), should TG r? Possible rationale for this requirement: The domino effect Sound cryptographic practice F. Bersani, France Telecom R&D

September 2004 Sharing of the PMK This is reflected in document IEEE 802.11-04/1048r0, requirements: #2: "In particular, the pairs <STA, AP1> and <STA, AP2> must have cryptographically independent PMKs, or all the 802.11i security claims are voided. This rules out sharing PMKs among different APs." #7: "A PMK shall never be shared between APs" F. Bersani, France Telecom R&D

Sharing of the PMK The domino effect September 2004 Sharing of the PMK The domino effect Housley, R., "Key Management in AAA", Presentation to the AAA WG at IETF 56, http://www.ietf.org/proceedings/03mar/slides/aaa-5/index.html "Compromise of a single authenticator cannot compromise any other part of the system, including session keys and long-term secrets." F. Bersani, France Telecom R&D

Sharing of the PMK The domino effect September 2004 Sharing of the PMK The domino effect Compromise of long term secrets would be really painful... but PMKs are not long term (except in PSK mode) Domino protection is useful when the network has the possibility to inform STA of the compromised AP Could also very well do it for PMKID... if it is not "too broadly shared" F. Bersani, France Telecom R&D

Sharing of the PMK Sound cryptographic practice September 2004 Sharing of the PMK Sound cryptographic practice Reusing a nonce can void security properties (e.g., Counter mode) However, if nonce is random then collision probability can be bounded A key has limited lifetime Sharing it, speeds up burning out. For 128 bit block length, assuming 54 Mbit/s, 0.4*10**14 s with 1 AP PMK is generally for a short period of time and used in a somewhat conservative scheme F. Bersani, France Telecom R&D

Sharing of the PMK Anyway what is an AP? September 2004 Sharing of the PMK Anyway what is an AP? Not particularly advocating sharing the PMKs... just debating! F. Bersani, France Telecom R&D

September 2004 Binding the PMK This "requirement" appeared during discussion of IEEE 802.11-04/1048r0 Perhaps alluded to in requirement #9 "The only visible identifier seems to be BSSID." The idea would be that: A PMK should only be used by a pair <AP,STA> This restriction should be "incorporated" in the PMK F. Bersani, France Telecom R&D

Binding the PMK Is the PTK bound to something? September 2004 Binding the PMK Is the PTK bound to something? It incorporates nonces and MAC addresses... Yet this does not per se preclude sharing of the PTK! How can we prevent two parties that have agreed to do so to abuse a key usage??? What does "binding the keys" mean? EAP channel binding? F. Bersani, France Telecom R&D

Timeliness of messages September 2004 Timeliness of messages This is reflected in document IEEE 802.11-04/1048r0, requirements #11 "An AP shall test the liveness of the mobile STA at reassociation when the mobile STA does a secure fast transition to it. This is required to synchronize replay counters." #12. "A mobile STA shall test the liveness of the AP at reassociation when it does a secure fast transition to a new AP. This is required to synchronize replay counters" F. Bersani, France Telecom R&D

Timeliness of messages September 2004 Timeliness of messages The attack scenario: CCMP protected frame, PN=23: "Sell stocks, now!" CCMP protected frame, PN=23: "Sell stocks, now!" Attacker delays the frame (and possibly subsequent traffic) This is not a replay: client only sees the delayed frame once F. Bersani, France Telecom R&D

Timeliness of messages September 2004 Timeliness of messages 802.11i does not include such a feature, why: Hard to do? (timestamps, ...) Not necessary? (client won't stay associated with big delays) Should TGr? What if pre-auth is allowed to go up to deriving a PTK: there can be some time between derivation and usage Avoid DoS and black-holes F. Bersani, France Telecom R&D

Timeliness of messages September 2004 Timeliness of messages Solution alluded to to provided timeliness: periodically make a protected resynch of replay counters Kind of a key confirmation Tradeoff between the frequency of this resynch and the "timeliness" protection F. Bersani, France Telecom R&D

Another security aspect to take into account September 2004 Another security aspect to take into account Although IEEE 802.11 & 802.11i leave the door quite open to many DoS attacks... We probably want to make sure that 11r does not make things even worse for that regard, e.g, Allowing a STA to exhaust resources of many APs thanks to a badly-designed pre-auth scheme Allowing a STA to make other STAs' traffic flow in a dead hole F. Bersani, France Telecom R&D

September 2004 Conclusion TG r PAR: "Security must not be decreased as a result of the enhancement." To what extent has TG r to comply with TG i? Is there an objective measure of security diminution? TG r can break some of TG i assumptions, yet prove that it remains secure... H2 make Apples to apples comparison between securtiy of the proposals? F. Bersani, France Telecom R&D

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.