SA Teardown Protection for w

Slides:



Advertisements
Similar presentations
Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Advertisements

Doc.: IEEE /2441r2 Submission SA Teardown Protection for w Date:
Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
Doc.: IEEE /0560r0 Submission May 2010 Ashish Shukla, MarvellSlide 1 TDLS TPK Handshake Date: Authors:
Doc.: IEEE /2913r0 Submission November 2007 Kapil Sood, Intel CorporationSlide 1 Protecting Associations Attacks – Some Considerations Date:
CSC 311 Chapter Eight FLOW CONTROL TECHNIQUES. CSC 311 Chapter Eight How do we manage the large amount of data on the network? How do we react to a damaged.
Doc.: IEEE r Submission November 2004 Bob Beach, Symbol TechnologiesSlide 1 Fast Roaming Using Multiple Concurrent Associations Bob.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
Submission November 2010 doc.: IEEE /1236r0 Enhancements to Enablement Procedure Slide 1 Santosh Abraham, Qualcomm Incorporated Date:
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Doc.:IEEE /0313r1 Submission Robert Stacey (Intel) March 12, 2010 Slide 1 Rekeying Protocol Fix Authors: Date:
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 8 TCP/IP Suite Error and Control Messages.
Doc.: IEEE /2952r2 Submission Dec 2007 L.Chu Etc.Slide 1 Simplified DLS Action Frame Transmission in 11Z Date: Authors:
Protocols and layering Network protocols and software Layered protocol suites The OSI 7 layer model Common network design issues and solutions.
Fast Retransmit For sliding windows flow control we waited for a timer to expire before beginning retransmission of a packet TCP uses an additional mechanism.
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Authentication and Upper-Layer Messaging
Lecture 29 Security in IEEE Dr. Ghalib A. Shah
Overall MAC Procedure for WUR
Some LB 62 Motions January 13, 2003 January 2004
Securing the WUR Date: Authors: July 2016 March 2014
Outline Basics of network security Definitions Sample attacks
Chapter 6: Transport Layer (Part I)
Configuring EtherChannels and Switch Troubleshooting
doc.: IEEE /xxxr0 Mike Moreton
FILS presentation on High Level Security Requirements
802.1X and key interactions Tim Moore November 2001
Defense Against Multi-Channel Man-in-the-Middle (MITM)
TSN Architecture Mike Moreton, STMicroelectronics
Demand of Being Woken Up While Moving Follow-up
TDLS TPK Handshake Date: Authors: May 2010 May 2010
BSS Transition Improvements
Assign and Update Wake-Up Signals in WLAN with Wake-Up Radio Receivers
IGTK Switch Announcement
OCT based 6 GHz AP Operation Discussion
July 2002 Threat Model Tim Moore Tim Moore, Microsoft.
Reducing Overhead in Active Scanning
WLAN Security Antti Miettinen.
Jesse Walker and Emily Qi Intel Corporation
Reducing Overhead in Active Scanning
“Not Ready” Response in FT Auth Messages
Changes to SAE State Machine
A Simplified Solution For Critical A-MPDU DoS Issues
Reducing Overhead in Active Scanning with Simulation Results
Antti Miettinen (modified by JJ)
Rekeying Protocol Fix Date: Authors: Month Year
Group Block Acknowledgements for Multicast Traffic
DL MU MIMO Error Handling and Simulation Results
Reducing Overhead in Active Scanning with Simulation Results
A Simplified Solution For Critical A-MPDU DoS Issues
Fast Roaming Using Multiple Concurrent Associations
Responses to Clause 5 Comments
AP-AC communications and Functional Architecture
Mandatory Protection Mechanisms
Interference Signalling Enhancements
Overview of Improvements to Key Holder Protocols
Fast Roaming Observations
Overview of Improvements to Key Holder Protocols
Cooperative AP Discovery
Use of EAPOL-Key messages
Outline Basics of network security Definitions Sample attacks
Revisiting Path Switch
Considerations on post wake-up sequences
WPA Coordination Changes
Reducing Overhead in Active Scanning
Ready to transition/ Clear to transition
Reducing Overhead in Active Scanning
Peer Traffic Indication enhancements
Discussion on TESLA Based Frame Authentication
Presentation transcript:

SA Teardown Protection for 802.11w Date: 2007-9-10

Abstract 802.11w protects Deauthentication and Disassociation 802.11w does not protect against SA teardown attacks from other sources This proposal addresses that

SA Teardown Section 8.4.10, paraphrased The SA is torn down when any of the following occurs Successful (Re)association Confirm primitive for STA STA sent Non-FT (Re)association Request and got a response (Re)association Indication primitive for AP AP received a Non-FT (Re)association Request Invocation of Disassociation or Deauthentication primitive for everyone Thus, an attacker can teardown the SA on the AP by pretending to be the client and sending an Association message

Analysis of Deauth/Disassoc (for comparison) Deauthing a Non-AP STA will cause the STA to reconnect somewhere quickly Deauthing the AP will cause the class to drop, and the next uplink packet will cause a Disassoc in the opposite direction. All active methods a client use to check that the AP is still in radio range will trigger this, including Null Data A new association and SA will be reestablished quickly

Analysis of SA Teardown Tearing down the STA’s side is generally not possible, except at the time of Association itself. Though STA could potentially go out of sync…this is still a problem Tearing down the AP’s side, however, will cause major problems AP will think the client is associating EAPOL timers will start. These will wait for many seconds before kicking off the client with a Deauth Upstream frames from the client will not cause any resynchronization at all Section 8.4.10 list item c) states that no Deauth will occur in this case Wouldn’t matter anyway: without an SA, all Deauths are lame and take no effect Thus, there’s no way to recover. The STA is happily in limbo.

What to do… Choice I Choice II Incomplete check for whether the Association request is from the real STA Modifies 8.4.10 This prevents the teardown attack from working But this introduces a lockout problem Station that lose key state synchronization can never come back in Specific case: STA loses SA; AP retains it (Re)association SA clearing was what let the STA send and receive unencrypted EAPOL frames from the AP Choice II Have the non-AP STA detect a teardown This doesn’t prevent the teardown attack at all, but allows for recovery

Ping Test Both choices would use a ping test Create a Ping Action frame, with two protected unicast types Ping Request Ping Response When a STA initiates a test, it starts a timer and sends some number of Ping Requests If no Ping Response comes after the timeout, the initiator Deauthenticates or tears down

Ping Example Ping sent Ping replied to within timeout period X X X X X STA1 STA2 STA1 STA2 Ping Request Ping Request X Ping Request X Ping Response Ping Request X Ping Request X Ping Request X Ping Request Response Timeout Ping Response Response Timeout

May or may not fall on deaf ears Ping Example (2) Ping sent Response not received within timeout STA1 initiates Disassociate STA1 STA2 Ping Request X Ping Request X Ping Request X Ping Request X Ping Request X May or may not fall on deaf ears Ping Request X Response Timeout Ping Request X Deauthentication SA Terminated

Choice I: Remove Association Teardown Add two new rules If an AP has an SA for a STA, and it receives an Association frame, quickly test for the presence of the existing PTKSA If the PTKSA is not current, then drop the SAs before responding If the PTKSA is current, ignore the Association request Non-AP STA initiating Associations need to ignore all Ping Requests from the AP the STA is associating to This is already implicit in the base text Action frames are Class 3; STAs that send Associations are not If Robust Management frame protection is on, lack of a PTKSA will prevent the Ping from being verified Now, a refreshed/blank STA coming in will face a small delay after the Association Request before it can begin

Choice I Legitimate Case Non-AP STA sends (Re)association AP pings the STA Only failure drops the SA and disables encryption Non-AP STA AP Association Request Ping Request Response Timeout Ping Request Ping Request SA Terminated Association Response Pings Ignored EAPOL EAPOL

Choice I Attacker Case Attacker sends (Re)association AP pings the STA AP stops processing the Association AP and STA continue using old association and SA Attacker Non-AP STA AP Association Request Ping Request Ping Response Response Timeout AP terminates Association Request, with no change to association or SA state

Choice II: STA Ping Test Remember: we’re keeping the teardown semantics as it is today for this choice No other way for STA to detect SA Teardown AP won’t send downlink packets to STA AP can try to Deauth based on timeouts or uplink packets, but STA will ignore them for lack of a correct MIC STAs already use an existence test for APs They usually are Null data packets Thus, STA needs to ping every now and again Not needed whenever a downlink data frame—successfully decrypted or not—has been recently received

Choice II Normal Case … … Pings are sent every so often (STA determined) Response comes back Non-AP STA AP Ping Request Response Timeout Ping Response … Ping Request Response Timeout Ping Response … Ping Request Response Timeout Ping Response

Choice II Attacker Case Attacker sends Association Request, terminating the SA Ping sent Response not received within timeout STA (Re)associates Attacker Non-AP STA AP SA Terminated Association Request Disassociation Ignored by integrity check Ignored for no SA Ping Request Ping Request Response Timeout Ping Request Reassociation Request Reassociation Response EAPOL

Overhead Per-test overhead can be made very small Teardown attack only requires ability to transmit frames No need to assume that the attacker can jam/delete Thus, even one ping protects Tradeoff between speed and resiliency Question now is on retransmissions to avoid channel loss This can be tuned similarly to that of other existence tests today

Overhead: Choice I Only requires testing on Association requests Without this proposal, AP has to respond with some Association Response = 2 frames With this response, attacker can only elicit one more frame = 3 frames Thus, packet overhead is negligible Low time overhead Ping turnaround can be done in very low millisecond times Centralized WLAN architectures may have > 10ms Association turnaround times in many cases Ping can be initiated and handled locally Thus, overhead can be taken concurrently Thus, no introduced time overhead in many cases

Overhead: Choice II Requires STA to ping for AP’s existance The more often, the quicker the STA can recover from teardown For active clients, there is no added overhead STA receiving data frame from AP is indication that the SA is still intact For silent clients that actively check the AP, the overhead is negligible Instead of Null Data (1 frame), it’s two frames For silent clients that passively check the AP, the overhead is added, but adjustable

Proposal Choice I Ping Services added as an Extended Capabilities Lower overhead in sunny day scenarios Cleaner, addresses problem directly STA may still do its own pings if it wishes It’s just not required to prevent SA teardown attacks Ping Services added as an Extended Capabilities Introduced in 11w, but Useful in other circumstances as well Robust Management frame protection not required for Pings, but Ping responses are required for Robust Management frame protection

Fast Transitions Association Requests based on FT wouldn’t require pings either Currently, SAs are not torn down on an FT Association The liveness test is built in, of course But Pings still needed elsewhere Attackers can always send non-FT Association Requests, and the AP still needs to handle that case Could limit modifications entirely to just 8.4.10: always disregard Assoc for teardown Would let 802.11r + 802.11w be a solution when bundled together But requiring FT support is extreme and unwarranted just to solve this problem End result: 802.11r helps by removing all overhead on FT, but non-FT case still requires Choice I

Other Alternatives It’s possible to consider allowing EAPOL exchanges in the clear when an SA is intact Problem: 802.1X Uncontrolled Port must be hooked up to either encrypted or unencrypted traffic bidirectionally, not a mix Strange Solutions: STAs would be forbidden to send EAPOL encrypted ever, or STAs would have to send EAPOL unencrypted when told by the AP (in a protected manner) Thus, I did not consider this path

Postscript Proposal addresses flaky text in IEEE 802.11-2007 Section 11.3.1.2: Authentication The STA’s SME shall delete any PTKSA and temporal keys held for communication with the indicated STA by using the MLME-DELETEKEYS.request primitive (see 8.4.10) upon receiving a MLMEAUTHENTICATE.indication primitive. Strike that text out (and from 11.3.1.1 as well)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.